SEC addresses cybersecurity risk in proposed rules for the investment management industry
Cybersecurity risk governance has been a focus of the Securities and Exchange Commission (SEC) since at least 2011, a priority in its examinations of regulated market participants, and the subject of numerous risk alerts since 2014. On February 9, 2022, the SEC took another step to address such risks with proposed new rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (funds).
The proposal also includes amendments to existing rules that govern investment adviser and fund disclosures.
The proposed rules
The proposed rules focus on four key areas: risk management through policies and procedures, incident reporting to the SEC, investor disclosure, and recordkeeping, all summarized below.
Cybersecurity risk management through policies and procedures, reviews and fund board oversight
The proposal includes a new rule entitled the “proposed cybersecurity risk management rules” which would require advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks. The SEC would require that the policies and procedures contain certain elements, including:
- Conducting and documenting a risk assessment to categorize and prioritize cybersecurity risks and their potential effects, and to identify service providers that receive, maintain or process adviser or fund information
- User security and access controls designed to minimize user-related risks and prevent unauthorized access to information and systems. Policies and procedures must include at least the following:
(a) an acceptable use policy or equivalent;
(b) two-factor identification and authentication of users;
(c) procedures to govern password distribution, replacement, revocation and authentication;
(d) access restrictions; and
(e) securing remote access technologies
- Monitoring of information systems to protect information from unauthorized access or use, including oversight of service providers
- Threat and vulnerability management to detect, mitigate, and remediate cybersecurity threats and vulnerabilities;
- Cybersecurity incident response and recovery measures to detect, respond to, and recover from a cybersecurity incident, including written documentation of any cybersecurity incident and the adviser’s or fund’s response to it; and
- Specifying who will be responsible for implementing and administering the policies and procedures, including those responsible for communicating incidents internally and reporting them to the SEC and clients/investors.
The proposed cybersecurity risk management rules also would require advisers and funds to review the design and effectiveness of their cybersecurity policies and procedures at least annually, including whether they reflect changes in cybersecurity risk over the period covered by the review, and to prepare a written report of that review. Additionally, a fund’s board of directors would be required to approve the fund’s cybersecurity policies and procedures and to review the annual written report, which would cover cybersecurity incidents and any material changes to the fund’s cybersecurity policies and procedures.
The proposed rules recognize that there is no one-size-fits-all approach to addressing cybersecurity risks. As a result, the proposed cybersecurity risk management rules caution that firms should tailor their cybersecurity policies and procedures to fit the nature and scope of their business and to address their individual cybersecurity risks. Further, they require that governance controls reflect the ever-changing landscape of cybersecurity risk.
Noting that cybersecurity threats constantly evolve, the SEC’s proposal also states that its approach will allow advisers and funds to evolve their policies and procedures as they reassess their cybersecurity risks. Market participants should recognize that the SEC will expect them to update their cybersecurity policies and procedures to address emerging risks – and that failure to do so could result in SEC enforcement action.
Reporting requirement for significant cybersecurity incidents
The proposal includes a reporting requirement which would require advisers to report significant cybersecurity incidents to the SEC on new Form ADV-C, including on behalf of a client that is a registered investment company, a business development company, or a private fund.
Using this new form, an adviser would be required to report the incident to the SEC within 48 hours after having a reasonable basis to conclude that a significant cybersecurity incident has occurred. The filing would include both general and specific questions related to the significant cybersecurity incident, such as the nature and scope of the incident as well as whether any disclosure has been made to any clients and/or investors.
Advisers would also be required to amend any previously filed Form ADV-C no later than 48 hours after (i) information reported on the form becomes materially inaccurate; (ii) new material information about the reported incident is discovered; or (iii) the previously reported incident is resolved, or an internal investigation of the incident is closed. The proposing release describes the proposed form in detail. Currently, the SEC contemplates that Form ADV-C would be confidential to guard against the premature release of sensitive information.
The proposal defines significant cybersecurity incident as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in (1) substantial harm to the adviser or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.
Significant cybersecurity incidents that degrade the adviser’s ability or the ability of a private fund client of the adviser to maintain critical operations would include such things as the inability to implement its investment strategy, process or record transactions or communicate with clients. For instance, malware could shut down a website or take down the company’s email system. Such attacks could have a significant effect on the adviser’s ability to provide services and could in turn affect the market, particularly if other advisers are similarly targeted.
Significant cybersecurity incidents leading to unauthorized access or use of adviser information could result in substantial harm, such as significant monetary loss or theft of intellectual property or personally identifiable or proprietary information. For example, after gaining access to systems, an attacker could use this access to disclose, modify, delete, or destroy data and steal intellectual property and client assets. Any of these actions could result in substantial harm to the adviser and/or to the client.
