Fund Managers and Investment Advisors May Soon, by Federal Regulation, be Required to Have Documented Cyber Risk Management Programs
On February 9, 2022, the Securities and Exchange Commission (SEC) voted to propose rules (1) with respect to cybersecurity risk management for registered investment advisers, registered investment companies, and funds (2), as well as amendments to certain rules that govern investment adviser and fund disclosures.
As a backdrop, the SEC has noted that advisers and funds, as vital components of the financial markets that continue to integrate technology into their business, are subject to heightened cybersecurity risks. As threat actors have grown in sophistication and capability over time, the SEC warns that advisers and funds are at risk of incurring substantial operational, financial, and legal harm should these threat actors execute an attack or exploit advisers’ and funds’ vulnerabilities. Consequently, the SEC has expressed its concern that such incidents would, in turn, significantly harm clients and investors.
While current rules in place indirectly address cybersecurity, such as the Advisers Act compliance rule (3), the Investment Company compliance rule (4), Regulation S-P (5), and Regulation S-ID (6), the SEC has now proposed rules that would directly require
- advisers and funds to create and enhance a cybersecurity risk management program through the adoption, implementation, and maintenance of comprehensive written policies and procedures that are reasonably designed to address cybersecurity risks;
- advisers to report significant cybersecurity incidents (7) to the SEC;
- advisers and funds to disclose to clients information related to cybersecurity risks and incidents; and
- advisers and funds to maintain, make, and retain certain cybersecurity-related books and records.
A. Cybersecurity Risk Management.
1. Cybersecurity Risk Management Policies and Procedures. Proposed Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act (collectively, “cybersecurity risk management rules”) would require all advisers and funds to adopt and implement cybersecurity policies and procedures. Specifically, advisers and funds would be required to
- perform periodic risk assessments, categorization, prioritization, and written documentation of cybersecurity risks, where such assessments must also cover third-party service providers;
- implement controls designed to minimize user-related risks and prevent the unauthorized access to information and systems;
- monitor information systems to protect information from unauthorized access or use;
- implement measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities; and
- have measures to detect, respond to, and recover from a cybersecurity incident.
2. Annual Review and Required Written Reports. The proposed cybersecurity risk management rules would also require both advisers and funds to, no less frequently than annually,
- review their cybersecurity policies and procedures;
- review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
- prepare a written report.
3. Fund Board Oversight. The SEC has proposed requirements for board of directors’ oversight of the respective fund’s cybersecurity program and for board accountability for the administration of that program. Specifically, Proposed Rule 38a-2 would require a fund’s board of directors, including a majority of its independent directors, to
- initially approve the fund’s cybersecurity policies and procedures; and
- review the written reports on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures.
4. Recordkeeping. The SEC is proposing amendments to Advisers Act rule 204-2, which would require advisers to maintain
- a copy of their cybersecurity policies and procedures formulated pursuant to Proposed Rule 206(4)-9 that either are in effect or were in effect at any time within the past five years;
- a copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures pursuant to Proposed Rule 206(4)-9 in the last five years;
- a copy of any Form ADV-C (8) filed by the adviser under rule 204-6 in the last five years;
- records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident, occurring within the past five years; and
- records documenting an adviser’s cybersecurity risk assessment in the last five years.
5. Proposed Rule 38a-2 under the Investment Company Act would similarly require that a fund maintain:
- a copy of its cybersecurity policies and procedures that are either in effect or were in effect at any time within the last five years;
- copies of written reports provided to its board;
- records documenting the fund’s annual review of its cybersecurity policies and procedures;
- any report of a significant fund cybersecurity incident provided to the SEC by its adviser;
- records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident; and
- records documenting the fund’s cybersecurity risk assessment for a period of five years, with the first two years in an easily accessible place.
B. Report Significant Cybersecurity Incidents. Advisers would be required
- to report significant cybersecurity incidents to the SEC, including on behalf of a client that experiences a significant cybersecurity incident;
- to submit proposed Form ADV-C promptly, but in no event more than 48 hours, after having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring; and
- to amend any previously filed Form ADV-C promptly, but in no event more than 48 hours, after information reported on the form becomes materially inaccurate.
C. Disclosure of Cybersecurity Risks and Incidents. The SEC has proposed amendments to certain forms used by advisers and funds to require the disclosure of cybersecurity risks and incidents to their investors and other market participants, specifically Form ADV Part 2A for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds. The proposed amendments would also require advisers to describe any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.
As suggested by the SEC, advisers and funds are encouraged to work with trusted external parties to comply with these Proposed Rules.
Regardless of whether the Proposed Rules are adopted in their current iteration or with some modification, advisers and funds should prepare now to implement these measures, which are already mandated by several states’ laws.
(1) Already, several states have adopted specific cybersecurity laws applicable to investment advisers, including without limitation Colorado and Vermont.
(2) A “fund” means a registered investment company or a closed-end company that has elected to be treated as a business development company (“BDC”) under the Investment Company Act.
(3) 17 CFR 275.206(4)-7.
(4) 17 CFR 270.38a-1.
(5) 17 CFR 248.1 to 248.31.
(6) 78 FR 23638.
(7) An “incident” is defined as an event “that jeopardizes the confidentiality, integrity, or availability” of the adviser’s or fund’s systems or the information they contain.
(8) This new form would be required to report any cybersecurity incidents.
Please contact your CSG Law attorney or one of the authors to help you:
- develop, implement, and review written policies and procedures;
- guide the completion of assessments, categorization, prioritization, and written documentation of cybersecurity risks; and
- develop procedures to ensure timely reporting of significant cybersecurity incidents to the SEC.