On Feb. 9, 2022, the Securities and Exchange Commission (SEC or Commission) proposed a suite of new rules and amendments concerning cybersecurity risk management for registered investment advisers (advisers) and registered investment companies, including business development companies (funds). Proposed under the authority of the Investment Advisers Act of 1940 (the Advisers Act) and the Investment Company Act of 1940 (the 1940 Act), the rules and amendments would require investment advisers and funds to adopt and implement extensive “cybersecurity risk management policies and procedures.” In addition, the proposals would modify recordkeeping, disclosure and reporting requirements, obligating investment advisers and funds to maintain records of significant cybersecurity incidents, to disclose such incidents to their clients, and — for investment advisers only — to promptly report significant cybersecurity incidents to the SEC.

Proposed Requirements for ‘Cybersecurity Risk Management’ Policies

The central element of the SEC’s proposals is the obligation to adopt, implement and record in writing cybersecurity risk management policies and procedures. Setting forth nearly identical provisions, proposed Rule 206(4)-9 under the Advisers Act and Rule 38a-2 under the 1940 Act would require that advisers and funds formulate cybersecurity risk management policies and procedures characterized by six components: (i) a cybersecurity risk assessment, (ii) user security and access policies, (iii) information protection policies, (iv) cybersecurity threat and vulnerability management procedures, (v) cybersecurity incident response and recovery procedures, and (vi) written documentation of the original policies. Advisers and funds would also be required to conduct an annual review of the policies, culminating in a report discussing any changes from the prior year.

The Cybersecurity Risk Assessment

The proposed rules require that advisers and funds draft written documentation of cybersecurity risks associated with the entity’s “information systems” and the “information” the systems house.[1] The risk assessment must “categorize and prioritize” cybersecurity risks based on the components of the firm’s information systems and the potential effect of a cybersecurity incident on the firm stemming from such risk. A cybersecurity incident is defined as an “unauthorized occurrence on or conducted through” the adviser’s or fund’s information systems “that jeopardizes the confidentiality, integrity, or availability” of the adviser’s or fund’s information systems or any adviser or fund information they contain.

The risk assessment must also identify “service providers that receive, maintain or process” adviser or fund information or are “otherwise permitted to access” adviser or fund information systems and the information therein. The risk assessment must assess the cybersecurity risks associated with use of the provider’s services. This and other aspects of the proposed rules require a reassessment of relationships with fund administrators and transfer agents, and may require advisers and funds to inquire about service providers’ business continuity and disaster recovery protocols with respect to cybersecurity incidents.

User Security and Access Policies

The proposed rules require advisers and funds to adopt “controls designed to minimize user-related risks” and prevent unauthorized access to information systems and the information housed in those systems. The controls must include the following five components:

  • Standards of behavior for individuals authorized to access adviser or fund information or information systems.
  • Policies for identifying and authenticating users, including measures that require two or more credentials for access verification, such as multifactor authentication.
  • Procedures for the timely distribution, replacement and revocation of passwords.
  • Restrictions on access to information systems and information, limiting access to only those personnel who require access to perform their responsibilities and functions on behalf of the adviser or fund.
  • Measures for securing remote access to adviser and fund information systems and information.

These policy requirements would supplement the requirements already imposed on advisers and funds by 17 CFR 248.1 through 248.31 (Regulation S-P). Regulation S-P requires policies and procedures that protect nonpublic personal information about consumers by ensuring that advisers and funds observe specified precautions while processing such information. The proposed requirements for user security and access policies would bolster that protection with controls that prevent and detect unauthorized access to all information that advisers and funds hold in their information systems.

Information Protection Policies

The proposed rules require periodic assessment and monitoring of the information contained in information systems for unauthorized use and access. These periodic information system assessments must take into account the sensitivity level and importance of information to business operations; whether any information is personal information; where and how information is accessed, stored and transmitted; access controls and malware protection; and the potential impact that a cybersecurity incident could have on the adviser or fund and their clients/investors, including the adviser’s ability to continue serving its clients. Information protection policies must also include procedures for overseeing service providers receiving, maintaining or processing adviser or fund information. Along with the cybersecurity risk assessments discussed above, these oversight policies must involve documentation that the adviser or fund is requiring service providers, through a written contract, to implement and maintain measures to ensure the security of adviser or fund information. Advisers and funds should also generally include other oversight measures such as due diligence procedures or periodic contract review processes that allow the advisers and funds to assess the extent to which agreements with service providers contain such requirements.

