Last updated on March 26, 2024
The Securities and Exchange Commission (SEC) has proposed cybersecurity risk management rules for registered investment advisers, investment companies, and business development companies. The proposed rules aim to reinforce the cybersecurity preparedness of investment advisers and funds against cyberattacks and threats.
New Rules in a Nutshell
The proposed rules include the adoption and implementation of written cybersecurity policies and procedures that address security risks perceived as especially dangerous for fund investors and advisory clients. In addition, the rules make advisers responsible for reporting every significant cybersecurity incident that may affect the adviser or its fund.
The proposal also includes a requirement that every adviser and fund publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years. Advisers can do this in the form of a brochure or registration statement.
Furthermore, new recordkeeping rules have been suggested that would require advisers to preserve cybersecurity-related records in a more secure way.
SEC Recommends Multi-Factor Authentication
Importantly, the proposed set of rules lists Multi-Factor Authentication (MFA) as one of the possible ways to ensure user security and controlled access. However, the rule recommends that advisers and funds consider Multi-Factor Authentication methods that are not based on SMS delivery.
SMS-based authentication methods are generally seen as less secure than other, non-SMS-based MFA methods. The weakness of SMS one-time passwords had already been discussed by the National Institute of Standards and Technology (NIST), which famously discouraged organizations from using SMS as a Two-Factor Authentication (2FA) method.
Here at Rublon, we agree that SMS Passcode is among the least secure authentication methods, but at the same time we recognize the advantages of this form of authentication. We believe in choice. Therefore, we give our customers the possibility to choose the SMS Passcode method as one of the available authentication methods. Should a customer decide they do not want their users to use SMS authentication, they can disable this authentication method in the Rublon Admin Console and use a more secure authentication method instead. If you are looking for strong security, go for one of the following authentication methods: WebAuthn/U2F Security Key, Mobile Push, Mobile Passcode.
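To make the contrast with SMS delivery concrete, here is an added example (not Rublon's code and not a description of how the Rublon Mobile Passcode method is implemented) of the kind of app-generated one-time passcode that needs no phone network at all: a time-based one-time password (TOTP, RFC 6238) built on HMAC-SHA1 (HOTP, RFC 4226). The secret is shared once during enrollment and never travels over SMS, so there is nothing for a SIM-swap or SS7 interception to capture. The verifier also shows two checks a practitioner wants: a small clock-drift window, and refusal to accept the same time step twice (replay). The secret and timestamps are the published RFC 6238 test vectors; the `TotpVerifier` class name and its `window` parameter are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp(secret: bytes, candidate: str, unix_time: float,
               step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter the candidate matches, or None.

    `window` is the number of steps of clock drift tolerated on each side.
    Comparison is constant-time to avoid leaking which digits matched.
    """
    base = int(unix_time) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


class TotpVerifier:
    """Server-side verifier for one enrolled user (assumed design, not Rublon's).

    Remembers the last accepted time step so a captured code cannot be replayed
    within the drift window.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time-step counter accepted so far

    def accept(self, candidate: str, unix_time: Optional[float] = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        counter = match_totp(self.secret, candidate, now, window=self.window)
        if counter is None or counter <= self.last_counter:
            return False  # wrong code, too much drift, or replay of a used step
        self.last_counter = counter
        return True


# Constructed demo using the RFC 6238 Appendix B test secret (ASCII "1234...").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 1111111109)
    print("code at t=1111111109:", code)          # 081804 per RFC 6238
    print("first use accepted:", verifier.accept(code, 1111111109))   # True
    print("replay accepted:", verifier.accept(code, 1111111111))      # False
```

The drift window is deliberately small (one step each way); widening it trades a little usability for a larger window in which a phished code stays valid, and the replay check matters precisely because that window exists.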
Rublon Can Secure Access to Your Investment Funds
Multi-Factor Authentication (MFA) is considered an industry best practice for investment advisory firms. The Securities and Exchange Commission (SEC) recommends deploying Multi-Factor Authentication to improve the security posture of investment firms. There is no reason to wait until the recommendation turns into a requirement. Bad guys will not wait.
RIA firms are a common target of cyberattacks and hacking attempts because registered investment adviser technology systems hold sensitive client information and non-public data that is attractive to malicious actors. RIA firms should put greater emphasis on cybersecurity and take the risk of a cyberattack seriously.
You can give Rublon Multi-Factor Authentication a try by starting a 30-day Free Trial.