StrateZen

Federal Compliance Regulations


Key federal requirements that registered investment advisors (RIAs) must comply with regarding information and cybersecurity:

1.  Regulation S-P:

  • Safeguard Rule: Requires RIAs to adopt written policies and procedures to safeguard customer records and information.
  • Privacy Rule: Requires RIAs to provide initial and annual privacy notices to customers, detailing the firm’s information-sharing practices (JD Supra, https://www.jdsupra.com/legalnews/sec-proposes-cybersecurity-risk-2620218/; The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).
  • Proposed SEC Cybersecurity Rules:
      ◦ Risk Assessments & Policies/Procedures: RIAs must conduct cybersecurity risk assessments, document them, and implement policies and procedures to address identified risks.
      ◦ Incident Reporting: Report significant cybersecurity incidents to the SEC within 48 hours.
      ◦ Disclosure Requirements: Publicly disclose cybersecurity risks and incidents in brochures and registration statements.
      ◦ Recordkeeping: Maintain records related to cybersecurity policies, risk assessments, and incident responses (SEC.gov, https://www.sec.gov/news/press-release/2022-20; Kirkland & Ellis LLP, https://www.kirkland.com/publications/kirkland-aim/2022/03/sec-new-cybersecurity-rules-investment-advisers; Dechert, https://www.dechert.com/knowledge/onpoint/2022/2/sec-proposes-new-cybersecurity-rules-for-sec-registered-advisers.html).

2.  FTC Safeguards Rule (under the Gramm-Leach-Bliley Act):

  • Information Security Program: Develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards.
  • Risk Assessment: Conduct regular risk assessments to identify and address potential threats to customer information.
  • Service Provider Oversight: Take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards, and require them by contract to implement and maintain such safeguards (Debevoise, https://www.debevoise.com/insights/publications/2021/03/the-secs-cybersecurity-priorities; The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

3.  Cybersecurity and Infrastructure Security Act:

  • Reporting Requirements: Organizations must report significant cybersecurity incidents to CISA.
  • Information Sharing: Encourages sharing of cyber threat indicators and defensive measures with the government and other entities (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

4.  FINRA Rule 3110:

  • Supervisory Procedures: Establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, including those related to cybersecurity.
  • Cybersecurity Guidance: FINRA provides guidance and resources to help firms enhance their cybersecurity programs and protect customer information (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

5.  NIST Cybersecurity Framework:

  • Framework Core: Provides a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
  • Implementation Tiers: Describes the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework.
  • Profiles: Align the framework core with the business requirements, risk tolerance, and resources of the organization (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

6.  OCIE Cybersecurity Initiative:

  • Examinations: Conducts examinations of RIAs to assess their cybersecurity preparedness, including governance and risk management, access controls, data loss prevention, vendor management, training, and incident response.
  • Risk Alerts: Issues risk alerts to provide observations from examinations and recommend best practices for improving cybersecurity programs (Debevoise, https://www.debevoise.com/insights/publications/2021/03/the-secs-cybersecurity-priorities; The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

7.  Section 404:

  • Internal Controls: Requires management and external auditors to report on the adequacy of a company’s internal control over financial reporting. This includes controls related to the security of financial data and systems (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

8.  Security Rule:

  • Safeguards: Requires firms to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

9.  Information Sharing: Encourages sharing of cyber threat information between the private sector and the federal government to enhance collective cybersecurity defense mechanisms (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

10.  EO 13636 - Improving Critical Infrastructure Cybersecurity:

  • Voluntary Standards: Promotes the adoption of voluntary cybersecurity standards and best practices among critical infrastructure sectors.
  • Information Sharing: Enhances the sharing of cybersecurity information between the government and the private sector (The National Law Review, https://www.natlawreview.com/article/sec-s-most-recent-cybersecurity-move-what-registered-investment-advisors-need-to).

These federal requirements are designed to ensure that RIAs implement robust cybersecurity practices to protect customer information, manage cybersecurity risks, and comply with reporting and disclosure obligations. For more detailed information, you can refer to the respective federal agency websites and regulatory publications.