Man the Cyber Forts! – SEC Proposes New Cybersecurity Regulations for RIAs and Funds
With cybersecurity incidents increasing in frequency and notoriety, the Securities and Exchange Commission (the “SEC”) has set its sights on fortifying cybersecurity regulations across the entire financial industry, including SEC-registered investment advisers (“RIAs”) and registered investment companies and business development companies (collectively, “Funds”).[1] On February 9, 2022, the SEC proposed new rules and amendments (the “Proposal”) that, if adopted as proposed, would create specific disclosure and reporting obligations for RIAs and Funds’ on cybersecurity matters as well as create specific requirements for policies and procedures with respect to cybersecurity matters. Notably, the Proposal was released on the same day the SEC released another significant set of proposed rules applicable to private fund advisers, which was the topic of our earlier post, SEC Proposes Significant Regulatory Overhaul for Private Fund Advisers.[2]
A highlight of some of the key elements of the Proposal are described below:
Cybersecurity Risk Management Policies and Procedures
Under the Proposal, RIAs and Funds would have to adopt and implement policies and procedures reasonably designed to address cybersecurity risks.[3] These policies and procedures would, among other things, require that RIAs and Funds: (1) conduct a periodic assessment of their cybersecurity risk exposure, (2) implement controls designed to minimize user-related risks and prevent unauthorized access to the firm’s systems and data, (3) adopt appropriate measures to monitor exposure to the firm’s systems and protect firm information from unauthorized access or use, (4) adopt measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities, and (5) develop measures to identify, respond to, and recover from cybersecurity incidents.[4] Moreover, RIAs and Funds would need to annually review these policies and procedures, and prepare a report describing such assessment.[5]
Significant Cybersecurity Incidents Reporting
The Proposal would require RIAs to report significant cybersecurity incidents to the SEC.[6] Importantly, RIAs would also be obligated to report significant cybersecurity incidents[7] on behalf of Fund or private fund clients.[8] The Proposal would require the RIAs to report any significant cybersecurity incident to the SEC within 48 hours of the time that the RIA has a reasonable basis to conclude that such event has occurred.[9] An RIA would report such an incident by submitting the proposed new Form ADV-C, which would provide a structured format for reporting significant cybersecurity incidents.[10]
Cybersecurity Risks and Incidents Disclosure
The Proposal would also amend Form ADV Part 2A (an RIA’s “Brochure”) to require an RIA to disclose: (1) cybersecurity risks that could materially affect its services, (2) how it assesses, prioritizes, and addresses such risks, and (3) any cybersecurity incidents in the past two fiscal years that have significantly disrupted or degraded the RIA’s ability to maintain critical operations, or that resulted in substantial harm to itself or its clients.[11] Further, the Proposal would require an RIA to deliver interim Brochure amendments to existing clients if an RIA adds a cybersecurity incident or materially revises information about a disclosed cybersecurity incident.[12]
Similarly, the Proposal would require disclosure of any significant Fund cybersecurity incidents that have occurred in the last two fiscal years in the Fund’s registration statement.[13]
Recordkeeping
The Proposal would also impose additional recordkeeping requirements for RIAs and Funds to maintain certain records related to the Proposal’s requirements.[14]
***
The public comment period for the Proposal will remain open for at least sixty days following publication of the proposing release on the SEC’s website. While most RIAs and Funds already have compliance policies and procedures that address cybersecurity, if the Proposal is adopted as proposed, it would provide specific requirements for those procedures and would create new reporting and disclosure obligations with respect to cybersecurity matters. While, the Proposal is still pending, we suggest that RIAs and Funds review their cybersecurity policies, procedures, and practices and consider how the Proposal, if adopted, would affect current practices, particularly in light of the SEC’s increasing focus on cybersecurity issues.
If you have any questions about the Proposal, or the regulation of registered investment advisers and registered investment companies generally, please feel free to contact us.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend
This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice. Viewers should not rely on the posted materials as advice about specific legal problems. Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved. Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer. If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.
[1] See Chair Gary Gensler Speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, January 24, 2022, available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124.
[2] SEC Proposed Rules, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Release Nos. 33-11028; 34-94197; IA-5956; IC-34497, available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf (hereinafter, the “Proposal”); SEC Press Release, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds, February 9, 2022, available at https://www.sec.gov/news/press-release/2022-20.
[3] See Id. at 15-34.
[4] Proposal at 15.
[5] Id. at 39.
[6] Id. at 46.
[7] Under the Proposal, “significant cybersecurity incidents” are incidents that significantly affect the critical operations of an RIA or Fund or lead to unauthorized access or use of information that results in substantial harm to the RIA or its clients or a Fund or its investors. Id. at 108-109.
[8] See Id. at 46.
[9] Id.
[10] Id. at 55.
[11] See Id. at 61-62.
[12] Id. at 62-63.
[13] This includes Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6. See SEC, Fact Sheet, Cybersecurity Risk Management, available at https://www.sec.gov/files/33-11028-fact-sheet.pdf.
[14] See Id. at 44-45.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.