
SEC Proposes New Cybersecurity Risk Management Rules to Enhance Cybersecurity Preparedness, Protect Investors

Published
Mar 24, 2022

Key Points

  • The SEC voted to propose new rules related to cybersecurity risk management.
  • The proposed rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.
  • Advisers and funds would also have to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.

The Securities and Exchange Commission (SEC) recently announced it has proposed new cybersecurity-related rules, designed to enhance cybersecurity preparedness and protect investors.

Per the SEC’s press release:

The SEC voted to propose rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures.

The proposed rules would:

  • Require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors
  • Require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form 
  • Require advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements
  • Set forth new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities
  • Require advisers to complete an annual assessment of the design and effectiveness of their cybersecurity policies and procedures and prepare a written report with results of the review

What’s next?

According to the SEC schedule, the proposal will be published on SEC.gov and in the Federal Register. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer.

How EisnerAmper can help

If you have any questions about the proposed rules or want to learn more about how our Technology Consulting team helps business owners improve their technology security, compliance, and controls, please contact us. 

Kate M. Siegrist

Kate Siegrist is a Partner with over 20 years of combined experience advising CEOs, CISOs and CIOs. She helps her clients navigate highly regulated industries to ensure business opportunities are not missed due to compliance burden.

