SEC Is Coming for Financial Advisors on Cybersecurity. Are You Ready?

The SEC has proposed new cybersecurity rules for registered investment advisors and funds. The proposed rules would require written cybersecurity policies, incident reporting within 48 hours, annual reviews, and board oversight of cybersecurity risk. For financial advisors and wealth management firms, the compliance landscape is about to change significantly.

What the SEC Is Proposing

Written Cybersecurity Policies and Procedures

Firms must adopt and implement written policies addressing: risk assessment, user security and access, threat and vulnerability management, information protection, and incident response and recovery. Sound familiar? These mirror what HIPAA has required of healthcare for years.

48-Hour Incident Reporting

Significant cybersecurity incidents must be reported to the SEC within 48 hours. This is faster than HIPAA's 60-day window and signals the regulatory trend toward rapid disclosure.

Annual Review

Cybersecurity policies must be reviewed at least annually and updated based on changes in risk, technology, or business operations.

Public Disclosure

Funds would need to disclose cybersecurity risks and incidents to investors. Transparency is the direction of regulation across all industries.

What Financial Practices Should Do Now

Don't Wait for Final Rules

The proposed rules will be finalized, possibly with modifications. But the direction is clear. Firms that prepare now will be ahead when compliance deadlines hit.

Conduct a Risk Assessment

Document your cybersecurity risks: what data you hold, where it's stored, who has access, what threats you face, and what controls you have in place. This is the foundation of every regulatory framework.

Implement Core Controls

  • MFA on all systems containing client data
  • Encryption of client data at rest and in transit
  • Access controls limiting data access to authorized personnel
  • Backup and recovery procedures that are tested regularly
  • Security awareness training for all staff
  • Vendor management ensuring third-party providers meet security standards

Document Everything

Regulators want evidence. Document your policies, your risk assessments, your training records, your incident response procedures, and your annual reviews. If it's not documented, it didn't happen.

Engage Your Compliance Team

If you have a Chief Compliance Officer, cybersecurity should be on their agenda. If you don't, designate someone responsible for cybersecurity compliance and give them the authority and resources to do the job.

The Pattern

HIPAA for healthcare. GDPR for privacy. State breach notification laws. And now SEC cybersecurity rules for financial services. The pattern is clear: every regulated industry is getting prescriptive cybersecurity requirements. The question isn't whether your industry will be regulated. It's when.

Prepare now. The rules are coming.