SEC proposes expanded cyber oversight after Gensler signals more on the way
The SEC proposed new cybersecurity rules for investment advisers and investment companies that would require policies and procedures, annual reviews, reporting to the SEC, disclosures to investors, and recordkeeping. The rules would subject investment advisers and investment companies to increased enforcement risk.
On February 9, 2022, the SEC that would impose significant new cybersecurity requirements for registered investment advisers and investment companies. The proposal has five core requirements:
- Cybersecurity policies: Registered investment advisers and investment companies would be required to adopt written cybersecurity policies “reasonably designed to address cybersecurity risks.” Such policies would need to include risk assessments, controls to minimize user access risks, monitoring of information systems to prevent unauthorized access or use, threat and vulnerability detection and remediation, and incident response and recovery.
- Annual reviews: Advisers and investment companies would be required to review annually the effectiveness of these cybersecurity policies, including whether they reflect changes in cybersecurity risk, and prepare a written report. The report would describe the annual review, including the tests performed, and state whether there had been any incidents or material changes to the policies since the last report.
- Reporting: Advisers would be required to report significant cybersecurity incidents affecting the adviser or its clients to the SEC “promptly, but in no event more than 48 hours, after having a reasonable basis to conclude” that a significant cybersecurity incident has occurred or is occurring. Advisers may find it challenging to assess the extent of an incident, or whether one has occurred at all, in this tight timeframe. Reports also would have to be updated within 48 hours of becoming materially inaccurate.
- Disclosures to investors: Although reports to the SEC would be confidential,[1] the proposed rules would require advisers and funds to provide a less detailed disclosure in a publicly available section of Form ADV and fund registration statements.
- Recordkeeping: The proposed rules would require advisers and funds to maintain records of their cybersecurity policies and records related to the occurrence of any cybersecurity incident.
The proposed rules are written to cover all registered funds, although the SEC asked for comment about whether any funds should be exempt.
The SEC acknowledged that the cost of implementing these new obligations may ultimately be redirected to service providers and clients. The proposed rule would require registrants to include contractual provisions in their agreements with service providers to guarantee adherence to the required measures. In the end, however, the SEC acknowledged that “all of these costs may be passed on—in whole or in part—to clients and investors.”
The proposed rules would impose potentially significant new enforcement risk. Advisers currently are subject to Reg S-P and Reg S-ID, which generally require that they have reasonably designed policies and procedures to protect client information and detect and prevent identity theft. Our recent client update discussed several enforcement cases for violations of Reg S-P. The new rules would expand potential liability for having inadequate policies and procedures, including the multiple required sub-components, and would add new liability relating to annual reports, reporting incidents to the SEC, investor disclosures, and recordkeeping.
Other cybersecurity rulemaking
The proposed rules come less than two weeks after the SEC to include systems that trade Treasuries and other government securities. An intended consequence would be to bring such platforms with significant volume within the scope of , which imposes technology and security requirements on a limited set of SEC registrants that provide support for market infrastructure, such as stock exchanges, clearinghouses, self-regulatory organizations and similar institutions.
These proposals follow SEC Chair Gary Gensler’s , in which he said that the “SEC [is] working to improve the overall cybersecurity posture and resiliency of the financial sector” and highlighted initiatives related to public companies, SEC registrants, and third-party service providers. He directed that SEC staff update guidance regarding public company cybersecurity disclosures that the Commission issued in 2018. The SEC recently brought enforcement actions against two issuers, Pearson plc and First American Financial Corporation, for alleged disclosure failures.
Combined, the proposed rules, enforcement actions, expected future guidance, and additional potential rulemaking are significantly increasing the SEC’s oversight of registrants’ cybersecurity practices and the risk of liability for those firms when they suffer breaches, even though they usually will be in the posture of a victim of a sophisticated attack.
[1] The confidentiality of the reporting is one of the items the SEC specifically flagged for comment.