SEC proposal: Cybersecurity risk management for RIAs and funds

Mar 02, 2022

The SEC recently issued a proposed rule related to cybersecurity risk management for registered investment advisers (RIAs), and registered investment companies and business development companies (funds). If finalized, the proposed rule would require:

  • RIAs and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks that could harm RIA clients and fund investors or lead to the unauthorized access to or use of RIA or fund information. Such an RIA’s or fund’s cybersecurity policies and procedures generally should be tailored based on its business operations, including its complexity, and attendant cybersecurity risks. However, the proposed rule requires these policies and procedures to address certain general elements, including risk assessment, user security and access, information protection, threat and vulnerability management, and incident response and recovery.
  • RIAs and funds, at least annually, to (a) review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and (b) prepare a written report. The report would, at a minimum, describe the annual review, assessment and any control tests performed; explain the results thereof; document any cybersecurity incident that occurred since the date of the last report; and discuss any material changes to the policies and procedures since the date of the last report. The written report should be prepared or overseen by the person(s) who administer the RIA’s or fund’s cybersecurity policies and procedures and should consider any risk assessments performed by the RIA or fund.
  • A fund’s board of directors, including a majority of its independent directors, initially to approve the fund’s cybersecurity policies and procedures, as well as to review the written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures that would be required to be prepared at least annually.
  • RIAs to report significant cybersecurity incidents affecting the RIA, or its fund or private fund clients, to the SEC on new confidential Form ADV-C, within 48 hours after having a reasonable basis to conclude that a significant RIA cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring. Amendments to Form ADV-C would be required within 48 hours if new material information about a previously reported incident is discovered, if information reported on the form becomes materially inaccurate, or after resolving a previously reported incident or closing an internal investigation pertaining to a previously disclosed incident.
  • RIAs to publicly disclose in their brochures (Form ADV Part 2A) cybersecurity risks that could materially affect the advisory services they offer and describe how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business; and any cybersecurity incidents that occurred in the last two fiscal years that have significantly disrupted or degraded the RIA’s ability to maintain critical operations, or that have led to the unauthorized access or use of RIA information, resulting in substantial harm to the RIA or its clients. Likewise, funds also would be required to provide prospective and current investors with disclosure about significant cybersecurity incidents that have occurred in the last two fiscal years and to make certain disclosures in their registration statements.
  • RIAs to maintain (a) a copy of their cybersecurity policies and procedures that are in effect, or at any time within the past five years were in effect; (b) a copy of the RIA’s written report documenting the annual review of its cybersecurity policies and procedures in the last five years; (c) a copy of any Form ADV-C filed by the RIA pursuant to the proposed rules in the last five years; (d) records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident, in the last five years; and (e) records documenting an RIA’s cybersecurity risk assessment in the last five years.

The proposal sets forth a number of requests for comment. Industry participants should carefully consider the implications of the proposal, and consider submitting feedback to the SEC on the proposed changes. The public comment period will remain open for 30 days after the proposal is published in the Federal Register.
