On February 9, 2022, the Securities and Exchange Commission ("SEC") proposed new rule 38a-2 ("Proposed Rule 38a-2") under the Investment Company Act of 1940, as amended ("1940 Act"), which would require registered investment companies and business development companies ("funds") to adopt and implement written cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks.[1] The Proposing Release also includes a similar new rule that would apply to registered investment advisers under the Investment Advisers Act of 1940, as amended.
Summary
Currently, there is no SEC rule that specifically requires funds to adopt and implement comprehensive cybersecurity programs. However, as a matter of good business practice and at the urging of fund boards, most funds have already incorporated cybersecurity oversight programs into their compliance arsenal, both to manage cybersecurity risks and as part of complying with certain other rules and regulations, such as Rule 38a-1, Regulation S-P[2] and Regulation S-ID[3]. Proposed Rule 38a-2 would require funds to adopt and implement written cybersecurity policies and procedures that address a number of specified elements but that are also tailored to the fund’s business operations and associated cybersecurity risks. Proposed Rule 38a-2 would also require funds to review and evaluate the design and effectiveness of their cybersecurity policies and procedures at least annually. Additionally, the SEC is proposing amendments to fund disclosure requirements to provide current and prospective shareholders with information about cybersecurity risks and incidents.
The various aspects of Proposed Rule 38a-2 and the proposed fund disclosure amendments are discussed in more detail below.
Proposed Rule 38a-2
KEY DEFINED TERMS
- Cybersecurity incident – an unauthorized occurrence on or conducted through a fund’s information system that jeopardizes the confidentiality, integrity, or availability of a fund’s information systems or any fund information residing therein.
- Cybersecurity risk – the financial, operational, legal, reputational, and other adverse consequences that could stem from cybersecurity incidents, threats, and vulnerabilities.
- Cybersecurity threat – any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of a fund’s information systems or any fund information residing therein.
- Cybersecurity vulnerability – a vulnerability in a fund’s information systems, information system security procedures, or internal controls, including vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.
- Fund information – any electronic information related to the fund’s business, including personal information, received, maintained, created, or processed by the fund.
- Fund information systems – the information resources owned or used by the fund, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of fund information to maintain or support the fund’s operations.
- Personal information – any information that can be used, alone or in conjunction with any other information, to identify an individual, such as name, date of birth, place of birth, telephone number, street address, mother’s maiden name, Social Security number, driver’s license number, electronic mail address, account number, account password, biometric records or other nonpublic authentication information.
- Significant fund cybersecurity incident – a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the fund’s ability to maintain critical operations, or leads to the unauthorized access or use of fund information, where the unauthorized access or use of such information results in substantial harm to the fund or to an investor whose information was accessed.
ADMINISTRATION OF THE CYBERSECURITY POLICIES AND PROCEDURES
Under Proposed Rule 38a-2, each fund would determine who will implement and oversee the effectiveness of its cybersecurity policies and procedures; such individuals may be internal personnel or outside third-party cybersecurity experts ("Cyber Program Administrators"). If internal individuals are used to administer the cybersecurity policies and procedures, they must have appropriate knowledge and expertise. If a third party is to administer the cybersecurity policies and procedures, the fund must ensure that there is proper oversight of that third party. If a fund is sub-advised, responsibility for overseeing the cybersecurity policies and procedures may be delegated to the sub-adviser, but the fund retains its own oversight responsibilities.
A fund’s cybersecurity policies and procedures must authorize the Cyber Program Administrators to make decisions and escalate issues to senior officers as necessary to carry out their responsibilities effectively. The Proposing Release notes that this could include adding an explicit escalation provision. The cybersecurity policies and procedures should also specify which groups, positions or individuals, whether internal personnel or external third parties, are acting as Cyber Program Administrators. Furthermore, the cybersecurity policies and procedures should specify who is responsible for communicating incidents internally, who assists with recovery from a cybersecurity incident and who decides whether to report particular incidents to the SEC and/or to investors.
ELEMENTS OF THE CYBERSECURITY POLICIES AND PROCEDURES
While the Proposing Release notes that certain cybersecurity risks are applicable to all funds and therefore would be required to be addressed in all funds’ cybersecurity policies and procedures, Proposed Rule 38a-2 provides flexibility to allow funds to address each of these required items based on their specific facts and circumstances.
Each fund must include the following in its cybersecurity policies and procedures:
Periodic assessment, categorization, prioritization and written documentation of the cybersecurity risks associated with its information systems and the information residing therein. The written assessment would be required to include:
- categorization and prioritization of cybersecurity risks based on an inventory of the components of the fund’s information systems, the information residing therein, and the potential effect of a cybersecurity incident on the fund; and
- identification of the service providers that receive, maintain or process fund information, or that are permitted to access the fund’s information systems, including the information residing therein, and identification of the cybersecurity risks associated with the use of these service providers.
