The SEC’s Regulation S-P in the Age of Cybersecurity

The SEC has used the Safeguards Rule to address cybersecurity concerns for RIAs, but arguably that rule is a dated and imperfect fit. RIAs might look to the more recent steps taken by others in the financial services sector as a way to inform their Safeguarding Procedures and related protocols (for example, incident response). These efforts include the comprehensive frameworks established by the banking regulators and the recent frameworks put forward by NYDFS and NASAA that reflect current thinking in cybersecurity.

Cybersecurity worries regularly lead the news and the boardroom agenda as a major part of the zeitgeist of our time. A single cybersecurity incident can move markets, end careers, or prompt litigation. In this age of cybersecurity, financial institutions have rapidly realized the importance of maintaining robust defenses to protect both customers and the institution from bad actors, whether internal or external.

Reflecting the piecemeal nature of financial services regulation in the United States, federal and state regulators have begun jockeying for position by adapting existing regulations to cybersecurity concerns and by breaking ground with new cybersecurity regulations. Each regulator has taken its own path with respect to the institutions it regulates, and no one approach has become dominant.

For investment advisers registered under the Investment Advisers Act of 1940 (RIAs), the US Securities and Exchange Commission (SEC) is the primary functional regulator. So far, the SEC has taken a path of adapting existing requirements in Regulation S-P to address cybersecurity concerns through the issuance of guidance and enforcement actions.

This article provides an overview of Regulation S-P, discusses how the SEC has interpreted Regulation S-P to address cybersecurity and certain

SEC and FINRA enforcement activities, reviews cybersecurity initiatives undertaken by other regulators and organizations, and offers concluding remarks that may help RIAs with a path forward. Throughout we discuss considerations and takeaways for developing and evaluating cybersecurity compliance for RIAs. MORE

Mark Brown