By Michael Brice, Founder and President, BW Cyber
Back in February 2022, the SEC proposed sweeping cybersecurity risk management rules for RIAs and funds. Key to these proposed rules is the requirement for advisers to report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients to the Commission on a new confidential form within 48 hours. Furthermore, the proposal requires advisers and funds to publicly disclose in their brochures and registration statements cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years.
As I read those proposed rules, my first thought was, “How does an adviser truly know what a reportable ‘significant cybersecurity incident’ is?”
Fast forward to July 26, 2023, when the SEC adopted ‘Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies’, which start to become effective this December. The requirement to report ‘strategic cybersecurity risk’, as well as the requirement to notify the SEC of a ‘significant cybersecurity incident’ within four days, closely mirrors the proposed disclosure rule requirements for RIAs and funds to report within 48 hours. My professional response to this requirement is, “Wow – good luck complying in such a limited timeframe…” (yes, that’s sarcasm).
Fast forward just two months later. The SEC filed suit against SolarWinds on October 30, 2023 – not even two months after the final rules for public companies came into force – for ‘fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities’. And to add insult to injury for the public sector, now cyber criminals are helping the SEC to enforce cyber incident reporting. Yes, you read that correctly. On November 15, 2023, one of the world’s most active ransomware criminal organizations posted the following note on the Darkweb following their breach of MeridianLink (a publicly traded lending technology company):
‘We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules.’
So back to my sarcastic “Wow” comment: We’ve now arrived at the point where organized crime is literally helping the SEC to take punitive action against companies if targeted firms don’t pay the criminals’ extortion demand. The irony here harkens back to the old expression, ‘The beatings will continue until morale improves.’ And, while that may sound funny if you’re an asset manager and not a publicly traded company, my point is that these two scenarios are now the future playbook for the asset management industry if/when these proposed new rules are approved.
So, what do you do? The proverbial throwing one’s arms in the air is not where I am headed. Nor am I saying that the sky is falling.
But, if and when you have to report a ‘material cybersecurity incident’ to the SEC, or you simply want to know how to respond to a cybersecurity incident, you must have a plan. And that plan is called an Incident Response Plan (IRP). If you don’t have one, you should. And if you do have one, it should articulate how to define and respond to a material cybersecurity incident.
Regardless of whether the SEC currently requires you to report or not, your next due diligence questionnaire will ask if you’ve had a cyber incident. While it’s important to know what a ‘cybersecurity incident’ is, it is even more important to know how to actually respond to one. While explaining this process goes well beyond the scope of this article, what I can say is that if you have an IRP, you must perform an ‘IRP Tabletop’ exercise to know whether your IRP is truly a viable document that will help you respond to a cyber incident, or whether it’s simply a worthless document with the words ‘IRP’ on the cover.
Regardless of whether you have an IRP or have tested your IRP with a tabletop exercise, if you are a publicly traded company, you should be updating your board on the firm’s overall strategic risk as well as the firm’s ability to identify and report a material cybersecurity incident to the SEC within four business days. If you’re an asset manager, I urge you to read between the lines of the SolarWinds action and the MeridianLink ransom attack to ensure you are best prepared to respond to a potential cybersecurity event.