On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three to one vote. If adopted, the proposed rules would apply to registered investment advisers (“RIAs”), certain registered investment companies (“RICs”) and business development companies (“BDCs,” together with RICs, “registered funds”). Notably, the proposal would require RIAs to notify the SEC on a confidential basis within 48 hours of discovering a significant cybersecurity incident. The proposed rules represent the first of several rule proposals on cybersecurity that SEC Chair Gensler has indicated are forthcoming from the agency.
Risk Management Rules
The proposed rules would require RIAs and registered funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules describe various elements that RIAs and registered funds would be required to address in their cybersecurity policies and procedures regarding operational and other risks that could harm advisory clients and fund investors or lead to the unauthorized access to or use of information, including personal information of clients or investors. The proposed rules would allow firms to tailor their cybersecurity policies and procedures to fit the nature and scope of their businesses and address their individual cybersecurity risks. At a minimum, however, all RIAs and registered funds would be required to conduct a periodic risk assessment; minimize user-related risks and prevent the unauthorized access to information and systems; monitor information systems and protect information from unauthorized access or use; detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to information and systems; and deploy measures to detect, respond to, and recover from a cybersecurity incident.
Annual Review and Oversight
The proposed rules would require RIAs and registered funds to review their cybersecurity policies and procedures no less frequently than annually. Accordingly, advisers and funds would be required at least annually to:
(1) review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
(2) prepare a written report.
The report would, at a minimum, describe the annual review, assessment, and any control tests performed; explain the results, document any cybersecurity incident that occurred since the date of the last report; and discuss any material changes to the policies and procedures since the date of the last report. In the case of registered funds, the proposed rules would also require a fund’s board of directors, including a majority of its independent directors, initially to approve the fund’s cybersecurity policies and procedures, as well as to review the annual written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures.
Recordkeeping
The proposal would amend the books and records rules for RIAs and registered funds. Specifically, the proposal would require advisers to maintain certain records related to cybersecurity risk management and the occurrence of cybersecurity incidents. Likewise, registered funds would be required to maintain copies of cybersecurity policies and procedures and other related records specified under the proposed rules. These records would generally have to be maintained for at least five years.
Incident Reporting to the SEC
For the first time, RIAs would be required to report significant cybersecurity incidents on a confidential basis to the SEC. Under the proposal, RIAs would be required to submit the new Form ADV-C promptly, but in no event more than 48 hours after having a reasonable basis to conclude that a “significant adviser cybersecurity incident” or a “significant fund cybersecurity incident” had occurred or is occurring. The proposal would also require RIAs to amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after information reported on the form becomes materially inaccurate, new material information about a previously reported incident is discovered, and resolving a previously reported incident or closing an internal investigation pertaining to a previously disclosed incident.
Under the proposal, a “significant adviser cybersecurity incident” is defined as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
(1) substantial harm to the adviser; or
(2) substantial harm to a client, or an investor in a private fund, whose information was accessed.
Similar to a significant adviser cybersecurity incident, a “significant fund cybersecurity” incident has two prongs, e.g., that it:
(1) significantly disrupts or degrades the fund’s ability to maintain critical operations; or
(2) leads to the unauthorized access to or use of fund information, which results in substantial harm to the fund, or to the investor whose information was accessed.
The SEC’s proposing release posits that significant fund cybersecurity incidents may include cyber intruders interfering with a fund’s ability to redeem investors, calculate net asset value, or otherwise conduct its business. The proposing release also observers that other significant fund cybersecurity incidents may involve the theft of fund information, such as non-public portfolio holdings or personally identifiable information of the fund’s employees, directors, or shareholders.
Form ADV-C would include both general and specific questions related to the significant cybersecurity incident, such as the nature and scope of the incident, as well as whether any disclosure has been made to any clients or investors. Such information would include, among other things:
- The date the incident occurred, if known;
- The approximate date the incident was discovered;
- Whether the incident is still ongoing;
- Whether law enforcement or any government agency other than the SEC has been notified;
- A description of the nature and scope of the incident, including any effect on critical operations;
- Actions taken or planned to respond to and recover from the incident;
- Whether any data was stolen, altered, accessed, or used for any unauthorized purpose;
- Whether any personal information was lost, stolen, modified, deleted, destroyed, or accessed without authorization;
- Whether disclosure has been made to clients or investors; and
- Whether the incident is covered under a cybersecurity insurance policy.
Disclosure of Cybersecurity Risks and Incidents to Clients and Investors
The proposed rules would also enhance required disclosure around cybersecurity risks and incidents. For RIAs, the proposed rules would amend Form ADV Part 2A to mandate disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. For registered funds, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in a fund’s registration statements, tagged in a structured data language.
The public comment period on the proposed rules will remain open until the later of April 11, 2022, or 30 days following publication of the proposing release in the Federal Register.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code