Securities Compliance Podcast: Compliance in Context

The Securities Compliance Podcast Season 4: Episode 5

On Season 4 Episode 5 of The Securities Compliance Podcast: Compliance in Context, host and Calfee Partner Patrick D. Hayes discusses the SEC Cybersecurity Rule Proposal (Rule 206(4)-9) with a panel of experts from ACA Aponix and Fairview®, LLC: Carlo di Florio, Christine Tetherly-Lewis, Michael Pappacena, and Amber Allen, Esq., CIPP (US).


Interview with Carlo di Florio (Co-Host; ACA Aponix), Christine Tetherly-Lewis (ACA Aponix), Mike Pappacena (ACA Aponix), and Amber Allen (Fairview Cyber):

  • Historical look at the SEC’s focus on Cybersecurity

  • Formalization of cybersecurity protocols and Rule Proposal 206(4)-9

  • Overview of the Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds

  • What is Rule 10, how does it relate to 206(4)-9, and what are some of the key differences and similarities?

  • When has a cybersecurity incident occurred?

  • How can firms provide proper oversight and staffing of their cybersecurity program?

  • What are the incident disclosure periods for 206(4)-9 and Rule 10?

  • When does a firm actually “know” an incident has occurred that requires reporting to the SEC or disclosure to its clients?

  • How does the Cybersecurity Rule Proposal reconcile with Rule 206(4)-11 and the rule proposal on outsourced service providers?

  • What are the components of the Cybersecurity Rule Proposal and what are the impacts of each?

  • When it comes to potential adoption, what are some major challenges that firms face with regard to these rule proposals?


10:14 – “You really see the growth and focus by the SEC and FINRA and other regulators starting in 2010 and forward timeframe. You mention a number of risk alerts there and I would observe that the exam division has published more risk alerts, special reports, and exam priorities specifically focused on cyber than any other subject. And the same thing at FINRA with some really excellent reports.” – Carlo di Florio

12:20 – “So under the proposed rule 206(4)-9, the SEC has set forth this proposal that would require advisers to adopt specific and fairly prescriptive requirements to address cybersecurity at a firm level. It would require comprehensive programs to address things like cybersecurity risk assessments, which would be conducted annually and potentially more frequently depending on changes in firm risks and also even just industry risks.” – Amber Allen

31:44 – “You don’t know what you don’t know is sort of a cliché when it comes to cyber, but making sure that you have appropriate tools in place that can help you detect an incident or a potential incident. I think that what firms need to do with respect to understanding if there is a significant incident has really – when they look at their incident response plans and how they receive alerts, notifications, and monitoring – set some guidelines and some boundaries around what that all means.” – Mike Pappacena

33:28 – “I think it’s really critical for firms to have thorough monitoring programs in place so they can keep an eye on potential breaches. And under the proposed rule, the SEC did note that firms should be reporting once they have a reasonable basis for concluding that an incident is occurring or has occurred. And it’s interesting that it also noted specifically that that does not mean that they know that the incident has occurred.” – Amber Allen

35:24 – “Testing of all of these practices is really, really important. The best way to be prepared is to roleplay. Step through some of these scenarios. Make sure you know how you would react, how you’d maneuver, and ultimately, how you’d survive one of these issues if an incident does, kind of, reveal itself.” – Christine Tetherly-Lewis

About the Securities Compliance Podcast: Compliance in Context

Introducing the Securities Compliance Podcast: Compliance in Context presented by Calfee, Halter & Griswold, and the National Society of Compliance Professionals and hosted by Patrick D. Hayes, Partner and Chair of Calfee's Investment Management practice.

Designed as a personal master class for the securities legal and compliance professional, this podcast embodies Patrick’s passion to help you put Compliance In Context™ by combining the technical expertise of industry thought leaders and innovators with the practical experience of doers and key decision makers.

Listeners will find the podcast on Apple Podcast, Google Podcast, Spotify, and Stitcher.

The opinions expressed by guest speakers and panelists during Securities Compliance Podcasts may not necessarily reflect the viewpoints of the attorneys and professionals of Calfee, Halter & Griswold LLP or its subsidiaries or affiliates. Calfee’s educational content is intended to inform and educate readers about legal developments and is not intended as legal advice for any specific individual or specific situation. Please consult with your attorney regarding any legal questions you may have. With regard to all content including case studies or descriptions, past outcomes do not predict future results.
