Don’t Wait for the New SEC Cybersecurity Rule

Financial institutions must get ready to report on assessing, monitoring, mitigating and remediating cyber risks

Financial firms are doing business in a golden age for cybercriminals. In 2022, web application and API attacks against financial services firms grew by 257%. Policymakers are amplifying the call for financial institutions (FIs) to become better stewards of investor data. 

The White House released its National Cybersecurity Strategy in March, with the ultimate objective of protecting investors and the integrity of the financial markets. Shortly after, the SEC reopened the comment period on the 2022 proposed Cybersecurity Rule 206(4)-9, which provides registered investment advisers, asset managers and funds with a set of rules governing cybersecurity reporting, disclosure and governance.

Whether an FI is ahead of the curve or behind the pack on reporting cyber risk to stakeholders, it is inadvisable to wait until the SEC’s rules kick in to begin a path to compliance. Asset managers can immediately educate themselves on the new requirements and pre-empt the SEC by codifying and fortifying their attack incident reporting processes, customer notification processes and written cybersecurity policies and procedures.

Advisor Armor