Is Your Firm Ready for the SEC?

How To Prepare for the Regulations of Tomorrow

By Jason Elmer, Founder and President of Drawbridge

It is no secret that cybersecurity regulations are on the rise: in 2022, the U.S. Securities and Exchange Commission (SEC) proposed cybersecurity rules that would affect all firms in the alternative investment industry. In addition to the processes already examined such as risk assessments and vulnerability management, the SEC also proposed conducting compliance checks around board oversight, incident response and annual reviews that require enhanced reporting. While these are only proposals for now, they represent a revolutionary shift in how the SEC will conduct due diligence in the future.

For many firms, new layers of cybersecurity and new compliance requirements can seem overwhelming. But if the SEC proposed rule changes tell us anything, it is that firms must take a proactive rather than reactive approach to ensuring their cyber posture ahead of the new rules expected in 2023, following the SEC reopening the comment period for another 60 days. Cybersecurity is no longer a checklist item to be considered once a firm has achieved a certain level of AUM or funding – cybersecurity is a top consideration for firms of all sizes, and the SEC will not differentiate based on size.

A cautionary tale can be found in EyeMed, an Ohio-based vision care benefits company that was required to pay a $4.5 million fine for failing to conduct a necessary risk assessment and violating the New York State Department of Financial Services cyber rules. This costly mistake could have been avoided had they conducted ongoing vulnerability assessments and implemented a multifactor authentication process for their email system. In addition to the fine, EyeMed was given three months to conduct a risk assessment and provide the regulator with a clear plan to improve its cybersecurity practices to avoid serious mistakes in the future.

The EyeMed incident shows that cybersecurity is a compounding issue that cannot be solved overnight. It requires firms to take charge and create comprehensive, technical and actionable plans that can be quickly executed so firms can stay one step ahead of looming threats. The key piece of preparation for SEC compliance is in “owning” a firm’s cybersecurity. Technology solutions can make this process easier for firms and empower them to take a proactive approach to their cybersecurity defenses, such as implementing data flow mapping to perform in-depth vulnerability analysis. These types of solutions are not only required for regulatory compliance, but also vital to protect the integrity of the data and information firms deal with daily.

While certain technical controls like policies, risk assessments and cybersecurity training can be outsourced, there are additional actions that firms will be required to complete, including:

• Internal team training to comply with the proposed 48-hour incident reporting deadline
• Data flow mapping to understand vulnerabilities and enable firms to implement the required mitigation tactics
• Board reporting on the fund’s current and future cybersecurity preparedness ownership becomes particularly important in this case.

Many firms historically left cybersecurity in the hands of IT providers or MSPs, particularly those firms without a CISO. That is no longer adequate. Cybersecurity today must be reviewed to protect sensitive data and information and prevent the significant cost of non-compliance. The stakes are even higher in the face of the new SEC regulations, and firms that fail to incorporate cyber into their strategic business operations and budgets may end up paying for it elsewhere, both in fines and in the loss of consumer trust.

Ensuring a firm’s effective cyber posture is not an overnight process – it requires ongoing risk assessments and an actionable road map to identify existing vulnerabilities and correct for the future. With appropriate planning, technological investment and empowerment from board members, firms will be able to meet and exceed the SEC guidelines – and become proactive in their fight to protect against cyberattacks.

About the Author

Jason Elmer brings more than 20 years of cybersecurity and IT infrastructure experience to his role at Drawbridge. As Founder and President, he is responsible for driving the firm’s day-to-day operations, expanding its geographic and technology footprint and leading the company for global growth and scale. His management background includes multiple executive leadership roles and extensive experience delivering business critical FinTech software and solutions that meet the specialized needs of hedge funds and private equity managers.

You can find out more about Jason’s work at https://drawbridgeco.com