Why prepare for the SEC's cybersecurity proposal now
Considerations for investment advisers and funds
The SEC’s proposed cybersecurity rules for investment advisers and funds aim to enhance cybersecurity preparedness and serve as an opportunity for firms that are lagging in their cyber practices to accelerate their pace of investment. Explore the evolution of the SEC’s approach to cybersecurity, the proposed rules, and implications and next steps for firms in our report.
On February 9, 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules applicable to investment advisers and funds. The SEC’s cybersecurity focus now gives particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under federal securities laws. In proposing cybersecurity rules for investment advisers and funds, the SEC staff makes clear that it continues to observe a lack of cybersecurity preparedness.
What is in the proposal for investment advisers and funds?
Designed to improve investor confidence in the resiliency of investment advisers and funds against cybersecurity threats and attacks, the proposed rules require:
- Funds and investment advisers to implement cyber risk management policies and procedures
- Investment advisers to report significant cyber incidents to the Commission within 48 hours on new Form ADV-C
- Investment advisers and funds to disclose cybersecurity risks and incidents to their investors and other market participants
- Investment advisers and funds to maintain cybersecurity-related books and records
Policies and procedures
Proposed new rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. The proposal describes five “general elements” of cybersecurity policies and procedures:
New Form ADV-C and enhanced disclosure of cyber incidents
The proposed new rule 204-6 under the Advisers Act would require registered advisers to report any significant adviser cybersecurity incident or significant fund cybersecurity incident via a new Form ADV-C within 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring. The proposal would also amend Form ADV Part 2A for advisers’ and funds’ registration statements.
Actions you can take now
The proposal raises a host of considerations for advisers and funds regarding their cybersecurity practices. Some actions for firms to consider include elevating the governance of cyber risk management, conducting a gap assessment of your cyber program against leading practices and regulatory expectations, accelerating the timeline for enhancing your cyber core, identifying a team with primary responsibility for cyber compliance, and conducting tabletop exercises. Download our report to learn more.