Amid the rising wave of cyberattacks, the Securities and Exchange Commission (SEC) has proposed a set of new rules to strengthen cybersecurity for investment advisers and investment companies (funds). These rules, if adopted, would codify current SEC staff recommendations on cybersecurity policies and procedures while also establishing new reporting requirements for cybersecurity incidents. Advisers and funds would be required to adopt written cybersecurity policies and procedures that are appropriate for the nature and scale of their business and reasonably designed to mitigate cybersecurity risks.
The proposed rules include the following key provisions:
Risk assessment: periodically assess, categorize, prioritize, and document in writing the cybersecurity risks associated with their information systems and data
User security and access: design controls to minimize user-related risks and prevent unauthorized access to systems and data
Information protection: monitor information systems and protect data from unauthorized access or use, based on a periodic assessment of their information systems and data
Threat and vulnerability management: detect, mitigate, and remediate cybersecurity threats and vulnerabilities
Cybersecurity incident response and recovery: implement measures to detect, respond to, and recover from cyberattacks
Investment Advisers & Funds to Report Cybersecurity Issues to the SEC
The proposal would require investment advisers to file a new Form ADV-C with the SEC to disclose significant cybersecurity incidents, including incidents affecting a fund or private fund client. A "significant cybersecurity incident," under the proposal, is a single incident or a series of related incidents that significantly disrupts or degrades the adviser's ability to maintain critical operations, or the ability of a private fund client of the adviser to maintain critical operations. An incident would also be considered significant if it leads to unauthorized access to or use of adviser information and results in (1) substantial harm to the adviser, or (2) substantial harm to a client, or to an investor in a private fund, whose information was accessed.
Requirements for Review & Approval
The proposed rules require advisers, funds, and fund boards of directors to review and approve cybersecurity policies and procedures. To meet their review duties, advisers and funds would be obliged to conduct an annual review of their cybersecurity policies and procedures and prepare a written report summarizing the review's findings at least once a year. This annual review would have to include an assessment of the design and effectiveness of the cybersecurity policies and procedures and of whether they reflect changes in cybersecurity risk over time.
Requirements to Inform Clients and Prospects of Cybersecurity Risks and Incidents
The proposal would require investment advisers to disclose cybersecurity risks and incidents to current and prospective clients as part of Form ADV Part 2A. In their registration statements, funds would be obliged to disclose a summary of any significant fund cybersecurity incidents that occurred in the previous two fiscal years. Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6 are all covered by the proposal. According to the SEC, the new disclosure rules will enhance investor protection and enable investors to make more informed decisions.
Requirements for Additional Record Keeping
The proposal would amend Rule 204-2 (for investment advisers) and Rule 38a-2 (for investment companies), requiring them to keep records relating to the proposed rules, including cybersecurity policies and procedures and cybersecurity incidents. Advisers and funds would be required to retain records of the following for five years:
Cybersecurity policies and procedures
Annual reviews conducted
Documents supporting the annual reviews
Regulatory filings about cybersecurity incidents
Cybersecurity risk assessments
The proposed rules would codify current SEC recommendations on cybersecurity policies and procedures while imposing new incident reporting and disclosure requirements. They would also give fund boards defined oversight obligations. In each part of the proposal, the SEC poses questions to investment advisers and funds about the proposed rule as it works towards finalizing the regulations. Given the SEC's emphasis on cybersecurity for investment advisers and funds, it is likely the rules will be adopted.
Comments on the proposal are due April 11, 2022.