On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.
Relying on the Commission’s mission to protect investors and ensure orderly markets, the Release cites increasing cybersecurity threats and emphasizes the disruptive consequences and costs (to advisers, funds and investors) of unpreparedness. The Release grounds the Proposal in advisers’ fiduciary duty to clients and the anti-fraud “compliance rule” requiring written policies and procedures to ensure compliance with that fiduciary duty (and other SEC regulations). 17 C.F.R. § 275.206(4)-7; 17 C.F.R. § 270.38a-1 (“Investment Company compliance rule”). The Release asserts the Proposed Rules are necessary, even as it cites existing Rules already addressing cybersecurity issues: Reg. S-P, 17 C.F.R. 248.1 through 248.31, already requires safeguarding customer records and information, so encompasses cybersecurity – as does existing Reg. S-ID, 17 C.F.R. 248.201-.202, which requires a written identity-theft program.
Generally, the Proposed Rule has four key pillars, requiring firms to: (1) “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks,” Proposed Rules 206(4)-9 and 38a-2; (2) “report cybersecurity incidents affecting the adviser, its fund or clients;” (3) disclose significant cybersecurity risks and incidents, by Proposed Amendments to Form ADV and various Fund forms; and (4) implement concomitant recordkeeping requirements.
In summary, the Proposed Rule requires:
Cybersecurity Risk Management Policies and Procedures
Written Policies and Procedures
Risk Assessment – Conduct periodic risk assessments, with written documentation, to address
- inventory, categorize, prioritize
- vendors and service providers
Periodically, no less than annually, or as otherwise necessary to address changes to the business or its threat landscape.
User Security and Access policies and procedures that must include:
- Standards of behavior for authorized users
- Two-factor user identification and authorization
- Timely distribution, replacement and revocation of passwords
- Least-necessary user access
- Securing remote technologies
Information Protection – Monitoring and periodic assessment of information systems and data, considering:
- Data sensitivity and importance
- Personal information
- Data access, storage and transmission
- Access controls and malware protection
- Potential consequences of a security incident
Threat and Vulnerability Management, including monitoring, remediation, and response training
Incident Response and Recovery, addressing operational continuity, data protection, incident information sharing and reporting to the Commission, including written compliance policies and procedures.
Annual Review and Written Reports
Fund Board Oversight
Fund Board Oversight and approval by a Fund’s board, including a majority of independent directors.
Recordkeeping
Recordkeeping for the standard five-year retention, including at a minimum: (a) the cybersecurity policies and procedures; (b) report of annual review; (c) any Form ADV-C filed; (d) records regarding any incident; (e) records of risk assessment.
Reporting to the Commission
Proposed Rule 204-6 would require completion and filing of new Form ADV-C by an adviser not more than 48 hours after having a reasonable basis to believe a “significant cybersecurity incident” has occurred or is occurring, together with material updates within 48 hours. A “significant incident” is proposed as one that significantly disrupts or degrades critical operational continuity or results in substantial harm to the adviser, fund or investors.
Disclosure of Cybersecurity Risk and Incidents
Disclosure of Cybersecurity Risk and Incidents as part of existing disclosure requirements for advisers (Form ADV) and funds, including delivery of interim amendments to existing clients.
Commissioner Peirce dissented, stating that while well-intentioned, the Proposed Rule is:
- Too prescriptive for an issue that requires constant flexibility, innovation and is better suited for a public-private cooperative initiative;
- Improperly grounded in the anti-fraud rules, because it addresses operational risk and compliance issues in situations where the adviser most often is the victim, not the perpetrator; and
- Perhaps unnecessary, given the existing Rules addressing cybersecurity in part.
Her dissent can be found here. Indeed, although the Commission can regulate broker-dealers, the Proposed Rule does not address them. Instead, its delegated self-regulatory organization, FINRA, has taken a far less prescriptive approach to cybersecurity under several of its existing rules. See 2022 Report on FINRA’s Examination and Risk Monitoring Program at 10 et seq., here.
Comments on the Proposal must be submitted to the Commission by the later of 30 days after publication in the Federal Register or April 11, 2022.
The SEC’s press release is here. The Proposal, Release No. 34-94197, IA-5956, IC-34497 (file S7-04-22), is here.
Thomas K. Potter, III (tpotter@burr.com) is a partner in the Securities Litigation Practice Group at Burr & Forman LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.