The Securities and Exchange Commission (SEC) has joined a host of other regulators in stepping up efforts to protect against rapidly escalating cyber threats, with significant implications for all SEC-registered investment advisers (advisers) and SEC-registered investment companies (funds).1
On February 9, 2022, the SEC proposed a set of new rules and amendments aimed at improving the cybersecurity practices of investment advisers and investment companies, including mutual funds, exchange-traded funds, insurance company separate accounts, business development companies and closed-end funds (the Proposal).
The move comes as elements of the U.S. government, called to action by President Biden's Executive Order of May 2021,2 seek ways to improve the nation's cybersecurity. The SEC's proposal follows SEC enforcement actions against eight companies in 2021 for deficient cybersecurity procedures and a flurry of SEC publications on cyber risks, all driven by concern about the disruption that an attack on advisers and funds could cause to the economy.
Indeed, information security and operational resilience is not a new priority for the SEC: the subject has been addressed in risk alerts and has appeared consistently on the SEC's list of examination priorities since 2014, and we expect it to appear again on the 2022 list, which is due for imminent release.3 We also expect to see increased enforcement activity against firms that the SEC considers to pay insufficient attention to managing cybersecurity risk, even in the absence of such regulation.
On the one hand, generally speaking, the cybersecurity requirements proposed by the SEC are not new to the investment industry. Instead, the proposal focuses on integrating best practices and standards that are already included in other regulatory frameworks, such as the New York State Department of Financial Services' cybersecurity requirements. In addition, some of the proposed rules build on the well-known compliance frameworks set out in Rule 206(4)-7 under the Investment Advisers Act of 1940 (the Advisers Act) and Rule 38a-1 under the Investment Company Act of 1940 (the 1940 Act). On the other hand, the requirements proposed by the SEC would demand considerable effort, expense and expertise. Perhaps most impactful is that the proposal would see cybersecurity fully integrated into the compliance programs of all advisers and funds. In other words, the proposal would lead advisers and funds to fully embrace a "cyber culture" in which cybersecurity is integrated into the adviser's and the fund's operations.
In brief, the proposal would require advisers and funds to:
- adopt and implement written cybersecurity policies and procedures that include certain key elements;
- report significant cybersecurity incidents affecting an adviser or its SEC-registered or private fund clients within 48 hours;
- disclose material cybersecurity risks and cybersecurity incidents in fund prospectuses; and
- maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.
First, the proposal sets out new Rule 206(4)-9 under the Advisers Act and new Rule 38a-2 under the 1940 Act, which would require advisers and funds to implement cybersecurity policies and procedures tailored to the adviser's or fund's business, complexity and cybersecurity risks. Under the proposal, the written policies and procedures would have to contain specific elements, including risk assessments and controls to detect, mitigate and remediate threats and vulnerabilities, and would have to address how the adviser or fund will meet new requirements to conduct thorough due diligence reviews of, and negotiate new contract terms with, service providers. As with Rules 206(4)-7 and 38a-1, the written policies and procedures must be reviewed at least annually and, for funds only, approved by the board of directors.
In addition to the annual review of written policies and procedures, funds must also prepare an annual written report describing the annual review, the assessment and the control testing performed, detailing any cybersecurity incidents that have occurred since the date of the last report and discussing any material changes to the policies and procedures since the date of the last report. While the cadence and format of these requirements mirror those of Rules 206(4)-7 and 38a-1, the rules' emphasis on cybersecurity will be new to advisers and funds, which to date have had to comply only with the SEC's Safeguards Rule (Rule 30 under Regulation S-P) and certain state cybersecurity requirements.
Second, the proposal introduces a requirement for advisers to report "significant" cybersecurity incidents to the SEC within 48 hours, including on behalf of a fund or private fund client. This requirement would be in addition to other applicable regulatory reporting requirements and could result in an overall acceleration of reporting.4 A cybersecurity incident would trigger a report if it: (i) significantly disrupts critical operations; or (ii) leads to the unauthorized access or use of adviser information that results in substantial harm.
The report would be confidential and would be made by filing a new form, Form ADV-C, on the SEC's Investment Adviser Registration Depository (IARD) platform. The adviser would be required to submit Form ADV-C within 48 hours after it has a reasonable basis to conclude that a Material Adviser Cybersecurity Incident or a Material Fund Cybersecurity Incident has occurred or is occurring. Advisers would have to amend Form ADV-C if previously filed information becomes inaccurate, if new information is discovered, and after the cybersecurity incident is resolved.
Third, the SEC is proposing to modify the existing disclosure requirements for advisers and funds. With respect to funds, Form N-1A, as well as other fund registration forms, would be amended to require specific prospectus disclosure of the fund's material cybersecurity incidents that occurred in the previous two fiscal years and affected the fund, the fund's adviser or the fund's service providers. Similarly, for advisers, Form ADV Part 2A would be amended to require similar disclosure of cybersecurity risks and incidents.
Fourth, the proposal sets out new record-keeping requirements under Rule 204-2 of the Advisers Act and proposed Rule 38a-2 under the 1940 Act. Under the proposal, advisers would be required to keep: (i) a copy of their cybersecurity policies and procedures that are in effect or have been in effect within the last five years; (ii) a copy of the adviser's written report documenting the annual review of its cybersecurity policies and procedures conducted within the last five years; (iii) a copy of any Form ADV-C filed by the adviser within the last five years; (iv) records documenting the occurrence of any cybersecurity incident within the past five years; and (v) records documenting the adviser's cybersecurity risk assessments within the past five years. Funds would have similar record-keeping requirements under the proposal and would also have to keep copies of the written reports provided to the board over the past five years.
Among the most impactful elements of the proposal are the requirements to report material cybersecurity incidents to the SEC within 48 hours and to disclose third-party service provider cybersecurity incidents in the fund's prospectus or the adviser's Form ADV. Advisers and funds may wish to strengthen oversight of their service providers by, for example, regularly seeking cyber-health certifications from them and negotiating the right to terminate the relationship following a cybersecurity incident. The prospectus disclosure requirements may also increase a fund's liability for inaccuracies and omissions. The record-keeping requirements covering cybersecurity controls, annual reviews and cybersecurity incidents may also enable the SEC to bring enforcement actions using the adviser's or fund's own documented records, rather than requiring the SEC to undertake its own forensic examination, as is currently the case.
The SEC is accepting comments on the proposal until April 11, 2022 or 30 days after publication of the proposal release in the Federal Register, whichever is later. Whatever final form these rules take, firms would be well advised to review the proposal and consider what steps they should take, from both a technical and a legal compliance perspective, to comply with it.
1 Proposed Rule: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies.
2 United States, Executive Office of the President [Joseph R. Biden Jr.]. Executive Order 14028: Improving the Nation's Cybersecurity. May 12, 2021. 86 FR 26633, available at: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
3 FINRA released its 2022 examination priorities on February 9, 2022, which included cybersecurity. FINRA has noted an increase in the number and sophistication of cyber threats and has issued several alerts warning firms of a series of phishing emails that appear to come from FINRA.
4 Other federal and state agencies already require certain entities to disclose cybersecurity incidents. For example, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Federal Reserve all require certain financial institutions to report certain computer security incidents as soon as possible, but no later than 36 hours after the organization has determined that an incident has occurred; the New York Department of Financial Services cybersecurity regulations require that notifications be made "as promptly as possible, but in no event later than 72 hours"; and all states have breach notification rules that apply when personal information is affected, with varying timelines, although most states require notification to be made "without unreasonable delay" or "as soon as possible."