On February 9, 2022, the SEC approved a notice of proposed rulemaking (Proposal) that would establish new rules governing cybersecurity risk management. In particular, the Proposal would: require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; require advisers to report significant cybersecurity incidents to the SEC on proposed Form ADV-C; enhance adviser and fund disclosures related to cybersecurity risks and incidents; and require advisers and funds to maintain cybersecurity-related books and records.
Key aspects of the Proposal as it relates to funds include the following:
Reasonably designed policies and procedures to address cybersecurity risks. If finalized, the Proposal would establish a new Rule 38a-2 under the Investment Company Act. Rule 38a-2 would require funds to adopt and implement policies and procedures reasonably designed to address cybersecurity risks, and it would outline the general elements those policies must cover, including operational risks and the risk of disclosure of personal information. Furthermore, Rule 38a-2 would require fund boards to initially approve and then annually review a fund’s cybersecurity policies and procedures. The policies and procedures required under Rule 38a-2 are more detailed and prescriptive than those currently required under Regulation S-P.
Adviser reporting of significant cybersecurity incidents. The Proposal would also establish a new Rule 204-6 under the Advisers Act, which would require advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. Form ADV-C would be a confidential report.
Disclosure related to cybersecurity risks and incidents. In addition, the Proposal includes amendments to disclosure forms for investment companies, such as Form N-1A (and, for advisers, Form ADV). These amendments would require funds to describe, in their registration statements, any significant fund cybersecurity incidents that have occurred in the last two fiscal years, so that prospective and current investors are informed of them.
Maintenance of cybersecurity-related records. Finally, Rule 38a-2 would require funds to maintain copies of their cybersecurity policies and procedures, as well as certain related records (the general adviser recordkeeping rule, Rule 204-2, would also be amended to require advisers to retain records relating to cybersecurity risk management and incidents).
The SEC press release can be found here.
The Proposal can be found here.
A fact sheet on the Proposal can be found here.
Commissioner Peirce dissented from the Proposal and expressed her opposition in a statement that can be found here.