SEC Proposes New Cybersecurity Rules for Investment Advisers and Funds

Last week, the U.S. Securities and Exchange Commission (“SEC”) proposed a flurry of new rules and amendments to existing rules, including new rules related to cybersecurity and cyber reporting for investment advisers (“advisers”) and investment companies (“funds”). The new proposed cyber-related rules represent the latest effort by the SEC to regulate cybersecurity matters using the framework of the securities laws. 

This update reviews the proposed amendments and key takeaways for investment advisers and funds related to cybersecurity.

Background

Over the last several years, the SEC has been increasingly focused on cybersecurity, as is evident from its recent guidance and enforcement actions. The SEC attributes the newly proposed rules for advisers and funds in part to their increasing dependence on technology, their adoption of remote work in response to the Covid pandemic, and the growing number of cyber incidents.

Proposed Amendments

The proposed amendments were released by the SEC for public comment on February 9, 2022. Here is an overview of the key features of the proposed rules.

Cybersecurity Risk Management Policies and Procedures. The SEC is proposing a new Rule 206(4)-9, promulgated under the Advisers Act, and a new Rule 38a-2, promulgated under the Investment Company Act. The proposed rules would require advisers and funds to adopt and implement written policies and procedures “reasonably designed to address cybersecurity risks,” which would need to include the following elements:

  • Written, periodic risk assessments. Advisers and funds must assess their internal cybersecurity risks, as well as those associated with the use of service providers that receive, maintain, or process adviser or fund information or that are permitted to access adviser or fund systems. Notably, the proposed rule defines “cybersecurity risk” broadly to include “financial, operational, legal, reputational, and other adverse consequences that could result from cybersecurity incidents, threats, and vulnerabilities.”
  • User and Information Security Controls. Advisers and funds, as part of their cybersecurity programs, must put in place access controls that restrict system and data access to authorized users only, including by, among other things, “securing remote access technology.”
  • Threat and Vulnerability Management. Advisers and funds must have processes in place to detect, mitigate, and remediate cybersecurity threats and vulnerabilities.
  • Cybersecurity Incident Response and Recovery. Advisers and funds must adopt incident response and recovery policies and procedures designed to limit business disruption and to protect data and information systems.
  • Annual Review and Required Written Reports. Advisers and funds must prepare an annual written evaluation of the effectiveness of their cybersecurity policies and procedures.
  • Fund Board Oversight. Under proposed Rule 38a-2, a fund would be required to have its board of directors approve its cybersecurity policies and procedures.
  • Recordkeeping. Under the proposed amendment to Rule 204-2 of the Advisers Act, advisers would be required to maintain records documenting: (1) cybersecurity policies and procedures; (2) the annual review of those policies; (3) any Forms ADV-C filed by the adviser under proposed Rule 204-6 (discussed below); (4) any cybersecurity incident; and (5) the risk assessment. Similarly, proposed Rule 38a-2 under the Investment Company Act would require funds to maintain records documenting: (1) cybersecurity policies and procedures; (2) reports provided to the board regarding cybersecurity; (3) the annual review of those policies and procedures and the risk assessment; and (4) cybersecurity incidents.

Reporting of Significant Cybersecurity Incidents to the SEC. Under proposed Rule 204-6, a registered investment adviser would also be required to report to the SEC “any significant adviser cybersecurity incident or significant fund cybersecurity incident, promptly, and in no event more than 48 hours, after having a reasonable basis to conclude that any such incident has occurred or is occurring.”

The proposed rule defines “[s]ignificant adviser cybersecurity incident” as “a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) [s]ubstantial harm to the adviser, or (2) [s]ubstantial harm to a client, or an investor in a private fund, whose information was accessed” (emphases added). Similarly, a “significant fund cybersecurity incident” is one that (1) significantly disrupts or degrades the fund’s ability to maintain critical operations, or (2) leads to the unauthorized access or use of fund information, where that access or use results in substantial harm to the fund or to an investor whose information was accessed.

The information would need to be reported to the SEC on a new Form ADV-C, which consists of a series of check-the-box and fill-in-the-blank questions. In proposing the new rules, the SEC noted that the Advisers Act would require Form ADV-C filings to be publicly disclosed unless the Commission found “that public disclosure is neither necessary nor appropriate in the public interest or for the protection of investors.” The Commission stated that its “preliminary view” is that public disclosure could have adverse effects on the fund or adviser, and that its current position is therefore that Forms ADV-C filed with the Commission “should be confidential . . . .”

Cybersecurity Disclosures to Clients. The proposed rules would also require advisers to disclose to clients on Form ADV Part 2 any “cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business.” Further, the rules would “require advisers to describe any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its client.” Advisers would also be required to deliver updated disclosure to existing clients when they add or materially revise disclosure about a cybersecurity incident. Finally, the SEC is also proposing amendments to funds’ registration forms that would require disclosure of any significant fund cybersecurity incident during the last two fiscal years.

Takeaways and What’s Next

  • The proposing release includes 64 questions, many with multiple subparts, on which the SEC seeks public comment. The comment period will run through mid-April 2022 or 30 days after the SEC publishes the proposals in the Federal Register, whichever is later.

  • The proposed requirement for advisers to report “significant” cybersecurity incidents within 48 hours deserves close attention. The proposed rule defines a “significant” incident as one that “significantly” disrupts operations or leads to “substantial” harm, leaving the contours of the rule, even if adopted, potentially uncertain. Further, it is axiomatic that in any crisis the initial reports from the field are rarely accurate. Thus, even if an adviser determines that an incident meets the “significant” threshold, it may not be able, within 48 hours, to fully describe the “nature and scope” of the incident or the extent of any personal information lost or accessed without authorization, as the new Form ADV-C would require.

  • Even if the proposed amendments are not adopted in full, the discussion around these proposals provides insight into the SEC’s current priorities and potential areas of focus in future examinations and enforcement investigations. For example, whether or not the rules are adopted, it remains prudent for advisers and funds to periodically evaluate cyber risk and to do so in a systematic, documented way. As we noted in a previous client alert, the SEC has also used its existing authority (for example, under the Safeguards Rule) to bring cyber-related enforcement actions.

  • And, of course, even absent litigation or enforcement, cyber incidents can cause significant business and reputational harm.

We will be following this discussion closely and stand ready to assist investment advisers and funds in evaluating their cybersecurity protocols and reporting practices under the proposed amendments.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.