Prepare, Report, Record: SEC Proposes New Cybersecurity Requirements for Investment Advisers and Funds

In the latest move by a regulator aimed at bolstering cyber defenses, on February 9, 2022, the U.S. Securities and Exchange Commission voted to propose new rules to address the cybersecurity risks faced by registered investment advisers (advisers) and registered investment companies (funds).

The SEC emphasized that advisers and funds are increasingly reliant on interconnected systems and networks of technology vendors to fulfill their mission, which exposes them to cybersecurity threats and attacks. To mitigate these risks, the SEC is requiring advisers and funds to adopt cyber risk management policies and procedures, disclose significant cyber risks and events and maintain related records.

Plan for Cyber Attacks. Under the proposed rules, Rules 206(4)-9 under the Investment Advisers Act of 1940 (IAA) and 38a-2 under the Investment Company Act of 1940 (ICA) would require advisers and funds to implement policies and procedures to address cybersecurity risks.

The SEC did not opt for a one-size-fits-all set of minimum requirements. Rather, the proposed rules call for advisers and funds to tailor their plans to their individual business operations and attendant cybersecurity risks, and identify service providers that process investor or operational information or that can access adviser and fund networks. The SEC would also require advisers and funds to assess their plans annually to account for changes to the threat landscape.

Report Significant Risks and Incidents. Next, the proposed rules would require advisers and funds to disclose significant cybersecurity risks and incidents, adding to the patchwork of state and federal breach notification obligations. The SEC proposes two new reporting streams:

• First, advisers would be required to report significant cyber incidents promptly (i.e., within 48 hours of becoming reasonably aware) to the SEC by filing a new Form ADV-C. The SEC proposes to define reportable incidents as those that significantly disrupt critical operations or lead to the unauthorized access or use of adviser information resulting in substantial harm to the adviser, client or investor whose information was accessed.
• Second, the SEC also would require certain notices to the investing public. The proposal would amend Form ADV Part 2A to require advisers to disclose cybersecurity risks and incidents to current and prospective clients. Additionally, funds, in their registration statements, would have to disclose any significant cybersecurity incidents within the last two fiscal years.

Keep Records. Finally, advisers and funds would be required to maintain records related to their new cybersecurity planning and reporting obligations, through amendments to IAA Rule 204-2 and ICA Rule 38a-2.

The proposals continue the SEC’s push to boost cyber preparedness and accountability in the financial sector. In public remarks in January, SEC Chairman Gary Gensler cited the growing frequency of large-scale cyberattacks as justifying the agency’s attention on cyber resiliency. He suggested more proposals may be forthcoming, potentially including rules aimed at enhancing the cybersecurity governance, strategy and risk management of public issuers. With this in mind, the Fenwick team will be watching this space and monitoring for developments.

The proposed cybersecurity rules for advisers and funds are open for public comment until 30 days after the date of publication in the federal register or April 11, 2022, whichever is later.