August 8, 2022

Volume XII, Number 220

Advertisement
Advertisement

August 08, 2022

Subscribe to Latest Legal News and Analysis

SEC Proposes Cybersecurity Regulations for Advisers and Funds

Following recent comments by the Chair of the Securities and Exchange Commission (SEC) on cybersecurity policy, this week a divided SEC proposed new rules related to cybersecurity for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  Citing the growing threat of malicious cyber actors, the SEC’s proposal emphasizes that cybersecurity incidents may cause harm to clients of advisers and funds, as well as to the operation and reputation of the financial markets generally.  With respect to the need for new regulations, the SEC observes that certain advisers and funds still lack robust cybersecurity practices and that current regulations—such as the Advisers Act compliance rule and Regulation S-ID—only indirectly address cybersecurity for advisers and funds.  The SEC’s proposal includes four areas of new rules specific to cybersecurity:

  1. Adoption of Written Cybersecurity Policies and Procedures

The first set of proposed rules (206(4)-9 and 38a-2) would require advisers and funds to adopt and implement written policies and procedures “reasonably designed to address cybersecurity risks.”  The rules enumerate general elements that written policies and procedures would be required to address—including cybersecurity risk assessments, user access controls, sensitivity levels of firm information, and cybersecurity incident detection—but the rules would allow advisers and funds to tailor their cybersecurity policies and procedures based on their circumstances and sophistication.  The proposed rule would require that the written cybersecurity policies and procedures be approved initially by the adviser or fund’s board of directors.  In addition, advisers and funds would be required to 1) annually review the effectiveness of their policies and procedures and 2) provide a written report to their board of directors describing the review and any cybersecurity incidents and assessments since the previous report.

  1. Confidential Reporting by Advisers of Cybersecurity Incidents to the SEC

The proposal includes a new rule (204-6) requiring advisers to file a report with the SEC when a “significant cybersecurity incident” occurs at the adviser or clients of the adviser.  As to what constitutes a “significant” incident, the proposed rule defines “significant adviser cybersecurity incident” to include cybersecurity incidents that result in substantial harm to the adviser or to the adviser’s client whose information was accessed.  As for timing, the adviser would be required to file the report “promptly, but in no event more than 48 hours, after having a reasonable basis to conclude” that a cybersecurity incident has occurred or is occurring.  The adviser would also be required to amend previous reports within 48 hours after obtaining new material information or if a previous report becomes materially inaccurate.

  1. Public Disclosure of Cybersecurity Incidents and Risks

The SEC also proposes amendments to certain forms for advisers (ADV Part 2A) and funds (N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6) that are given to current or prospective clients.  For advisers, the amended “brochure” form would require firms to include both a description of cybersecurity incidents over the past two fiscal years and a description of how the adviser addresses material cybersecurity risks.  In addition, advisers would be required (under proposed rule 204-3(b)(4)) to “promptly” provide interim brochure amendments or supplements to existing clients if the adviser makes a material revision about a cybersecurity incident.  Similarly, funds would be required to disclose in their registrations statements “any significant fund cybersecurity incident that has occurred in its last two fiscal years” in a certain machine-readable format.

  1. Recordkeeping Obligations

Lastly, the proposed rules (204-2(a)(17)(i), (iv)–(vii) and 38a-2(e)) would require funds and advisers to maintain certain records related to the above cybersecurity rules.  Among other things, funds and advisers would need to maintain, for at least five years, 1) their written cybersecurity policies and procedures, 2) reports provided to the board of directors about the review of cybersecurity policies and procedures, 3) records relating to the occurrence of any cybersecurity incident.

The proposed rules are open to public comment and may be revised before an eventual SEC vote for final approval.  In the meantime, we expect the SEC to continue to push cybersecurity policy.  In his statement accompanying the proposal, SEC Chair Gary Gensler reiterated that he has asked the SEC to make cybersecurity-related recommendations with respect to broker-dealers, Regulation SCI, Regulation S-P, and third-party service providers.  And a day prior to the proposal, a bipartisan group of U.S. Senators urged the SEC in a letter to propose cybersecurity disclosure requirements for public companies and financial sector registrants.  In other words, there may be much more to come. 

James Brennan also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 42
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Joseph Weinstein, Litigation Attorney, squire Patton Boggs Law Firm
Partner

Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation. 

216-479-8426
Sean L. McGrane Attorney Litigation Squire Patton Boggs Cleveland
Partner

Sean McGrane is a litigation partner who focuses his practice on defending corporations and their officers and directors against civil securities-fraud claims, shareholder derivative actions, and mergers and acquisition lawsuits. His practice includes representing clients in investigations or proceedings brought by governmental or other regulatory agencies, including the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority. Before joining the firm, Sean practiced securities litigation in the New York offices of Skadden, Arps, Slate...

216-479-8538
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Advertisement
Advertisement
Advertisement