June 28, 2022

Volume XII, Number 179


June 27, 2022


SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.

Highlights of the proposed rules include the following:

Adopting policies and procedures

Advisers and funds would be required to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.  Recognizing that not all advisers and funds have uniform businesses or technology systems, the proposed rules would give advisers and funds flexibility to tailor such policies to the nature and scope of their business and their individual cybersecurity risks.  Specifically, the proposed rules would require the policies and procedures to address certain specific areas, including performance of periodic risk assessments, user security and access, information protection, threat and vulnerability management, and incident response and recovery.  Importantly, the proposed rules would provide flexibility for advisers and funds to determine the person(s) responsible for implementation and oversight of the policies, in addition to flexibility to outsource certain cybersecurity responsibilities.  

Annual review of policies and procedures

Advisers and funds would be required to, at least annually, review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review, and prepare a written report.  At a minimum, the report would describe the annual review, assessment and any control tests performed, document any cybersecurity incidents, and discuss any material changes to the policies and procedures.

Fund board oversight

Proposed rule 38a-2 would require that a fund’s board of directors initially approve its policies, written reports on cybersecurity incidents and material changes to policies that would be required to be prepared at least annually. 

New recordkeeping requirements

Under the proposed rules, advisers and funds would be subject to enhanced recordkeeping requirements, including, among other items, annual review reports and supporting records, reports of any significant fund cybersecurity incidents and supporting documentation, and records documenting the cybersecurity risk assessment, each from within the preceding five years.  

Cybersecurity-related disclosures

The proposed rules would require disclosure of certain cybersecurity risks and incidents to current and prospective investors and clients, including through updates to an adviser’s Form ADV Part 2A, a new proposed section of Form ADV for advisers and a fund’s registration statements, as applicable.

The proposed rules are subject to change following the public comment period and further review by the SEC.  


© 2022 Vedder Price

National Law Review, Volume XII, Number 42

About this Author


Rachel Behar is an Associate in Vedder Price’s New York office and a member of the firm’s Investment Services group.

Ms. Behar concentrates her practice on representing private and registered investment funds, investment advisers, broker-dealers and financial institutions in a variety of legal, regulatory, formation, governance and compliance matters. She frequently assists private equity clients in fund formation matters, and works with them to structure and document private investment fund complexes.

Ms. Behar has...


Joseph M. Mannon is Chair of Vedder Price's Private Fund Formation group and a member of the firm's Investment Services group.

Mr. Mannon focuses his practice on legal and compliance matters for investment advisers, mutual funds, closed-end funds and unregistered vehicles such as hedge funds, hedge fund of funds, and other investment entities.  With regard to unregistered vehicles, he frequently counsels clients on fund formation and structuring matters for funds organized both in the United States and abroad.  He also counsels clients on issues relating to commodity trading...


Jeff VonDruska is a Shareholder in the Chicago office of Vedder Price and a member of the firm’s Investment Services practice group.

His practice includes the representation of investment advisers, family offices, private funds, registered mutual funds, closed-end funds, exchange-traded funds and other financial institutions on a broad range of legal, regulatory, governance, formation and compliance matters.

Mr. VonDruska has significant experience in regulatory and compliance matters affecting investment advisers, including registration and marketing. He also counsels...
