Welcome back to the Compliance in Context Podcast! On today’s show, we do a double-feature Lessons From The Front Lines episode on the SEC Cybersecurity Rule Proposal (proposed Rule 206(4)-9) with an esteemed panel of experts from ACA Aponix and Fairview Cyber, including Carlo di Florio, Christine Tetherly-Lewis, Mike Pappacena, and Amber Allen. Given the increased focus from the SEC, and the fact that many elements of the rule proposal represent challenges already facing SEC-registered firms, this is an episode you won’t want to miss!
Show
Interview with Carlo di Florio (Co-Host), Christine Tetherly-Lewis (ACA Aponix), Mike Pappacena (ACA Aponix), and Amber Allen (Fairview Cyber)
Quotes
10:14 – “You really see the growth and focus by the SEC and FINRA and other regulators starting in 2010 and forward timeframe. You mention a number of risk alerts there and I would observe that the exam division has published more risk alerts, special reports, exam priorities specifically focused on cyber than any other subject. And the same thing at FINRA with some really excellent reports.” – Carlo di Florio
12:20 – “So under the proposed rule 206(4)-9, the SEC has set forth this proposal that would require advisors to adopt specific and fairly prescriptive requirements to address cybersecurity at a firm level. It would require comprehensive programs to address things like cybersecurity risk assessments which would be conducted annually and potentially more frequently depending on changes in firm risks and also even just industry risks.” – Amber Allen
31:44 – “You don’t know what you don’t know is sort of a cliché when it comes to cyber, but making sure that you have appropriate tools in place that can help you detect an incident or a potential incident. I think that what firms need to do with respect to understanding if there is a significant incident is really—when they look at their incident response plans and how they receive alerts, notifications, and monitoring—is really set some guidelines and some boundaries around what that all means.” – Mike Pappacena
33:28 – “I think it’s really critical for firms to have thorough monitoring programs in place so they can keep an eye on potential breaches. And under the proposed rule, the SEC did note that firms should be reporting once they have a reasonable basis for concluding that an incident is occurring or has occurred. And it’s interesting that it also noted specifically that that does not mean that they know that the incident has occurred.” – Amber Allen
35:24 – “Testing of all of these practices is really, really important. The best way to be prepared is to roleplay. Step through some of these scenarios. Make sure you know how you would react, how you’d maneuver, and ultimately, how you’d survive one of these issues if an incident does, kind of, reveal itself.” – Christine Tetherly-Lewis