SEC Proposes Cybersecurity Rule for Advisers, Investment Companies

On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.

Relying on the Commission’s mission to protect investors and ensure orderly markets, the Release cites increasing cybersecurity threats and emphasizes the disruptive consequences and costs (to advisers, funds and investors) of unpreparedness. The Release grounds the Proposal in advisers’ fiduciary duty to clients and the anti-fraud “compliance rule” requiring written policies and procedures to ensure compliance with that fiduciary duty (and other SEC regulations). 17 C.F.R. § 275.206(4)-7; 17 C.F.R. § 270.38a-1 (“Investment Company compliance rule”). The Release asserts the Proposed Rules are necessary, even as it cites existing Rules that already address cybersecurity issues: Reg. S-P, 17 C.F.R. 248.1 through 248.31, already requires safeguarding customer records and information, and so encompasses cybersecurity – as does existing Reg. S-ID, 17 C.F.R. 248.201-.202, which requires a written identity-theft program.

Generally, the Proposed Rule has four key pillars, requiring firms to: (1) “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks,” Proposed Rules 206(4)-9 and 38a-2; (2) “report cybersecurity incidents affecting the adviser, its fund or clients;” (3) disclose significant cybersecurity risks and incidents, by Proposed Amendments to Form ADV and various Fund forms; and (4) implement concomitant recordkeeping requirements.

In summary, the Proposed Rule requires:

Cybersecurity Risk Management Policies and Procedures

Written Policies and Procedures

Risk Assessment – Conduct periodic risk assessments, with written documentation, that address:

  • inventory, categorization and prioritization
  • vendors and service providers

Assessments must be performed periodically, no less than annually, or as otherwise necessary to address changes to the business or its threat landscape.

User Security and Access – Policies and procedures that must include:

  • Standards of behavior for authorized users
  • Two-factor user identification and authorization
  • Timely distribution, replacement and revocation of passwords
  • Least-necessary user access
  • Securing remote technologies

Information Protection – Monitoring and periodic assessment of information systems and data, considering:

  • Data sensitivity and importance
  • Personal information
  • Data access, storage and transmission
  • Access controls and malware protection
  • Potential consequences of a security incident

Threat and Vulnerability Management – Monitoring, remediation, and response training.

Incident Response and Recovery – Operational continuity, data protection, incident information sharing and reporting to the Commission, including written compliance policies and procedures.

Annual Review and Written Reports

Fund Board Oversight

Oversight and approval by a Fund’s board, including a majority of its independent directors.

Recordkeeping

Recordkeeping for the standard five-year retention, including at a minimum: (a) the cybersecurity policies and procedures; (b) report of annual review; (c) any Form ADV-C filed; (d) records regarding any incident; (e) records of risk assessment.

Reporting to the Commission

Proposed Rule 204-6 would require completion and filing of new Form ADV-C by an adviser not more than 48 hours after having a reasonable basis to believe a “significant cybersecurity incident” has occurred or is occurring, together with material updates within 48 hours. A “significant incident” is proposed as one that significantly disrupts or degrades critical operational continuity or results in substantial harm to the adviser, fund or investors.

Disclosure of Cybersecurity Risk and Incidents

Disclosure of Cybersecurity Risk and Incidents as part of existing disclosure requirements for advisers (Form ADV) and funds, including delivery of interim amendments to existing clients.

Commissioner Peirce dissented, stating that while well-intentioned, the Proposed Rule is:

  • Too prescriptive for an issue that requires constant flexibility, innovation and is better suited for a public-private cooperative initiative;
  • Improperly grounded in the anti-fraud rules, because it addresses operational risk and compliance issues in situations where the adviser most often is the victim, not the perpetrator; and
  • Perhaps unnecessary, given the existing Rules addressing cybersecurity in part.

Her dissent can be found here. Indeed, although the Commission can regulate broker-dealers, the Proposed Rule does not address them. Instead, its delegated self-regulatory organization, FINRA, has taken a far less prescriptive approach to cybersecurity under a number of its existing rules. See 2022 Report on FINRA’s Examination and Risk Monitoring Program at 10 et seq., here.

Comments on the Proposal must be submitted to the Commission by the later of 30 days after publication in the Federal Register or April 11, 2022.

The SEC’s press release is here. The Proposal, Release No. 34-94197, IA-5956, IC-34497 (file S7-04-22), is here.

Thomas K. Potter, III (tpotter@burr.com) is a partner in the Securities Litigation Practice Group at Burr & Forman LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.
