The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
Existing rules, such as Regulation S-P and S-ID, are mainly focused on protecting customer data. The proposed rules center on protecting systems, the data within them, and improving overall cybersecurity practices.
Maintain and implement cybersecurity policies and procedures
RFs and RIAs will be required to maintain and implement written policies and procedures that are reasonably designed to address the following elements:
- risk assessment;
- user security and access control;
- information protection;
- threat and vulnerability management; and
- incident response and recovery.
Examples of implementation given in the proposed rules include conducting periodic risk assessments of information systems and third-party service providers, and configuring certain access controls, such as multi-factor authentication (MFA).
RFs and RIAs will be required to conduct an annual review of cybersecurity policies and procedures, and produce a written report of such review.
Adopt new recordkeeping standards
RFs and RIAs will be required to maintain records of and related to:
- cybersecurity policies and procedures;
- annual reviews of cybersecurity policies and procedures;
- cybersecurity incident filings provided to the Commission;
- the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident; and
- cybersecurity risk assessments.
Report significant cybersecurity incidents to the Commission
RIAs will be required to submit a form electronically to the SEC promptly (but in no event more than 48 hours) where they reasonably believe that a Significant Adviser/Fund Cybersecurity Incident has occurred or is occurring. A Significant Adviser/Fund Cybersecurity Incident is defined as a cybersecurity incident (or group of related incidents) that:
- significantly disrupt(s) or degrade(s) the RIA/RF’s ability (or the ability of a private fund client of an RIA) to maintain critical operations; or
- leads to the unauthorized access or use of RIA/RF information, resulting in substantial harm to the RIA/RF, to a client, or to an investor whose information was accessed.
Disclose cybersecurity risks and incidents to clients and investors
In registration statement forms (RFs) and disclosure brochures (RIAs), RFs and RIAs will be required to describe cybersecurity risks and significant incidents that have occurred within the last two fiscal years. RFs and RIAs will also be required to continually supplement initial disclosures with information on any new Significant Adviser/Fund Cybersecurity Incidents.
How can you prepare?
- RFs and RIAs should begin preparing for the implementation of the new rules through internal testing and by reviewing their existing policies, procedures, and practices.
- The comment period will run for the longer of either 60 days from February 9, 2022, or 30 days after publication of the proposal in the Federal Register. Any aspects of the proposed rules that cannot be complied with should be raised during the comment period.