SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds
At an open meeting on February 9, 2022, the Securities and Exchange Commission voted three-to-one to propose new and amended rules regarding cybersecurity risk management, cyber incident reporting and cyber risk disclosure under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 (collectively, Proposal). The Proposal applies to SEC-registered investment advisers (RIAs), SEC-registered investment companies (RICs) and closed-end funds that have elected to be treated as business development companies under the Investment Company Act (together with RICs, registered funds). The proposing release (Proposing Release) states that the Proposal is intended to address the SEC’s concerns about the “efficacy of adviser and fund practices industry-wide to address cybersecurity risks and incidents” and the effectiveness of related disclosures to investors.1 The Proposing Release notes that the SEC staff “continues to observe that certain advisers and funds show a lack of cybersecurity preparedness, which puts clients and investors at risk.”
If adopted in its current form, the Proposal would be the most significant update to federal privacy law as applied to registered funds and RIAs in nearly 20 years, and would have a substantial impact on the asset management industry. Specifically, the Proposal would: (i) require RIAs and registered funds (collectively, Covered Entities) to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; (ii) require RIAs to report “significant cybersecurity incidents” to the SEC within 48 hours of discovery, including such incidents related to the adviser or registered funds or private funds that the adviser manages; (iii) create enhanced disclosure requirements for Covered Entities regarding cybersecurity risks and significant cybersecurity incidents, including new requirements to file an amended Form ADV or a prospectus supplement in the event of a significant cybersecurity incident; and (iv) require Covered Entities to maintain certain books and records related to cybersecurity. The SEC is seeking comments on the Proposal.
This Dechert OnPoint summarizes the main elements of the Proposal and identifies next steps and key takeaways for Covered Entities.
While existing SEC rules require Covered Entities to implement policies and procedures that address the privacy and security of individual, natural person customer information,2 the components of the Proposal are much more prescriptive and apply not only to customer information, but also to Covered Entities’ information systems and cybersecurity practices more broadly.3
Cybersecurity Risk Management Rules
The Proposal includes new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act, each of which would require relevant Covered Entities to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks (together, Cyber Risk Management Rules). The Cyber Risk Management Rules set forth the general elements that a Covered Entity would need to include in its policies and procedures, with the SEC expecting Covered Entities to tailor their policies and procedures to fit the nature and scope of their business and individual cybersecurity risks. These general elements include, but are not limited to, the following:
- Periodic Risk Assessments. Covered Entities would need to conduct, and document in writing, periodic assessments of cybersecurity risks associated with firm information and information systems. This would include identification of service providers that receive, maintain, process or otherwise are permitted to access RIA or registered-fund information or information systems on behalf of Covered Entities.
- User Security and Access. Each Covered Entity’s policies and procedures would need to include controls designed to minimize user-related risks and prevent unauthorized access to relevant information and information systems (e.g., through the use of multi-factor authentication, password management rules and other access controls).
- Information Protection. Each Covered Entity’s policies and procedures would need to incorporate measures designed to monitor the Covered Entity’s information systems and protect information from unauthorized access or use, based on a periodic assessment of the information systems and the information that resides on those systems. In addition, these policies and procedures would need to include oversight of service providers that receive, maintain, process, or otherwise are permitted to access Covered Entity information systems and the information residing therein. Such oversight would need to document that these service providers are required by written contract to implement and maintain appropriate information-protection measures.
- Threat and Vulnerability Management. Covered Entities’ policies and procedures would need to include measures to detect, mitigate and remediate any cybersecurity threats and vulnerabilities with respect to Covered Entity information and information systems.
- Incident Response and Recovery. Covered Entities’ policies and procedures would need to include measures to detect, respond to, and recover from, a cybersecurity incident.
