On February 9, 2022, the Securities and Exchange Commission (“SEC”) voted to propose new rules and rule amendments relating to cybersecurity risk management and disclosures for registered investment advisers (“Advisers”), and registered investment companies and business development companies (together, “Funds”). These proposed rules and amendments (the “Proposed Rules”) under the Investment Advisers Act of 1940 (the “Advisers Act”) and the Investment Company Act of 1940 (the “Investment Company Act”) would require Advisers and Funds to (1) adopt new cybersecurity policies and procedures; (2) report significant cybersecurity incidents to the SEC; and (3) disclose cybersecurity risks and incidents.
Proposed new rule 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act (collectively referred to as the “Risk Management Rules”) would require all Advisers and Funds to adopt and implement written cybersecurity policies and procedures “reasonably designed to address cybersecurity risks.”
The Proposed Rules define “cybersecurity risk” to include “financial, operational, legal, reputational and other adverse consequences that could result from cybersecurity incidents, threats and vulnerabilities.” Generally, the cybersecurity policies and procedures should be reasonably designed to ensure the Adviser’s or Fund’s operational capability when confronted with a cybersecurity incident. Although such policies and procedures should be tailored to fit each firm’s cybersecurity risks, they must include the following general elements:
An Adviser or Fund could administer such policies and procedures in-house, or through a third party, subject to appropriate oversight. Similarly, a Fund’s Adviser or sub-Adviser could administer the Fund’s policies and procedures.
The Risk Management Rules would require Advisers and Funds to review their cybersecurity policies and procedures no less than annually to (1) assess the design and effectiveness of such policies and procedures, particularly in light of any changes in risk; and (2) prepare a written report describing the assessment and results.
Proposed rule 38a-2 would also require a Fund’s board of directors (including a majority of its independent directors) to (1) initially approve the cybersecurity policies and procedures, and (2) review the annual review report.
Under proposed rule 204-6 of the Advisers Act, Advisers would be required to submit a newly proposed Form ADV-C promptly, but in no event more than 48 hours, after reasonably concluding that a significant cybersecurity incident has occurred or is occurring. Advisers would need to amend a previously filed Form ADV-C promptly, but in no event more than 48 hours, (1) after the information reported becomes materially inaccurate; (2) after new material information is discovered; or (3) after resolving the incident or closing a related internal investigation.
The new Form ADV-C would collect information regarding a significant cybersecurity incident through a series of check-the-box and fill-in-the-blank questions, and would be filed electronically with the SEC through the Investment Adviser Registration Depository (“IARD”) platform. The SEC’s preliminary view is that Form ADV-C should be confidential.
Advisers. The Proposed Rules would amend Form ADV Part 2A (the “brochure”) to add a new Item 20 entitled “Cybersecurity Risks and Incidents.” Advisers would be required to describe, in plain English, the cybersecurity risks that could materially affect their advisory services, and how they assess, prioritize, and address those risks. Advisers would also be required to describe any cybersecurity incidents that occurred within the last two fiscal years that resulted in significant disruptions in critical operations or in substantial harm to the Adviser or its clients.
Rule 204-3(b) under the Advisers Act does not require Advisers to deliver interim brochure amendments to existing clients unless the amendment includes disciplinary information. The Proposed Rules would amend rule 204-3(b) to require an Adviser to deliver interim brochure amendments to existing clients promptly if the Adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.
Funds. Funds would also be required to disclose significant cybersecurity incidents to prospective and current investors. The Proposed Rules would amend Fund registration forms to require a description of any significant Fund cybersecurity incident that has occurred during the last two fiscal years and whether it has affected or is currently affecting the Fund or its service providers. The new information must be tagged using Inline XBRL.
Additionally, Funds would need to consider cybersecurity risks when preparing risk disclosures in Fund registration statements. If a cybersecurity risk is determined to be a principal risk of investing in a Fund, that Fund should reflect that in its prospectus. The requirements for disclosure describing the incident would be similar to the information that new Form ADV-C requires. To make timely disclosures of cybersecurity risks and significant cybersecurity incidents, a Fund would file a supplement with the SEC, and include such information in its annual shareholder report.
The Proposed Rules would amend the Advisers Act books and records rule (rule 204-2) to require Advisers to maintain certain records for five years, including (1) cybersecurity policies and procedures; (2) annual reviews thereof; (3) documents related to the annual reviews; (4) regulatory filings related to cybersecurity incidents required under the Proposed Rules, including any records related to any response to and recovery from such an incident; (5) records of any cybersecurity incident; and (6) cybersecurity risk assessments.
The full text of the Proposed Rules can be found here. The SEC has requested comments to address 64 specific questions related to the Proposed Rules. Comments are due 30 days after publication in the Federal Register or April 11, 2022, whichever is later.