Important SEC Cybersecurity Changes Expected to Come This April

Author(s): Christian Scott

In February of 2022, the U.S. Securities and Exchange Commission (SEC) voted to establish a formal set of cybersecurity risk management requirements under the Investment Advisers Act of 1940 (“Advisers Act”) for registered investment advisers and investment funds. These proposed cybersecurity risk management rules as part of Rule 206(4)-9 are expected to be finalized in April 2023 per the SEC’s regulatory agenda. These new potential cybersecurity requirements are designed by the SEC to bolster investors' confidence in the advisers' and funds' operational resiliency, as well as the safety of their investments. The SEC has already released a Fact Sheet setting the clear expectation that the core framework for these cybersecurity requirements will be finalized soon, which is expected to have significant implications for investment adviser and private fund cybersecurity programs moving forward.

The SEC’s Key Points of Focus for their Cybersecurity Requirements Include:

  • Establishing annually reviewed and codified written information security policies, including coverage for business continuity planning and incident response
  • Adviser and fund disclosure requirements pertaining to pertinent cyber risks and incidents
  • Incident response requirements that include reporting incidents to the SEC within 48 hours
  • Conducting regular risk assessments, including formally categorizing, tracking and prioritizing cyber risks
  • Ongoing vulnerability and threat management, including scanning, monitoring, tracking and patching of vulnerabilities
  • Third-party and vendor risk management processes to manage the residual risk associated with unauthorized access to sensitive fund information
  • Implementing robust user access controls and information protection controls to restrict access to sensitive fund information
  • Enhanced fund board oversight, recordkeeping and reporting requirements, including approving cybersecurity policies, measuring the efficacy of cybersecurity processes, tracking cyber policy changes over the last five years, and more

How Gotham Security, An Abacus Group Company, Can Help:

The SEC has already made it clear with its Fact Sheet that it intends to finalize these proposed rule changes soon, so firms should be proactive and prepare in advance.

The Gotham Security team is at the forefront of tracking and understanding the latest cybersecurity regulatory changes from the SEC and other regulatory bodies, and Gotham Security has specific services tailored to meet the needs of these requirements and the challenges imposed on firms.

Gotham Security’s SEC Cyber Readiness Specific Services Include:

  • Conducting Regular Cyber Risk Assessments
  • Building Written Information Security Policies, Incident Response Plans & Business Continuity Plans
  • Continuous Vulnerability Scanning & Risk Management Services
  • End-user Security Awareness Testing & Training
  • Conducting Network & Cloud Penetration Testing
  • Performing Third Party Due Diligence & Risk Assessments

Set up a meeting today, or reach out to our team at [email protected].

Who We Are
Initially founded in 2013 in the heart of New York City, Gotham Security is an Abacus Group company that focuses on providing boutique cybersecurity services. Gotham Security delivers high-quality penetration testing, malicious adversary simulation, compliance program development, and threat intelligence services to organizations all across the world, including many Fortune 1000 companies.

© 2023 Gotham Security