According to WealthManagement.com, the Securities and Exchange Commission (SEC) voted to propose two new rules on cybersecurity for registered investment advisers (RIAs), and one of the SEC’s proposals follows the Department of Labor’s (DOL) cybersecurity guidance. Business litigation partner David Porteous discussed the two agencies’ approaches.
The publication noted that the SEC is following a formal rulemaking procedure with a public comment period that will run until at least Apr. 11, 2022. Porteous said that the date for issuing a final rule and its contents are unknown and will be influenced by the number of comments the proposal receives. “You could get four comments…or 4,000,” he stated. “I wouldn’t be surprised, given the importance of this issue, that you get a number of comments that the SEC has to at least contemplate.”
The DOL is putting the onus on plans to ask the right cybersecurity questions in the first place, Porteous explained. In contrast, the SEC is telling RIAs and funds they will be required to have a “risk framework to deal with cybersecurity and make disclosures regarding its adequacy and conduct testing regarding its adequacy,” he said. “One way or the other, I’d say that the temperature is rising on the quality of cybersecurity risk for an RIA, whether you’re in the DOL space or not.”