New Cybersecurity Risk Management Rules
As proposed, the new Cybersecurity Risk Management Rules (Rule 206(4)-9 under the Advisers Act and new Rule 38a-2 under the Investment Company Act) will require firms to adopt and implement a written cybersecurity risk management program that covers the following areas, while allowing for some degree of customization to each firm’s business:
- Periodic Risk Assessment and Inventory
- User Security and Access
- Information Protection
- Threat and Vulnerability Management, and
- Incident Response and Recovery