SEC Proposes New Cybersecurity Risk Management Rules for Advisers and Funds
By: Megan A. Bowman
Last week, the Securities and Exchange Commission (SEC) voted to propose new rules applicable to registered investment advisers and investment companies.
The new rules under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940 (Investment Company Act) would impose new cybersecurity risk management requirements, including the adoption and implementation of written information security policies and procedures and the disclosure to the SEC and clients of certain cybersecurity incidents.
These rules follow the SEC’s January 26, 2022, proposal to require private equity fund advisers to file a current report on Form PF within one business day of discovering a “significant disruption or degradation” of a fund’s “key operations.” That report would state the date of the event and when it was discovered, where the event occurred (fund, adviser, or service provider), whether the adviser initiated a disaster recovery or business continuity plan, and the impact on normal operations.
Legally mandated cybersecurity risk management programs and security incident notification procedures are not novel concepts. For example, many companies have matured their information security practices in response to laws like Massachusetts’s Data Security Regulations. However, to date, the SEC has not required registered investment advisers and investment companies to take more robust actions to mitigate the risks to clients and investors posed by what the SEC characterizes as a “lack of cybersecurity preparedness.”
Risk Management Policies and Procedures
Under proposed Rule 206(4)-9 under the Advisers Act and proposed Rule 38a-2 under the Investment Company Act, each adviser and fund must adopt “reasonably designed” cybersecurity policies and procedures that require:
- Periodic and documented cybersecurity risk assessments of the adviser or fund’s information systems.
- System access controls, including multifactor authentication measures, procedures for timely replacement and revocation of passwords or authentication methods, and securing remote access technologies.
- Information protection, including oversight of service providers and monitoring of information systems.
- Threat and vulnerability detection, mitigation, and remediation measures.
In connection with these proposed requirements, the SEC recommends advisers and funds consult the 2018 National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, as well as the Cybersecurity and Infrastructure Security Agency’s Cyber Essentials Starter Kit.
In addition, under the proposed rules, advisers and funds’ policies must address cybersecurity incident response and recovery. For the purposes of the proposed rules, “cybersecurity incident” is defined as, “an unauthorized occurrence on or conducted through [an adviser’s or fund’s] information systems that jeopardizes the confidentiality, integrity, or availability of [an adviser’s or fund’s] information systems or any [adviser or fund] information residing therein.” Personal information received, maintained, created or processed by an adviser or fund is considered part of the adviser or fund’s “information systems.”
Advisers and funds’ policies must also include measures to ensure continued operations of the adviser or fund in the event of a cybersecurity incident and require written documentation of any cybersecurity incident and the response to such incident.
Advisers and funds are required to review their cybersecurity policies and procedures at least annually to assess their design and effectiveness. Advisers and funds must also prepare a written report that describes such review and assessment, describes any tests performed and related results, documents cybersecurity incidents, and addresses any material changes made to the adviser or fund’s policies and procedures. Funds must submit the report to the fund’s board of directors for review.
Reporting to the Commission
Further, the SEC proposes external reporting requirements in connection with “significant” cybersecurity incidents. A “significant” cybersecurity incident is a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades an adviser or fund’s ability to maintain critical operations or leads to the unauthorized access or use of adviser or fund information, where the unauthorized access or use of such information results in substantial harm to the adviser, fund, or a client or investor.
Under proposed Rule 204-6 under the Advisers Act, advisers are required to report significant cybersecurity incidents to the SEC “promptly, but in no event more than 48 hours, after having a reasonable basis to conclude that any such incident has occurred or is occurring.” Reports must be submitted using a new Form ADV-C, and advisers must amend a previously filed report within 48 hours of discovering new material information or inaccuracies, or of the incident being resolved.
Client Disclosures and Registration Statements
The SEC also proposes revisions to Form ADV Part 2A for advisers and to several registration forms for funds. Under the proposed revisions, advisers and funds must describe any significant cybersecurity incident that has occurred in the last two fiscal years, including (1) the entity or entities affected, (2) when the incident was discovered and whether it is still ongoing, (3) whether any data was stolen, altered, or accessed or used for any unauthorized purpose, (4) the effect of the incident on operations, and (5) whether the incident has been, or is being, remediated.
Further, new Item 20 in advisers’ Form ADV Part 2A calls for descriptions of cybersecurity risks that could materially affect the adviser’s advisory services and how the adviser assesses, prioritizes, and addresses cybersecurity risks created by the nature and scope of its business. Advisers must also deliver interim brochure amendments to existing clients if the adviser adds a disclosure of a cybersecurity incident or materially revises information already disclosed about an incident.
It is unknown what final form the SEC’s proposed rules and amendments will take. Comments are due on or before (1) 30 days after the proposing release is published in the Federal Register, or (2) April 11, 2022, whichever is later. However, the SEC’s proposed rulemaking reflects a growing trend in the United States to regulate the protection of information systems and brings this national conversation to the forefront of the financial sector.