In the latest move by a regulator aimed at bolstering cyber defenses, on February 9, 2022, the U.S. Securities and Exchange Commission voted to propose new rules to address the cybersecurity risks faced by registered investment advisers (advisers) and registered investment companies (funds).
The SEC emphasized that advisers and funds are increasingly reliant on interconnected systems and networks of technology vendors to fulfill their mission, which exposes them to cybersecurity threats and attacks. To mitigate these risks, the SEC proposes to require advisers and funds to adopt cyber risk management policies and procedures, disclose significant cyber risks and incidents, and maintain related records.
Plan for Cyber Attacks. Proposed Rule 206(4)-9 under the Investment Advisers Act of 1940 (IAA) and proposed Rule 38a-2 under the Investment Company Act of 1940 (ICA) would require advisers and funds to implement policies and procedures to address cybersecurity risks.
The SEC did not opt for a one-size-fits-all set of minimum requirements. Rather, the proposed rules call for advisers and funds to tailor their plans to their individual business operations and attendant cybersecurity risks, and identify service providers that process investor or operational information or that can access adviser and fund networks. The SEC would also require advisers and funds to assess their plans annually to account for changes to the threat landscape.
Report Significant Risks and Incidents. Next, the proposed rules would require advisers and funds to disclose significant cybersecurity risks and incidents, adding to the patchwork of state and federal breach notification obligations. The SEC proposes two new reporting streams:
Keep Records. Finally, advisers and funds would be required to maintain records related to their new cybersecurity planning and reporting obligations, through amendments to IAA Rule 204-2 and ICA Rule 38a-2.
The proposals continue the SEC’s push to boost cyber preparedness and accountability in the financial sector. In public remarks in January, SEC Chairman Gary Gensler cited the growing frequency of large-scale cyberattacks as justifying the agency’s attention on cyber resiliency. He suggested more proposals may be forthcoming, potentially including rules aimed at enhancing the cybersecurity governance, strategy and risk management of public issuers. With this in mind, the Fenwick team will be watching this space and monitoring for developments.
The proposed cybersecurity rules for advisers and funds are open for public comment until 30 days after the date of publication in the Federal Register or April 11, 2022, whichever is later.