On Wednesday, the Securities and Exchange Commission announced proposed new cybersecurity risk management rules and amendments for investment advisers and investment companies. The proposed rules are designed to address concerns about advisers’ and funds’ cybersecurity preparedness and incident response in an effort to strengthen client and investor protection. The proposed rules include the following:
- Cybersecurity Risk Management Rules. The proposed rules include a new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. These proposed rules would require advisers and funds to adopt and implement policies and procedures to address cybersecurity risks. The proposed rules enumerate core areas of consideration including: (1) risk assessment; (2) user security and access; (3) information protection; (4) threat and vulnerability management; and (5) cybersecurity incident response and recovery. The proposed rules would require advisers and funds to review their policies and procedures at least annually and prepare a report on their effectiveness.
- Reporting of Significant Cybersecurity Incidents. The proposal includes new rule 204-6, which would require advisers to report significant cybersecurity incidents—including on behalf of a fund or private fund client—to the SEC on new Form ADV-C. Advisers would be required to submit the proposed Form ADV-C within 48 hours of having a reasonable basis to conclude that a significant adviser or fund cybersecurity incident is occurring or has occurred. These confidential reports are designed to assist the SEC in monitoring the effects of a cybersecurity incident on an adviser, its clients, and the financial markets more broadly.
- Disclosure of Cybersecurity Risks and Incidents. The proposed amendments would add a new Item 20 entitled “Cybersecurity Risks and Incidents” to Form ADV’s narrative brochure, or Part 2A, which is the publicly available and primary client-facing disclosure document for registered investment advisers. The proposed rule would require advisers to describe in plain English the cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risk. Such cybersecurity risks could be considered material whether or not they led to a cyberattack or other incident. Rather, materiality under the proposed rule would be based on whether there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information, including (1) potential disruption of the adviser’s ability to provide services; (2) the adviser’s potential loss of client data; and/or (3) the ability of the risk to harm the client (e.g., illiquidity).
- Recordkeeping. The proposed rules include amending recordkeeping rules for advisers (204-2) and funds (38a-2) to include maintaining certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.
The proposed cybersecurity rules and amendments announced on Wednesday stem from a broader focus on cybersecurity regulation by the SEC that extends to other registrants and financial industry participants. For instance, late last month, Chairman Gary Gensler indicated the SEC is considering enhancing numerous aspects of the cybersecurity regulatory framework to address the ongoing risk cyberattacks pose to the financial industry. In his speech at Northwestern’s Securities Regulation Institute, Chairman Gensler highlighted the cost of cyberattacks on the financial system—extending into the billions or trillions of dollars—and laid out the target areas for enhanced regulation, including:
- “Freshening up” Regulation Systems Compliance and Integrity (Reg SCI). Adopted in 2014, Reg SCI is a rule covering a large set of registrants, including stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations. The rule requires these entities to have sound technology programs, business continuity plans, testing protocols, and data backups. In his remarks, Chairman Gensler proposed to “freshen up” Reg SCI by considering deepening its requirements and expanding the rule’s application to other large entities that are currently not covered, such as the largest market-makers and broker-dealers.
- Enhancing Cyber Risk and Event Reporting for Public Companies. Chairman Gensler focused on the emerging risk cybersecurity threats pose to public companies and the need for robust disclosure regimes to inform the public of these risks as they evaluate whether to invest. While Chairman Gensler noted that cybersecurity disclosures are already part of public companies’ reporting obligations, he asked the staff to make recommendations on how cyber risks and events should be addressed, including by examining public companies’ cybersecurity governance, strategy, risk management, and cyber risk disclosure practices.
- Expanding the SEC’s Focus to Non-registrant Service Providers. Chairman Gensler noted that non-registrant service providers—including fund administrators, index providers, custodians, data analytics providers, etc.—play critical roles in the financial sector and may become targets for hackers. Thus, Chairman Gensler asked the SEC staff to propose recommendations on how to address cybersecurity risk from service providers, including possibly requiring certain registrants to identify service providers that could pose such risks and/or holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and safeguarding investor information.
Given the SEC’s increased focus on cybersecurity regulation and its announcement of proposed rules for investment advisers and funds, all entities within the purview of SEC regulation should take note of the SEC’s focus on cybersecurity as a top-of-mind investor-protection initiative this year and consult experienced counsel to stay informed of any rule changes and enforcement initiatives.