The SEC’s proposed cybersecurity rules for investment advisers and funds aim to enhance cybersecurity preparedness and serve as an opportunity for firms that are lagging in their cyber practices to accelerate their pace of investment. Explore the evolution of SEC’s approach to cybersecurity, the proposed rules, and implications and next steps for firms in our report.
On February 9, 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules applicable to investment advisers and funds. The SEC’s cybersecurity focus now directs particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under federal securities laws. In proposing cybersecurity rules for investment advisers and funds, the SEC staff makes clear that it continues to observe a lack of cybersecurity preparedness.
Designed to improve investor confidence in the resiliency of investment advisers and funds against cybersecurity threats and attacks, the proposed rules require:
Proposed new rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. The proposal describes five “general elements” of cybersecurity policies and procedures:
The proposed new rule 204-6 under the Advisers Act would require registered advisers to report any significant adviser cybersecurity incident or significant fund cybersecurity incident via a new Form ADV-C within 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring. The proposal would also amend Form ADV Part 2A for advisers’ and funds’ registration statements.
The proposal raises a host of considerations for advisers and funds regarding their cybersecurity practices. Some actions for firms to consider include elevating the governance of cyber risk management, conducting a gap assessment of the cyber program against leading practices and regulatory expectations, accelerating the timeline for enhancing the cyber core, identifying a team with primary responsibility for cyber compliance, and conducting tabletop exercises.