In today’s asset management landscape, cybersecurity threats are omnipresent, and with constantly evolving tools of attack, actual breaches have become increasingly prevalent. As the complexity, scope, and frequency of cyber threats and incidents have risen, the U.S. Securities and Exchange Commission (SEC) has increased its vigilance regarding regulated financial intermediaries including registered investment advisers, investment companies, and broker-dealers.
In the summer of 2020, the SEC’s Division of Examinations published risk alerts highlighting cybersecurity risks, concerns, and considerations around ransomware; physical and cybersecurity issues affecting business continuity; and credential stuffing and multifactor authentication. These were published in the wake of the pandemic-driven transition to widespread remote working and followed cybersecurity guidance from the SEC staff dating back nearly a decade.
Now, the SEC has proposed long-expected new rules regarding cybersecurity risk management and incident disclosure and reporting for registered advisers and funds, including business development companies (the Rule Proposal). Many advisers and funds have already adopted policies and procedures that address all or a significant portion of the requirements of the Rule Proposal. Still, as discussed in further detail in this client update, the Rule Proposal sets forth several new rules and requirements under both the Investment Advisers Act of 1940 (the Advisers Act) and the Investment Company Act of 1940 (the 1940 Act).
- Proposed Rule 206(4)-9 Under the Advisers Act and Proposed Rule 38a-2 Under the 1940 Act. These new rules would require advisers and funds to adopt, implement, and enforce written cybersecurity policies and procedures, and to review and evaluate the design and effectiveness of those policies and procedures at least annually.
- Proposed Changes to Adviser and Fund Disclosure Requirements. Existing disclosure requirements for advisers and funds would be amended to require specific disclosure regarding cybersecurity risks and cybersecurity incidents.
- Proposed Form ADV-C. Advisers would be required to report significant cybersecurity incidents to the SEC on new Form ADV-C.
The SEC’s Cybersecurity Rule Proposal: Policies and Procedures, Enhanced Disclosures, and Additional Reporting Requirements
Cybersecurity Risk Management Rules (Proposed Cybersecurity Rules)
The Proposed Cybersecurity Rules (Rule 206(4)-9 under the Advisers Act and Rule 38a-2 under the 1940 Act) would require advisers and funds to adopt, implement, and enforce policies and procedures that are reasonably designed to address cybersecurity risks, organized around the following key components.
- Risk Assessment. Advisers and funds would be required, at least annually, to conduct a cybersecurity risk assessment in order to assess, categorize, prioritize, and document in writing the cybersecurity risks associated with their information technology (IT) systems and the information residing in them. The SEC proposes that a risk assessment should (1) categorize and prioritize cybersecurity risks; (2) map the flow of information belonging to the adviser, the funds, and their clients and investors through the IT systems and to service providers, in particular those with direct access to the firm’s IT systems; and (3) review applicable business continuity and disaster recovery (BCDR) policies.
- User Security and Access. Advisers and funds would be required to restrict access to their IT systems and data to authorized users. This would include, among other requirements, identifying and authenticating individual users, granting each user only the level of access appropriate to that individual’s position and requiring stronger credential verification (for example, multifactor authentication) for sensitive access, as well as identifying users whose access should be removed. Those users would include individuals who are no longer employed by the adviser and individuals under heightened supervision. The key here is ongoing monitoring and enforcement of security and access controls, not a one-time provisioning exercise.
- Information Protection. Advisers and funds would be required to monitor their IT systems and protect information from unauthorized access or use, based on a periodic assessment of the IT systems and the information residing in them. Advisers and funds would be required to identify suspicious behavior and test the security of their IT systems through techniques such as penetration testing. In addition, advisers and funds would be required to appropriately manage and oversee service providers that receive, maintain, process, or otherwise have access to information housed in their IT systems. In doing so, advisers and funds would be required to (1) document that they require, by contract, service providers to have in place similar cybersecurity policies and procedures and (2) review those contracts periodically. In short, advisers and funds would need to understand each service provider’s policies and procedures and determine whether they are adequate.
- Threat and Vulnerability Management. Advisers and funds would be required to detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to their IT systems and sensitive information and to conduct ongoing monitoring for vulnerabilities. Once a threat or vulnerability is identified, advisers and funds would have to decide how to mitigate and remediate it. To address this requirement, it would be prudent for advisers and funds to include contractual provisions requiring service providers to notify them of incidents. Frequent, tested backups of IT systems, kept isolated from production systems so that an attacker who compromises those systems cannot also encrypt or delete the backups, are widely viewed as one of the most effective ways to limit the impact of a successful attack, ransomware in particular.
- Cybersecurity Incident Response and Recovery. Advisers and funds would be required to have measures in place to detect, respond to, and recover from a cybersecurity incident. This would likely require collaboration with service providers. Advisers and funds would be required to document in writing any cybersecurity incident and the firm’s response and recovery. Their policies and procedures would be required to designate the personnel who would perform specific roles in the event of a cybersecurity incident (including who would be responsible for completing the necessary SEC filings) and to include clear escalation protocols to ensure that senior officers, compliance personnel, and a fund’s board receive necessary information regarding cybersecurity incidents on a timely basis.
