The SEC's 2023 cybersecurity rules (effective 2024 for larger advisers) require registered investment advisers to: adopt written cybersecurity policies and procedures, implement annual reviews of those policies, report significant cybersecurity incidents to the SEC within 48 hours via Form ADV-C, and make cybersecurity disclosures on Form ADV. IT requirements include written policies, incident detection and response capabilities, and documentation sufficient to demonstrate compliance.
The Two Main Rules Affecting Investment Advisers
The SEC released two related cybersecurity rules in 2023, both building on existing obligations under the Investment Advisers Act:
- Cybersecurity Risk Management Rule (Advisers Act Rule 206(4)-9): Requires RIAs to adopt written cybersecurity policies, conduct annual reviews, implement specific technical controls, and maintain records.
- Incident Reporting Rule (Advisers Act Rule 204-6): Requires reporting "significant cybersecurity incidents" to the SEC within 48 hours, and annual disclosure of cybersecurity risks and incidents on Form ADV.
Compliance dates were phased: larger advisers (AUM $1.5B+) had earlier deadlines; smaller advisers had 18-month implementation periods. As of mid-2026, all registered advisers should be in full compliance.
What the Written Cybersecurity Policy Must Address
Rule 206(4)-9 requires written policies and procedures "reasonably designed to address cybersecurity risks." The rule specifies several required elements:
- Risk assessment: Identification and assessment of cybersecurity risks to adviser information and systems
- User security: Controls to prevent unauthorized access — the rule specifically identifies authentication, access controls, and password management
- Information protection: Encryption, data classification, and handling procedures
- Threat and vulnerability management: Processes for identifying, assessing, and mitigating threats — including patch management
- Cybersecurity incident response: Detection, response, and recovery procedures; preservation of relevant records
- Business continuity and disaster recovery: Plans to ensure continued operations and recovery from incidents
- Third-party risk: Oversight of service providers that receive or store adviser information or have access to adviser systems
The 48-Hour Incident Reporting Requirement
This is the element that has gotten the most attention. "Significant cybersecurity incidents" must be reported within 48 hours of discovery. The SEC defines "significant" as any incident that:
- Significantly disrupts or degrades the adviser's ability to maintain critical operations
- Leads to the unauthorized access or use of adviser information that results in substantial harm to the adviser or its clients
- Results in the loss, theft, or corruption of material information
From an IT operations perspective, this 48-hour requirement means you need:
- Security monitoring capable of detecting incidents quickly — you can't report something you haven't detected
- A defined escalation path: who determines whether an incident is "significant"?
- Pre-drafted incident report templates to meet the 48-hour deadline under pressure
- Legal counsel pre-engaged to advise on materiality determinations
IT Controls That Satisfy the Rule's Requirements
Translating the rule's language into IT implementation:
| Rule Requirement | IT Implementation |
|---|---|
| User security and access controls | MFA enforced, role-based access, privileged access management, quarterly access reviews |
| Information protection | Full disk encryption on all endpoints, TLS for data in transit, DLP for email and cloud storage |
| Threat and vulnerability management | Vulnerability scanning, patch management SLA (critical patches within 72 hours), EDR on all endpoints |
| Incident detection and response | SIEM or SOC monitoring, written IR plan, tabletop exercise annually |
| Business continuity | Tested backup and recovery procedures, documented RTO/RPO, alternate work arrangements |
| Third-party risk | Vendor security questionnaires, contract security requirements, periodic review of critical vendors |
Annual Policy Review Requirement
The rule requires annual review of cybersecurity policies and procedures, with documentation of the review. This is not a cursory checkbox — examiners look for evidence that the review was substantive:
- Review any cybersecurity incidents that occurred during the year and what they revealed about policy gaps
- Update the risk assessment to reflect changes in the threat landscape and your IT environment
- Document any policy changes made as a result of the review
- Report findings to senior management and document that review
Your IT provider should support this annual review by providing an updated risk assessment, incident log, and recommendations for policy updates based on changes in your environment.
Frequently Asked Questions
Does the SEC cybersecurity rule apply to exempt reporting advisers (ERAs)?
ERAs are exempt from many Advisers Act requirements, and the cybersecurity rule applies to registered investment advisers. ERAs that are not registered with the SEC are therefore not directly subject to this rule, though they may face state-level equivalents.
What constitutes a "significant" cybersecurity incident requiring SEC reporting?
The SEC defines significance around material impact — disruption of critical operations, substantial unauthorized access to client information, or material harm. Routine phishing emails that were blocked, or incidents contained before reaching client data, would not typically qualify. You should document the determination for any incident you evaluate and decide not to report.
What records must be maintained for cybersecurity compliance?
Rule 204-6 requires maintaining records of cybersecurity incidents, the written policies and procedures, and documentation of the annual review. Records must be kept for 5 years. Your IT provider and compliance consultant should coordinate on which logs and documents must be preserved and in what format.