Written by Robert Quinn
Founder & CEO
On February 9th, the Securities and Exchange Commission (“SEC”) proposed new and amended rules regarding cybersecurity risk management, reporting and disclosures. The proposal applies to registered investment advisers (“advisers”), registered investment companies (“RICs”) and closed-end funds that have elected to be treated as business development companies (collectively, “registered funds”) under the Investment Company Act of 1940 (the “Investment Company Act”). Comments on the proposed rules are due on April 11, 2022, or 30 days after their publication in the Federal Register, whichever is later.
The SEC has expressed concern over the effectiveness of advisers and funds, both private and registered, addressing cybersecurity risk and incidents as well as whether appropriate disclosure is being provided to investors. The SEC noted that there are no specific rules that require advisers or funds to adopt and implement comprehensive cybersecurity risk management programs, and as a result, advisers and funds have not adopted adequate and effective controls.
The proposed rules include:
1. Cybersecurity Risk Management
Proposed new Rule 206(4)-9 under the Advisers Act of 1940 (the “Advisers Act”) and proposed new Rule 38a-2 under the Investment Company Act would require advisers to adopt and implement written policies and procedures that are reasonably designed for their business to address cybersecurity risks.
The following elements are proposed:
- Periodic written risk assessments, which would require covered entities to:
  - Categorize and prioritize cybersecurity risks based on an inventory of the components of the advisers’ and funds’ information systems and the potential effect of a cybersecurity incident
  - Identify service providers that receive, maintain or process information, or are otherwise permitted to access information systems, and assess the cybersecurity risks associated with those service providers
  - Consider further factors, which may require the identification of vulnerabilities and threats
- User security and access controls designed specifically to minimize user-related risks and prevent unauthorized access to information and systems
- Information protection oversight, and ongoing monitoring based on the risk assessment and designed to detect cybersecurity threats and vulnerabilities
- Documented Cybersecurity Incident Response and Recovery
2. Disclosure to the SEC
Proposed Rule 204-6 under the Advisers Act would require advisers to report to the SEC significant cybersecurity incidents and events that affect the adviser or its fund or private fund clients. Advisers would have to submit proposed Form ADV-C to the SEC promptly and on a confidential basis. “Promptly” in this case is defined as within 48 hours after the adviser has a reasonable basis to conclude that a significant cybersecurity incident has occurred at the adviser or fund.
3. Disclosure to Clients
The proposed rules would amend Rule 204-3 under the Advisers Act to require advisers to deliver interim brochure amendments and supplements to existing clients if the adviser has added a new disclosure on a significant cyber incident or if a material revision is made to disclosure about a cybersecurity incident.
The proposed rules would require registered and private funds to disclose any significant fund cybersecurity incidents that have occurred in the last two fiscal years via a new Item 20 on Form ADV Part 2A entitled “Cybersecurity Risks and Incidents”. To the extent known, a fund would need to detail each such incident with (1) the entities affected; (2) when the incident was discovered and whether it is ongoing; (3) whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; (4) the effect of the incident on the fund’s operations; and (5) whether the fund or service provider has remediated or is currently remediating the incident.
The proposed rules for registered funds would amend Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2 and Form S-6 to require registered funds to describe in their registration statements any significant fund cybersecurity incidents that are occurring or have occurred in the prior two fiscal years. Further, the SEC stated that registered funds should consider cybersecurity risks when preparing risk disclosures in their registration statements, and generally should include in their annual reports to shareholders a discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent these were factors that materially affected the performance of the fund over the prior fiscal year. In addition, a registered fund would be required to supplement its prospectus in the event of a significant cybersecurity incident.
4. Annual Reviews
Covered entities would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures at least annually, including whether there have been changes to cybersecurity risk over the time period. Such reviews would need to be documented.
5. Board Oversight
For RICs, proposed Rule 38a-2 would require the fund’s board of directors to actively oversee the implementation and administration of the fund’s cybersecurity policies and procedures. The fund’s board would be required to initially approve the cybersecurity policies and procedures and to review the documented annual review regarding cybersecurity incidents and material changes to the fund’s policies and procedures.
As with the proposed rules for private fund advisers introduced on the same day, the industry will note that cybersecurity has been a priority for many years. In January 2020, the Office of Compliance Inspections and Examinations issued “Cybersecurity and Resiliency Observations.” The paper focused on what it expected from firms in their consideration of how to enhance cybersecurity preparedness and operational resiliency, and addressed the following areas:
- Governance and risk management
- Access rights
- Data loss
- Mobile security
- Incident response and resiliency
- Vendor management
- Training and awareness
It is clear that advisers and funds will need to spend time thoughtfully constructing their cybersecurity policies and procedures. Senior management will need to understand the fundamental changes to their obligations as well as the importance of timely and accurate disclosure of cybersecurity incidents.
Prevention is often better than cure. At RQC Group we offer Introductory and Comprehensive online cybersecurity training courses, which you might consider for upskilling your staff on good preventative practices to apply in order to help avoid the substantive risks associated with cybersecurity breaches in both their personal and professional environments.