The SEC is seeking comment on multiple areas related to the proposed elements of the Cyber Risk Management Rules. For example, the SEC is looking for input on: (i) whether the risk assessment should include specific required components; (ii) best practices that advisers and funds currently have in place; (iii) whether the SEC should require Covered Entities to respond to cybersecurity incidents in a specific timeframe; and (iv) current practices regarding service providers, including current practices for service-provider due diligence and oversight and the use of cyber-specific contractual provisions in service-provider agreements. Noting that there is not a “one-size-fits-all” approach to addressing cybersecurity risk, the SEC also is seeking comment on whether it should exempt certain types of Covered Entities from the Cyber Risk Management Rules, and in what circumstances. The SEC also is seeking comment on: (i) whether the required elements of the Cyber Risk Management Rules should be scaled based on the size of the Covered Entity; (ii) which elements would not be required in those scaled-back programs; and (iii) what the requirements should be for being able to rely on the exemption (e.g., size of the Covered Entity’s staff, assets under management, or another threshold).
At least annually, Covered Entities would need to: review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and prepare a corresponding written report.4
The SEC is requesting comment on the proposed requirements for a review and assessment of policies and procedures and the written report, including on: (i) the scope of requirements for the annual review and written report; (ii) the length of the minimum review period; and (iii) whether conflicts of interest may arise if the same adviser or fund officers implement the cybersecurity program and also conduct the annual review.
In addition, Investment Company Act Rule 38a-2 would require a registered fund’s board of directors5 to initially approve the registered fund’s cybersecurity policies and procedures, as well as review annual written reports on any cybersecurity incidents and material changes to those policies and procedures.
The SEC is seeking comment regarding board approval of fund cybersecurity policies and procedures and annual review of written reports, including regarding: (i) whether a fund’s board, including a majority of its independent directors, should be required to approve the cybersecurity policies and procedures as proposed; (ii) whether fund boards should be required to approve the cybersecurity policies and procedures of certain of the fund’s service providers; and (iii) whether a fund’s board, or committee or expert, should have such oversight roles.
Reporting of Significant Cybersecurity Incidents to the SEC
In a significant change from current practice, new Rule 204-6 under the Advisers Act would require RIAs to report “significant” cybersecurity incidents6 to the SEC, including such incidents related to the adviser or to registered funds or private funds that the adviser manages, by submitting a new confidential Form ADV-C electronically on the Investment Adviser Registration Depository (IARD) no more than 48 hours “after having a reasonable basis to conclude that any such incident has occurred or is occurring.” This includes both “significant fund cybersecurity incidents” and “significant adviser cybersecurity incidents,” defined as an incident or a group of related cybersecurity incidents that “significantly disrupts or degrades” an adviser’s or fund’s ability to “maintain critical operations,” or leads to the unauthorized access or use of RIA or fund information, where the unauthorized access or use of such information results in “substantial harm” to the Covered Entity, or to an investor or client whose information was accessed. We note that this standard appears to set a higher bar than state data breach notification laws, which generally require notification only if an individual’s personally identifiable information is accessed, and many of which require notification only if there is a “reasonable likelihood” of harm to individuals.
Among other things, the new Form ADV-C would require RIAs to report the nature and scope of the incident, actions taken or planned to recover and respond to the incident, whether the incident has been disclosed to clients or investors, and whether the incident is covered under a cyber-insurance policy.
Advisers would also be required to submit amended Form ADV-Cs within 48 hours: (i) after information reported on the previous form becomes materially inaccurate; (ii) after new material information about a previously reported incident is discovered; or (iii) after resolving or closing an internal investigation regarding a previously disclosed incident.
The SEC has asked for comment on whether any items in the proposed Form ADV-C should be added or eliminated, and whether any portions of Form ADV-C should be made public. The SEC has also asked for comment regarding “significant cybersecurity incidents,” including whether the current definitions are appropriate and clear, who should be responsible for concluding there has been such an event (i.e., should a particular person or role be designated with this responsibility) and whether there should be a separate reporting requirement for such events under the 1940 Act for registered funds.
Disclosure of Cybersecurity Risks and Incidents to Clients and Shareholders Annually, and After Significant Cybersecurity Incidents
The Proposal would amend Form ADV Part 2A to require disclosure of cybersecurity risks and significant cybersecurity incidents that have occurred in the last two fiscal years to an RIA’s clients and prospective clients. In addition, the Proposal would amend Rule 204-3 of the Advisers Act to require RIAs to deliver interim brochure amendments or supplements to existing clients if an amended brochure or supplement adds disclosure regarding a new significant cybersecurity incident or if a material revision is made to disclosure about a cybersecurity incident.