Funds would be required to reassess and reprioritize their cybersecurity risks periodically, and no less frequently than annually, as those risks change for internal reasons (changes to the fund’s business, online presence or client web access) or external reasons (changes in the cybersecurity threat landscape). The Proposing Release also notes that funds should monitor and consider updates and guidance from private sector and governmental resources when assessing continuing and new cybersecurity threats.
Controls designed to minimize user-related risks and prevent the unauthorized access to information and systems, including:
- standards of behavior for individuals authorized to access fund information systems and any fund information residing therein, such as an acceptable use policy;
- identification and authentication of individual users, including implementing authentication measures that require users to present a combination of two or more credentials for access verification;
- establishment of procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication;
- restriction of access to specific fund information systems or components thereof and fund information residing therein solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions on behalf of the fund; and
- securing remote access technologies.
In this regard, the Proposing Release notes that funds should consider who has a need to access certain internal systems, data, functions and/or accounts and to customize access depending on an individual’s job responsibilities.
Measures designed to monitor fund information systems and protect fund information from unauthorized access or use, based on a periodic assessment of the fund information systems and fund information that resides on the systems, which takes into account:
- the sensitivity level and importance of fund information to its business operations;
- whether any fund information is personal information;
- where and how fund information is accessed, stored and transmitted, including the monitoring of fund information in transmission;
- fund information systems access controls and malware protection; and
- the potential effect a cybersecurity incident involving fund information could have on the fund and its shareholders, including the ability for the fund to continue to provide services.
Additionally, funds would need to oversee any service providers that receive, maintain or process fund information, or are otherwise permitted to access fund information systems and any fund information residing therein. A fund would need written documentation showing that, pursuant to a written contract between the fund and the service provider, it requires the service provider to implement and maintain appropriate measures, including the measures described above that the fund itself must address, designed to protect fund information and fund information systems.
Measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities.
The Proposing Release notes that funds would generally seek to detect cybersecurity threats and vulnerabilities through ongoing monitoring, which could include vulnerability assessments. Funds should also have a plan for how to remediate a cybersecurity threat once it is identified.
Measures to detect, respond to and recover from a cybersecurity incident, which are reasonably designed to ensure:
- continued operations of the fund;
- protection of the fund information systems and the fund information residing therein;
- external and internal cybersecurity incident information sharing and communications; and
- reporting of significant cybersecurity incidents to the SEC.
Funds would have to prepare written documentation of any cybersecurity incident, including the response and recovery.
Proposed Rule 38a-2 would require funds to review their cybersecurity policies and procedures at least annually, assess their design and effectiveness, including whether they reflect changes in cybersecurity risk over the period covered by the review, and prepare a written report (the "Cyber Report"). The Cyber Report would be required to describe the review, the assessment and any control tests performed and their results, document any cybersecurity incident that occurred during the period covered by the report, and discuss any material changes.
Role of the Board of Directors
The board, including a majority of independent directors, would be required to approve the written cybersecurity policies and procedures and to receive the Cyber Report.
The Proposing Release notes that the board may satisfy its obligations to approve the cybersecurity policies and procedures by reviewing summaries of such documents prepared by the Cyber Program Administrators, similar to how reviews of other policies are conducted under Rule 38a-1. In reviewing the Cyber Report, the Proposing Release notes that boards will generally want to discuss with the Cyber Program Administrators whether the fund has adequate resources with respect to cybersecurity matters, including access to cybersecurity experts, and ask questions about the effectiveness of the policies and procedures. Boards may also want to discuss oversight of service providers and review summaries of risk assessments performed on any service providers that receive, maintain or process fund information, or that are permitted to access fund information systems.
Proposed Amendments to Fund Disclosures
The SEC is also proposing that funds be required to provide prospective and current investors with disclosure about significant cybersecurity incidents. Specifically, funds would be required to describe in their registration statements any significant fund cybersecurity incident that occurred in the fund’s last two fiscal years and affected the fund or its service providers, and that information would have to be tagged using a structured data language. The disclosure would have to include the following information, to the extent known:
- the entity or entities affected;
- when the incident was discovered and whether it is ongoing;
- whether any data was stolen, altered, or accessed or used for any other unauthorized purpose;
- the effect of the incident on the fund’s operations; and
- whether the fund or service provider has remediated or is currently remediating the incident.
If the cybersecurity landscape or a fund’s own cybersecurity risks change, the fund would need to consider whether to file supplements to its registration statement to make timely disclosure of cybersecurity risks and significant fund cybersecurity incidents. In addition, the Proposing Release notes that funds should generally include in their annual reports to shareholders a discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent that these were factors that materially affected the fund’s performance over the past fiscal year.
Comment Period
Comments on the Proposing Release should be submitted on or before (i) 30 days after the Proposing Release is published in the Federal Register or (ii) April 11, 2022, whichever is later.
[1] Release IC-34497, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (February 9, 2022) at https://www.sec.gov/rules/proposed/2022/33-11028.pdf ("Proposing Release").
[2] Regulation S-P requires written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
[3] Regulation S-ID requires written policies and procedures reasonably designed to identify and detect relevant red flags, as well as respond appropriately to red flags so as to prevent and mitigate identity theft.