
Published on March 3rd, 2022


SEC proposes cybersecurity risk management rules for investment advisers, funds and business development companies



The Securities and Exchange Commission (SEC) has joined a host of other regulators in doubling down on efforts to protect against rapidly intensifying cyber threats, with important implications for all SEC-registered investment advisers (Advisers) and SEC-registered investment companies (Funds).1

On February 9, 2022, the SEC proposed a package of new rules and amendments designed to enhance the cybersecurity practices at investment advisers and investment companies, including mutual funds, exchange-traded funds, insurance separate accounts, business development companies and closed-end funds (the Proposal).

This move comes as elements of the US government, called to action by President Biden's Executive Order of May 2021,2 look for ways to improve the nation's cybersecurity. The SEC's Proposal follows on the heels of SEC enforcement actions against eight firms in 2021 for deficient cybersecurity procedures and a flurry of SEC publications on cyber risks, all driven by concern about the disruption an attack on Advisers and Funds could cause to the economy.

Indeed, information security and operational resilience is not a new focus for the SEC: the topic has been the subject of risk alerts and has appeared consistently in the SEC Examination Priorities list since 2014, and we expect it to appear again on the 2022 list, due for release imminently.3 We also expect to see increased enforcement activity against firms that the SEC determines give insufficient attention to cybersecurity risk management, even absent this rulemaking.

On the one hand, generally speaking, the SEC's proposed cybersecurity requirements are not novel for the investment sector. Rather, the Proposal focuses on incorporating best practices and standards that are already included in other regulatory frameworks, such as the New York State Department of Financial Services' cybersecurity requirements. Moreover, some of the proposed rules build on the familiar compliance frameworks set out in Rule 206(4)-7 under the Investment Advisers Act of 1940 (the Advisers Act) and Rule 38a-1 under the Investment Company Act of 1940 (the 1940 Act). On the other hand, the proposed requirements would demand significant effort, expense and expertise. Perhaps the most impactful aspect is that the Proposal would cause cybersecurity to be fully integrated into all Advisers' and Funds' compliance programs. Put another way, the Proposal would require Advisers and Funds to fully embrace a "cyber culture" in which cybersecurity is integrated into the Adviser's and Fund's operations.

In short, the Proposal sets out four requirements to:

  1. adopt and implement written cybersecurity policies and procedures that include certain key elements;
  2. report significant cybersecurity incidents which affect an Adviser or its registered or private fund clients to the SEC within 48 hours;
  3. disclose significant cybersecurity risks and cybersecurity incidents in Fund prospectuses; and
  4. maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.

First, the Proposal sets out new Rule 206(4)-9 under the Advisers Act and new Rule 38a-2 under the 1940 Act, which would require Advisers and Funds to implement cybersecurity policies and procedures tailored to the Adviser's or Fund's business complexity and cybersecurity risks. Under the Proposal, the written policies and procedures would have to contain specific elements, including risk assessments and controls to detect, mitigate and remediate threats and vulnerabilities, and would have to specify how the Adviser or Fund will meet new requirements to conduct in-depth due diligence reviews of, and negotiate new contract terms with, service providers. As with Rules 206(4)-7 and 38a-1, the written policies and procedures would have to be reviewed at least annually and, for Funds only, approved by the board.

In addition to reviewing the written policies and procedures annually, Advisers and Funds would also have to prepare an annual written report describing the annual review, assessment and any control tests performed, detailing any cybersecurity incidents that occurred since the date of the last report, and discussing any material changes to the policies and procedures since the date of the last report. While the cadence and format of these requirements mirror those of Rules 206(4)-7 and 38a-1, the rules' detailed focus on cybersecurity will be new to Advisers and Funds, which to date have only had to comply with the SEC's Safeguards Rule (Rule 30 under Regulation S-P) and some state cybersecurity requirements.


Second, the Proposal introduces a requirement for Advisers to report "significant" cybersecurity incidents to the SEC within 48 hours, including on behalf of a Fund or a private fund client. This requirement would come on top of other applicable regulatory reporting requirements and may result in an overall acceleration of reporting.4 A cybersecurity incident would trigger reporting if it either: (i) significantly disrupts or degrades critical operations; or (ii) leads to the unauthorized access or use of Adviser information that results in substantial harm to the Adviser or to a client whose information was accessed.

Where required, the reporting would be confidential and would be made by filing a new form, Form ADV-C, on the SEC's Investment Adviser Registration Depository (IARD) platform. The Adviser would be required to submit Form ADV-C within 48 hours after it has a reasonable basis to conclude that a significant Adviser cybersecurity incident or a significant Fund cybersecurity incident has occurred or is occurring. Advisers would have to amend Form ADV-C if previously filed information becomes inaccurate, if new information is discovered, and after the cybersecurity incident is resolved.

Third, the SEC proposes amending existing Adviser and Fund disclosure requirements. With respect to Funds, Form N-1A, as well other Fund registration forms, would be amended to require specific prospectus disclosures of significant Fund cybersecurity incidents occurring in the prior two fiscal years that affected the Fund, the Fundā€™s adviser, or the Fundā€™s service providers. Likewise, for Advisers, the Form ADV Part 2A would be amended to require similar disclosures of cybersecurity risks and incidents.

Fourth, the Proposal sets forth new recordkeeping requirements under Advisers Act Rule 204-2 and proposed Rule 38a-2 under the 1940 Act. Under the Proposal, Advisers would be required to maintain: (i) a copy of their cybersecurity policies and procedures that are in effect or were in effect within the past five years; (ii) a copy of the Adviser's written report documenting each annual review of its cybersecurity policies and procedures conducted in the last five years; (iii) a copy of any Form ADV-C filed by the Adviser within the last five years; (iv) records documenting the occurrence of any cybersecurity incident in the last five years; and (v) records documenting the Adviser's cybersecurity risk assessments in the last five years. Funds would be subject to similar recordkeeping requirements under the Proposal and would also have to keep copies of the written reports provided to the board within the last five years.

Among the more impactful elements of the Proposal are the requirements to report significant cybersecurity incidents to the SEC within 48 hours and to disclose third-party service provider cybersecurity incidents in the Fund prospectus or Adviser Form ADV. Advisers and Funds may want to consider strengthening oversight of their service providers, for example by seeking regular cyber health attestations from them and negotiating a right to terminate the relationship following a cybersecurity incident. The prospectus disclosure requirements could also heighten a Fund's liability for misstatements and omissions. The recordkeeping requirements regarding cybersecurity controls, annual reviews and cybersecurity incidents may also enable SEC enforcement actions built on the Adviser's or Fund's own documented records, rather than requiring the SEC to undertake a forensic examination, as is currently the case.

The SEC is currently accepting comments on the Proposal until April 11, 2022 or 30 days following publication of the proposing release in the Federal Register, whichever period is longer. No matter the final form these rules take, companies would be well advised to review the Proposal and consider the steps they would need to take, both from a technical perspective as well as from a legal compliance perspective, to comply with the Proposal.




