On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three-to-one vote. If adopted, the proposed rules would apply to registered investment advisers (“RIAs”), certain registered investment companies (“RICs”) and business development companies (“BDCs,” together with RICs, “registered funds”). Notably, the proposal would require RIAs to notify the SEC on a confidential basis within 48 hours of discovering a significant cybersecurity incident. The proposed rules represent the first of several rule proposals on cybersecurity that SEC Chair Gensler has indicated are forthcoming from the agency.
Risk Management Rules
The proposed rules would require RIAs and registered funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules describe various elements that RIAs and registered funds would be required to address in their cybersecurity policies and procedures regarding operational and other risks that could harm advisory clients and fund investors or lead to the unauthorized access to or use of information, including personal information of clients or investors. The proposed rules would allow firms to tailor their cybersecurity policies and procedures to fit the nature and scope of their businesses and address their individual cybersecurity risks. At a minimum, however, all RIAs and registered funds would be required to conduct a periodic risk assessment; minimize user-related risks and prevent the unauthorized access to information and systems; monitor information systems and protect information from unauthorized access or use; detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to information and systems; and deploy measures to detect, respond to, and recover from a cybersecurity incident.
Annual Review and Oversight
The proposed rules would require RIAs and registered funds to review their cybersecurity policies and procedures no less frequently than annually. Accordingly, advisers and funds would be required at least annually to:
(1) review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
(2) prepare a written report.
The report would, at a minimum, describe the annual review, assessment, and any control tests performed; explain the results; document any cybersecurity incident that occurred since the date of the last report; and discuss any material changes to the policies and procedures since the date of the last report. In the case of registered funds, the proposed rules would also require a fund’s board of directors, including a majority of its independent directors, initially to approve the fund’s cybersecurity policies and procedures, as well as to review the annual written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures.
The proposal would amend the books and records rules for RIAs and registered funds. Specifically, the proposal would require advisers to maintain certain records related to cybersecurity risk management and the occurrence of cybersecurity incidents. Likewise, registered funds would be required to maintain copies of cybersecurity policies and procedures and other related records specified under the proposed rules. These records would generally have to be maintained for at least five years.
Incident Reporting to the SEC
For the first time, RIAs would be required to report significant cybersecurity incidents on a confidential basis to the SEC. Under the proposal, RIAs would be required to submit the new Form ADV-C promptly, but in no event more than 48 hours after having a reasonable basis to conclude that a “significant adviser cybersecurity incident” or a “significant fund cybersecurity incident” had occurred or is occurring. The proposal would also require RIAs to amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after information reported on the form becomes materially inaccurate, after new material information about a previously reported incident is discovered, or after a previously reported incident is resolved or an internal investigation pertaining to a previously disclosed incident is closed.
Under the proposal, a “significant adviser cybersecurity incident” is defined as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
(1) substantial harm to the adviser; or
(2) substantial harm to a client, or an investor in a private fund, whose information was accessed.
Similar to a significant adviser cybersecurity incident, a “significant fund cybersecurity incident” has two prongs, i.e., that it:
(1) significantly disrupts or degrades the fund’s ability to maintain critical operations; or
(2) leads to the unauthorized access to or use of fund information, which results in substantial harm to the fund, or to the investor whose information was accessed.
The SEC’s proposing release posits that significant fund cybersecurity incidents may include cyber intruders interfering with a fund’s ability to redeem investors, calculate net asset value, or otherwise conduct its business. The proposing release also observes that other significant fund cybersecurity incidents may involve the theft of fund information, such as non-public portfolio holdings or personally identifiable information of the fund’s employees, directors, or shareholders.
Form ADV-C would include both general and specific questions related to the significant cybersecurity incident, such as the nature and scope of the incident, as well as whether any disclosure has been made to any clients or investors. Such information would include, among other things:
- The date the incident occurred, if known;
- The approximate date the incident was discovered;
- Whether the incident is still ongoing;
- Whether law enforcement or any government agency other than the SEC has been notified;
- A description of the nature and scope of the incident, including any effect on critical operations;
- Actions taken or planned to respond to and recover from the incident;
- Whether any data was stolen, altered, accessed, or used for any unauthorized purpose;
- Whether any personal information was lost, stolen, modified, deleted, destroyed, or accessed without authorization;
- Whether disclosure has been made to clients or investors; and
- Whether the incident is covered under a cybersecurity insurance policy.
Disclosure of Cybersecurity Risks and Incidents to Clients and Investors
The proposed rules would also enhance required disclosure around cybersecurity risks and incidents. For RIAs, the proposed rules would amend Form ADV Part 2A to mandate disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. For registered funds, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in a fund’s registration statements, tagged in a structured data language.
The public comment period on the proposed rules will remain open until the later of April 11, 2022, or 30 days following publication of the proposing release in the Federal Register.