February 11, 2022
On February 9, 2022, the SEC approved a notice of proposed rulemaking (Proposal) that would establish new rules governing cybersecurity risk management. In particular, the Proposal would: require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; require advisers to report significant cybersecurity incidents to the SEC on proposed Form ADV-C; enhance adviser and fund disclosures related to cybersecurity risks and incidents; and require advisers and funds to maintain cybersecurity-related books and records.
Key aspects of the Proposal as it relates to funds include the following:
Reasonably designed policies and procedures to address cybersecurity risks. If finalized, the Proposal would establish a new Rule 38a-2 under the Investment Company Act. Rule 38a-2 would require funds to adopt and implement policies and procedures reasonably designed to address cybersecurity risks and outline the general elements required to be covered, which would include operational risks and risks of disclosure of personal information. Furthermore, Rule 38a-2 would require Boards to initially approve and annually review a fund’s cybersecurity policies and procedures. The policies and procedures required under Rule 38a-2 are more detailed and prescriptive than currently required under Regulation S-P.
Adviser reporting of significant cybersecurity incidents. The Proposal would also establish a new Rule 204-6 under the Advisers Act, which would require advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. Form ADV-C would be a confidential report.
Disclosure related to cybersecurity risks and incidents. In addition, the Proposal includes amendments to disclosure forms for investment companies, such as Form N-1A (and for advisers, Form ADV). These amendments would require funds to provide prospective and current investors a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in fund registration statements.
Maintenance of cybersecurity-related records. Finally, Rule 38a-2 would require funds to maintain copies of their cybersecurity policies and procedures, as well as certain related records (the general adviser recordkeeping rule, Rule 204-2, would also be amended to require advisers to retain records relating to cybersecurity risk management and incidents).
The SEC press release can be found here.
The Proposal can be found here.
A fact sheet on the Proposal can be found here.
Commissioner Peirce dissented from the Proposal and expressed her opposition in a statement that can be found here.
November 29, 2023
November 6, 2023
October 26, 2023
October 18, 2023
October 17, 2023
October 10, 2023
October 6, 2023
September 29, 2023
September 25, 2023
September 22, 2023
September 20, 2023
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
One Battery Park Plaza
New York, NY 10004
Phone (212) 574-1200
Fax (212) 480-8421
901 K Street, NW
Washington, DC 20001
Phone (202) 737-8833
Fax (212) 480-8421