Why prepare for the SEC's cybersecurity proposal now
Considerations for investment advisers and funds
The SEC’s proposed cybersecurity rules for investment advisers and funds aim to enhance cybersecurity preparedness and serve as an opportunity for firms that are lagging in their cyber practices to accelerate their pace of investment. Explore the evolution of the SEC’s approach to cybersecurity, the proposed rules, and the implications and next steps for firms in our report.
Background
On February 9, 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules applicable to investment advisers and funds. The SEC’s cybersecurity focus now gives particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under federal securities laws. In proposing cybersecurity rules for investment advisers and funds, the SEC staff makes clear that it continues to observe a lack of cybersecurity preparedness.
What is in the proposal for investment advisers and funds?
Designed to improve investor confidence in the resiliency of investment advisers and funds against cybersecurity threats and attacks, the proposed rules require:
- Funds and investment advisers to implement cyber risk management policies and procedures
- Investment advisers to report significant cybersecurity incidents, including significant fund cybersecurity incidents, to the Commission within 48 hours on new Form ADV-C
- Investment advisers and funds to disclose cybersecurity risks and incidents to their investors and other market participants
- Investment advisers and funds to maintain cybersecurity-related books and records
Policies and procedures
Proposed new rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. The proposal describes five “general elements” of cybersecurity policies and procedures:
- Risk assessment: Firms would be required to perform periodic assessments of cybersecurity risks associated with adviser/fund information systems and the adviser/fund information residing therein, and to produce written documentation of such risk assessments.
- User security and access: Firms would need to design and implement identity and access management programs for managing access to assets and information based on roles and entitlements.
- Information protection: Funds and advisers would be required to establish data protection programs for the secure use, processing, transmission, and storage of their information, and to review compliance via periodic assessments.
- Threat and vulnerability management: The proposal requires advisers and funds to implement threat and vulnerability management programs to monitor, detect, mitigate, and remediate cybersecurity threats and vulnerabilities.
- Incident response and recovery: The proposal requires firms to establish incident and crisis response programs to detect, respond to, and recover from cybersecurity incidents, and to define formal processes for interfacing with the SEC and other external agencies to share incident-related information.
New Form ADV-C and enhanced disclosure of cyber incidents
The proposed new rule 204-6 under the Advisers Act would require registered advisers to report any significant adviser cybersecurity incident or significant fund cybersecurity incident via a new Form ADV-C within 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring. The proposal would also amend Form ADV Part 2A for advisers’ and funds’ registration statements.
Actions you can take now
The proposal raises a host of considerations for advisers and funds regarding their cybersecurity practices. Some actions for firms to consider include elevating the governance of cyber risk management, conducting a gap assessment of your cyber program against leading practices and regulatory expectations, accelerating the timeline for enhancing your cyber core, identifying a team with primary responsibility for cyber compliance, and conducting tabletop exercises. Download our report to learn more.