The SEC is asking for comment regarding the proposed cyber disclosures that would be required in Form ADV Part 2A, including whether they will be helpful, and whether the proposed definition of “significant adviser cybersecurity incident” will allow advisers to inform investors of risks “while protecting the adviser and its client from threat actors who might use that information in current or future attacks.”
The Proposal would amend Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2 and Form S-6 to require registered funds to describe in their registration statements any significant fund cybersecurity incidents that are occurring or have occurred in the prior two fiscal years. The Proposing Release notes that registered funds should consider cybersecurity risks when preparing risk disclosures in their registration statements, and generally should include in their annual reports to shareholders a discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent these were factors that materially affected performance of the fund over the prior fiscal year. In addition, a registered fund would be required to supplement its prospectus in the event of a significant cybersecurity incident. Similar to the Form ADV supplement requirements for advisers, this requirement would be a significant change to existing requirements for registered funds.
The SEC is asking for comment on the proposed amendments to fund registration statement disclosure requirements, including: whether the prospectus disclosure requirement of significant fund cybersecurity incidents should apply to all registered funds; whether the disclosures will be helpful for shareholders and potential shareholders; whether there are “other delivery or shareholder-notification requirements that [the SEC] should consider for funds when updates to their cybersecurity disclosures are made” (e.g., an “alternate website disclosure regime, similar to how proxy voting records may be disclosed”); and whether such information should be reported in funds’ annual reports to shareholders, filed on Form N-CSR or reported on Form N-CEN.
Further, the Proposal would amend Rule 204-2, the “books and records” rule under the Advisers Act, and adopt Rule 38a-2 under the Investment Company Act to require Covered Entities to maintain certain records relating to the Cyber Risk Management Rules and cybersecurity incidents.7 These would include, for example: copies of the cybersecurity policies and procedures required by the Cyber Risk Management Rules; copies of risk assessments conducted pursuant to the Cyber Risk Management Rules; copies of any reports of significant cybersecurity incidents that an RIA is required to submit to the SEC; and records documenting Covered Entities’ annual review of their cybersecurity policies and procedures as required by the Cyber Risk Management Rules.
The SEC also is seeking comment on: whether the records that the Proposal requires Covered Entities to keep are appropriate; and whether Covered Entities have concerns that it would be difficult to retain any of the named documents.
What to Expect Next and Key Takeaways
Time will tell whether the Proposal will remain fully intact following what is likely to be an active comment period. It is critical that stakeholders provide their views to the SEC during the public comment period, which will remain open for the longer of: 60 days from February 9, 2022 (when the Proposal was posted on the SEC’s website); or 30 days from when the Proposal is published in the Federal Register. Covered Entities submitting comments should focus particular attention on the following key takeaways:
- The Proposal Would Require Covered Entities to Protect More Data. The SEC’s Division of Investment Management and Division of Examinations have issued tailored cybersecurity risk alerts over the past seven years that align with many elements in the Cyber Risk Management Rules, and the SEC more recently has been active in enforcement in this area. As a result, many Covered Entities have been committed to investing in and enhancing their cybersecurity programs. Such entities already likely will have implemented portions of the required elements of the Cyber Risk Management Rules. Nonetheless, with its focus on firm information and information systems, the Proposal would require Covered Entities to expand their focus beyond customer information to ensure that all of their systems and data are adequately protected and captured by their existing risk-management processes.
- Covered Entities Would Need to Account for How to Apply the New Requirements to Service Providers. Many Covered Entities rely heavily on service providers (e.g., administrators and transfer agents) to process and protect their proprietary and customer information. Conducting comprehensive periodic assessments of cybersecurity risks associated with Covered Entity information systems and information could be a time-consuming and potentially costly undertaking, particularly for RIAs that might outsource aspects of their cybersecurity to service providers, or for registered funds where most fund information is held with third-party service providers. Under the Proposal, Covered Entities also would need to revisit the contracts they have in place with third parties to ensure agreements are broad enough to meet Covered Entities’ new obligations under the Proposal, and that these entities have appropriate rights to audit the cybersecurity practices of such service providers.
