In February, the Securities and Exchange Commission (SEC) announced new cybersecurity requirements for registered investment advisors (RIAs). The proposed changes, which are currently in the comments phase, are likely to be formalized and published before the end of the year. Here’s what you need to know before that happens.
What will the new rules do?
Essentially, they will put teeth into the SEC’s existing rules about how transparent RIAs must be about cybersecurity. The proposed rules set out a desired standard for protecting client data, and require you to define and report on your security programs to prove that you’ve achieved that outcome.
How do I prepare to comply?
The proposed rules don’t specify exactly what technical steps you should take to formalize your plan to protect client data, but they do require that plan to include details on how you will perform all of the following:
- Documenting your security program in detail, especially policies and procedures around risk assessment, data security controls, and reporting
- Regularly testing documentation and procedures, and communicating the results all the way up to your board of directors
- Reporting material cybersecurity incidents and breaches to the SEC within 48 hours of detection using a standardized form
- Disclosing cybersecurity risk and incidents to clients
- Retaining and maintaining documentation records for five years
How can Xantrion help?
If you aren’t sure whether your security program will meet these more stringent standards, Xantrion can help you evaluate it and add any needed protections.
We can also help you understand the SEC’s documentation requirements (i.e. what you need to document and how to do it), then work with your compliance officer or other responsible party to create and maintain that documentation. In addition, we can help you perform the necessary tests of your documentation and procedures and guide you in communicating the results to your board in a meaningful way.
Our role as a managed security provider is to prevent security incidents from happening in the first place, which will help limit the time you spend reporting on and disclosing them. If a cyberattack or data breach does happen, though, Xantrion will provide you with incident and response details promptly so you can meet the SEC’s 48-hour reporting requirement and disclose them to clients.
Finally, Xantrion’s backup and recovery service can help you keep your cybersecurity documentation and records safely stored for the required five years.
Get started now
Don’t wait until these new cybersecurity guidelines go into effect before preparing for them – call Xantrion today to get a head start! And remember: in a market that gets more privacy-conscious by the day, being proactive about transparency isn’t just about compliance. It also gives you the competitive edge of being able to demonstrate to current and prospective clients exactly how attentive you are to protecting their sensitive financial information.