SEC Proposes New Cybersecurity Risk Management Rules for Advisers and Funds (Registered Funds Regulatory Update)

04.06.22

(Article from Registered Funds Regulatory Update, April 2022)

On February 9, 2022, the SEC proposed new Rule 38a-2 under the Investment Company Act and Rule 206(4)-9 under the Advisers Act, which, if adopted, will require registered investment companies, business development companies and registered investment advisers to adopt and implement written cybersecurity policies and procedures. The proposed rules are designed to address concerns about the growing sophistication of cyber threat actors in the industry by enhancing investor protection against cybersecurity risks and providing the SEC with more comprehensive oversight of such risks and incidents. The proposed rules and related amendments would require:

  1. advisers and funds to adopt and implement written cybersecurity policies and procedures, including specific enumerated elements, reasonably designed to address cybersecurity risks that could harm fund investors and advisory clients;
  2. reporting of significant adviser and fund cybersecurity incidents within 48 hours to the SEC on proposed Form ADV-C, a new confidential reporting form;
  3. enhanced disclosures relating to cybersecurity risks and incidents to existing and potential investors; and
  4. advisers and funds to maintain, make, and retain certain cybersecurity-related books and records.

Highlights of the proposed rules and related amendments include the following:

Adoption of Cybersecurity Policies and Procedures. The first element of the proposed rules addresses the SEC’s concerns that advisers and funds have not implemented reasonably designed policies and procedures to sufficiently defend against increasingly complex cybersecurity threats. If adopted, the proposed rules would require advisers and funds to adopt and implement written policies and procedures that would include, among other things, five enumerated elements but would allow them the flexibility to tailor their cybersecurity policies and procedures to the specific nature and scope of their businesses and specific cybersecurity risks. These required elements include:

  • performance of periodic written risk assessments to categorize and prioritize cybersecurity risks;
  • user security and access controls designed to minimize user-related risks and prevent unauthorized access to information;
  • information system monitoring to protect information from unauthorized access;
  • threat and vulnerability management to detect, mitigate, and remediate cybersecurity threats and vulnerabilities; and
  • cybersecurity incident response and recovery measures to detect, respond to, and recover from cybersecurity incidents.

Annual Review of Cybersecurity Policies and Procedures. Under the proposed rules, advisers and funds would be required to review and assess the design and effectiveness of the written policies and procedures at least annually, including whether the policies and procedures reflect changes in cybersecurity risks over the review period, and prepare a written report of cybersecurity risks and incidents. The written report should, at a minimum, describe and explain the results of the annual review, assessment, and any control tests performed, document cybersecurity incidents that occurred since the date of the last report, and discuss any material changes to the policies and procedures since the date of the last report.

Board Oversight. A fund’s board of directors, including a majority of its independent directors, would be required to initially approve the cybersecurity policies and procedures and no less than annually review the written report. This requirement is designed to provide directors with the information necessary to make informed decisions about the effectiveness and implementation of the cybersecurity policies and procedures and whether the fund has adequate resources with respect to cybersecurity matters.

Reporting Requirements for Cybersecurity Incidents. The proposed rules provide that advisers must report significant cybersecurity incidents to the SEC on new Form ADV-C, including on behalf of a client that is a registered investment company, a business development company or a private fund. Form ADV-C must be submitted to the SEC within 48 hours after there is a reasonable basis to conclude that a significant cybersecurity incident has occurred. The proposed rules define a “significant cybersecurity incident” as:

a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.

The SEC believes that collecting information about significant cybersecurity incidents in a structured format on Form ADV-C will enhance its ability to carry out its risk-based examination program, assess trends in cybersecurity incidents across the industry, and better protect investors from any patterned cybersecurity threats.

Disclosure of Cybersecurity Risks and Incidents. The proposed rules would also require enhanced, plain-English disclosure of cybersecurity risks and incidents to investors by modifying Form ADV Part 2A for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 for funds. The proposed rules would require advisers to describe cybersecurity risks that could materially affect the advisory services they offer. Additionally, advisers would be required to describe any cybersecurity incident within the last two years that significantly disrupted their ability to maintain critical operations, or that led to the unauthorized access or use of adviser information resulting in substantial harm to the adviser or its clients.

For purposes of disclosure, funds should also consider whether cybersecurity risks are “principal risks” to the fund. For example, a fund that has had multiple cybersecurity incidents in a short period of time may need to reflect this information in its prospectus disclosure.

Recordkeeping. The proposed rules and amendments would require advisers and funds to maintain current and previous records (dating back five years) related to cybersecurity risk management, including any cybersecurity incidents.

In a formal statement released following the publication of the proposed rules, SEC Chair Gary Gensler noted that the proposed rules are “designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” In her dissenting statement, Commissioner Hester Peirce expressed concerns that the proposed rules would require micromanagement of companies and that they would cast the SEC “as the nation’s cybersecurity command center, a role that Congress did not give [the SEC].” She went on to state that “[w]hile the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business—not SEC—judgment.”

The proposed rules and related amendments are subject to comment for 30 days after publication in the Federal Register or April 11, 2022, whichever is later.

Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Rel. No. 34-94197 (Feb. 9, 2022), available at: https://www.sec.gov/rules/proposed/2022/33-11028.pdf.