- The Proposal Would Add to Covered Entities’ Disclosure Obligations. The Proposal’s requirement to amend and provide supplemental disclosures to clients, investors and shareholders in the event of changes to cybersecurity risks and in the wake of significant cybersecurity incidents is likely to increase operating costs for Covered Entities. Industry participants can be expected to seek clarification from the SEC on the timeframe within which such updates must be made, given the shifting factual landscape that can result when dealing with a sophisticated threat actor.
- The 48-Hour Incident Reporting Requirement Would Pose Serious Obstacles. The 48-hour reporting timeline in the Proposal would, if adopted, be shorter than nearly all currently applicable data breach laws. Specifically, most state data breach laws do not give an exact timeframe for reporting an incident, and those that do generally prescribe a 30- or 45-day timeframe for notification. The 48-hour proposal also is shorter than the 72-hour reporting requirement under the European Union’s and UK’s General Data Protection Regulation (GDPR) and the New York State Department of Financial Services Cybersecurity Regulation. If the Proposal is adopted, Covered Entities will need to identify, compile and timely report the required information to the SEC at the same time as they are “all hands on deck” responding to an ongoing cyberattack.8 In practice, it often takes more than 48 hours – and in many cases, several weeks – for forensic investigations to determine the scope of an attack and identify the key information needed to determine whether or not an event is actually a “significant” cybersecurity incident, including what, if any, data has been accessed or exfiltrated by an attacker. If the Proposal goes into effect as written, the 48-hour reporting requirement will undoubtedly present a substantial challenge for Covered Entities dealing with cyberattacks.
1) Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22, (Feb. 9, 2022).
2) For example, Regulation S-P, adopted by the SEC to implement the privacy and safeguards provision of the Gramm-Leach-Bliley Act (GLBA), contains provisions referred to as the “Safeguards Rule,” which requires RIAs and registered funds to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. In addition, the SEC’s Regulation S-ID (or Red Flags Rule) requires RIAs and registered funds that maintain certain covered customer accounts to develop and implement a written program that identifies and detects the “red flags” of identity theft. Private funds may be subject to the Federal Trade Commission’s implementing versions of the Safeguards Rule and Red Flags Rule, and the Proposing Release acknowledges that to the extent a private fund is subject to the FTC’s rules, the Proposal “may result in some overlapping regulatory requirements with respect to protecting information.”
3) While existing rules do not require Covered Entities to report cybersecurity incidents to the SEC, Covered Entities nevertheless are subject to the reporting requirements of existing U.S. state data breach notification laws for breaches involving personally identifiable information.
In addition, firms that are dually registered with the National Futures Association (NFA) are required to report to the NFA certain cybersecurity incidents relating to such firms’ commodity interest business pursuant to an NFA Interpretive Notice.
Further, the FTC also has recently proposed amendments to the FTC Safeguards Rule to require covered entities, which include investment advisers that are not required to register with the SEC, to report to the FTC in the event of certain security events.
4) The written report would need (at a minimum) to: (i) describe the review and any control tests performed; (ii) explain the results thereof; (iii) “document any cybersecurity incident that occurred since the date of the last report;” and (iv) “discuss any material changes to the policies and procedures since the date of the last report.”
5) If the fund is a unit investment trust, the fund’s principal underwriter or depositor instead must approve the fund’s policies and procedures and receive all written reports.
6) A “cybersecurity incident” is defined as an unauthorized occurrence on or conducted through a Covered Entity’s information systems that jeopardizes the confidentiality, integrity or availability of a Covered Entity’s information systems, or any Covered Entity information residing therein.
7) This recordkeeping requirement would apply not only to the occurrence of “significant” cybersecurity incidents, but to any cybersecurity incidents (as defined in the previous footnote) occurring in the prior five years.
8) Commissioner Hester Peirce, the lone dissenting vote against the Proposal, appears to have acknowledged this difficulty, explaining that she would prefer a “public-private partnership” to address cybersecurity issues as opposed to the “traditional regulation-examination-enforcement triad.” She also noted that most firms already are “investing substantial resources in defense against breaches,” and that the SEC should be ready to assist firms in defending against cyberattacks rather than “pil[ing] on with an enforcement action after a breach.” See Statement on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.