Threat and Vulnerability Management Procedures

The proposed rules require the adoption of procedures for detecting, mitigating and remediating cybersecurity threats and vulnerabilities. “Cybersecurity threats” are defined as any potential occurrences that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of an adviser’s or fund’s information systems or the information residing therein. “Cybersecurity vulnerabilities” are defined as vulnerabilities in the information systems or their procedures or internal controls, including vulnerabilities in design, configuration, maintenance or implementation that, if exploited, could result in a cybersecurity incident. In discussion of this proposal, the SEC recommends “role-specific cybersecurity threat and vulnerability and response training.” This could include “secure system administration courses for IT professionals, vulnerability awareness and prevention training for web application developers, and social engineering awareness training for employees and executives.” These recommendations parallel the technical requirements imposed by the New York State Department of Financial Services on the financial institutions it regulates.

Cybersecurity Incident Response and Recovery Procedures

The proposed rules require policies and procedures for detecting and responding to cybersecurity incidents. This incident response plan must contain policies that ensure continued operation of the adviser or fund during the cybersecurity event; protection of information systems and information during the event; external and internal cybersecurity information sharing, including protocols for escalating information about the event to senior officials; and procedures for reporting or disclosing significant cybersecurity incidents (as discussed below). The required incident response plan would conform to aspects of the incident response guidance previously released by the SEC’s Office of Compliance Inspections and Examinations.

Annual Review of Policies and Required Written Report

The proposed rules require that advisers and funds review and assess the design and effectiveness of the cybersecurity policies described above in a written report prepared annually by the persons who administer the adviser’s or fund’s cybersecurity policies and procedures (who, in the case of funds, must be the fund’s designated CCO). The report should describe the review, as well as any control tests performed and the results of those tests. The annual report should also discuss any material changes to the policies and procedures since the date of the previous year’s report. Investment companies would be subject to the further obligation of obtaining approval of the cybersecurity policies and procedures from the fund’s board of directors when the policies are first adopted. The board of directors must also review the annual report on the cybersecurity policies.

Proposed Recordkeeping Requirements

The proposals include the requirement that advisers and funds maintain the following records:

  • A copy of the cybersecurity risk management policies and procedures (as described above).
  • Copies of written reports documenting the annual review of the cybersecurity risk management policies, including, for funds, copies of the reports submitted to the board of directors.
  • Records documenting the adviser’s or fund’s cybersecurity risk assessment (as described above).
  • Records documenting cybersecurity incidents, including records of the firm’s response and recovery.
  • For advisers, a copy of any Form ADV-C reporting cybersecurity incidents to the SEC (as described below).

Proposed Public Disclosure Obligations for Advisers and Funds

The Commission proposed amendments to various public disclosure requirements that would extend the obligations of advisers and funds to disclose cybersecurity risks and incidents to their clients/investors and other market participants. For advisers, Form ADV Part 2A would be amended to include a new item on “cybersecurity risks and incidents” in the required narrative brochure. This item requires disclosure of cybersecurity risks “that could materially affect the advisory services” offered by the adviser and “significant cybersecurity incidents” that occurred within the past two fiscal years. “Significant cybersecurity incidents” are defined as events that “significantly disrupted or degraded [the adviser’s or their client’s] ability to maintain critical operations, or ha[ve] led to unauthorized access or use of adviser information, resulting in substantial harm.” In the Commission’s discussion of the proposed rules and amendments, substantial harm is described as including “significant monetary loss or theft of intellectual property.” The Commission also proposed amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2 and Form S-6 that would require investment companies to include a description of any significant cybersecurity incident that occurred in the past two fiscal years.

Proposed Reporting Obligations for Investment Advisers

The Commission proposed a rule requiring investment advisers to report any significant cybersecurity incident to the SEC no more than 48 hours after the adviser’s conclusion that the incident had occurred or was occurring. The report would be made through a proposed Form ADV-C. Changes to previously filed ADV-Cs would also be required within 48 hours of the discovery that information reported on the form had become “materially inaccurate.”

Looking Ahead: The Comment Period

The Commission opened these proposals to public comment. The public comment period will close on April 11, 2022, or 30 days after the publication of the proposals in the Federal Register, whichever is later. In its proposal documents, the SEC outlines many questions on which it is seeking comments, including whether certain types of advisers or funds should be exempt from the proposed rules and whether the proposed requirements should be scaled based on the size of the adviser or fund. Interested parties may also note that each of the four current commissioners published a statement on the proposed rules, and the single Republican commissioner, Hester Peirce, stated that she was “unable to support” the proposal.
[1] “Information” is defined as “any electronic information” related to the adviser’s business or the fund’s business, “including personal information[] received, maintained, created, or processed” by the adviser or fund. “Information systems” is defined as “information resources owned or used” by the adviser or fund, “including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of [adviser or fund] information to maintain or support [the adviser’s or fund’s] operations.”