On February 9, 2022, the Securities and Exchange Commission ("SEC") formally proposed new rules related to cybersecurity risk management for Registered Investment Advisers ("RIA"s) and Private Fund Advisers. This new proposal titled “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies," are aimed to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies against cybersecurity threats and attacks.
The proposed rules and amendments are intended to address concerns about cybersecurity preparedness and reduce cybersecurity-related risks to clients and investors; improve adviser and fund disclosures about their cybersecurity risks and incidents; and enhance the SEC's ability to assess systemic risks and oversee advisers and funds. The SEC published a Fact Sheet overviewing the rule, highlighting four aspects of the proposal;
- Require advisers and funds to adopt and implement written policies and procedures
that are reasonably designed to address cybersecurity risks;
- Require advisers to report significant cybersecurity incidents to the Commission on
proposed Form ADV-C;
- Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
- Require advisers and funds to maintain, make, and retain certain cybersecurity-related
books and records.
The Fact Sheet additionally overviews the following proposed amendments:
Cybersecurity Risk Management Rules
The proposal includes new rule 206-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. The proposed rules list certain general elements that advisers and funds would be required to address in their cybersecurity policies and procedures to help address operational and other risks that could harm advisory clients and fund investors or lead to the unauthorized access to or use of adviser or fund information, including the personal information of their clients or investors.
Reporting of Significant Cybersecurity Incidents
A reporting requirement under new rule 204-6 would require advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. These confidential reports would strengthen the efficiency and effectiveness of the SEC’s efforts to protect investors by helping the Commission monitor and evaluate the effects of a cybersecurity incident on an adviser and its clients, as well as assess the potential systemic risks affecting financial markets more broadly.
Disclosure of Cybersecurity Risks and Incidents
The proposal would amend Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. Like advisers, funds also would be required to provide prospective and current investors with cybersecurity-related disclosures. Specifically, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in funds’ registration statements, tagged in a structured data language.
Rule 204-2, the books and records rule under the Advisers Act, sets forth requirements for maintaining, making, and retaining books and records relating to an adviser’s investment advisory business. The proposal would amend this rule to require advisers to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. Similarly, proposed rule 38a-2 under the Investment Company Act would require that a fund maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule.