In February, the U.S. Securities and Exchange Commission voted to propose two new rules on cybersecurity: rule 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act. From a high-level perspective, the proposed rule for advisors in its current form will require:
- Cybersecurity risk management policies and procedures, including annual reviews, written reports and additional record-keeping;
- Reporting of significant cybersecurity incidents to the SEC on a new Form ADV-C; and
- Disclosure of cybersecurity risks and incidents with amendments to Form ADV Part 2A.
For registered investment advisors working with retirement plans, the SEC’s 206(4)-9 proposal follows the Department of Labor’s cybersecurity guidance that was issued in April 2021. Considered together, it’s clear that cybersecurity is top of mind for regulators, which raises the question of whether the two agencies’ efforts will converge or diverge. Convergence would benefit plan advisors who fall under both agencies’ supervision; divergence could result in more work to comply with multiple rules and suggestions.
There is a key difference between the agencies’ approaches. The SEC is following a formal rule-making procedure with a public comment period that will run until at least April 11, 2022. The date of a final rule, and its contents, are unknown, said David Porteous, a partner with Faegre Drinker, and will be influenced by the number of comments the proposal receives. “You could get four comments, you can get 4,000,” Porteous observed. “I wouldn't be surprised, given the importance of this issue, that you get a number of comments that the SEC has to at least contemplate.”
In contrast, the DOL issued guidance, tips and suggested best practices in three separate documents aimed at plan fiduciaries, service providers and participants. The agency did not follow a formal pre-publication rule-making process with these publications. David Levine, principal and co-chair, plan sponsor practice with Groom Law Group, said the DOL’s previous use of a similar informal process with the fiduciary rule as expressed in PTE 2020-02 has been challenged in two lawsuits. Those lawsuits’ outcomes could impact the DOL’s cybersecurity guidance, said Levine.
The DOL is putting the onus on plans to ask the right cybersecurity questions in the first place, Porteous explained. In contrast, the SEC is telling RIAs and funds they will be required to have a “risk framework to deal with cybersecurity and make disclosures regarding its adequacy and conduct testing regarding its adequacy,” said Porteous. “So, one way or the other, I'd say that the temperature is rising on the quality of cybersecurity risk for a registered investment advisor, whether you're in the DOL space or not.”
RIA in a Box’s vice president and general counsel, Christopher DiTata, said while there isn’t necessarily a conflict between the agencies’ guidance and proposed rules, the SEC proposal seems to go into greater depth, particularly with respect to disclosure. The SEC proposal not only wants advisors to adopt internal policies and procedures but also to disclose to the SEC any cybersecurity incidents. Both the DOL and the SEC call for the financial institution to alert investors of meaningful cybersecurity incidents, he said.
Another difference DiTata highlighted: The SEC identifies a specific cybersecurity framework, that of the National Institute of Standards and Technology (NIST), while the DOL guidance is more open-ended. The DOL calls on plan sponsors to supplement their own efforts by offering “plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss” while the SEC has a deep focus on the financial institution itself to protect the end investor. “That’s not to say that the SEC wouldn’t support investment advisors training clients on cybersecurity hygiene,” DiTata added.
Although the SEC’s final rules are several months away, DiTata believed any efforts to satisfy one agency will be helpful in meeting the best practices recommended by the other. Both plan sponsors under the DOL and investment advisors under the SEC will benefit from education of employees, practical prudent access controls, sensible device management and ongoing monitoring of service providers. “The NIST framework—Identify, Protect, Detect, Respond, Recover—is equally applicable to either and forms a strong starting point for any cybersecurity program, including financial services firms,” said DiTata. “Heeding one agency’s recommendations will bring you a long way toward compliance with the other’s.”
Levine says the industry will be in a better position to judge the degree of regulatory alignment as the agencies’ rules, guidance and enforcement actions evolve and develop. He cites the DOL’s cybersecurity enforcement as an example of that evolution. A few years ago, prior to publishing its guidance, the DOL was asking 10 high-level questions about cybersecurity practices. The most recent version of the questionnaire has expanded to three or four pages of detailed questions. “I think the question is, as this continues to evolve, will there be alignment between the SEC and DOL or will there be inconsistency,” said Levine. “So far, it seems good, but I think it's important for advisors to keep both of these in mind as they go forward.”