By Jessica Penovich, Senior Director
On February 9, 2022, the U.S. Securities and Exchange Commission requested comments to its first-ever cybersecurity risk management rule proposal. The rule is another significant step in the SEC’s evolution toward enhancing the industry’s cybersecurity posture. While a few existing rules implicate cybersecurity practices, such as Regulations S-P and S-ID, the Commission’s new rule proposal articulates specific measures to address its concerns about security gaps identified in exams that continue to pose a threat to investors and the national market system. At the end of January, SEC Chair Gary Gensler hinted at possible cybersecurity rule changes to “strengthen financial sector registrants’ cybersecurity hygiene and incident reporting” during his keynote address at the Securities Regulation Institute.
The proposed rule would amend the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”) in the following areas:
Policies, Procedures, and Oversight
The proposed rule specifies “certain general elements” that advisors and funds would be required to include in their cybersecurity programs. Firms would be required to “adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity.” Such programs could be tailored based on the company’s size, complexity, business operations, and other attendant cybersecurity considerations. Additionally, firms would have to address how the company responds to and reports cyber incidents, how it manages data, and measures it takes to protect data from internal and external threats (e.g., acceptable use policy, access controls).
While the Commission has not set the expectation that compliance departments become white-hat hackers overnight (firms would be able to delegate certain cybersecurity functions to outsourced professionals and service providers), it reminds firms that delegating cyber functions does not exempt them from their oversight responsibilities. Firms should also be prepared to perform oversight over the security practices of service providers through initial and ongoing third-party vendor due diligence.
As it relates to funds, proposed Rule 38a-2 would require a fund’s board of directors to approve the fund’s cybersecurity policies and procedures as well as material changes thereto, and review any cyber incident reports. These requirements seek to hold the board of directors accountable for the administration of the fund’s cybersecurity program.
Enhanced Disclosures & Reporting
One of the Commission’s goals is to provide the public with access to information about cybersecurity incidents so that investors can make more informed decisions about entrusting their assets with particular advisors and funds. Additionally, the Commission proposes a means of confidential reporting to notify the regulator about cyber incidents in a more timely manner and better address threats to the national market system. As such, the proposed rule would require funds and advisors to provide cyber incident disclosures in various ways. The proposed amendments to Form ADV Part 2A and certain fund registration forms would require advisors and funds to publicly disclose (in plain English) significant cybersecurity incidents. All registered investment advisors would be required to report significant cyber incidents via a new Form ADV-C within 48 hours. This requirement would include significant cybersecurity incidents with respect to the firm or any of its “covered clients” (i.e., registered investment company, business development company, or a private fund). Filings of ADV-C would be confidential, but the Commission could later report metrics derived from these reports.
Similarly, funds would be required to provide “a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in funds’ registration statements, tagged in a structured data language. The proposal includes amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.”
What is a “significant cyber incident”? The rule proposal provides some guidance suggesting that whether a specific cyber event is “significant” is a facts-and-circumstances question, involving consideration of the advisor’s ability to continue operations as well as the amount of client harm.
Books and Records
As is generally the case in all compliance matters, if it wasn’t documented, did it even happen? The proposed rule would require firms to document their cybersecurity efforts (i.e., “maintain, make, and retain certain cybersecurity-related books and records”). Among other requirements, firms would be required to maintain:
- a copy of their cybersecurity policies and procedures;
- a copy of the advisor’s written report documenting the annual review of its cybersecurity policies and procedures;
- a copy of each filed Form ADV-C; and
- records documenting the occurrence of any cybersecurity incident, including incident response records.
In its release, the Commission commented on specific cybersecurity practices that should be considered as part of a firm’s current cybersecurity program:
- The security of multi-factor authentication requirements and reliance on text message (i.e., SMS) authentication systems, which provide less security than non-SMS-based authentication;
- Consideration of technology lifecycles (i.e., age of systems and whether security patches are still offered); and
- Maintaining data backups in “immutable, multi-tiered online and offline storage systems.”
The public comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.