The Securities and Exchange Commission (“SEC”) recently published proposed rulemaking regarding cybersecurity for (1) investment advisers and funds and (2) public companies. If implemented, these rules will have significant impact regarding cybersecurity governance, risk management by management, oversight by boards of directors, and the maintenance and update of policies, procedures, and compliance programs regarding cybersecurity.
The SEC proposed strengthened cybersecurity requirements for investment advisers and funds[1] in a notice of proposed rulemaking (the “Proposed Rule”) published in the Federal Register on March 9, 2022 and announced on February 9, 2022.[2] The Proposed Rule includes requirements for written cybersecurity policies and procedures to address risk; annual review of such policies and procedures, written reports, and approval by the board of directors; reporting of “significant cybersecurity incidents”[3] to the SEC; inclusion of cybersecurity risks and incidents in various forms and disclosures; and new recordkeeping requirements. The Proposed Rule does not currently exempt any advisers; however, consideration will likely be given to certain exemptions at the entity level based on size[4] and existing regulatory frameworks. Additionally, certain types of data may be exempt. Comments are due on or before April 11, 2022.
Under the existing SEC rules, advisers subject to Section 203 of the Investment Advisers Act of 1940 (the “Act”)[5] are required to adopt and implement written policies and procedures reasonably designed to prevent violation of the Act and the rules that the Commission has adopted under the Act.[6] Funds have similar requirements, though the failure to implement appropriate policies does not deem the provision of investment advice unlawful.[7] Regulation S-P and subsequent guidance require registered advisers and funds to adopt written policies that address safeguards for the protection of customer data.[8] Outside of SEC regulations for registered advisers, some existing industry and state regulations impose data protection and policy requirements on financial services, e.g., the Gramm-Leach-Bliley Act and the New York Department of Financial Services Cybersecurity Regulations. However, the Proposed Rule includes requirements that may go beyond current requirements.
Importantly, the Proposed Rule states: “As a means reasonably designed to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business within the meaning of section 206(4) of the Act (15 U.S.C. 80b-6(4)), it is unlawful for any investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3) to provide investment advice to clients unless the adviser adopts and implements written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks…”[9] As drafted, failure to follow this requirement of the Proposed Rule, if finalized and after going into effect, will render all investment advice given during the period of noncompliance unlawful. Further, not having reasonably designed cybersecurity policies would be considered a fraudulent, deceptive, or manipulative act.
The Proposed Rule requires that these policies and procedures include risk assessments, user security and access controls, information protection, cybersecurity threat and vulnerability management, and cybersecurity incident response and recovery. We briefly outline key portions of these requirements below.
Existing policies and procedures built to comply with alternative regulatory frameworks may not be sufficient.
At least once a year, advisers are required to: (i) review and assess the design and effectiveness of the cybersecurity policies and procedures required by pertinent parts of the Proposed Rule; and (ii) prepare a written report that, at a minimum, describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.[10]
A fund’s board of directors must initially approve the fund’s cybersecurity policies and procedures, as well as review the required annual written report on cybersecurity incidents and material changes to the cybersecurity policies and procedures.[11]
We note that while advisers were previously required to implement policies and procedures designed to prevent a violation of the Act,[12] and while an annual review was required, the Proposed Rule adds requirements such as a written report.
Under the Proposed Rule, financial advisers and funds will be required to report within 48 hours any “significant adviser cybersecurity incident.”[13] The clock starts when the adviser has “a reasonable basis to conclude that any such incident has occurred or is occurring…”[14] This requirement shortens the time period allowed by other pertinent regulations, such as the 72-hour requirement under the NY DFS Cybersecurity Regulation. Incident reporting will be done electronically via the fillable Form ADV-C, submitted through the Investment Adviser Registration Depository (IARD). It is important to note that while other filings under state law and Section 210(a) of the Advisers Act must be made public, the SEC has recognized the implications of making this report public and plans to treat Form ADV-C filings as confidential.
As expected, the preceding new requirements are accompanied by corresponding updated recordkeeping requirements. The record retention spans five years. Both advisers and funds must maintain cybersecurity policies and procedures formulated pursuant to the Proposed Rule; written reports documenting the annual review (for advisers and funds) and provided to the board (for funds); any Form ADV-C filed by an adviser; records documenting the occurrence of any cybersecurity incident, including any response and recovery from such an incident; and records documenting cybersecurity risk assessments.
The last material change to the regulatory framework as a result of the Proposed Rule is a flurry[15] of corresponding amendments to existing forms and disclosures. Brochure disclosure Form ADV Part 2A will now include required information on: cybersecurity risks that could materially affect the advisory services offered and how the adviser assesses, prioritizes, and addresses these risks; and the occurrence of any cybersecurity incidents within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.
Comments on the Proposed Rule are due on or before April 11, 2022. If finalized without material change, cybersecurity risks to each financial institution will now be public knowledge and subject to SEC scrutiny. Further, pursuant to Section 275.206(4)-9 as drafted, noncompliance could result in unlawfulness in the provision of financial advice unrelated to cybersecurity. Technical and legal evaluation of existing policies and procedures is recommended to ensure compliance and favorable business development. Dentons continues to monitor these developments closely to aid clients in taking appropriate steps regarding SEC and other cybersecurity compliance matters.
[1] For the purposes of this overview, unless otherwise distinguished, “advisers” shall mean both: (i) advisers to separately managed accounts and pooled investment vehicles, both private and offered to the public; and (ii) funds including mutual funds, exchange-traded funds (“ETFs”), unit investment trusts, registered closed-end funds, and BDCs.
[2] Proposed Rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, and 279), announced on Feb. 9, 2022 at https://www.sec.gov/rules/proposed/2022/33-11028.pdf (the “Proposed Rule”), as published in the Federal Register on March 9, 2022 (87 Fed. Reg. 13524) at https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business.
[3] “Cybersecurity incident” means an unauthorized occurrence on or conducted through [an adviser’s or a fund’s] information systems that jeopardizes the confidentiality, integrity, or availability of [an adviser’s or a fund’s] information systems or any [adviser or fund] information residing therein. “Significant adviser cybersecurity incident” means a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed. “Significant fund cybersecurity incident” means a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the fund’s ability to maintain critical operations, or leads to the unauthorized access or use of fund information, where the unauthorized access or use of such information results in substantial harm to the fund or to an investor whose information was accessed.
[4] Under rule 0-1(a) of the Act, a small entity is generally one that: (i) has assets under management having a total value of less than $25 million; (ii) did not have total assets of $5 million or more on the last day of the most recent fiscal year; and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that has assets under management of $25 million or more, or any person (other than a natural person) that had total assets of $5 million or more on the last day of its most recent fiscal year.
[5] 15 U.S.C. 80b-3.
[6] 17 CFR 275.206(4)-7.
[7] See 17 CFR 270.38a-1.
[8] See generally 17 CFR Part 248.
[9] 17 CFR § 275.206(4)-9.
[10] 206(4)-9(b); see also 38a-2(b).
[11] 38a-2(c).
[12] 87 Fed. Reg. 13524, 13592 (March 9, 2022).
[13] Supra endnote 3.
[14] 17 CFR § 275.204-6(1).
[15] Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 for advisers, and Form S-6 for funds.