Last week, the U.S. Securities and Exchange Commission (SEC) doubled down on its position that enhanced cybersecurity policies, procedures, and disclosures are necessary to combat cybersecurity threats by announcing proposed cybersecurity risk management rules for investment advisers (“RIAs”) registered under the Investment Advisers Act of 1940 (“Advisers Act”) and for registered funds and closed-end companies that have elected to be treated as business development companies (“BDCs” and, together with registered funds, “funds”) under the Investment Company Act of 1940 (the “1940 Act”). Although the SEC’s cybersecurity enforcement efforts in 2021 focused on RIAs (along with public companies and registered broker-dealers), proposed Rule 206(4)-9 under the Advisers Act and proposed Rule 38a-2 under the 1940 Act, if adopted, would mark the first time the SEC has established explicit cybersecurity compliance and breach notification requirements for RIAs and funds. A major focus of the proposed rules is on mitigating the risk of an RIA or fund being unable to continue to do business in the event of a cybersecurity attack, or of an unauthorized person stealing personal data, fund information, intellectual property, or funds.
Key Takeaways
- A Duty to Maintain Bespoke Written Cybersecurity Policies and Procedures: The proposed rules would require RIAs and funds to implement written cybersecurity policies and procedures that are specifically tailored to address cybersecurity-related risks that could harm advisory clients and fund investors. Put differently, the proposed rules appear to recognize that cybersecurity risks can vary from entity to entity and that there is no uniform approach to risk mitigation. The proposed rules rely on the Advisers Act’s existing framework, which requires advisers to act as fiduciaries and in the best interests of their clients, and prescribes steps to minimize cybersecurity risks in accordance with advisers’ fiduciary obligations.
- Cybersecurity Risk Management Rules: The proposed rules would require all advisers and funds to adopt and implement tailored (i.e., not generic) policies and procedures that are reasonably designed to address cybersecurity risks. These policies and procedures must include (1) a risk assessment based on an inventory of information systems; (2) controls designed to minimize user-related risks by implementing standards for user security and access; (3) a periodic assessment of information systems to ensure information protection; (4) procedures for threat and vulnerability management, including mitigation, remediation, and training; and (5) cybersecurity incident response and recovery measures. An RIA or fund may either administer its cybersecurity policies and procedures using in-house resources with appropriate knowledge and expertise, or utilize a third-party cybersecurity risk management service, subject to appropriate oversight.
- Annual Review and Required Written Reports: The proposed rules would require RIAs and funds to review their cybersecurity policies and procedures no less frequently than annually and to prepare a written report describing the review. Among other things, the report would need to document any cybersecurity incident that occurred during the reporting period and discuss any material changes to the cybersecurity policies and procedures since the last annual report. The board of a fund, including a majority of its independent directors, would need to initially approve the fund’s cybersecurity policies and procedures, as well as review the annual written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures. In addition, board members would be expected to help ensure that a fund’s adviser has committed sufficient resources to cybersecurity and to consider whether the fund is exerting an appropriate level of oversight over the fund’s service providers. The SEC noted that the board’s review of a fund’s cybersecurity program should not be a passive activity.
- Reporting of Significant Cybersecurity Incidents: The proposed rules would also require advisers to report significant cybersecurity incidents to the SEC, including on behalf of clients that are registered funds, BDCs, or private funds. Advisers would be required to submit proposed Form ADV-C “promptly” after having a reasonable basis to determine that a significant cybersecurity incident (as defined by the proposed rules) has occurred, but in any event to file within 48 hours of such determination.
- Disclosure of Cybersecurity Risks and Incidents: The proposed rules seek to amend Form ADV Part 2A to require RIAs to disclose cybersecurity risks and incidents to their clients, investors, and other market participants.
- Cybersecurity-Related Recordkeeping: The proposed rules contain new recordkeeping requirements, requiring advisers and funds to maintain certain records for five years, including: (1) cybersecurity policies and procedures; (2) annual reviews thereof; (3) documents related to the annual reviews; (4) regulatory filings related to cybersecurity incidents required under the proposed amendments; (5) records of any cybersecurity incident; and (6) cybersecurity risk assessments.
The proposed rules make it clear that the SEC will continue to look to cybersecurity policies, procedures, and disclosures to minimize cybersecurity-related threats to investors and markets. The proposed rules will be open for public comment for 60 days following the publication of the proposing release on the SEC’s website, or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer. The SEC requested commenters to address 64 specific questions relating to the proposed rules. After the comment period closes, public comments will be considered by the SEC staff and a final rule will be presented to the SEC’s five Commissioners for a vote.
Forming and updating a cybersecurity program can be daunting for even the most diligent of companies. Morrison & Foerster is here to help you develop policies and procedures that are tailored to your organization. We offer a multidisciplinary approach involving our highly respected Global Privacy + Data Security, Securities Litigation, Securities Enforcement, Investigations + White Collar Defense, and Investment Management Groups.
Diana Cummiskey is a Morrison & Foerster LLP law clerk pending admission to practice in the state of New York. She contributed to this article and her practice is supervised by principals of the firm admitted in New York.