Enforcement Highlights

Covering SEC, CFTC, FINRA, PCAOB, States, Exchanges, & FCA Enforcement Activities

SEC Proposes New Cybersecurity Risk Management Rules for Registered Investment Advisers and Funds

On Wednesday, the Securities and Exchange Commission announced proposed new cybersecurity risk management rules and amendments for investment advisers and investment companies. The proposed rules are designed to address concerns about advisers’ and funds’ cybersecurity preparedness and incident response in an effort to strengthen client and investor protection. The proposed rules include the following:

  • Cybersecurity Risk Management Rules. The proposed rules include a new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. These proposed rules would require advisers and funds to adopt and implement policies and procedures to address cybersecurity risks. The proposed rules enumerate core areas of consideration including: (1) risk assessment; (2) user security and access; (3) information protection; (4) threat and vulnerability management; and (5) cybersecurity incident response and recovery. The proposed rules would require advisers and funds to review their policies and procedures at least annually and prepare a report on their effectiveness.
  • Reporting of Significant Cybersecurity Incidents. The proposal includes new rule 204-6, which would require advisers to report significant cybersecurity incidents—including on behalf of a fund or private fund client—to the SEC on new Form ADV-C. Advisers would be required to submit the proposed Form ADV-C within 48 hours of having a reasonable basis to conclude that a significant adviser or fund cybersecurity incident is occurring or has occurred. These confidential reports are designed to assist the SEC in monitoring the effects of a cybersecurity incident on an adviser, its clients, and the financial markets more broadly.
  • Disclosure of Cybersecurity Risks and Incidents. The proposed amendments would add a new Item 20, entitled “Cybersecurity Risks and Incidents,” to Form ADV’s narrative brochure (Part 2A), which is the publicly available and primary client-facing disclosure document for registered investment advisers. The proposed rule would require advisers to describe in plain English the cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risk. Such cybersecurity risks could be considered material whether or not they led to a cyberattack or other incident. Rather, materiality under the proposed rule would be based on whether there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information, including (1) potential disruption of the adviser’s ability to provide services; (2) the adviser’s potential loss of client data; and/or (3) the ability of the risk to harm the client (e.g., illiquidity).
  • Recordkeeping. The proposed rules would amend the recordkeeping rules for advisers (204-2) and funds (38a-2) to require maintaining certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.

The proposed cybersecurity rules and amendments announced on Wednesday stem from a broader focus on cybersecurity regulation by the SEC that extends to other registrants and financial industry participants. For instance, late last month, Chairman Gary Gensler indicated that the SEC is considering enhancing numerous aspects of the cybersecurity regulatory framework to address the ongoing risk cyberattacks pose to the financial industry. In his speech at Northwestern’s Securities Regulation Institute, Chairman Gensler highlighted the cost of cyberattacks on the financial system—extending into the billions or trillions of dollars—and laid out the target areas for enhanced regulation, including:

  • “Freshening up” Regulation Systems Compliance and Integrity (Reg SCI). Adopted in 2014, Reg SCI is a rule covering a large set of registrants, including stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations. The rule requires these entities to have sound technology programs, business continuity plans, testing protocols and data backups. In his remarks, Chairman Gensler proposed to “Freshen up” Reg SCI by considering deepening its requirements and expanding the rule’s application to other large entities that are currently not covered, such as the largest market-makers and broker-dealers.
  • Enhancing Cyber Risk and Event Reporting for Public Companies. Chairman Gensler focused on the emerging risk cybersecurity threats pose to public companies and the need for robust disclosure regimes to inform the public of these risks as they evaluate whether to invest. While Chairman Gensler noted that cybersecurity disclosures are already part of public companies’ reporting obligations, he asked the staff to make recommendations for ways in which cyber risks and events will be dealt with, including by examining public companies’ cybersecurity governance, strategy, risk management and cyber risk disclosure practices.
  • Expanding the SEC’s Focus to Non-registrant Service Providers. Chairman Gensler noted that non-registrant service providers—including fund administrators, index providers, custodians, data analytics providers, etc.—play critical roles in the financial sector and may become targets for hackers. Thus, Chairman Gensler asked the SEC staff to propose recommendations on how to address cybersecurity risk from service providers, including possibly requiring certain registrants to identify service providers that could pose such risks and/or holding registrants accountable for their service providers’ cybersecurity measures with respect to protecting investor information against inappropriate access.

Given the SEC’s increased focus on cybersecurity regulation and its announcement of proposed rules for investment advisers and funds, all entities within the purview of SEC regulation should take note of the SEC’s focus on cybersecurity as a top-of-mind investor-protection initiative this year and consult experienced counsel to stay informed of any rule changes and enforcement initiatives.

February 15, 2022
Written by: David W. Porteous and Isaac Smith
Category: Compliance and Supervision, Hedge Funds and Private Equity, Investment Advisers and Broker Dealers
Tags: Cybersecurity

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.