Proposed SEC cyber rules mean new demands for asset managers


On February 9, 2022, the Securities and Exchange Commission (SEC) proposed a series of new cybersecurity risk management, reporting, and recordkeeping requirements for registered investment advisers and funds designed to enhance the Investment Advisers Act of 1940 and the Investment Company Act of 1940.

The rule stems from the regulator’s recognition of the increasing frequency of cybersecurity breaches and their impact on investor confidence:

In addition to providing clients and investors with additional cybersecurity-related information about advisers and funds, we expect the proposed amendments to increase investors’ confidence in the operational resiliency of advisers and funds and safety of their investments held through those firms.

The threat landscape for investment advisers and investment companies has grown more complex due to the dependency on technology and technology suppliers for critical business operations. Due to the amount of sensitive, non-public information maintained by funds and advisors, both are enticing targets for malicious cyber actors.

In light of the increased reliance on technology by funds and advisors (and thereby expanded opportunities for malicious cyber actors), the SEC, in its request for comments on the proposed rules, cites “underinvestment” in cybersecurity safeguards by smaller organizations as one of the motivating factors for the new requirements. The SEC expects the rules to ensure that funds and advisors allocate a minimum baseline of effort toward cybersecurity, and that the rules could help “level the competitive playing field for funds and advisers by simplifying prospective investors’ and clients’ decision making.”

The proposed rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act can be broken down into two broad categories: 1) a requirement to implement a comprehensive cybersecurity risk management program, and 2) cyber incident reporting and disclosure obligations.

Specific requirements of the proposed rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act are explained below.




Cybersecurity Risk Management


  • Risk Assessment. This step serves as the foundation for the cybersecurity program. The SEC specifies the requirements to identify and categorize digital assets, identify technology partners and suppliers that receive, maintain or process adviser or fund information, or that are permitted to access their information systems, and identify and prioritize cyber risks.
  • Policies and Procedures. This part of the rule would require funds and advisors to develop and implement policies and procedures that are designed to reduce cybersecurity risk. The SEC calls out documentation on the following topics: Risk Assessment, User Security and Access, Information Protection, Threat and Vulnerability Management, and Incident Response and Recovery.
  • Annual Review and Required Written Reports. Advisers and funds will be expected, at least annually, to review and assess the effectiveness of the cybersecurity program in light of current and emerging cyber threats, and prepare a written report covering the review, any risk assessments performed, or incidents experienced during the reporting period.
  • Board Oversight. For investment funds, proposed rule 38a-2 would require a fund’s board of directors to approve the cybersecurity policies and procedures, and to review the annual written report. In addition to the other duties of the board to oversee management and operations of the fund, the board will be expected to provide oversight of the fund’s cybersecurity program.
  • Recordkeeping. Documentation covered under this requirement includes policies and procedures, risk assessments, annual reviews performed, artifacts relating to cybersecurity incidents, and copies of filed Form ADV-C (incident reporting to the SEC) within the last five years.



Incident Reporting and Disclosure


  • Reporting of Significant Cybersecurity Incidents to the Commission. Proposed rule 204-6 would require firms to report any significant cybersecurity incident to the SEC within 48 hours after determining that such an incident has occurred. In the proposed rule, a significant incident is described as one which results in “substantial harm to the adviser, or substantial harm to a client, or an investor in a private fund, whose information was accessed.”
  • Disclosure of Cybersecurity Risks and Incidents. Disclosure would require reporting to clients on any material cybersecurity risks, whether or not they have led to a significant cybersecurity incident. Materiality is defined as having an impact on “adviser’s advisory relationship with its clients if there is a substantial likelihood that a reasonable client would consider the information important.” Funds would be required to disclose to their investors “whether a significant fund cybersecurity incident has or is currently affecting the fund or its service providers.” The rule would also require “an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.”



Our take


The requested comments can shed light on the aspects of the proposed rules that may be amended before becoming final. Many questions ask whether additional requirements, precision, or guidance are needed, in particular with respect to the role of the board in the oversight of cybersecurity risk management. With regard to recordkeeping and incident reporting, the SEC asks whether the requirements would be unduly burdensome for small advisors or funds, and whether exceptions should be considered. On the topic of disclosures, questions are posed around the clarity, sufficiency, or excessiveness of the requirements.

While the SEC's proposed cybersecurity rules for publicly traded companies, published on March 9, 2022, propose requirements to attest to the competence of the individual serving in the role responsible for cybersecurity, and the board’s expertise in the topic, proposed rules 206(4)-9 and 38a-2 do not address this theme. Instead, one of the questions asks whether commenters believe that training for the staff administering the cybersecurity program should be required by these rules. Lastly, the authors of the rules question whether cybersecurity requirements as they apply to technology suppliers and service providers are sufficiently robust. Should service providers be covered by these requirements, and should funds and advisors be responsible for their compliance? Should there be a policy requirement covering service providers? What should be the role of the board in assessing service providers?

We assess that comments may result in further clarity and definitions of the final rules, as well as further guidance on how to apply these requirements to technology suppliers and service providers. The rules, however, are unlikely to become less robust in their final form.




Actions for funds and advisors in preparation


As funds and advisors begin developing a plan to bring their firms into compliance with the proposed rules, below are some recommended actions to start the process.

  • Monitor the official SEC website and press releases for revisions to the draft of proposed rules and amendments as and when the SEC releases them
  • Consider developing / formalizing a Cybersecurity group / program (if it does not already exist) and identify an individual to lead such a group (e.g., Chief Technology Officer (CTO) or Chief Information Security Officer (CISO))
  • Begin developing and implementing formal policies and procedures designed to address cybersecurity risks and align to industry standards (such as NIST CSF, NYDFS, COBIT, FFIEC CAT, etc.) to ensure they cover all basic / foundational elements
  • As an organization, discuss and develop a definition of ‘significant cybersecurity incident’ for the fund and consider purchasing cyber insurance and implementing retainers with specialized vendors for forensic and incident response services support (if not in place already)
  • Begin allocating budget (time, money, and resources) to assist with annual cyber risk assessments and / or begin identifying partners (vendors or third-parties) to assist with such assessments and help create written reports of the assessments concluded
  • Identify individual(s) within the board of directors capable of overseeing cybersecurity risks and facilitating similar discussions at the board level. If the background / skills do not currently exist within the board of directors, consider either expanding the membership or partnering with trusted third-parties to spearhead such discussions (could be the same third-party that leads the annual cyber risk assessments).




