US banking regulators propose a rule for 36-hour notice of breach

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  Overall, the proposal addresses the following rule amendments and additions:

1. Cybersecurity Policies and Procedures

Under the proposal, advisers and funds would be required to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks, including requiring:

  • Periodic risk assessments of cybersecurity risks associated with IT systems and information residing thereon;
  • Security controls designed to minimize user-related risk and prevent unauthorized access to IT systems and information thereon;
  • Measures designed to monitor IT systems and protect such systems and information thereon from unauthorized access;
  • Oversight of service providers that have access to IT systems and information;
  • Maintenance of a cybersecurity threat and vulnerability management program; and
  • Measures to detect, respond to, and recover from a cybersecurity incident, including an incident response plan addressing reporting obligations to the SEC (discussed below) and escalation protocols to senior officers and the board of directors.

In the proposal, the SEC recognizes that there is no “one-size-fits-all approach” and therefore whether the applicable policies and procedures are “reasonably designed” ultimately depends on the nature and scope of the adviser’s and/or the fund’s particular business. However, the fund’s board of directors would have to (i) initially approve the cybersecurity policies and procedures; and (ii) annually review the written report prepared on cybersecurity incidents and material changes to the cybersecurity policies and procedures.

2. 48-Hour Reporting Requirement for “Significant” Cybersecurity Incidents

The SEC proposes to enact Rule 204-6, which would require advisers to promptly, but no later than 48 hours, report significant cybersecurity incidents to the SEC, both on their own behalf and on behalf of a client that is a registered investment company, a business development company, or a private fund.  The 48-hour clock starts as soon as the adviser has a “reasonable basis to conclude” that a significant incident has occurred or is occurring.

The proposal broadly defines “significant adviser cybersecurity incident” as:

[A] cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.

While essentially the same definition, a “significant fund cybersecurity incident” is defined as an incident, or a group of related incidents, that “(1) significantly disrupts or degrades the fund’s ability to maintain critical operations, or (2) leads to the unauthorized access or use of fund information, which results in substantial harm to the fund, or to the investor whose information was accessed.”

Upon discovering a significant cybersecurity incident, advisers would be required to electronically file a proposed Form ADV-C through the SEC’s Investment Adviser Registration Depository (“IARD”) platform.  The proposed Form ADV-C would include both specific and general questions relating to the cybersecurity incident.  Notably, advisers would also have an obligation to amend prior submissions within 48 hours of discovering new material information relating to the incident or if a previous report becomes materially inaccurate.

3. Publicly Disclose Material Cybersecurity Risks and Incidents

In addition, the proposal would require advisers and funds to disclose certain cybersecurity risks and incidents to current and prospective clients through certain forms for advisers (Form ADV) and funds (N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6).  For advisers, Form ADV Part 2A would be amended to require advisers to, in plain English, describe cybersecurity risks that could materially affect the advisory services they offer as well as cybersecurity incidents over the past two fiscal years.  A cybersecurity risk would be material “if there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information.” Advisers would also be required to “promptly” provide an amended or supplemented Form ADV to existing clients if an adviser adds, or materially revises, a disclosure about a cybersecurity incident.  Funds would be required to disclose in registration statements “any significant fund cybersecurity incident that has occurred in its last two fiscal years.”

4. Recordkeeping Requirements

The proposed rules (204-2(a)(17)(i), (iv) – (vii) and 38a-2) would require advisers and funds to maintain for five years documents relating to cybersecurity policies and procedures and other cybersecurity-related reports required under the proposed rules, such as regulatory filings related to cybersecurity incidents.

Takeaways

One of the more significant proposals is the requirement to report cybersecurity incidents to the Commission within 48 hours, which will require advisers and funds to quickly investigate incidents, assess reporting obligations, and submit a report to the Commission.  Because of this short time period, members of legal and compliance teams (as well as outside counsel) will need to be made aware of these incidents quickly by the information security team to address reporting obligations, ideally through written escalation protocols and response procedures that incorporate legal and compliance early in the detection and response process.  In addition, the new prescriptive requirements for cybersecurity policies and procedures, as well as senior leaders’ and the board of directors’ role in overseeing the program, will require many advisers and funds to substantially mature their cybersecurity programs to comply with the proposed requirements.  Although the final form of the rules remains to be seen, legal and compliance teams should begin assessing the technical and administrative steps necessary to comply with the proposed requirements.