The next regulatory shakeup in asset management

This article is co-authored by Adil Palsetia, Partner, Cybersecurity, KPMG in Canada and Mihai Liptak, U.S. Solutions Lead, Risk Intelligence, KPMG in the U.S.

With cyberattacks and data breaches on the upswing, cybersecurity preparedness is already a topic of concern for Canadian investment advisors and investment firms. However, with new rules on deck from the United States (US) Securities and Exchange Commission (SEC), investment firms with business activity in the US will need to put even more focus on cybersecurity risk management in the months ahead.

While the SEC started focusing on cybersecurity regulation in earnest fifteen years ago, its primary focus was financial services.

This focus has shifted over the past 24 months. As more individuals have entered the financial services market and as technology takes a central role in critical business operations, the SEC and state level regulators have broadened their focus to public companies, investment firms, broker dealers, exchanges, and other entities.

The heightened focus recognizes that companies operating in the asset management landscape are plugged into an increasingly wide range of systems, networks, and service vendor platforms. These interfaces pose cybersecurity risks and can lead to cybersecurity incidents, data breaches, and critical process failures impacting shareholders and markets and may result in financial loss, reputational damage, market impact loss in shareholder value and increased client turnover.

The amendments will hold more entities to account with the aim of increasing cybersecurity resilience within the financial sector as a whole. With broad scope and several new requirements to observe, these proposed changes are significant and will have a major impact on the asset management industry.

Essentially every organization in the Canadian investment advisor community is impacted. The applicability test appears simple. If a firm or foreign investment fund is registered with the SEC, it is scoped in. Some may expect exclusions based on company size, with exceptions for smaller firms, but there’s no guarantee.

New SEC rules are already in effect for public companies and the proposed requirements for private investment advisors and funds are slated to go live in Q4 of 2023. Those for broker-dealers are scheduled to go live in April of 2024.

These dates, however, are not written in stone. Observers point out that while the new rules for public companies weren’t supposed to go live until December 2023, they were in fact enacted sooner, with ratification on July 26, 2023. To avoid surprises, investment advisors should stay abreast of SEC timelines and start planning.

For everyone, with or without a cybersecurity risk management program or strategy, the new rules introduce obligations regarding cybersecurity policies and procedures, disclosures, and record-keeping.

Many private advisors, especially large institutional firms, already adhere to cybersecurity policies as a matter of due course, though there has been no formal requirement to do so. For these advisors, the new rules may simply represent a formalization of cybersecurity best practices that they already follow.

The proposed rules being updated are the Advisor’s Act, Section 206-4 (9) and the Investment Company Act, 38a-2. Advisors and funds must adhere to the following requirements:

• Implement written policies and procedures to address cybersecurity risks
• Execute a risk assessment to understand the primary risks facing the organization, and what processes and controls are in place to safeguard organizational assets
• Report significant, e.g. “material”, cybersecurity incidents to the SEC (on proposed Form ADV-C)
• Maintain, make, and retain certain cybersecurity-related books and records. Organizations will be expected to conduct an annual review of the design and effectiveness of their cybersecurity risk management policies and procedures.
  

First and foremost, Canadian investment firms need to understand that the proposed SEC rule changes apply to them. If they have any dealings in the United States, they will be in scope. After reviewing the amendments, advisors should look closely at the following risk areas and start preparing.

Develop a process for determining materiality

One update that raises the stakes for investment firms is the process around cybersecurity incident disclosures. If a firm or fund experiences a “material” cybersecurity event, it must be reported to the SEC. For public companies, the SEC set the deadline for making such a disclosure at four days. It’s likely that the SEC will hold investment firms to the same timeframe.

Organizations need to document, or establish, a regimented and repeatable process for responding to cyber and technology risk events, including a formalized framework to determine their materiality. To meet SEC disclosure timelines, they’ll need a process that can be carried out quickly.

Organizations will need to update those filings to include cybersecurity and mention what processes and teams are in place to determine the materiality of cybersecurity incidents. Ideally, the Chief Information Security Officer (CISO) should oversee the report and legal counsel should be added as one of the stakeholders.

Define third-party risk

Investment advisors need to obtain clarity on their third-party vendor relationships and recognize the level of cybersecurity risk they pose to their organizations. If a SaaS supplier, for instance, experiences a material cybersecurity event, it may implicate the investment firm. The next step is to determine materiality – again, within the four-day reporting window.

Once the clock is ticking, firms will have little time to pull materials together and get their paperwork prepared. They’ll need assurances from third-party vendors that they’ll be notified as soon as possible about any cyber or technology event.

To expedite the materiality determination process, investment advisors may need to open channels of communication with vendor owners. They may need to update vendor contracts to reflect new terms around fault and liability and to support the new reporting deadlines around material events. Some firms might choose to overhaul their third-party programs or reduce the number of third-party relationships they maintain.

Start proactive preparations

With the new amendments for investment firms, firms can either wait for the ink to dry to learn the particulars or take proactive steps based on the likelihood that the updates will mirror the rules already in force for public companies.

Preliminary steps might include conducting risk assessments, standing up testing programs, or adding cybersecurity to the testing programs and compliance obligations advisors already have in place. Firms may also look ahead to how their 10-K and 20-F filings might change as their cybersecurity and technology environments evolve. Firms are recommended to put a review process in place to capture changes in those areas.

Firms should also note the ramifications for non-compliance: the risk of regulatory fines from the SEC.

Because investment advisors have not faced significant regulatory rigor over the years, they tend to demonstrate less maturity in the cybersecurity and technology risk management space. On the one hand, smaller firms might be less prepared to stand up a suitable risk program to address the proposed SEC rules, however they tend to face far fewer risks than large firms do.

The newly required SEC risk assessment will help smaller firms understand what risks they’re exposed to. In most cases, it will drive down the compliance requirements smaller firms will need to add to their processes. The challenge is that this assessment needs to be properly documented, which will have downstream impacts in terms of effort and cost.

KPMG in Canada has the tools and experience to assist investment firms build a strong foundation for SEC compliance. We can conduct Cyber Maturity Assessments (CMA), Third-Party Security Risk Assessments, Threat and Risk Assessments (TRA), to review and assess an organization’s existing cybersecurity controls, and compare results against SEC regulations to identify any gaps and deltas. Based on those analyses, we can help investment advisors and broker-dealers set up testing and compliance programs. We can also help run those testing programs as a managed service.

To comply with the new SEC rules, investment advisors need to gain new speed in observing short reporting timelines. We can help develop the necessary materiality frameworks and strong governance that ensure their third-party program, cyber program, and regulatory program are firmly connected and operating efficiently.

By addressing compliance issues and cybersecurity posture today through KPMG’s approach, investment advisors can avoid future challenges and stay focused on building value. For more information about the new SEC rules and to discuss their impact for your organization, contact us.