On February 9, 2022, the United States Securities and Exchange Commission (“SEC”) proposed a set of new rules and amendments aimed at strengthening cybersecurity readiness and improving the cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks.
If adopted, these rules will incorporate existing SEC staff guidance on cybersecurity policies and procedures and create new requirements for reporting cybersecurity incidents.
The proposal includes new Rule 206(4)-9 under the Investment Advisers Act of 1940 (the “Advisers Act”) and new Rule 38a-2 under the Investment Company Act of 1940 (the “Company Act”).
Key provisions of the proposed rules include:
Obligation to maintain cybersecurity policies and procedures
The proposal would require investment advisers and investment firms to adopt and implement policies and procedures reasonably designed to address cybersecurity risks. The rules set out certain general elements that cybersecurity policies and procedures must contain to help address operational and other risks that could harm advisory clients and fund investors, or that could lead to unauthorized access to or use of adviser or fund information, including personal information belonging to their clients or investors.
Obligation for advisers to report material cybersecurity incidents to the SEC
The proposal would require investment advisers to report material cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C.
The rules define a “significant cybersecurity incident” as a single cyber incident, or a combination of incidents, that significantly disrupts or degrades the ability of the adviser, or of a private fund client of the adviser, to maintain critical operations. An incident is also “material” if it leads to unauthorized access to or use of adviser information, where that unauthorized access or use results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or to a private fund investor, whose information was accessed.
Obligation to disclose cybersecurity risks and incidents to customers and prospects
The proposal would amend Form ADV Part 2A to require investment advisers to disclose cybersecurity risks and incidents to advisory clients and prospective clients. Investment firms would be required to include in their registration statements a description of any material fund cybersecurity incident that has occurred in the last two fiscal years. The proposal includes changes to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.
Additional Record Keeping Requirements
The proposal would amend Rule 204-2 (for investment advisers) and Rule 38a-2 (for investment firms) to require the maintenance of records related to the proposed rules, including their cybersecurity policies and procedures and the occurrence of cybersecurity incidents.
Call for public comments
The public comment period will remain open for 60 days after the proposing release is posted on the SEC’s website (through April 11, 2022) or for 30 days after the proposing release is published in the Federal Register, whichever period is longer.
Registered investment advisers and investment firms are already subject to Regulation S-P Rule 30(a), the SEC’s version of the Gramm-Leach-Bliley Act (GLBA) “Safeguards Rule”. The Safeguards Rule requires registered investment advisers to adopt written policies and procedures implementing reasonably designed technical, administrative and physical safeguards to protect the security and confidentiality of client records and information. The proposed rule, however, imposes cybersecurity requirements for data and systems that go beyond the scope of the Safeguards Rule and, for the first time, would impose a reporting obligation for significant incidents. Coming less than six months after the SEC sanctioned eight companies for Safeguards Rule violations, the proposed rule demonstrates continued attention and commitment to cybersecurity enforcement. It is part of a broader trend of actions by US government agencies, including the US Department of Justice, the US Department of Homeland Security and the US Federal Trade Commission, aimed at improving the cybersecurity practices of private sector organizations following the administration’s Executive Order “Improving the Nation’s Cybersecurity” issued last year (Executive Order 14028, May 12, 2021).