Wipfli logo
Back to Articles

New SEC rules on cybersecurity for RIAs

Derek J. Olson
Sep 09, 2024
3 min read

Are you ready to respond to a cybersecurity incident? Do you have a written plan with specific procedures and requirements? The U.S. Securities and Exchange Commission (SEC) will now require it.

The SEC recently adopted new cybersecurity rules for “covered institutions,” which include registered investment advisors (RIAs) and broker-dealers.

The new rules, included in amendments to Regulation S-P, focus on actions that covered institutions must take to prepare for and respond to cybersecurity incidents. They were published in the Federal Register on June 3, 2024. Large firms must comply with the new rules within 18 months from this date, and small firms have 24 months.

What are the main changes to Regulation S-P?

There are four main topics addressed in the amendments to Regulation S-P:

  • An incident response program “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information”
  • Breach notification rules for affected individuals “whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization”
  • Due diligence and monitoring of service providers
  • Expanded rules for recordkeeping and privacy notices

How can RIAs prepare for compliance?

Cybersecurity threats have become an increasingly common risk for businesses of all industries. Business leaders regularly ask their experts, “Are we secure?” These new rules present the impetus to ask a better question: “Are we prepared?”

Rather than focusing on controls and protections to reduce the probability of a cyberattack, the new SEC rules focus on ensuring that covered institutions are prepared to respond effectively, thereby mitigating the impact of an incident.

The cornerstone for effective response is to have in place an incident response plan. Many firms rely on off-the-shelf incident response plans provided by a consultant or found on the internet, but these documents are soon forgotten, sitting on a shelf collecting dust. If firm leaders don’t know what’s in the plan, they will not respond according to the plan. When the fire alarm goes off, no one starts reading a detailed evacuation plan; they either have a reasonable knowledge of what they’re supposed to do, or they panic and guess. This is not going to fly in the new regulatory environment.

Given the new SEC rules requiring an incident response program with specific response requirements, leaders must have a reasonable knowledge of what is required of them when a cyber incident strikes. The best way to accomplish this is through the practice of tabletop exercises.

A tabletop exercise is a discussion-based simulation of a hypothetical crisis scenario. Leaders gather together to walk through a hypothetical incident, discussing the actions they would take in response to a given set of facts. Tabletop exercises have been used for decades by first responders, military leaders, governments and private organizations to prepare for disasters and crises. They are also a widely practiced method to prepare for cybersecurity incidents.

A tabletop exercise focused on a cybersecurity incident scenario can accomplish several objectives:

  • Improve awareness and understanding: As part of the exercise, participants should clearly identify the key roles and responsibilities, the incident response process and the legal and regulatory requirements of the firm.
  • Assess readiness and identify gaps: Walking through the process will highlight potential issues in existing cybersecurity protections or the incident response process. The exercise will also help to validate, review and update documented plans and procedures. The SEC requires that the incident response plan be documented. Firms will not want to have one process documented and do something completely different during a real cyber incident.
  • Build confidence: Mentally going through the motions will help build confidence in the response process. This confidence will reduce fear and panic during a cyber incident or any other crisis the firm might face.
  • Mitigate the impact of an incident: The ultimate goal of the exercise is to reduce the impact of a cyber incident should one occur. Help ensure the firm is prepared to comply with SEC-mandated procedures and has the right processes in place to contain the attack, minimize business impact and reduce financial costs.

What you should know

The new amendments to SEC regulation S-P reflect the growing importance of cybersecurity incident response for RIAs and their customers. RIAs should review and update their incident response programs and conduct regular tabletop exercises with an experienced facilitator to improve their preparedness and compliance.

How Wipfli can help

Cybersecurity is more important than ever, and Wipfli’s team of dedicated professionals has the experience your firm needs to protect against digital threats and meet SEC compliance standards. We can help you formulate a strategy, implement your plan and keep things running smoothly. Contact us today to get started.

Author(s)

Derek J. Olson

Let's talk about how Wipfli can meet your needs.

How to calculate your tech ROI
Get our guide to building your firm’s business case for new technology.
Download e-book
Three people in business attire talking in an office
State of wealth management industry report
Download report
Wipfli named a top firm serving wealth management firms
Wipfli recognized among the top 5 wealth management professional services firms by Wealth Solutions Report
Learn more
Two people in business attire sitting across from each other in an office
State of asset management industry report
Download report

TOP PICKS

Ron Niemaszyk
Ronald S. Niemaszyk 12/17/2024
Key exam priorities for the Securities and Exchange Commission in 2025
Read full story
Shannon McIntosh 12/16/2024
From compliance to confidence: Mastering the new CMMC requirements
Read full story
Matthew Hovis
Matthew Hovis 11/18/2024
Mind the gaps: Recent enforcement actions and what they say about AML/CFT data management
Read full story