Man the Cyber Forts! – SEC Proposes New Cybersecurity Regulations for RIAs and Funds

Kilpatrick

With cybersecurity incidents increasing in frequency and notoriety, the Securities and Exchange Commission (the “SEC”) has set its sights on fortifying cybersecurity regulations across the entire financial industry, including SEC-registered investment advisers (“RIAs”) and registered investment companies and business development companies (collectively, “Funds”).[1] On February 9, 2022, the SEC proposed new rules and amendments (the “Proposal”) that, if adopted as proposed, would create specific disclosure and reporting obligations for RIAs and Funds on cybersecurity matters, as well as specific requirements for their cybersecurity policies and procedures. Notably, the Proposal was released on the same day the SEC released another significant set of proposed rules applicable to private fund advisers, which was the topic of our earlier post, SEC Proposes Significant Regulatory Overhaul for Private Fund Advisers.[2]

Some of the key elements of the Proposal are highlighted below:

Cybersecurity Risk Management Policies and Procedures

Under the Proposal, RIAs and Funds would have to adopt and implement policies and procedures reasonably designed to address cybersecurity risks.[3] These policies and procedures would, among other things, require that RIAs and Funds: (1) conduct a periodic assessment of their cybersecurity risk exposure, (2) implement controls designed to minimize user-related risks and prevent unauthorized access to the firm’s systems and data, (3) adopt appropriate measures to monitor exposure to the firm’s systems and protect firm information from unauthorized access or use, (4) adopt measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities, and (5) develop measures to identify, respond to, and recover from cybersecurity incidents.[4] Moreover, RIAs and Funds would need to annually review these policies and procedures, and prepare a report describing such assessment.[5]

Significant Cybersecurity Incidents Reporting

The Proposal would require RIAs to report significant cybersecurity incidents to the SEC.[6] Importantly, RIAs would also be obligated to report significant cybersecurity incidents[7] on behalf of Fund or private fund clients.[8] The Proposal would require the RIAs to report any significant cybersecurity incident to the SEC within 48 hours of the time that the RIA has a reasonable basis to conclude that such event has occurred.[9] An RIA would report such an incident by submitting the proposed new Form ADV-C, which would provide a structured format for reporting significant cybersecurity incidents.[10]

Cybersecurity Risks and Incidents Disclosure

The Proposal would also amend Form ADV Part 2A (an RIA’s “Brochure”) to require an RIA to disclose: (1) cybersecurity risks that could materially affect its services, (2) how it assesses, prioritizes, and addresses such risks, and (3) any cybersecurity incidents in the past two fiscal years that have significantly disrupted or degraded the RIA’s ability to maintain critical operations, or that resulted in substantial harm to itself or its clients.[11] Further, the Proposal would require an RIA to deliver interim Brochure amendments to existing clients if an RIA adds a cybersecurity incident or materially revises information about a disclosed cybersecurity incident.[12]

Similarly, the Proposal would require disclosure of any significant Fund cybersecurity incidents that have occurred in the last two fiscal years in the Fund’s registration statement.[13]

Recordkeeping

The Proposal would also impose additional recordkeeping requirements for RIAs and Funds to maintain certain records related to the Proposal’s requirements.[14]

***

The public comment period for the Proposal will remain open for at least sixty days following publication of the proposing release on the SEC’s website. While most RIAs and Funds already have compliance policies and procedures that address cybersecurity, if the Proposal is adopted as proposed, it would set specific requirements for those procedures and would create new reporting and disclosure obligations with respect to cybersecurity matters. While the Proposal is still pending, we suggest that RIAs and Funds review their cybersecurity policies, procedures, and practices and consider how the Proposal, if adopted, would affect current practices, particularly in light of the SEC’s increasing focus on cybersecurity issues.


[1] See Chair Gary Gensler Speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, January 24, 2022, available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124.

[2] SEC Proposed Rules, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Release Nos. 33-11028; 34-94197; IA-5956; IC-34497, available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf (hereinafter, the “Proposal”); SEC Press Release, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds, February 9, 2022, available at https://www.sec.gov/news/press-release/2022-20.

[3] See Id. at 15-34.

[4] Proposal at 15.

[5] Id. at 39.

[6] Id. at 46.

[7] Under the Proposal, “significant cybersecurity incidents” are incidents that significantly affect the critical operations of an RIA or Fund or lead to unauthorized access or use of information that results in substantial harm to the RIA or its clients or a Fund or its investors. Id. at 108-109.

[8] See Id. at 46.

[9] Id.

[10] Id. at 55.

[11] See Id. at 61-62.

[12] Id. at 62-63.

[13] This includes Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6. See SEC, Fact Sheet, Cybersecurity Risk Management, available at https://www.sec.gov/files/33-11028-fact-sheet.pdf.

[14] See Id. at 44-45.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
