On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.
Building on the Commission’s mission to protect investors and ensure orderly markets, the release cites the rise in cybersecurity threats and highlights the disruptive consequences and costs (for advisers, funds and investors) of a lack of preparation. The release bases the proposal on advisers’ fiduciary duty to clients and on the anti-fraud “compliance rule,” which requires written policies and procedures to ensure compliance with that fiduciary duty (and other SEC regulations). 17 CFR § 275.206(4)-7; 17 CFR § 270.38a-1 (“Investment Company Compliance Rule”). The release asserts that the proposed rules are necessary, even though it cites existing rules that already address cybersecurity issues: Reg. S-P, 17 CFR 248.1 to 248.31, already requires protection of customer records and information and therefore encompasses cybersecurity, just as Reg. S-ID, 17 CFR 248.201-.202, requires a written identity theft prevention program.
Generally, the proposed rule rests on four key pillars, requiring companies to: (1) “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks,” Proposed Rules 206(4)-9 and 38a-2; (2) “report cybersecurity incidents affecting the adviser, its fund or its clients;” (3) disclose material cybersecurity risks and incidents, through proposed amendments to Form ADV and various fund forms; and (4) implement corresponding record-keeping requirements.
In summary, the proposed rule requires:
Cybersecurity risk management policies and procedures
Written policies and procedures
Risk assessment – Carry out periodic risk assessments, with written documentation, covering:
- inventory, categorization and prioritization
- vendors and service providers
Frequency: at least once a year, or as needed to respond to changes in the business or its threat landscape.
Security and user access policies and procedures which must include:
- Standards of behavior for authorized users
- Two-factor user identification and authentication
- Timely distribution, replacement and revocation of passwords
- Least required user access
- Securing remote technologies
Protection of information – Monitoring and periodic evaluation of information systems and data, taking into account:
- Sensitivity and importance of data
- Personal information
- Access, storage and transmission of data
- Access controls and malware protection
- Potential consequences of a security incident
Threat and vulnerability management – including monitoring, remediation and response training
Incident response and recovery – addressing business continuity, data protection, incident information sharing and reporting to the Commission, including written compliance policies and procedures.
Annual review and written reports
Supervision by the fund’s board of directors
Fund board of directors – Oversight and approval by the board of directors of a fund, including a majority of its independent directors.
Record keeping – Standard five-year retention, including at a minimum: (a) cybersecurity policies and procedures; (b) annual review report; (c) any filed Form ADV-C; (d) records relating to any incident; (e) risk assessment records.
Report to the Commission
Proposed Rule 204-6 would require an adviser to complete and file the new Form ADV-C within 48 hours of having a reasonable basis to believe that a “significant cybersecurity incident” has occurred or is occurring, and to file material updates within 48 hours. A “significant incident” is proposed as an incident that significantly disrupts or degrades critical business continuity or results in substantial harm to the adviser, fund or investors.
Disclosure of cybersecurity risks and incidents
Disclosure of cybersecurity risks and incidents as part of the existing disclosure requirements for advisers (Form ADV) and funds, including delivering interim amendments to existing clients.
Commissioner Peirce dissented, stating that while well-intentioned, the proposed rule is:
- Too prescriptive for a problem that requires constant flexibility, innovation and lends itself better to a public-private cooperation approach;
- Insufficiently grounded in the anti-fraud rules, as it addresses operational risk and compliance issues in situations where the adviser is most often the victim, not the perpetrator; and
- Perhaps unnecessary, given the existing rules dealing in part with cybersecurity.
Her dissent can be found here. Indeed, while the Commission can regulate brokers, the proposed rule does not address them. Instead, its delegated self-regulatory body, FINRA, has taken a far less prescriptive approach to cybersecurity under several of its existing rules. See 2022 Report on FINRA’s Risk Review and Oversight Program, pages 10 et seq., here.
Comments on the proposal should be submitted to the Commission no later than 30 days after publication in the Federal Register or April 11, 2022.
The SEC press release is here. The proposal, Release Nos. 34-94197, IA-5956, IC-34497 (File No. S7-04-22), is here.