On February 9, 2022, the Securities and Exchange Commission voted 3–1 in proposing new cybersecurity rules for the investment industry. The new Proposed Rules come on the tail end of a growing anxiety from increasing cybersecurity threats on a national and global scale regarding infrastructure and within the capital markets.
The Proposed Rules would increase the substance, complexity, frequency and sophistication of the work product and deliverables required to demonstrate a model cybersecurity program. However, as these new requirements have long been mandated as part of the current regulatory landscape, the Proposed Rules are merely a formalization and natural evolution. Whether in the form of SEC enforcement actions, regulatory examinations, cyber sweeps, ODD reviews, or investor expectations, these requirements remain as absolute core cybersecurity controls that both RIAS and Registered Funds must implement and demonstrate.
Here’s what firms need to know:
The Proposed Rules apply to both registered investment advisers (Advisers) and certain investment companies (Funds). The new requirements will formalize and substantially increase the cybersecurity requirements on both Advisors and Funds in three (3) principal ways:
Cybersecurity Policies & Procedures
- Develop and maintain a formal Cybersecurity Program
- Address user security controls, monitoring of systems and data set, threat and vulnerability protections and incident response capabilities
- Internal or outsourced administration by qualified individuals with appropriate knowledge and access
- Significant five (5) year recordkeeping requirement
Reporting Significant Cybersecurity Incidents
- Obligation to report “significant cybersecurity incidents” to SEC
- Forty-eight (48) hour reporting window for each incident
- Continuing reporting obligation if new material information is discovered for each incident
- Reports will be confidential
Disclosing Cybersecurity Risks & Incidents
- Advisers and Funds will have to make clear, direct cybersecurity risks disclosures to investors
- Advisers: Form ADV Part 2A will be amended to include new Item 20, “Cybersecurity Incidents and Disclosures”
- Funds: Registration Statements
- Disclosure obligations are continuing for both Advisors and Funds
- Disclosures will include assessing and addressing cyber risks that could materially affect services