As cybersecurity incidents increase in frequency and notoriety, the Securities and Exchange Commission (the “SEC”) aims to strengthen cybersecurity regulations across the financial industry, including investment advisers registered with the SEC (“RIAs”) and registered investment companies and business development companies (collectively, the “Funds”). On February 9, 2022, the SEC proposed new rules and amendments (the “Proposal”) which, if adopted as proposed, would create specific disclosure and reporting requirements for RIAs and Funds on cybersecurity matters, as well as specific requirements for cybersecurity policies and procedures. Notably, the Proposal was released on the same day that the SEC released another significant set of proposed rules applicable to private fund advisers, which was the subject of our previous article, SEC Proposes Important Regulatory Overhaul for Private Fund Advisers.
Highlights of some of the key elements of the proposal are outlined below:
Cybersecurity risk management policies and procedures
Under the Proposal, RIAs and Funds would be required to adopt and implement policies and procedures reasonably designed to address cybersecurity risks. These policies and procedures would, among other things, require RIAs and Funds to: (1) periodically assess their exposure to cybersecurity risk, (2) implement controls designed to minimize user-related risk and prevent unauthorized access to company systems and data, (3) adopt appropriate measures to monitor the exposure of company systems and protect company information from unauthorized access or use, (4) adopt measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities, and (5) develop measures to identify, respond to and recover from cybersecurity incidents. In addition, RIAs and Funds would be required to review these policies and procedures annually and prepare a written report describing that assessment.
Reporting of significant cybersecurity incidents
The Proposal would require RIAs to report significant cybersecurity incidents to the SEC. Importantly, RIAs would also be obligated to report significant cybersecurity incidents on behalf of their Fund clients and private fund clients. The Proposal would require an RIA to report any significant cybersecurity incident to the SEC within 48 hours of when the RIA has a reasonable basis to conclude that such an incident has occurred. An RIA would report such an incident by submitting the proposed new Form ADV-C, which would provide a structured format for reporting significant cybersecurity incidents.
Disclosure of cybersecurity risks and incidents
The Proposal would also amend Form ADV Part 2A (an RIA’s “brochure”) to require an RIA to disclose: (1) cybersecurity risks that could materially affect its services, (2) how it assesses, prioritizes and addresses those risks, and (3) any cybersecurity incident during the last two fiscal years that has significantly disrupted or degraded the RIA’s ability to maintain its critical operations, or that has resulted in substantial harm to the RIA or its clients. In addition, the Proposal would require an RIA to deliver an interim brochure amendment to existing clients if the RIA adds a cybersecurity incident or materially revises information about a previously disclosed cybersecurity incident.
Similarly, the Proposal would require a Fund to disclose in its registration statement any significant cybersecurity incident that has occurred during the last two fiscal years.
The Proposal would also impose additional recordkeeping requirements, obligating RIAs and Funds to maintain certain records related to the Proposal’s requirements.
The public comment period for the Proposal will remain open for at least sixty days after the proposing release is posted on the SEC’s website. Although most RIAs and Funds already have compliance policies and procedures that address cybersecurity, the Proposal, if adopted as proposed, would impose specific requirements on those procedures and create new reporting and disclosure obligations with respect to cybersecurity matters. Although the Proposal is still pending, we suggest that RIAs and Funds review their cybersecurity policies, procedures and practices and consider how the Proposal, if adopted, would affect current practices, particularly in light of the increasing attention the SEC is paying to cybersecurity issues.