On February 9, 2022, the Securities and Exchange Commission (SEC) voted to propose new Rule 206(4)-9 under the Investment Advisers Act of 1940 (Advisers Act) and Rule 38a-2 under the Investment Company Act of 1940 (collectively, the “Proposed Rules”) to address cybersecurity risks. The Proposed Rules would apply to registered investment advisers (RIAs), registered investment funds (funds) and business development companies (BDCs) (collectively, “companies”). If adopted, the Proposed Rules would impose compliance obligations on companies by requiring them to:
Adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks;
Report cybersecurity incidents affecting the adviser, its funds, or its clients to the SEC on a proposed Form ADV-C and “significant” cybersecurity incidents within 48 hours to the SEC;
Disclose significant cybersecurity risks and incidents; and
Comply with new record-keeping requirements for certain cybersecurity practices.
As described in more detail below, the Proposed Rules reflect SEC Chairman Gary Gensler’s continued priority and focus on cybersecurity, particularly in light of the hybrid workforce and companies’ growing dependence on technology.
The Proposed Rules will be open for public comment for 60 days after the proposing release is posted on the SEC’s website or 30 days after the proposing release is published in the Federal Register, whichever period is longer.
Comprehensive Cybersecurity Program
The Proposed Rules would require companies to develop and implement written cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks that could adversely affect RIAs and the funds and BDCs they manage, consistent with the fiduciary duties imposed on RIAs under the Advisers Act (the cybersecurity program). For funds and BDCs, the cybersecurity program would need to be approved by the board, and the board must ensure that sufficient resources are committed to implementing the cybersecurity program.
The cybersecurity program should include, among other things, (1) a risk assessment of service providers and of the information systems that handle client and fund information; (2) user security and access controls to protect confidential adviser, fund or investor information; (3) periodic evaluation of the information systems that contain fund or adviser information; and (4) policies and procedures for responding to cybersecurity incidents, threats and vulnerabilities.
The Proposed Rules would require a company to review its cybersecurity program at least annually and to prepare a written report documenting that review. The report should describe any cybersecurity incidents that occurred during the reporting period and discuss any material changes to the cybersecurity program since the last annual report.
Reporting of Significant Cybersecurity Incidents and Proposed Form ADV-C
The Proposed Rules would require RIAs to file the proposed Form ADV-C promptly, but in no event later than 48 hours, after having a reasonable basis to conclude that a material cybersecurity incident involving the adviser, or a material cybersecurity incident involving a fund, has occurred or is occurring.1
Proposed Changes to Form ADV Part 2A and Disclosure of Cybersecurity Risks and Incidents
The Proposed Rules would amend the narrative brochure of Form ADV (Part 2A) by adding a new Item 20 titled “Cybersecurity Risks and Incidents.” RIAs would be required to provide clients and prospective clients with information about cybersecurity risks and incidents that could materially affect the advisory services they offer, and to describe how they manage those risks.
The Proposed Rules would also require an RIA to describe any cybersecurity incidents that occurred within the last two fiscal years that significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that led to unauthorized access to or use of adviser information resulting in substantial harm to the adviser or its clients. The SEC is also proposing changes to fund registration statements that would require disclosure of any significant cybersecurity incidents within the last two fiscal years.
Cybersecurity Record-Keeping Requirements
The Proposed Rules contain new record-keeping requirements that would oblige companies to retain certain records for five years, including: (1) the cybersecurity program; (2) the annual reviews of it; (3) reports provided to the board of a registered fund or BDC regarding cybersecurity; (4) any Form ADV-C filed by an RIA; (5) regulatory filings related to cybersecurity incidents; (6) records of any cybersecurity incident; and (7) cybersecurity risk assessments.
Recent FTC Changes to Nonpublic Personal Information Protection Standards
On October 27, 2021, the Federal Trade Commission (FTC) announced revisions to the standards for protecting nonpublic personal information (NPI) under the “Safeguards Rule” of the Gramm-Leach-Bliley Act (GLBA) (the Final Rule). The FTC stated that the Final Rule was necessary because of significant consumer harm, including monetary loss, identity theft and other forms of financial distress, resulting from data breaches and other cybersecurity incidents. The Final Rule was published in the Federal Register on December 9, 2021. The Final Rule took effect on January 10, 2022; however, most of its substantive provisions take effect one year from the date of publication.
The Final Rule requires nonbank financial institutions subject to FTC jurisdiction under the GLBA to develop, implement and maintain a comprehensive information security program to protect NPI. Private investment funds are generally subject to the FTC’s Safeguards Rule. Although the Final Rule currently does not include the disclosure, regulatory reporting and record-keeping requirements of the SEC’s Proposed Rules, the Final Rule’s requirements for protecting against cybersecurity breaches are more prescriptive than those of the Proposed Rules. Specifically, the Final Rule:
Imposes more detailed requirements for developing and implementing an information security program, including performing a risk assessment and adopting written provisions for access controls, data mapping, authentication, encryption, information disposal, incident response, change management, employee training and vendor management; and
Requires financial institutions to designate a single qualified individual to oversee the information security program, and further requires that qualified individual to provide periodic written reports to the institution’s board or governing body.2
Both the Final Rule and the SEC’s Proposed Rules require oversight of private fund and RIA service providers, including requiring service providers to agree contractually to implement appropriate cybersecurity safeguards.
In addition to the Final Rule, the FTC is also seeking public comment on whether to further amend the Safeguards Rule to require covered financial institutions to report certain data breaches and other security events to the FTC.3 The FTC has announced that it will issue a supplemental notice of proposed rulemaking, after which the public will have 60 days to submit comments.
To the extent that a private fund is managed by an SEC-registered adviser, the private fund’s RIA will need to ensure compliance with both the requirements of the Final Rule and the SEC’s Proposed Rules as ultimately adopted. In this regard, the SEC emphasizes that the Proposed Rules are designed to address the cybersecurity risks arising from an RIA’s operations and are not limited to the protection of customer financial information by private funds, as is the case under the Final Rule.
Navigating this complex regulatory landscape can be difficult for investment advisers, funds and BDCs, and developing a dynamic cybersecurity program to keep pace with the changing cybersecurity threat landscape can be overwhelming. If you have any questions regarding these proposed rules and changes to the Investment Advisers Act, the Investment Company Act, Form ADV or the GLBA, or any questions relating to this alert, please contact us.
1 The Proposed Rules define a “significant” cybersecurity incident as “a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability … to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client … whose information was accessed.”
2 The Final Rule exempts financial institutions that maintain information on fewer than 5,000 consumers from the requirements for written risk assessments, incident response plans and annual reports to the board.
3 The proposed amendment would require covered financial institutions to report a data breach affecting, or reasonably likely to affect, at least 1,000 consumers through a form on the FTC’s website within 30 days of discovering the breach, and would require certain specified disclosures.