In February of 2022, the Securities and Exchange Commission proposed new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies, as well as amendments to certain rules that govern investment adviser and fund disclosures.
While some funds and advisers have implemented cybersecurity programs under the existing regulatory framework, there are no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs. In order to address concerns that some registered funds and advisers have not implemented reasonably designed cybersecurity programs and therefore may be at greater risk of harm, the Commission is proposing rules that specifically would:
- Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks
- Require advisers to report significant cybersecurity incidents to the Commission on proposed Form ADV-C
- Enhance adviser and fund disclosures related to cybersecurity risks and incidents
- Require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records
Require Written Policies and Procedures Addressing Cybersecurity Risks
The Commission is proposing rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act, which would require advisers and funds that are registered or required to be registered to implement cybersecurity policies and procedures. The proposed rules list certain general elements that advisers and funds would be required to address in their written policies and procedures in order to respond to operational and other risks that could harm advisory clients and fund investors or lead to the unauthorized access to or use of adviser or fund information, including the personal information of their clients or investors.
Under the proposed rules, an adviser’s or fund’s cybersecurity policies and procedures generally should be tailored based on its business operations, including its complexity, and accompanying cybersecurity risks. The proposed rules would also require advisers and funds, at least annually, to review and evaluate the design and effectiveness of their cybersecurity policies and procedures.
Require Reporting of Significant Cybersecurity Incidents
The proposal includes a reporting requirement under new rule 204-6 that would require advisers to report significant cybersecurity incidents to the Commission on a confidential basis, including on behalf of a fund or private fund client, by submitting a new Form ADV-C promptly, and in no event more than forty-eight hours after the adviser has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring.
Enhance Disclosures Related to Cybersecurity Risks and Incidents
The Commission is also proposing amendments to adviser and fund disclosure requirements to provide current and prospective advisory clients and fund shareholders with improved information regarding cybersecurity risks and cybersecurity incidents. The proposed amendments would revise Form ADV Part 2A for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds so as to enhance such cybersecurity disclosures.
Require Certain Cybersecurity-Related Books and Records
The proposed rules would require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records. Rule 204-2 under the Advisers Act sets forth requirements for maintaining, making, and retaining books and records relating to an adviser’s investment advisory business. The Commission has proposed amending this rule to require advisers to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. Likewise, proposed rule 38a-2 under the Investment Company Act would require that a fund maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule.
The proposed rules were published in the Federal Register on March 9, 2022. The public comment period will remain open until April 11, 2022. The full text of the proposed new rules can be found at https://www.sec.gov/rules/proposed/2022/33-11028.pdf