The proposed US Securities and Exchange Commission (SEC) rule concerning Cybersecurity Risk Management for Investment Advisers and Funds introduces strict rules for the adoption, implementation, annual review, and reporting of detailed and comprehensive written cybersecurity policies, controls, and procedures.
The rule also requires very quick notification of cyber incidents to the SEC, outlines new recordkeeping requirements, and requires the disclosure of cyber risks and incidents to clients and investors. While that may sound fairly standard, the Alternative Investment Management Association (AIMA) raises some questions, notably over the reference to “significant cyber incidents”: what constitutes ‘significant’?
AIMA’s other primary concerns are:
- The 48-hour notification deadline for significant cyber incidents – this proposed deadline could burden IT security teams and distract them from responding to the threats. Tough luck if you’re a one-person IT security band. For reference, the UK’s GDPR has a 72-hour cyber incident reporting deadline.
- The public disclosure of cybersecurity risks and incidents – the last thing a firm will want after a cyberattack is to publicly broadcast its cybersecurity flaws and roll out the red carpet for hackers. Why does this need to be disclosed publicly, and so soon after the event?
AIMA’s response to this proposal was one of more than a hundred, and many others also raised similar concerns, so now it is a waiting game to see whether the US regulator will heed industry concerns.