Disclosure of cybersecurity risks and incidents
The proposal would require advisers to describe, in plain English, cybersecurity risks that could materially affect the advisory services they offer and how the adviser assesses, prioritizes, and addresses cybersecurity risks created by the nature and scope of the business. Enhanced disclosures of cybersecurity risks would be required in Form ADV Part 2A (“brochure”) for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 for funds.
A cybersecurity risk, regardless of whether it has led to a significant cybersecurity incident, would be material to an adviser’s advisory relationship with its clients and would be reportable in a new Item 20 of an adviser’s brochure, if there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information.
The facts and circumstances relevant to determining materiality in this context may include the likelihood and extent to which the cybersecurity risk or resulting incident:
- could disrupt (or has disrupted) the adviser’s ability to provide services, including the duration of such a disruption;
- could result (or has resulted) in the loss of adviser or client data, including the nature and importance of the data and the circumstances and duration in which it was compromised; and/or
- could harm (or has harmed) clients (e.g., create illiquidity, an inability to access investments, or exposure of confidential or sensitive personal or business information).
Advisers and funds would also be required to provide prospective and current investors with cybersecurity-related disclosures. Specifically, the proposed amendments would require the disclosure to include a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in the adviser’s brochure and in the fund’s registration statements. The proposed amendments would also require advisers to describe any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.
Funds would also be required to disclose any significant fund cybersecurity incident that has occurred during its last two fiscal years. This would include a description of each significant fund cybersecurity incident, including the following information to the extent known: the entity or entities affected; when the incident was discovered and whether it is ongoing; whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; the effect of the incident on the fund’s operations; and whether the fund or service provider has remediated or is currently remediating the incident.
Additionally, for any required risk disclosures in fund registration statements under the Investment Company Act or the Securities Act, the proposed rules would require all funds to tag this information about significant fund cybersecurity incidents in a structured, machine-readable data language.
When describing these incidents in their brochures, advisers would be required to identify the entity or entities affected; when the incidents were discovered and whether they are ongoing; whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; the effect of the incident on the adviser’s operations; and whether the adviser or service provider has remediated or is currently remediating the incident.
In addition, the proposed rules would require advisers to deliver promptly to clients an interim amendment to its brochure if the adviser adds disclosure of a cybersecurity incident or materially revises previously disclosed information in its brochure about such an incident. Funds would be required to file prospectus supplements with the SEC to timely disclose cybersecurity risks and significant fund cybersecurity incidents and to tag that information in accordance with SEC requirements.
Recordkeeping
The books and records rule under the Advisers Act sets forth requirements for making, maintaining, and retaining books and records relating to an adviser’s investment advisory business. The proposal would amend this rule to require advisers to retain, for five years, current and prior versions of the records relating to the proposed cybersecurity risk management rules and records of the occurrence of cybersecurity incidents.
Similarly, proposed rule 38a-2 under the Investment Company Act would require that a fund maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule. These records would have to be maintained for five years, the first two years in an easily accessible place.
Commissioners’ statements on the proposed rules
Multiple SEC commissioners have provided formal statements on the proposed rules, both in support of and against the proposal. After publication of the proposed rules, SEC Chair Gary Gensler came out in favor of the proposed rules and amendments, stating that the proposed rules are “designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” Similarly, Commissioner Caroline A. Crenshaw issued a statement supporting the proposed rules as a way to “enhance cyber practices by funds and advisers.”
Commissioner Hester M. Peirce, in contrast, did not support the proposal and stated that “a cybersecurity policies and procedures rule may not even be necessary to foster the investments in strong cyber-defenses, dialogue, communication, and cooperation we seek from investment advisers and investment companies.” Commissioner Peirce cited existing regulations which are already in effect and which require much the same policies and procedures as those in the proposed rule. She suggested that guidance (as opposed to a rule) would be a more suitable approach.
The proposal contains 64 groups of questions on which the SEC has requested comment. The public comment period for the proposed rules will be open for 60 days following publication of the release on the SEC’s website, or 30 days following the publication of the proposing release in the Federal Register (whichever period is longer). Although these are only proposed rules, market participants should expect continued SEC focus on cybersecurity risk management and protection against ongoing cybersecurity threats.
Market participants should also expect more rules related to cybersecurity. In his statement on the proposed rules, Chair Gensler commented that he had asked the SEC staff to make recommendations for the SEC’s consideration with respect to broker-dealers, Regulation Systems Compliance and Integrity, Regulation S-P (related to customer notices) and third-party service providers.
As SEC Commissioner Peirce noted in her statement on the proposal, “cybersecurity prescriptions could become an easy hook for an enforcement action, even when a firm has made reasonable efforts to comply with the prescriptions.” Registered investment advisers, companies, and funds should evaluate the potential impact of the SEC’s proposed rules on their current cybersecurity programs and consider whether changes might be necessary in light of the rules that are likely to emerge from this rulemaking.
For more information, please contact the authors of this article or your DLA Piper relationship attorney.