On February 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed Rule 206(4)-9 under the Investment Advisers Act of 1940 and Rule 38a-2 under the Investment Company Act of 1940. The proposed rules would require registered investment advisers and funds to adopt and implement written policies and procedures addressing their cybersecurity risks.
These rules would build on existing Commission rules and regulations regarding cybersecurity. Regulation S-ID, for instance, requires broker-dealers, investment advisers, investment companies and other financial institutions to maintain identity theft prevention programs. Regulation S-P requires many of these same entities to adopt policies and procedures for protecting customer records and information.
The rules cover 10 elements of cybersecurity protection:
1. Risk assessment
The first step for advisers and funds to address any cybersecurity risks is to understand what those risks are.
Advisers and funds would be tasked with categorizing and prioritizing cybersecurity risks associated with their information systems (and the information residing on them). They would also have to identify any service providers that receive, maintain or process adviser or fund information, or that otherwise have access to their information systems, and identify the cybersecurity risks associated with that access.
2. User security and access
Advisers and funds would also be tasked with installing controls that would minimize unauthorized access to information systems. These controls would include:
- Standards of behavior for anyone with access to adviser or fund information systems and data
- User authentication measures requiring two or more credentials for verification
- Procedures outlining distribution, replacement and revocation of passwords
- Access to information systems and data that’s restricted to what’s necessary for users to perform their responsibilities
- Securing the remote access technologies used to reach information systems and data
3. Information protection
Advisers and funds would be required to monitor and protect their information systems via periodic assessments that take into account information sensitivity; where and how data is accessed, stored and transmitted; system access controls and malware protection; and more.
Measures to identify suspicious behavior could include generating and reviewing activity logs, identifying potential anomalous activity and escalating issues to senior officers whenever appropriate.
The rule would also require oversight of service providers with access to information systems and data. Due diligence procedures and periodic contract review processes are among the methods advisers and funds could use to ensure their service providers are capable of protecting important information and data systems.
4. Threat and vulnerability management
Advisers and funds would also be required to create policies for detecting, mitigating and remediating cybersecurity threats to, and vulnerabilities of, their information and systems.
Because preventing cybersecurity threats is critical, advisers and funds should develop plans for monitoring, tracking and patching vulnerabilities. They should also monitor industry and government sources for new threat and vulnerability information to stay on top of threat trends.
Role-specific training is also advised. Examples include system administration courses for IT professionals, vulnerability awareness and prevention training for web application developers and social engineering awareness training for employees and executives.
5. Cybersecurity incident response and recovery
The rules are designed with the acknowledgment that not all cyberattacks can be prevented. Advisers and funds must have policies and procedures guiding the detection of, response to and recovery from a cybersecurity incident.
These policies should be designed to ensure continued operation; protection of information systems and data; internal and external cybersecurity information sharing and communications; and reporting of significant cybersecurity incidents to the SEC.
6. Annual review and required written reports
The proposed rules would also require advisers and funds to conduct a review of their cybersecurity policies and procedures no less frequently than once per year. This would involve:
- An assessment of whether current cybersecurity policies are effective and reflect any changes in cyber risks during the period covered by the review
- A written report that describes the annual assessment, whether any control tests were performed (and what their results were); documents any cybersecurity incidents that occurred since the previous report; and discusses any material changes to the policies and procedures since the last report
7. Fund board oversight
The proposal explicitly states that “board oversight should not be a passive activity.” The rules would require a fund’s board of directors, including a majority of its independent directors, to approve a fund’s initial cybersecurity policies and procedures.
After that, the board should be involved in reviewing the required written reports to better understand the fund’s risk management policies and procedures; ask questions about the program’s effectiveness, implementation, resources and weaknesses; and determine the appropriate level of oversight of the fund’s service providers.
8. Form ADV-C
As part of the proposed rules, the SEC is proposing a new Form ADV-C that would require advisers to provide information about a significant cybersecurity incident in a structured format – specifically, check-the-box and fill-in-the-blank questions.
If an investment adviser had a reasonable basis to conclude that a significant adviser or fund cybersecurity incident occurred, the adviser would have to submit proposed Form ADV-C within 48 hours. The same timeframe would apply to any necessary amendments if the adviser discovered new material information about a previously reported incident, learned that information on the form became materially inaccurate, closed an internal investigation pertaining to a previously disclosed incident or resolved a previously reported incident.
9. Disclosure of cybersecurity risks and incidents
The SEC is proposing amendments to a number of forms: Form ADV Part 2A for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 for funds.
Advisers would be required to use plain English to describe any cybersecurity risks that could affect their advisory services, and how they assess, prioritize and address those risks. They would also be required to describe any cybersecurity incidents over the past two fiscal years that caused substantial harm to the adviser or its clients. Advisers would have to deliver interim brochure amendments to existing clients if the adviser adds a cybersecurity incident disclosure to, or materially revises cybersecurity incident information already disclosed in, their brochure.
Funds would also be required to disclose to prospective and current investors any significant cybersecurity incidents from the past two fiscal years.
10. Recordkeeping
The proposal additionally includes new recordkeeping requirements under the Investment Advisers Act and Investment Company Act.
Advisers would be required to maintain:
- A copy of cybersecurity policies pursuant to proposed Rule 206(4)-9, as well as any policies that were in effect in the last five years
- Copies of written reports documenting their annual cybersecurity reviews from the past five years
- Copies of proposed Form ADV-C filed in the past five years
- Records documenting any cybersecurity incident from the past five years
- Records documenting an adviser’s cybersecurity risk assessment from the past five years
Funds would be required to maintain:
- A copy of cybersecurity policies and procedures that are currently in effect or were in effect in the past five years
- Copies of written reports provided to the board from the past five years
- Records documenting the annual review of the fund’s cybersecurity policies and procedures from the past five years
- Any report of a significant fund cybersecurity incident provided to the SEC by its adviser in the past five years
- Records documenting any cybersecurity incident from the past five years
- Records documenting the fund’s cybersecurity risk assessment from the past five years
Update: On March 15, 2023, the SEC reopened the comment period on the cybersecurity rules that were proposed by the Commission on February 9, 2022. The comment period will remain open for 60 days after the date of.