The Impact of SEC Withdrawal of Cyber Rule

The SEC recently withdrew proposed cybersecurity rules for investment advisers and registered funds. These proposed rules, initially introduced between 2022 and 2023, aimed to standardize cybersecurity governance and incident reporting, including requirements for written policies, incident reporting, and enhanced risk disclosure. 

Reasons for Withdrawal:

  • Industry Pushback: Concerns were raised by various industry groups, including investment advisers and broker-dealers, about potential burdens and overlaps with existing regulations.

  • Duplicative Regulations: Existing frameworks like Regulation S-P, FINRA rules, state-level laws, and existing SEC disclosure requirements already address cybersecurity to some extent.

  • Shift in Regulatory Strategy: The withdrawal may indicate a shift in the SEC's approach, possibly favoring less prescriptive guidance or more targeted rulemaking. 

Impact of the Withdrawal:

  • Regulatory Uncertainty: While the withdrawal means the proposed requirements for investment advisers and funds will not take effect, cybersecurity remains a high priority for the SEC.

  • Increased Responsibility: Firms now bear greater responsibility to develop and implement their own cybersecurity programs without clear guidance from the SEC.

  • Continued Scrutiny: The SEC will likely continue to scrutinize cybersecurity practices through routine examinations and enforcement actions. 

Recommendations for Firms:

  • Develop a comprehensive cybersecurity program: This should be tailored to the firm's specific size, complexity, and threat exposure.

  • Document everything: Maintain detailed records of risk assessments, training, incident response exercises, and other cybersecurity activities.

  • Stay informed: Monitor potential new guidance or targeted rulemaking from the SEC, especially concerning incident disclosures and reporting thresholds.

  • Prioritize strong governance: Ensure leadership understands cybersecurity risks and that tested controls are in place. 

In essence, while the proposed cybersecurity rule has been withdrawn, firms should not interpret this as a signal to de-prioritize cybersecurity. Strong cybersecurity practices remain essential for protecting clients, maintaining regulatory standing, and addressing evolving threats in the financial sector. 
