In a recent press release, the Securities and Exchange Commission announced they are proposing cybersecurity risk management rule amendments for registered investment advisers, registered investment companies, business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures.
Specifically, the , the reporting of significant cybersecurity incidents, the public disclosure of cybersecurity risks and additional recordkeeping requirements. Let’s break it down.
Cybersecurity Risk Management Rules: The SEC proposal includes new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act (collectively, the “proposed cybersecurity risk management rules”). The proposed cybersecurity risk management rules would require advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks.
SEC proposed rule 206(4)-9 would require policies and procedures that address:
- Risk assessment
- User security and access
- Information protection
- Cybersecurity threat and vulnerability management
- Cybersecurity incident response and recovery
Similarly, proposed rule 38a-2 under the Investment Company Act would require that a fund maintain:
- A copy of its cybersecurity policies and procedures that are in effect, or at any time within the last five years were in effect
- Copies of written reports provided to its board
- Records documenting the fund’s annual review of its cybersecurity policies and procedures
- Any report of a significant cybersecurity incident provided to the Commission by its adviser
- Records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident
- Records documenting the fund’s cybersecurity risk assessment. These records would have to be maintained for five years; the first two years in an easily accessible place
Reporting Significant Cybersecurity Incidents: The proposal includes a reporting requirement under new rule 204-6 that would require advisers to report significant cybersecurity incidents to the Commission, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. Proposed rule 204-6 would require investment advisers to report on Form ADV-C within 48 hours of a significant adviser cybersecurity incident or a significant fund cybersecurity incident having occurred or currently occurring.
The rule would define a significant adviser cybersecurity incident as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or which leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
- Substantial harm to the adviser
- Substantial harm to a client, or an investor in a private fund, whose information was accessed
Disclosure of Cybersecurity Risks and Incidents: Currently, advisers provide disclosures to their prospective and current clients on Form ADV’s narrative brochure, or Part 2A, which is publicly available and one of the primary client-facing disclosure documents used by advisers. Form ADV Part 2A contains information about the investment adviser’s business practices, fees, risks, conflicts of interest, and disciplinary information.
The proposal would amend Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. Like advisers, funds also would be required to provide prospective and current investors with cybersecurity-related disclosures. Specifically, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in funds’ registration statements, tagged in a structured data language.
The proposal includes amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.
Recordkeeping: Rule 204-2, the books and records rule under the Advisers Act, sets forth requirements for making, maintaining, and retaining books and records relating to an adviser’s investment advisory business. The proposed amendments would require advisers to retain:
- A copy of their cybersecurity policies and procedures formulated pursuant to proposed rule 206(4)-9 that is in effect, or at any time within the past five years was in effect
- A copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures pursuant to proposed rule 206(4)-9 in the last five years
- A copy of any Form ADV-C filed by the adviser under rule 204-6 in the last five years
- Records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident, in the last five years
- Records documenting an adviser’s cybersecurity risk assessment in the last five years. Records documenting the occurrence of a cybersecurity incident may include event or incident logs, as well as longer descriptions depending on the nature and scope of the incident
NRS comments: The Russian invasion of Ukraine, which brings with it the increased risk of cyber warfare, is a sad and stark reminder that advisers must remain vigilant, constantly protecting their firms and the data to which they have been entrusted by their clients. The US Cybersecurity and Infrastructure Security Agency said this is a “Shields Up” notice following the invasion:
While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization, large and small must be prepared to respond to disruptive cyber activity.
The proposal asks for comment as to how best to determine which advisers should be subject to all requirements and which may be exempted from some, due to size of firm, size of managed assets, nature of business, etc. There is tremendous possibility that unanticipated consequences may flow from such a sweeping rule; NRS recommends that SEC-registered advisers of all sizes carefully review the proposed rule (rather than just relying on the SEC-prepared press release and/or fact sheet) and submit comments on how the proposed rule can be improved, which proposals are overly burdensome of smaller or more specialized firms, and real-life scenarios that are likely to arise if the proposal is adopted in its current form.
Instructions for submitting comments are found on page 2 of the .
Often, proposing releases do more than simply list and describe the types of rules the SEC wants to create; they also show the Commission’s current thinking on important topics. Even if this rule is never adopted, advisers should carefully read the release and ask themselves whether certain practices should be incorporated into the firm’s policies and procedures, simply as a way of meeting the firm’s fiduciary duty (and the SEC’s expectations).
For example, while a written cybersecurity risk assessment is only proposed at this point, an SEC examiner could well ask if the adviser has one and, if the adviser does not, the examiner might find that the lack of a risk assessment is inconsistent with the adviser’s fiduciary duty.
All in all, it’s clear that cybersecurity is and will remain one of the top priorities across the entire scope of the financial industry, with firm’s facing heightened rules and regulations to ensure their clients privacy and deter cyber-attacks.
Want to ensure your firm is prepared? Learn more about the specific rules and regulations at our upcoming .
Supporting Links:
