Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and TradeStation with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures (https://www.sec.gov/news/press-release/2022-131). The violations at issue might seem less than critical, such as not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisers to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million) underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker-dealers and investment advisers to up their game and focus on the details.
This brings us back to another initiative by the SEC. Noting the lack of cybersecurity preparedness it has observed by registered investment advisers (“advisers”) and investment companies (“funds”), and the significant impact that a cybersecurity breach could have on clients and markets, the SEC proposed rules on February 9, 2022 to fill the gaps it believes are left by the current regulatory framework, such as Regulations S-P and S-ID. Entitled “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies” (https://www.sec.gov/rules/proposed/2022/33-11028.pdf), the proposed rules would impose significant obligations on covered entities, including obligations to adopt and implement written cybersecurity policies and procedures containing certain elements (described below), disclose significant cybersecurity risks and incidents and amend those disclosures as needed, retain relevant records for five years, and report significant cybersecurity incidents to the SEC.
The SEC’s introduction to the proposed rules reveals its concerns not only with loss of data and exposure of client personal information, but also interference with the ability of funds and advisers to access information and systems needed to engage in trading and execute on investment strategies. Similar to what we have seen in recent years under state laws requiring businesses to engage in reasonable measures to address cybersecurity of personal data, the SEC’s proposed rules emphasize the need for covered entities to conduct cybersecurity assessments of vendors and other third parties and impose security obligations in the covered entities’ written contracts with such third parties. As we’ve also seen with other comprehensive privacy and cybersecurity legislation and regulation, the SEC recognizes that the programs to be developed by covered entities should be risk-based and “tailored based on [the covered entity’s] business operations, including its complexity, and attendant cybersecurity risk.”
While the time to submit comments on the rule proposals has passed, advisers and funds should be aware of this initiative in order to watch for any further information from the SEC related to these proposals and to plan for any procedure or control enhancements that may need to be made in the future based on them. Notably, the proposed rules appear to mirror in certain ways other cybersecurity rules (such as the Safeguards Rule described below) that may apply to an adviser’s clients, suggesting that advisers and funds may find guidance in how those rules are implemented and enforced. Regardless of the basis for the proposed rules, they continue the SEC’s focus on cyber threats to the investment management industry and provide a hook for future enforcement actions, such as those seeking cease and desist orders, censures, fines, suspensions, bars and, in some incidents that violate the SEC’s antifraud authority, potential criminal sanctions. The following addresses major components and issues under the proposed rules.
Who is Covered?
Parts 275 and 279 of the proposed rules would apply to investment advisers who are registered or are required to be registered with the SEC under the Investment Advisers Act of 1940. Exempt reporting advisers would not generally be subject to the substantive requirements of the proposed rules, although they would be required to file certain required information included in revised Form ADV. Parts 270 and 274 of the proposed rules would apply to business development companies and funds that are registered or are required to be registered with the SEC.
Securities broker-dealer firms are subject to FINRA oversight and are not covered by these particular SEC proposed rules, which are applicable to investment advisers and funds. However, firms that are registered as both broker-dealers and as investment advisers would be subject to FINRA’s cybersecurity requirements, any applicable state law provisions, and the proposed rules here for investment advisers, which raises the possibility that certain cybersecurity processes or reporting obligations may apply to different cybersecurity incidents, depending on whether the incident affects the broker-dealer, the investment adviser or both.
Why Does the SEC Believe Current Regulation is Insufficient?
As the SEC recognized in its release, investment advisers already have fiduciary obligations to protect client interests from being placed at risk because of the adviser’s inability to provide advisory services. As such, advisers currently consider different regulatory requirements that indirectly address cybersecurity and should take steps to minimize cybersecurity incidents. In addition, advisers must adopt, implement, and annually audit policies and procedures under the Advisers Act compliance rule (17 CFR 275.206(4)-7), and the SEC has recognized that advisers consider cybersecurity risks when developing those procedures to address those risks. In addition, Regulation S-P (the “Safeguards Rule”) under the Gramm-Leach-Bliley Act (GLBA) clearly requires financial institutions (as broadly defined under GLBA) to have adequate administrative, physical and technical measures to protect nonpublic personal information of customers who are individuals. The SEC noted in its release that Reg S-P applies to advisers and funds. In addition, Regulation S-ID (17 CFR 248.201 through 202), the subject of the recent enforcement action against JPMS, UBS and TradeStation, requires advisers and funds to develop and implement an identity theft program. Various federal regulators enforce Regulation S-P with regard to regulated entities. For example, the SEC enforces Regulation S-P for SEC registrants, such as investment advisers and broker-dealers. Conversely, the FTC regulates compliance with Regulation S-P for other “financial institutions” not subject to the enforcement authority of another federal regulator. However, relevant to investment advisers, private funds (i.e., investment companies exempt from registration under the Investment Company Act) are subject to the FTC’s Safeguards Rule. As a result, private fund advisers have frequently adopted cybersecurity policies consistent with this modified Safeguards Rule in their role as managers and advisers.
Between the various federal regulatory authorities responsible for enforcement of Reg S-P, and differing cybersecurity requirements adopted under state law, the landscape for cybersecurity regulation potentially applicable to investment advisers and funds can appear fragmented.
In light of this fragmented landscape, the SEC’s apparent intent with respect to the proposed rules is to establish a common standard for cybersecurity requirements for investment advisers and funds, while also imposing more robust requirements than these entities may have otherwise adopted consistent with existing regulatory frameworks. For example, although Regulation S-P requires a written information security plan, it does not contain detailed requirements regarding security, especially compared with more comprehensive security requirements like the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (https://www.dfs.ny.gov/industry_guidance/cybersecurity) or cybersecurity requirements for personal health information under HIPAA. In addition, Regulation S-P does not mandate reporting to government regulators. Likewise, the Advisers Act compliance rule does not specifically require cybersecurity policies and procedures and does not require reporting of data incidents. Given the prevalence and potential impact on clients, covered entities and the markets, the SEC believes specific and comprehensive cybersecurity rules are needed. The proposed rules, under 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act, would fill this gap.
Reporting Significant Cybersecurity Incidents to the SEC.
Proposed section 275.204-6 requires advisers to report to the SEC on proposed form ADV-C any “significant” adviser or fund cybersecurity incident within 48 hours after “having a reasonable basis to conclude that any such incident has occurred or is occurring.” Advisers must submit the report by filing a Form ADV-C (which the proposed rules amend) electronically in the Investment Adviser Registration Depository (IARD). The proposed rule also requires the adviser to amend a previously filed Form ADV-C within 48 hours after information on a previously filed form becomes materially inaccurate, any new material information related to the incident is discovered, the incident is resolved, or the internal investigation regarding the incident is closed. The adviser’s reporting obligations extend to reporting on ADV-C for its registered fund and business development company clients. The information required to be reported under the proposed rule is extensive and includes whether the incident is covered under a cyber-insurance policy. If the significant cybersecurity incident resulted from a cybersecurity incident at a service provider, the adviser must describe the services provided to the fund or the adviser by the service provider and how any degradation in the services has affected the adviser’s operations. The SEC currently proposes that information included on Form ADV-C remain confidential and not be publicly disclosed, although it has requested comment on whether certain information included in Form ADV-C should be publicly disclosed.
Notice to Clients.
The proposed rules would amend 275.204-3(b)(4) to require an adviser to treat disclosures of cybersecurity incidents as a material change to its brochure, meaning advisers will be required to “promptly” deliver amended brochures or brochure supplements, as applicable, and/or a statement, describing the significant cybersecurity incident.
What is a “significant cybersecurity incident”?
Suffice it to say that the definitions in the proposed rules are broad. Proposed Rule 204-6 and Proposed Rule 270.38 define “cybersecurity incident” and “significant cybersecurity incident” similarly. A “cybersecurity incident” is an unauthorized occurrence that jeopardizes: (i) fund or adviser information or (ii) their information systems. Fund and adviser information is limited to electronic information, but otherwise covers any information “related to” the adviser’s or the fund’s business (including information that can be used to identify an individual alone or in conjunction with other information) that is received, maintained, created or processed by the fund or adviser (as applicable). For advisers, it also includes “any other non-public information regarding a client’s account.” The SEC noted in its release on the proposed rules that “unauthorized access” includes exceeding authorized access. Thus an employee who accesses a file for which he or she does not have authorization might create a “cybersecurity incident” if it jeopardizes fund or adviser information or information systems. Readers familiar with case law under the Computer Fraud and Abuse Act will recall that even SCOTUS struggles with determining when someone “exceeds authorized access” (https://www.mvalaw.com/data-points/so-what-scotus-limits-scope-of-computer).
Under the proposed rules, a cybersecurity incident, or a group of related incidents, becomes “significant” (and thus reportable) when it has certain impacts on either: (i) the adviser’s or fund’s operations; or (ii) harm to the fund, adviser, investor or client. With respect to the first prong, the cybersecurity event becomes significant if it “significantly disrupts or degrades” the fund’s or adviser’s ability to maintain critical operations. The SEC views “critical operations” as including investment, trading, reporting, and risk management of the adviser or fund, and operating in accordance with federal securities laws. (Proposed Rule Commentary, Discussion II.B. (p.47)) Thus cyber incidents (such as ransomware or malware) that would prevent (or perhaps delay) the adviser from implementing investment strategy, communicating with clients, or processing or recording transactions, could fall under the definition of a significant cybersecurity incident. Under the second prong, the cybersecurity event becomes significant if it leads to unauthorized access or use of fund or adviser information that results in “substantial harm” to the fund, adviser, or an investor or adviser client whose information was accessed. The SEC views significant monetary loss and theft of personally identifiable or proprietary information as potential “substantial harm” but notes that other disclosure, modification, deletion or destruction of adviser, fund or client data or theft of intellectual property or client assets, could result in a “substantial harm.” Advisers and funds, therefore, will need to carefully assess the risk of not reporting anything other than a de minimis harm.
In addition, under the proposed rules, a single cybersecurity incident or a group of related cybersecurity incidents can create a “significant” cybersecurity incident. Because the proposed rules require reporting of “significant” cybersecurity incidents, funds and advisers will need to continue to assess whether a single incident that does not result in harm might, in combination with other incidents, become significant. Also note that advisers under the proposed rule have an obligation to report both significant fund cybersecurity incidents and significant adviser cybersecurity incidents.
Needless to say, these broad definitions will require broad policy and reporting coverage.
Written Cybersecurity Policies and Procedures—Controls Designed to Mitigate Risk.
Under the proposed rules, the adviser’s and fund’s written cybersecurity policies and procedures also must include periodic assessments of “cybersecurity risks” to fund or adviser (as applicable) information and information systems. Both funds and advisers must categorize the risks considering the potential impact of a cybersecurity incident on the fund or adviser, as well as the risks posed by the fund’s or adviser’s service providers that “receive, maintain, or process” fund or adviser information. Thus a fund or adviser will need to engage in: (i) an inventory of the components of its information systems, (ii) data mapping to understand what data it and its service providers collect, create, maintain and process, (iii) an evaluation of its systems and current cybersecurity threats to understand risks, and (iv) due diligence on its service providers. The risk assessments must be documented in writing. Factors that could impact risk specifically noted by the SEC in its commentary include international operations, insider threats, and remote and traveling employees.
The proposed risk assessment requirement is broad and potentially costly. It will require analysis regarding who is a service provider, a term not defined by the proposed rules. In fact, a fair portion of the SEC commentary focuses on service provider risk, and the SEC specifically mentions service providers who provide trade order management systems that allow advisers to automate trading and cloud service providers who maintain books and records or a service used by a fund to calculate the fund’s net asset value. In addition, the SEC commentary to the proposed rules recognizes that some advisers and funds share cybersecurity and information technology resources, infrastructure and systems with a larger group or company structure. Thus assessment of these resources is important. The commentary also suggests that a risk assessment, although theoretically able to be conducted by internal personnel, would benefit from input from third-party cybersecurity experts, with oversight by the fund or adviser. The SEC expects that the assessment will be ongoing as cybersecurity risks arise, and suggests that covered entities monitor updates from private and governmental resources, such as the FS-ISAC (https://www.fsisac.com/) and DHS CISA (https://www.cisa.gov/).
Under the proposed rules, the written policies and procedures must also include such familiar controls as:
- user security and access (including standards of behavior and acceptable use policies and remote access issues, user identification and two-factor authentication, password policies, and need-to-know access limitations to specific data);
- information protection (including oversight of and written security requirements in contracts with security providers, and monitoring of information systems and protection of such systems from malware and other unauthorized access and use);
- threat and vulnerability management (detecting, mitigating and remediating threats and vulnerability through monitoring internal systems, systems used by service providers and external threat trends);
- incident response and recovery (including measures to detect, respond to and recover from a cybersecurity incident, even if not “significant”, procedures for reporting “significant” cybersecurity incidents, and written documentation of any cybersecurity incident);
- annual review of the design and effectiveness of these policies and procedures. For advisers, the annual review of the cybersecurity policies must include a written report covering the annual review, control tests performed and the results, any cybersecurity incidents, and material changes to policies and procedures. The rules contemplate that the person employed by the adviser or fund to oversee the cybersecurity policies should prepare or oversee the report, not just hand it off to an external cybersecurity expert; and
- for a fund, board oversight (including the fund board of directors approving the policies and procedures). The fund must also provide, for review by the fund’s board of directors, a written report prepared no less frequently than annually by the fund that, at a minimum, describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.
The proposed rules would require advisers to comply with a 5-year recordkeeping requirement with respect to their cybersecurity policies and procedures, a copy of the written reports described above, Forms ADV-C, records documenting the occurrence of cybersecurity incidents, and records documenting the risk assessment. Funds would be required to maintain for 5 years, as applicable, policies and procedures, written reports to the board, documentation of the fund’s annual review, the report of significant fund cybersecurity incidents to the SEC by its adviser, records documenting the occurrence of cybersecurity incidents, and records documenting the risk assessment.
A fund must provide in its prospectus a description of any significant fund cybersecurity incident that is currently affecting, or has affected within the last two years, the fund or its service providers.
The SEC has received comments from over 60 commentators. The April 11, 2022 comments from the Investment Adviser Association (https://www.sec.gov/comments/s7-04-22/s70422-20123274-279542.pdf) note a variety of issues posed by the breadth of the terms, including the diligence, contracting and oversight requirement on all service providers, the short 48-hour reporting and amendment to reporting requirements (which the IAA believes could interfere with the adviser’s efforts to respond to the breach), the breadth of the information required to be disclosed giving cybercriminals a “roadmap”, and the cost of compliance with the various audit and other requirements. The IAA also pushes for federal regulation to provide uniformity in data breach reporting and notices.
Advisers and funds should be on the lookout for further developments with respect to these proposed rules and also be on the lookout for further SEC guidance in the cybersecurity space based on examination observations, enforcement actions, speeches, and other SEC communications, particularly in light of the ever changing cyber-risk environment.
The FTC recently issued helpful guidance regarding compliance with the Safeguards Rule (https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know). Reg S-ID (17 CFR 248.201 through 202) requires covered entities to draft and implement a written identity theft program.