On February 9, 2022, the Securities and Exchange Commission (“SEC”) voted to propose new rules and rule amendments relating to cybersecurity risk management and disclosures for registered investment advisers (“Advisers”), and registered investment companies and business development companies (together, “Funds”). These proposed rules and amendments (the “Proposed Rules”) under the Investment Advisers Act of 1940 (the “Advisers Act”) and the Investment Company Act of 1940 (the “Investment Company Act”) would require Advisers and Funds to (1) adopt new cybersecurity policies and procedures; (2) report significant cybersecurity incidents to the SEC; and (3) disclose cybersecurity risks and incidents.
Cybersecurity Policies and Procedures
Proposed new rule 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act (collectively referred to as the “Risk Management Rules”) would require all Advisers and Funds to adopt and implement written cybersecurity policies and procedures “reasonably designed to address cybersecurity risks.”
The Proposed Rules define “cybersecurity risk” to include “financial, operational, legal, reputational and other adverse consequences that could result from cybersecurity incidents, threats and vulnerabilities.” Generally, the cybersecurity policies and procedures should be reasonably designed to ensure the Adviser’s or Fund’s operational capability when confronted with a cybersecurity incident. Although such policies and procedures should be tailored to fit each firm’s cybersecurity risks, they must include the following general elements:
- Risk Assessment. Advisers and Funds would be required to periodically conduct a risk assessment and prepare written documentation of their cybersecurity risks, as well as those associated with service providers who have access to Adviser or Fund systems or information.
- User Security and Access Controls. The Risk Management Rules would require controls designed to minimize user-related risks and prevent unauthorized access to information and systems, which would include (1) standards of use for individuals authorized to access information and systems; (2) identification and authentication measures, including at least a two-step verification process; (3) procedures for the distribution, replacement, and revocation of passwords or other methods of authentication; (4) restriction of access to information and systems to individuals requiring such access; and (5) secured remote access technologies to interface with Adviser or Fund information systems.
- Information Protection. Advisers and Funds would be required to monitor information systems through periodic assessments to assure information protection, which should take into account (1) the sensitivity and importance of the information to business operations; (2) whether any information is personal information; (3) the means of accessing, storing, and transmitting information; (4) access controls and malware protection; and (5) the potential effect of a cybersecurity incident.
- Threat and Vulnerability Management. Advisers and Funds would be required to monitor cybersecurity threats and vulnerabilities, for example by conducting network, system, and application vulnerability assessments. Suggested mitigation and remediation methods include a patch management program to ensure timely patching of hardware or software vulnerabilities, and maintaining a process to track and address reports of those vulnerabilities.
- Cybersecurity Incident Response and Recovery. Reasonable policies and procedures must include measures to detect, respond to, and recover from a cybersecurity incident, specifically to ensure continued operations, protection of information and information systems, internal and external incident information sharing, and reporting of significant cybersecurity incidents to the SEC (as further described below).
An Adviser or Fund could administer such policies and procedures in-house, or through a third party, subject to appropriate oversight. Similarly, a Fund’s Adviser or sub-Adviser could administer the Fund’s policies and procedures.
Annual Review and Report
The Risk Management Rules would require Advisers and Funds to review their cybersecurity policies and procedures no less than annually to (1) assess the design and effectiveness of such policies and procedures, particularly in light of any changes in risk; and (2) prepare a written report describing the assessment and results.
Proposed rule 38a-2 would also require a Fund’s board of directors (including a majority of its independent directors) to (1) initially approve the cybersecurity policies and procedures, and (2) review the annual review report.
Reporting of Significant Cybersecurity Incidents to SEC
Under proposed rule 204-6 of the Advisers Act, Advisers would be required to submit a newly proposed Form ADV-C promptly, but in no event more than 48 hours, after reasonably concluding that a significant cybersecurity incident has occurred or is occurring. Advisers would need to amend a previously filed Form ADV-C promptly, but in no event more than 48 hours, after (1) the information reported becomes materially inaccurate; (2) new material information is discovered; or (3) the incident is resolved or a related internal investigation is closed.
The new Form ADV-C would collect information regarding a significant cybersecurity incident through a series of check-the-box and fill-in-the-blank questions, and would be filed electronically with the SEC through the Investment Adviser Registration Depository (“IARD”) platform. The SEC’s preliminary view is that Form ADV-C should be confidential.
Disclosure of Cybersecurity Risks and Incidents
Advisers. The Proposed Rules would amend Form ADV Part 2A (the “brochure”) to add a new Item 20 entitled “Cybersecurity Risks and Incidents”. Advisers would be required to describe, in plain English, the cybersecurity risks that could materially affect their advisory services, and how they assess, prioritize, and address those risks. Advisers would also be required to describe any cybersecurity incidents that occurred within the last two fiscal years that have resulted in significant disruptions in critical operations or have resulted in substantial harm to the Adviser or its clients.
Rule 204-3(b) under the Advisers Act does not require Advisers to deliver interim brochure amendments to existing clients unless the amendment includes disciplinary information. The Proposed Rules would amend rule 204-3(b) to require an Adviser to deliver interim brochure amendments to existing clients promptly if the Adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.
Funds. Funds would also be required to disclose significant cybersecurity incidents to prospective and current investors. The Proposed Rules would amend Fund registration forms, requiring a description of any significant Fund cybersecurity incident that has occurred during the last two fiscal years and whether it has affected or is currently affecting the Fund or its service providers. The new information must be tagged using Inline XBRL.
Additionally, Funds would need to consider cybersecurity risks when preparing risk disclosures in Fund registration statements. If a cybersecurity risk is determined to be a principal risk of investing in a Fund, that Fund should reflect that in its prospectus. The requirements for disclosure describing the incident would be similar to the information that new Form ADV-C requires. To make timely disclosures of cybersecurity risks and significant cybersecurity incidents, a Fund would file a supplement with the SEC, and include such information in its annual shareholder report.
Recordkeeping
The Proposed Rules would amend the Advisers Act books and records rule (rule 204-2) to require Advisers to maintain certain records for five years, including (1) cybersecurity policies and procedures; (2) annual reviews thereof; (3) documents related to the annual reviews; (4) regulatory filings related to cybersecurity incidents required under the Proposed Rules, including any records related to any response to and recovery from such an incident; (5) records of any cybersecurity incident; and (6) cybersecurity risk assessments.
Comment Period
The full text of the Proposed Rules can be found here. The SEC has requested comments to address 64 specific questions related to the Proposed Rules. Comments are due 30 days after publication in the Federal Register or April 11, 2022, whichever is later.