On February 9, 2022, the Securities and Exchange Commission (SEC) proposed expansive new rules addressing cybersecurity risk management for registered investment advisers (advisers) and investment companies (funds). The proposal includes a new rule 206(4)-9 under the Investment Advisers Act of 1940 and a new rule 38a-2 under the Investment Company Act of 1940, as well as amendments to other rules governing investment adviser and fund disclosures. The proposed cybersecurity rules go far beyond Regulation S-P’s and S-ID’s focus on customer records and identity theft by including a new obligation for advisers to report[1] significant cyber incidents to the SEC within 48 hours, and requiring advisers and funds to comprehensively assess, mitigate[2] and disclose cyber risks[3] in a manner that formalizes and builds upon the SEC’s prior guidance,[4] examination activity[5] and enforcement actions.[6]
Highlights of the proposed cyber risk management rules include:
1. 48-Hour Reporting Requirement
Advisers must report to the SEC within 48 hours any cybersecurity incident, or group of related cybersecurity incidents, that significantly disrupts or degrades the ability of the adviser, its funds, or a private fund client of the adviser to maintain critical operations, or that leads to unauthorized access to or use of adviser or fund information, where that unauthorized access or use results in (a) substantial harm to the adviser or its fund, or (b) substantial harm to a client or an investor whose information was accessed.
2. Comprehensive Cybersecurity Risk Management Program
The proposed rules require advisers and funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks, including policies and procedures to:
Assess Risk: Periodically assess, categorize, prioritize and document cybersecurity risks, including risks from the use of service providers.[7]
Secure User Access: Implement controls covering acceptable use, multifactor authentication, password controls, need-to-know access, remote access and mobile devices, together with related employee training.
Protect Information:
- Monitor and protect information systems based on data sensitivity and type, system use and available malware protection, e.g., through encryption or network segmentation.
- Implement and document oversight of service providers, including appropriate contracts and diligence.
Manage Vulnerabilities: Detect, mitigate and remediate any cyber threats and vulnerabilities.
Respond and Recover from Incidents: Detect, respond to and recover from a cybersecurity incident, including compliance with breach reporting obligations.
Annual Review: Review the policies and procedures at least annually and prepare a written report covering any cyber incidents and material changes. For funds, this must include board review of the initial policies and procedures and of the annual report.
Recordkeeping: Retain for five years all policies and procedures, cyber incident reports, reviews and assessments.
3. Disclosures
The proposed rules update advisers’ and funds’ disclosure forms to include reportable cyber incidents from the prior two years, as well as cybersecurity risks and the mitigations in place.
The period for public comment on the proposed rules will remain open for 60 days from the date the SEC published the rules on its website or 30 days from the publication of the proposed rules in the Federal Register, whichever is later. We are continuing to digest the SEC’s voluminous
[2] Rules 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act.
[3] Amendments to Form ADV for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds.
[7] Requirement covers systems that process any electronic information related to the adviser/fund’s business, including any personal information, defined to include any information that can be used, alone or in conjunction with any other information, to identify an individual. For advisers, personal information also includes any other non-public information regarding a client’s account.