In February of 2022, the SEC proposed Cybersecurity Risk Management Rules and Amendments (the “Proposed Rules”) that continue to focus on cybersecurity risks as an unavoidable reality for the financial markets and, specifically, for registered investment advisers who “increasingly depend on technology for critical business operations.” The SEC’s concern is understandably heightened in light of many registrants’ increased reliance on service providers to perform activities such as custody and transfer agency services.
The Proposed Rules are intended to address the SEC’s prioritization of client and investor protection and transparency of information about cybersecurity incidents. In addition, the Proposed Rules would serve to further cement the SEC’s role in the oversight of registered advisers’ and funds’ cybersecurity programs.
The Proposed Rules include four primary areas of concern.[1] In this month’s Risk Management Update, we look at these four key concerns discussed in the Proposed Rules and provide guidance on how to begin updating your compliance program to address them.
Risk Management
As part of the proposal, Advisers Act Rule 206(4)-9 and Investment Company Act Rule 38a-2 include a risk management component covering certain “core” segments that require advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks.
- Assessment – Advisers and registered funds would be required periodically to assess, categorize, prioritize, and draft written documentation of the cybersecurity risks associated with their information systems and the information residing therein in light of the firm’s particular operations.
- Controls – Advisers and registered funds would be required to implement controls designed to minimize user-related risks and prevent unauthorized access to information and systems. Examples include governance/risk management, vendor management, access controls, data protection, technical controls, branch controls, incident management and response, and training.
- Monitor – Advisers and registered funds would be required to monitor information systems and protect information from unauthorized access or use, based on a “periodic” assessment of the advisers’ or registered funds’ systems and the information residing therein, to determine what methods can be implemented to prevent unauthorized access to or use of the data.
- Threats and Vulnerabilities – Advisers and registered funds would be required to have measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to their information and systems. A “cybersecurity threat” is defined as “any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of [an adviser’s or a registered fund’s] information systems or any [adviser or registered fund] information residing therein.” A “cybersecurity vulnerability” is defined as “a vulnerability in [an adviser’s or a registered fund’s] information systems, information system security procedures, or internal controls, including vulnerabilities in their design, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.” Examples would include imposter websites, phishing, customer and firm employee account takeovers (ATOs), malware, ransomware, and data breaches.
- Incidents – Advisers and registered funds would be required to have measures to detect, respond to, and recover from a cybersecurity incident.
Reporting
The proposed new Rule 204-6 would create Form ADV-C, a confidential report used to submit information regarding “significant cybersecurity incidents to the Commission, including on behalf of a fund or private fund client”. This new Form ADV-C would gather information regarding the nature and scope of the incident (e.g., actions to recover and whether information was stolen, altered, or accessed), whether shareholders/clients or law enforcement were notified, and whether the incident is covered under a cybersecurity insurance policy.
Disclosures
An amendment has been proposed to add Item 20 to Form ADV Part 2A, to be titled “Cybersecurity Risks and Incidents,” under which investment advisers would be required to describe cybersecurity risks that could “materially affect the advisory services” offered by the firm, to explain how the firm identifies, prioritizes, and addresses those risks, and to disclose any cybersecurity events that occurred within the last two fiscal years. Additionally, an amendment to Rule 204-3(b) has been proposed to require investment advisers to “promptly” deliver interim Form ADV Part 2A amendments to current clients when a disclosure event has been added to Item 20 or when the firm “materially revises information already disclosed” about a previously disclosed cybersecurity event.
For registered funds, the proposed amendment would include reporting requirements with similar disclosures related to cybersecurity incidents in the funds’ registration statements, as well as amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.
Recordkeeping
Finally, an amendment to Rule 204-2 of the Advisers Act has been proposed to require investment advisers to create and maintain records relating to cybersecurity events and the proposed rule changes and amendments. Likewise, proposed Rule 38a-2 of the Investment Company Act would require the same for registered funds.
Conclusion
In light of the heightened regulatory focus on cybersecurity vulnerability, in particular given the SEC’s Proposed Rules, advisers and registered funds should prepare for an increased likelihood of examinations and potential enforcement actions related to cybersecurity governance and risk management. If adopted, the Proposed Rules may help to advance the SEC’s objective of investor protection, but as a result they would impose an explicit and substantial duty on advisers and registered funds to address the risks faced not only directly, but also by their respective service providers’ systems and activities. Accordingly, registrants should take a close look at their current cybersecurity programs with an eye toward potentially expanding and strengthening their existing policies, procedures, and controls.
If you have questions regarding the SEC’s Proposed Rules, reach out to our team at info@corecls.com or give us a call at 619-278-0020 for guidance.
Author: Maggie Tavares, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
[1] U.S. SEC, CYBERSECURITY RISK MANAGEMENT FOR INVESTMENT ADVISERS, REGISTERED INVESTMENT COMPANIES, AND BUSINESS DEVELOPMENT COMPANIES (Feb. 9, 2022), https://www.sec.gov/rules/proposed/2022/33-11028.pdf