You’ve Got Questions. We’ve Got Answers.

As SEC regulations on cybersecurity get closer to going into effect, we know RIAs have numerous questions. We have been closely following all SEC developments and are here to help answer the most pressing questions. Read on to learn more about how and when SEC cybersecurity regulations might affect your business.

When will final SEC cybersecurity regulations for RIAs be released?

There are several rules we are watching closely — two on cybersecurity risk management (one for RIAs, one for broker/dealers). Both are in the final rule stage. The rule for RIAs has been through two comment periods, and our best guess is that it will be released during the late third or early fourth quarter of 2023. The version for broker/dealers will probably push into 2024. We are also closely watching the so-called “outsourcing rule,” which covers a registrant’s oversight of third-party service providers. The Federal Register currently has this scheduled for the first half of 2024, but that date is subject to change.

What do I have to do to stay compliant?

Our AdviserSecure base offering is designed to meet all of the SEC requirements with minimal effort on the part of RIA staff. Your compliance officer/team will certainly need to be involved, but we will take the lead and walk you through the process of developing the required documentation and implementing the technology that will meet all of the requirements. If you want to go above and beyond simply meeting the requirements, the AdviserSecure Complete add-on includes numerous technologies that significantly lower your risk of becoming the victim of a cyberattack but are not specifically required by regulation.

What are the prerequisites for the AdviserSecure service?

You need to be in Microsoft 365. If you aren’t there, we can help get you there. You must have a cyber insurance policy that we have reviewed for adequacy. If you don’t have one, we can refer you to someone who can help you get one. Finally, you must have a switch or firewall capable of port mirroring (often called SPAN) so that our security appliance can receive a copy of your network traffic. We can help you figure out whether you have this, and if not, we can help you find a low-cost solution to put it in place.

What level of effort is required of me as a CCO or compliance professional?

The SEC does not allow RIAs to completely pass off responsibility for meeting ANY regulatory requirement to a third party, and cybersecurity is certainly no exception. We will need to work closely with you through the initial onboarding process. Once that is complete, we’ll need you to designate someone we can work with on a regular basis (daily, weekly, etc.) to discuss any cybersecurity activity we see in the environment that requires investigation (these interactions are very tactical in nature). Beyond that, you’ll need to sit in on semi-annual review meetings. While we will help facilitate the creation and storage of documentation related to your compliance, in the SEC’s eyes you ultimately ‘own’ that responsibility, so you’ll need to do your due diligence and review/verify everything we create. Finally, in the event of a cyber incident, you (like us) will need to have a seat at the table during incident response.

Can’t my managed service provider/technology provider/existing IT staff just do this?

Probably not. First, we are highly specialized and focused in the areas of cybersecurity and compliance, holding both Certified Ethical Hacker and Investment Adviser Certified Compliance Professional® designations. Your existing technology provider or internal team is likely more of a generalist. Second, building the infrastructure and process to monitor cybersecurity threat activity in real time is a completely different discipline from supporting an organization’s technology. This isn’t an area where you want to take a chance on somebody missing something. Third, with the pending outsourcing rule from the SEC, there will likely be specific requirements that will need to be in your vendor contracts. Our agreements will meet those requirements – both present and future. Your IT company may not adapt so readily. Finally, a large portion of what AdviserCyber does relates more directly to regulatory compliance – developing and maintaining documentation, processes, policies, etc. – and is not directly related to working with technology. Your existing IT company or staff likely isn’t prepared to handle that part. All of that being said, we will work closely with your existing IT partner or in-house team where needed to ensure smooth operation of your technology environment. And if you don’t have an IT company, we can refer you to one that has the expertise and experience of working with us as part of a team.

What does it cost?

Before providing you with an exact quote, we’ll need to learn some of the specifics of your environment. That being said, across our entire customer base, our AdviserSecure offering generally averages around $100/month per computer or user. For larger organizations it is generally a little lower, and for smaller organizations a little higher. There is a minimum of $2,000/month and a 12-month term, with discounts for 2- and 3-year terms. There is also an onboarding fee that depends heavily on the current state of your cybersecurity and related compliance. That fee is usually in the thousands of dollars, not tens of thousands and not hundreds. Reach out to us for your customized RIA Cybersecurity Compliance Assessment, which will include exact pricing for your organization.

The SEC has mentioned the NIST Cybersecurity Framework in several risk alerts and other communications – can you help me align with that standard?

Yes. We can develop a custom engagement to walk you through the entire process: assess where you are today, perform a gap analysis, and help you move toward full alignment with NIST CSF. Our tools will also continue to monitor your alignment on an ongoing basis so you don’t ‘drift’ away from it over time. Although there is no test, audit, or certification for NIST CSF, we can produce robust reports showing your alignment and the specific controls you have put in place, and we can even make a version of this report available to regulators, customers, or external partners (via a gated site behind an NDA if you’d like) to demonstrate your alignment with this standard.

I’ve found other tools for RIA cybersecurity and compliance on the market that are less expensive – how are you different?

It is very important to draw a distinction between a tool that does ‘monitoring’, ‘automated remediation’, and ‘reporting’ and the service AdviserCyber provides. The issue with a tool is that all it is going to do is spit out a LONG to-do list for you, and as a compliance professional you don’t need more to do. “This computer is missing a patch”, “this firewall has a vulnerability due to misconfiguration”, “this user doesn’t have multi-factor authentication set up”, “we detected potentially malicious activity on this laptop”. Now what? AdviserCyber combines white-glove service with white-hat hacker expertise, so those alerts and to-do items come to US, not you. As a compliance pro, are you the one who should be judging whether the detection of an Nmap scan in your environment is legitimate or malicious behavior? We’d suggest you leave that to us and free yourself to focus on your core area of expertise.

Let's Connect

Want to learn more? We’re available to answer questions about pricing, custom cybersecurity needs, and more. We can even give you a detailed outline of what the onboarding and implementation of AdviserSecure looks like.