S3:E12 | The New SEC Cybersecurity Rule Proposal--What You Need To Know | Compliance in Context

Welcome back to Compliance In Context podcast! On today’s show, we do a deep dive on the new SEC Cybersecurity Risk Management rule proposal for Investment Advisers—what it says and what you can do now to help prepare your firm for the potential updates that may be necessary comply with the new rule. In our Headlines section, we look at two recent interviews from Chair Gensler stating that most cryptoassets are securities, and what the future holds for this growing area of the financial markets and the potential impact on compliance. And finally, we’ll wrap up today’s show with another installment of Outtakes series where a recent SEC and CFTC sweep uncovered “egregious misconduct” related to off-channel business communications for 16 regulated entities, and what are some of the key lessons investment adviser and broker dealer firms should take away in order to avoid suffering the same fate. 

Show

 Headlines

• Chair Gensler interview with PLI regarding disclosure requirements of digital assets
• Chair Gensler interview with Coinbase regarding cryptoassets as securities

Interview with Amber Allen and Craig Watanabe

• Review the evolution of the SEC’s Cybersecurity guidance
  • Reg S-ID
  • Reg S-P
  • Prior enforcement actions
  • SEC Risk Alerts
• Discuss the specifics of Proposed Rule 206(4)-9
• Analyze the benefits of cybersecurity risk assessments
• Outline additional elements of the new rule in conjunction with best practices from prior guidance
  • User Security and Access
  • Information Protection
  • Vendor Management
• Examine the use of incident response plans and applicability of cyber insurance
• Summarize key steps firms can take to protect their firms now and what to do when a breach occurs

Final Segment – Outtakes

• SEC and CFTC Sweep Uncovers “Egregious Misconduct” Related to Off-Channel Business Communications

Quotes

09:24 - “I think evolution is a good word and I would view this most current proposal (Rule 2064-9) as evolutionary rather than revolutionary. And in your introduction, I really picked up on one key word and I think that really characterizes what the SEC is doing, and that is codify. And I’ll take it one step further: formalize.” - Craig 

12:05 - “Having the potential obligation to disclose an incident within 48 hours of that occurring could be a pretty onerous requirement for the firms, especially when they’re trying to juggle some of the things that go alongside of a data breach.” - Amber 

26:32 - “One of the problems with cybersecurity is that it’s easy to talk about but hard to do. And I will say this, it’s particularly challenging because many compliance officers don’t have a lot of savviness with regard to IT and, in particular, information security.” - Craig