After many years of signaling a potential expansion of its cybersecurity rules, the Securities and Exchange Commission (SEC) has issued two new sets of proposed cybersecurity rules within the past month. The more recent set governs the disclosure of unscheduled material cyber events by public companies. It follows last month’s proposed cybersecurity risk management regulations, which apply to registered investment advisers (RIAs) and registered funds. The new rules for RIAs, in particular, represent a significant expansion of the SEC’s oversight and signal the Commission’s recognition that cybersecurity is a systemic risk to the markets, affecting firms of all sizes.
New Requirements for RIAs
Current SEC rules require SEC-registered investment advisers and registered funds (collectively, “Covered Entities”) to implement policies and procedures that address the privacy and security of individuals’ customer information. The recently proposed updates would go beyond customer information to address cybersecurity preparedness gaps by regulating advisers’ and funds’ information systems and cybersecurity practices more generally.
The proposal would:
- Require SEC-registered investment advisers and registered funds to adopt and implement written policies and procedures that are reasonably tailored to address cybersecurity risks;
- Require SEC-registered investment advisers to report “significant cybersecurity incidents” to the SEC within 48 hours of having a reasonable basis to conclude that such an incident has occurred, including incidents affecting the adviser itself or any registered fund or private fund the adviser manages;
- Create enhanced adviser and fund disclosure requirements as they relate to cybersecurity risks and significant cybersecurity incidents; and
- Require SEC-registered investment advisers to create, maintain, and retain certain cybersecurity-related books and records.
Cybersecurity Risk Management Rules. The proposal includes a new rule 206(4)-9 under the Advisers Act and a new rule 38a-2 under the Investment Company Act, which would require advisers and funds, respectively, to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks. The proposed rules would require Covered Entities to conduct and document periodic risk assessments and to implement user security and access controls that limit access to information and systems, such as multi-factor authentication. Each Covered Entity would also have to adopt measures to protect its information, including oversight of service providers that have access to the Covered Entity’s information or systems, and to contractually require those service providers to implement and maintain appropriate information protection measures. Additionally, the proposal would require Covered Entities to implement measures and policies to detect, mitigate, respond to, and remediate cybersecurity threats and vulnerabilities. Finally, the rules would require each Covered Entity to review its cybersecurity policies and procedures at least annually and to prepare a written report on their effectiveness.
Reporting of Significant Incidents to the SEC and Enhanced Disclosure Requirements. The proposal also includes a new rule 204-6 under the Advisers Act that would require SEC-registered investment advisers to report “significant” cybersecurity incidents to the SEC. The rule would require the adviser to report the incident electronically within 48 hours after it has a reasonable basis to conclude that a significant cybersecurity incident has occurred. A “significant” cybersecurity incident (a term that covers both a “significant adviser cybersecurity incident” and a “significant fund cybersecurity incident”) is a cybersecurity incident, or a group of related incidents, that “significantly disrupts or degrades” the adviser’s or fund’s ability to “maintain critical operations.” It also includes incidents that lead “to the unauthorized access or use of adviser information” where that access or use results in “substantial harm” to the adviser, to a client, or to an investor in a private fund whose information was accessed.
Additionally, the proposal would require advisers to disclose cybersecurity risks, and any significant cybersecurity incidents that occurred during the last two fiscal years, to their clients and prospective clients. The proposed rules are now subject to a notice-and-comment period, which ends on April 10, 2022 or 30 days after the proposal is published in the Federal Register, whichever is later.
SEC Chair Gensler has repeatedly emphasized the significant risk that cyber incidents pose to the operation and integrity of the financial markets, and the SEC’s recent proposed rules are clearly meant to address the risk to all market participants. It is highly likely that we will see additional rulemaking from the SEC in the near future.