According to a 2024 Cybersecurity Benchmarking Survey, 45 percent of surveyed compliance personnel from asset management, investment adviser and private market firms have expressed concerns about how the Securities and Exchange Commission (SEC) will enforce its newly developed cybersecurity rules.
The ACA Group and National Society of Compliance Professionals released the results from the survey that exhibited the sense of uncertainty surrounding the enforcement of the SEC’s cybersecurity rules. The results indicated that 44 percent of respondents surveyed said they are uncertain about how the SEC will enforce the rules, while 36 percent of compliance professionals cited concerns with complying with cyber incident reporting requirements and timeframes.
Mike Pappacena, a partner of ACA group, said in a statement that “it’s clear that regulatory compliance remains a top concern,” because nearly half of respondents expressed uncertainty about SEC enforcement. Pappacena said the survey results underline the importance of staying ahead of evolving cybersecurity threats.
The online survey consisted of around 310 investment adviser firms. All firm sizes were represented and responding firms belonged to varied business types, with most responses coming from asset managers, broker- dealers, and alternative investment advisors.
According to the survey, around 80% of the participants are confident in their firms’ ability to combat a cyber breach and that the top cyber threat that raised concern is payment fraud and business email compromise.
As a result of the SEC’s adopted rule, public companies are now required to disclose cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The SEC rules now require companies to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
The SEC additionally requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. The companies are provided a four-day grace period to disclose any cybersecurity incidents from the moment it deems the incident as material.
The SEC’s Consideration of Additional Cybersecurity Proposals
Cybersecurity has been a top priority for the SEC. The Commission is currently considering other cybersecurity-related proposals including one that would require brokers, dealers, investment advisers and companies to implement written policies and procedures concerning unauthorized access to or use of customer information. This would include procedures that are purposed for notifying customers of the incident.
The SEC is also proposing to broaden the scope of information covered by making changes to the requirements for safeguarding customer records and information, and for properly disposing of consumer report information.
Although these proposed measures signal a determined effort to enhance protection for investors, many are worried as to exactly how the SEC will enforce these newly adopted rules and proposals. 
Jacob Horowitz is a contributing editor at Compliance Chief 360°