- Annual Review of Cybersecurity Policies and Procedures. Advisers and funds, at least annually, would be required to review and evaluate the design and effectiveness of their cybersecurity policies and procedures.
Disclosure of Cybersecurity Risks and Incidents
For advisers, the Proposed Rules would amend Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. For funds, the proposal would also require that prospective and current investors be provided with cybersecurity-related disclosures in the fund’s applicable registration statement (Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6). Specifically, the Proposed Rules would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years.
Reporting of Significant Cybersecurity Incidents
The Proposed Rules include a reporting requirement that would require advisers who are—or are required to be—registered with the SEC to report significant cybersecurity incidents to the SEC, including on behalf of a registered or private fund client, by submitting a newly created Form ADV-C. The Proposed Rules include distinct definitions of “significant cybersecurity incident” for advisers and funds.
- Significant Adviser Cybersecurity Incident. A cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.
- Significant Fund Cybersecurity Incident. Significant fund cybersecurity incidents may include cyber intruders interfering with a fund’s ability to redeem investors, calculate net asset value or otherwise conduct its business. Other significant fund cybersecurity incidents could involve the theft of fund information, such as nonpublic portfolio holdings, or personally identifiable information of the fund’s employees, directors, or shareholders.
Form ADV-C would include a series of check-the-box general and specific questions about the cybersecurity incident including questions about the nature and scope of the incident and whether disclosure has been made to clients or investors. The SEC proposes that Form ADV-C filings would remain confidential.
An adviser would be required to file Form ADV-C “promptly,” and no later than 48 hours after having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. In addition, an adviser would be required to amend a previously filed Form ADV-C if it becomes aware that any information in the filing is materially inaccurate, obtains new information about the incident, or closes the file on the incident.
For advisers, the Proposed Rules would amend Rule 204-2 under the Advisers Act (the books and records rule) to require advisers to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. Similarly, Proposed Rule 38a-2 would require that a fund maintain copies of its cybersecurity policies and procedures and other related records.
Fund Board Oversight Under Proposed Rule 38a-2
Similar to the structure of the SEC’s recent Liquidity Risk Management Rule (Rule 22e-4 under the 1940 Act) and Derivatives Risk Management Rule (Rule 18f-4 under the 1940 Act), Proposed Rule 38a-2 would impose several additional oversight responsibilities on fund boards:
- Initial Approval of Cybersecurity Risk Management Program. Fund boards, including a majority of the independent directors/trustees, would be required to initially approve a fund’s cybersecurity policies and procedures under Proposed Rule 38a-2. In doing so, the board would be required to review a written report on the fund’s cybersecurity risk management program (which could be in the form of a summary prepared by those familiar with the program for the initial review).
- Annual Review of Cybersecurity Risk Management Program. Fund boards would be required to conduct an annual review of the fund’s cybersecurity risk management program and review a written report prepared by the manager of the program regarding how the program performed over the past year, any cyber incidents, and any changes to the program.
- Ongoing Responsibilities and Duties of Boards. In its proposing release, the SEC laid out its expectations for how independent fund directors/trustees should fulfill their responsibilities under Proposed Rule 38a-2. Specifically, the SEC stated that directors/trustees should ask questions about matters such as the effectiveness of the fund’s cybersecurity risk management program, whether the program has adequate resources, and the weaknesses identified in the fund’s risk assessment. Boards would also be expected to consider the level of oversight needed over the fund’s third-party service providers.
Implications for the Industry and Next Steps for the Proposed Rules
The SEC’s Proposed Rules would be a concrete step in the codification of cybersecurity standards, responsibilities, and duties for advisers and funds in managing cybersecurity risks and handling cyber incidents. In its proposing release for the Proposed Rules, the SEC notes that many advisers and funds already employ many of the elements included in the Proposed Rules and that their respective existing compliance rules (Rule 206(4)-7 under the Advisers Act and Rule 38a-1 under the 1940 Act) require them to address relevant risks, which could include cybersecurity matters, particularly in the cyber environment of 2022. In addition, advisers and funds already must (and will need to continue to) fulfill their obligations under Regulation S-P (regarding the privacy of consumer financial information) and Regulation S-ID (providing identity theft red flags rules).
In constructing the Proposed Cybersecurity Rules, the SEC appears to have drawn on key elements of common cybersecurity frameworks, including assessment, protection, detection, response, disclosure, and recovery, which are found in the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (the NIST Cybersecurity Framework) and in cybersecurity rules promulgated by other financial regulators, including the New York State Department of Financial Services (NYSDFS) in its Part 500 regulation. Throughout the release for the Proposed Rules, the SEC notes how advisers and funds could address the proposed requirements internally, as well as by engaging third-party cybersecurity specialists who may already be familiar with frameworks similar to the one proposed by the SEC.
The comment period is 30 days after the Proposed Rules are published in the Federal Register (not published as of the date of this update) or April 11, 2022, whichever is later.
Please contact experienced securities regulatory counsel with any questions about these developments and their applications to an individual or business.
© 2022 Perkins Coie LLP