Commission seeks public comment on wide range of issues in proposal
On 9 February 2022, the Securities and Exchange Commission (SEC or “Commission“) voted 3-1, with Commissioner Peirce, the lone remaining Republican appointee opposed, to propose new rules under the Investment Advisers Act of 1940 (“Advisers Act“) and the Investment Company Act of 1940 (“Investment Company Act“) related to cybersecurity risk management, reporting of breach events, and recordkeeping for registered investment advisers and investment funds.1
If adopted, the proposal would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address the cybersecurity risks relevant to their specific businesses, which could impact their clients and investors. Perhaps more notable, the proposal also mandates that advisers self-report certain cybersecurity events to the Commission on a newly created – though confidential – form. This detailed information would only go to the SEC and not be shared with clients or the public. However, the proposal does require that advisers and funds disclose both cybersecurity risks and significant cybersecurity events that occurred during the prior two fiscal years in their Form ADV brochures and registration statements. Finally, the rule proposal adds additional recordkeeping requirements related to cybersecurity, which, according to the SEC, is intended to assist the Commission’s examination and enforcement capabilities.
In the proposing release, the Commission specifically seeks comment on some 64 different issues, including issues as broad as whether certain advisers or funds should be exempt from these new rules to items as specific as whether cybersecurity data should be tagged in XBRL reporting, and everything in between. Although this proposal is the result of considerable work by the SEC staff, over a long period, plainly the Commission has some sense that the comment process will be useful in getting to a workable rule set. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer.
These are important issues. Do let us know if anyone on our team can be helpful to you in considering or crafting your firm’s or organization’s comments to this proposal.
By way of some background, in the Commission’s view, advisers and funds are broadly exposed to cyber threats, given, among other things, the interconnectedness of systems and networks, as well as the use of digital technology and platforms to interface with clients, investors and business partners. The personal data on these systems is attractive to ever more sophisticated threat actors. Based on information from its examination program, the SEC has concluded that many advisers and funds are not appropriately prepared for cyber threats that pose significant risks to their businesses, given the impact of cybersecurity events, in the form of client/investor remediation, litigation, regulatory risk, increased insurance costs and reputational damage. These costs do not even begin to account for the risks to individual investors from exposure of their personal information.
In the release, the SEC notes, that as fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty and, as such, already owe an obligation to protect their clients’ interests, which includes minimizing risks that could lead to operational disruptions or the loss or theft of clients’ personal information. Along the same lines, under the Investment Company compliance rule,2 funds are required to implement written policies and procedures reasonably designed to prevent securities laws violations, either by the fund or by those who provide services to the fund. On these bases, the Commission has proposed this new rulemaking.
The SEC proposes rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act, which require advisers and funds to implement cybersecurity policies and procedures reasonably based on the firm’s business operations and cybersecurity risks. The proposal incorporates general elements designed to provide those core areas that firms must address when drafting, implementing, revising and updating their cybersecurity policies and procedures. The Commission acknowledges that all firms are different depending on size, structure and resources, for example, so flexibility in the proposal is intentional, but the SEC expects to see real specificity in the processes the firms design.
To understand a particular firm’s cybersecurity risks, the proposal contemplates a cybersecurity risk assessment and mandates a written report of that assessment. Needless to say, such assessments are considered to be periodic requirements and not a “one and done” event, as businesses, technologies, and threats all change over time. The proposal anticipates at least an annual review of cybersecurity policies and procedures. Further, the Commission advises that policies and procedures would not be complete without, among other items, specifics about monitoring and testing of systems and procedures, as well as a process for how the firm will respond to a cybersecurity event, including documenting and remediating any such incident.
The Commission has also proposed rule 204-6, which would require advisers to report to the SEC within 48 hours, on a new Form ADV-C, “significant” cybersecurity events, including reporting such events on behalf of a client that is a registered investment company, BDC or private fund.3 The new Form ADV-C includes questions about the nature and scope of the cybersecurity event being reported and contemplates updating, should new or different material information become available or require correction. These reports are confidential to the Commission. The SEC has stated that it believes the information contained in these ADV-C reports will assist the agency in evaluating the impacts of cybersecurity incidents on advisers and their clients, as well as assessing the potential for systemic risks across the broader financial markets.
Although the reporting of specific cyber events in detail is confidential, the new rule proposal does contemplate additional public reporting of cybersecurity risks and events by advisers, through an amendment to Form ADV Part 2A, and for funds through amendments to Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6.
For investment advisers, the proposed rule amendments add to the firm’s brochure, Part 2A of Form ADV, a new Item 20 entitled “Cybersecurity Risks and Incidents.” This plain English, narrative format document, which is publicly available and a primary disclosure for firm clients, would have to include information about: (1) material cybersecurity risks based on the firm’s business and services; (2) any cybersecurity events that have occurred within the last two fiscal years, and have (a) caused meaningful business disruption or significant harm to the adviser or to its clients, or (b) resulted in unauthorized use of or access to the adviser’s information. Along the same lines, funds also would be required to provide similar disclosures to investors about cybersecurity events, which is contemplated to be included using Inline eXtensible Business Reporting Language (or Inline XBRL).
Finally, the rulemaking contemplates new recordkeeping requirements through an amendment to Advisers Act rule 204-2, the books and records rule, and for funds proposed rule 38a-2 under the Investment Company Act. By the proposal, advisers and funds would be required to maintain for five years, under the books and records requirements in each statute, their cybersecurity policies and procedures, as well as the firm’s annual report of its review of those policies and procedures, any Forms ADV-C filed by advisers with the Commission, documentation of and from any cybersecurity incident, and any cyber risk assessments. In addition, for funds, reports related to these issues that have been submitted to the fund board must also be retained.4
Given the broad scope of these changes, including the novel self-reporting requirement, which could have far-reaching impacts, we will certainly monitor developments here. However, this proposal is currently just that, and the Commission is broadly seeking input from the industry, the market and the public about how stakeholders believe the conclusions the SEC and its staff have reached might be altered to better serve the needs of investors and the investment community.
If we can be helpful to you in developing and articulating your comments, please reach out to one of us.
1 In this context, the SEC uses the term “fund” to mean a registered investment company or a closed-end investment company that has elected for treatment as a business development company under the Investment Company Act.
2 17 CFR § 270.38a-1.
3 The proposal defines a “significant” cybersecurity incident as “a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.” See Proposed Rule release at p. 47.
4 Proposed rule 38a-2 also would require a fund’s board to approve the fund’s cybersecurity policies and procedures and to review a report on cybersecurity events and any material changes to the fund’s cybersecurity policies and procedures that would be prepared at least annually.