SEC Proposes Cybersecurity Rules for RIAs and Funds
February 11, 2022
By Frank Attalla
On February 9, 2022, the SEC proposed rules related to cybersecurity risk management for regulated investment advisers (“Advisers”), registered investment companies and business development companies (“Funds”), as well as proposed amendments to certain rules that govern investment adviser and fund disclosures.
The proposed rules and amendments are designed to address concerns about Advisers’ and Funds’ cybersecurity preparedness and reduce cybersecurity-related risks to clients and investors; improve Adviser and Fund disclosures regarding their cybersecurity risks and incidents; and enhance the Commission’s ability to assess systemic risks and oversee Advisers and Funds.
Cybersecurity Risk Management Rules
Under the proposed new rule 206(4)-9 under the Investment Advisers Act of 1940 (the “Advisers Act”) and new rule 38a-2 under the Investment Company Act of 1940 (“Investment Company Act”), Advisers and Funds would be required to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules list the following elements that need to be addressed:
- Risk assessment
- User security and access
- Information protection
- Threat and vulnerability management
- Cybersecurity incident response and recovery
The above-mentioned proposed rules also include the following requirements:
- Advisers and Funds are required to conduct annual reviews and prepare and maintain written reports of their cybersecurity policies and procedures.
- A Fund’s board of directors is required to review and approve the cybersecurity policy and procedures and any material changes to the policy and procedures, and also read and approve any written reports on cybersecurity incidents.
- Specific recordkeeping requirements regarding an Adviser’s cybersecurity policies and procedures and various written reports.
Reporting of Significant Cybersecurity Incidents
New rule 204-6 under the Advisers Act would require Advisers to report significant cybersecurity incidents to the SEC on behalf of a Fund or private fund client on a new Form ADV-C. The Commission believes these reports would aid its efforts to protect investors by helping the SEC better monitor and evaluate the effects of a cybersecurity incident on an Adviser and its clients, as well as assess the potential systemic risks affecting the broader financial markets.
Disclosure of Cybersecurity Risks and Incidents
Proposed new rules would amend Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an Adviser’s clients and prospective clients. Funds would also be required to provide current and prospective investors with cybersecurity-related disclosures. The proposed amendments would require a Fund to describe any significant fund cybersecurity incidents occurring over the last two fiscal years in its registration statements.
The new proposal would amend Rule 204-2 of the Advisers Act, the books and records rule, to require Advisers to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. Proposed rule 38a-2 of the Investment Company Act would require a Fund to maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule.
The proposal will be published on sec.gov and in the Federal Register. The public comment period will remain open for 60 days following publication on the SEC website or 30 days following publication in the Federal Register, whichever period is longer.