The Securities and Exchange Commission is introducing new rules around cybersecurity risk management for registered investment advisors (RIAs), registered investment companies and business development companies (funds), as well as amendments to certain rules that govern investment advisor and fund disclosures.
Citing the “numerous cybersecurity risks and incidents that advisors and funds face due to their interface with numerous interconnected systems and networks, the rules and amendments are designed to address concerns around preparedness and cybersecurity-related risks to clients and investors.
Earlier reports signaled that cybersecurity would be a significant focus of the regulatory agency in 2022. Last year, the SEC instigated civil penalties against a handful of broker-dealers and investment advisors as a result of various cybersecurity incidents that exposed the personal data of customers and clients. They also settled with additional companies who were not transparent about cybersecurity incidents.
The proposal is multilayered and would require advisers and funds to engage as follows:
- Adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
- Report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC via a new confidential form (ADV-C);
- Cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years must be publicly disclosed in their brochures and registration statements; and lastly,
- Implement new recordkeeping requirements to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities.
SEC Chair Gary Gensler noted that the recommended rules and amendments are “designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisors and funds against cybersecurity threats and attacks.”
Advisors can weigh in with comments when the proposed rules are posted on SEC.gov and in the Federal Register. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer.