SEC Cybersecurity Rules Target Investment Advisers and Investment Companies

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed a package of new rules and amendments to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks.

If adopted, these rules will incorporate existing SEC staff guidance on cybersecurity policies and procedures, and create new requirements for reporting cybersecurity incidents.

The proposal includes a new rule 206(4)-9 under the Investment Advisers Act of 1940 (the “Advisers Act”) and a new rule 38a-2 under the Investment Company Act of 1940 (the “Company Act”).

Key provisions of the proposed rules include:

Requirement to Maintain Cybersecurity Related Policies and Procedures

The proposal would require investment advisers and investment companies to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The rules set out certain general elements that cybersecurity policies and procedures must contain to help address operational and other risks that could harm advisory clients and fund investors, or that could lead to the unauthorized access to or use of adviser or fund information, including the personal information of their clients or investors.

Requirement for Advisers to Report Significant Cybersecurity Incidents to the SEC

The proposal would require investment advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C.

The rules define “significant cybersecurity incidents” as a single or a combination of cyber incidents that significantly disrupt or degrade the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations. Incidents are also “significant” if they lead to unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.

Requirement to Disclose Cybersecurity Risks and Incidents to Clients and Prospects

The proposal would amend Form ADV Part 2A to require investment advisers to disclose cybersecurity risks and incidents to advisory clients and prospective clients. Investment companies would be required to provide a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in investment companies’ registration statements. The proposal includes amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.

Additional Recordkeeping Requirements

The proposal would amend Rule 204-2 (for investment advisers) and Rule 38a-2 (for investment companies) to maintain records related to the proposed rules, including its cybersecurity policies and procedures, and the occurrence of cybersecurity incidents.

Call for Public Comments

The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website – until April 11, 2022 – or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

In Context

Registered investment advisers and investment companies are already subject to Rule 30(a) of Regulation S-P – the SEC’s version of the Gramm-Leach-Bliley (GLBA) “Safeguards Rule.” The Safeguards Rule requires registered investment advisers to adopt written policies and procedures implementing technical, administrative, and physical safeguards reasonably designed to protect the security and confidentiality of customer records and information. However, the proposed rule imposes cybersecurity requirements for data and systems that go beyond the scope of the Safeguards Rule, and for the first time would impose a reporting requirement for significant incidents. Coming not six months on the heels of the SEC’s sanctioning of eight firms for violation of the Safeguards Rule, the proposed rule demonstrates an ongoing focus and commitment to cybersecurity enforcement. This is part of a larger trend of actions from agencies across the U.S. government, including the U.S. Department of Justice, the U.S. Department of Homeland Security, and the U.S. Federal Trade Commission, aimed at enhancing the cybersecurity practices of private sector organizations following the Administration’s “Improving the Nation’s Cybersecurity” executive order issued last year. (Exec. Order 14028, May 12, 2021).