Written by Robert Quinn
Founder & CEO

On February 9th, the Securities and Exchange Commission (“SEC”) proposed new and amended rules regarding cybersecurity risk management, reporting and disclosures. The proposal applies to registered investment advisers (“advisers”), registered investment companies (“RICs”) and closed-end funds that have elected to be treated as business development companies (collectively, “registered funds”) under the Investment Company Act of 1940 (the “Investment Company Act”). Comments on the proposed rules are due on April 11, 2022, or 30 days after their publication in the Federal Register, whichever is later.

The SEC has expressed concern over how effectively advisers and funds, both private and registered, address cybersecurity risk and incidents, and over whether appropriate disclosure is being provided to investors. The SEC noted that there are no specific rules requiring advisers or funds to adopt and implement comprehensive cybersecurity risk management programs and that, as a result, advisers and funds have not adopted adequate and effective controls.

The proposed rules include:

1. Cybersecurity Risk Management

Proposed new Rule 206(4)-9 under the Advisers Act of 1940 (the “Advisers Act”) and proposed new Rule 38a-2 under the Investment Company Act would require advisers to adopt and implement written policies and procedures that are reasonably designed for their business to address cybersecurity risks.

The following elements are proposed:

  • Periodic written risk assessments, which would require covered entities to:
      • Categorize and prioritize cybersecurity risks based on an inventory of the components of the advisers’ and funds’ information systems and the potential effect of a cybersecurity incident
      • Identify service providers that receive, maintain or process information, or are otherwise permitted to access information systems, and assess the cybersecurity risks associated with those service providers
      • Address further considerations, which potentially may require the identification of vulnerabilities and threats
  • User security and access controls designed specifically to minimize user-related risks and prevent unauthorized access to information and systems
  • Information protection, oversight and ongoing monitoring based on the risk assessment and designed to detect cybersecurity threats and vulnerabilities
  • Documented cybersecurity incident response and recovery

2. Disclosure to the SEC

Proposed Rule 204-6 under the Advisers Act would require advisers to report to the SEC significant cybersecurity incidents and events that affect the adviser or its fund or private fund clients. Advisers would have to submit proposed Form ADV-C to the SEC promptly and on a confidential basis. “Promptly” in this case has been defined as within 48 hours after the adviser has a reasonable basis to conclude that a significant cybersecurity incident has occurred at the adviser or fund.


3. Disclosure to Clients

The proposed rules would amend Rule 204-3 under the Advisers Act to require advisers to deliver interim brochure amendments and supplements to existing clients if the adviser has added a new disclosure on a significant cyber incident or if a material revision is made to disclosure about a cybersecurity incident.

The proposed rules would require registered and private funds to disclose any significant fund cybersecurity incidents that have occurred in the last two fiscal years via a new Item 20 on Form ADV Part 2A entitled “Cybersecurity Risks and Incidents”. To the extent known, a fund would need to detail each such incident with (1) the entities affected; (2) when the incident was discovered and whether it is ongoing; (3) whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; (4) the effect of the incident on the fund’s operations; and (5) whether the fund or service provider has remediated or is currently remediating the incident.

The proposed rules for registered funds would amend Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2 and Form S-6 to require them to describe in their registration statements any significant fund cybersecurity incidents that are occurring or have occurred in the prior two fiscal years. Further, the SEC regulation stated that registered funds should consider cybersecurity risks when preparing risk disclosures in their registration statements, and generally should include in their annual reports to shareholders a discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent these were factors that materially affected performance of the fund over the prior fiscal year. In addition, a registered fund would be required to supplement its prospectus in the event of a significant cybersecurity incident.


4. Annual Reviews

Covered entities would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures at least annually, including whether there have been changes to cybersecurity risk over the time period. Such reviews would need to be documented.


5. Board Oversight

For RICs, proposed rule 38a-2 would require the fund’s board of directors to actively oversee the implementation and administration of the fund’s cybersecurity policies and procedures. The fund’s board would be required to initially approve the cybersecurity policies and procedures and review the documented annual review regarding cybersecurity incidents and material changes to the fund’s policies and procedures.

As with the proposed rules for private fund advisers introduced on the same day, the industry will note that cybersecurity has been a priority for many years. In January 2020, the Office of Compliance Inspections and Examinations issued “Cybersecurity and Resiliency Observations.” The paper focused on what it expected from firms in their consideration of how to enhance cybersecurity preparedness and operational resiliency, and addressed the following areas:

  • Governance and risk management
  • Access rights
  • Data loss
  • Mobile security
  • Incident response and resiliency
  • Vendor management
  • Training and awareness

It is clear that advisers and funds will need to spend time thoughtfully constructing their cybersecurity policies and procedures. Senior management will need to understand the fundamental changes to their obligations as well as the importance of timely and accurate disclosure of cybersecurity incidents.

Prevention is often better than cure. At RQC Group we offer Introductory and Comprehensive online cybersecurity training courses, which you might consider for upskilling your staff on good preventative practices to apply in order to help avoid the substantive risks associated with cybersecurity breaches in both their personal and professional environments.
