On February 9, 2022, the United States Securities and Exchange Commission (“SEC”) released a proposal to improve cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”) and for investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule changes and additions:
- Cybersecurity policies and procedures
Under the proposal, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks, including requiring:
- Periodic assessments of cybersecurity risks associated with computer systems and the information residing therein;
- Security controls designed to minimize user risk and prevent unauthorized access to computer systems and the information they contain;
- Measures designed to monitor computer systems and protect those systems and the information they contain from unauthorized access;
- Monitoring of service providers who have access to computer systems and information;
- Maintaining a cybersecurity threat and vulnerability management program; and
- Measures to detect, respond to, and recover from a cybersecurity incident, including an incident response plan addressing SEC reporting obligations (see below) and escalation protocols to senior management and to the board of directors.
In the proposal, the SEC acknowledges that there is no “one-size-fits-all approach”; whether the applicable policies and procedures are “reasonably designed” therefore depends on the nature and extent of the particular adviser’s or fund’s business. However, the board of directors of the adviser or fund would be expected to (i) initially approve the cybersecurity policies and procedures; and (ii) annually review the written report prepared on cybersecurity incidents and significant changes to the cybersecurity policies and procedures.
- 48-hour reporting requirement for “significant” cybersecurity incidents
The SEC proposes to adopt Rule 204-6, which would require advisers to report significant cybersecurity incidents to the SEC promptly, but no later than 48 hours, both on their own behalf and on behalf of any client that is a registered investment company, business development company or private fund. The 48-hour clock begins as soon as the adviser has a “reasonable basis for concluding” that a significant incident has occurred or is occurring.
The proposal broadly defines a “significant adviser cybersecurity incident” as follows:
[A] cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the ability of the adviser, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.
Using essentially the same definition, a “significant fund cybersecurity incident” is defined as an incident, or a group of related incidents, that “(1) significantly disrupts or degrades the ability of the fund to maintain its critical operations, or (2) results in the unauthorized access or use of fund information, resulting in substantial harm to the fund or to an investor whose information was accessed.”
Upon discovery of a significant cybersecurity incident, advisers would be required to file the proposed Form ADV-C electronically through the SEC’s Investment Adviser Registration Depository (“IARD”) platform. The proposed Form ADV-C would include both specific and general questions relating to the cybersecurity incident. Notably, advisers would also be obligated to amend a prior filing within 48 hours of discovering material new information relating to the incident, or of learning that a previous report has become materially inaccurate.
- Publicly disclose material cybersecurity risks and incidents
In addition, the proposal would require advisers and funds to disclose certain cybersecurity risks and incidents to current and prospective clients through the relevant forms for advisers (Form ADV) and funds (Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6). For advisers, Part 2A of Form ADV would be amended to require advisers to describe, in plain English, cybersecurity risks that could materially affect the advisory services they provide, as well as cybersecurity incidents that occurred during the past two fiscal years. A cybersecurity risk would be material “if there is a substantial likelihood that a reasonable client would consider the information to be important based on the total mix of facts and information.” Advisers would also be required to “promptly” deliver an amended Form ADV brochure to existing clients if the adviser adds or materially changes a disclosure regarding a cybersecurity incident. Funds would be required to disclose in their registration statements “any significant fund cybersecurity incident that has occurred in their last two fiscal years.”
- Record keeping requirements
Proposed Rules 204-2(a)(17)(i), (iv)-(vii) and 38a-2 would require advisers and funds to retain, for five years, their cybersecurity policies and procedures and the related records required under the proposed rules, such as regulatory filings relating to cybersecurity incidents.
Takeaways
One of the most significant proposals is the obligation to report cybersecurity incidents to the Commission within 48 hours, which will require advisers and funds to investigate incidents, assess their reporting obligations and submit a report to the Commission quickly. Because of this short window, members of the legal and compliance teams (as well as outside counsel) will need to be notified of such incidents promptly by the information security team in order to meet reporting obligations, ideally through written escalation protocols and response procedures that involve legal and compliance from the outset of the detection and response process. Additionally, the new prescriptive requirements for cybersecurity policies and procedures, together with the role of senior management and the board in program oversight, will require many advisers and funds to significantly mature their cybersecurity programs in order to comply with the proposed requirements. Although the final form of the rules remains to be seen, legal and compliance teams should begin assessing the technical and administrative steps needed to comply with the proposed requirements.