Why prepare for the SEC's cybersecurity proposal now

Considerations for investment advisers and funds

The SEC’s proposed cybersecurity rules for investment advisers and funds aim to enhance cybersecurity preparedness and serve as an opportunity for firms that are lagging in their cyber practices to accelerate their pace of investment. Explore the evolution of SEC’s approach to cybersecurity, the proposed rules, and implications and next steps for firms in our report.


On February 9, 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules applicable to investment advisers and funds. The SEC’s cybersecurity focus has now geared particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under federal securities laws. In proposing cybersecurity rules for investment advisers and funds, the SEC staff makes clear that it continues to observe a lack of cybersecurity preparedness.

What is in the proposal for investment advisers and funds?

Designed to improve investor confidence in the resiliency of investment advisers and funds against cybersecurity threats and attacks, the proposed rules require:

  • Funds and investment advisers to implement cyber risk management policies and procedures
  • Investment advisers to report significant cyber incidents, including significant incidents to the Commission within 48 hours on new Form ADV-C
  • Investment advisers and funds to disclose cybersecurity risks and incidents to their investors and other market participants
  • Investment advisers and funds to maintain cybersecurity-related books and records

Policies and procedures

Proposed new rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. The proposal describes five “general elements” of cybersecurity policies and procedures:

New Form ADV-C and enhanced disclosure of cyber incidents

The proposed new rule 204-6 under the Advisers Act would require registered advisers to report any significant adviser cybersecurity incident or significant fund cybersecurity incident—via a new Form ADV-C within 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring. The proposal would also amend Form ADV Part 2A for advisers’ and funds’ registration statements.

Actions you can take now

The proposal raises a host of considerations for advisers and funds regarding their cybersecurity practices. Some actions for firms to consider include elevating the governance of cyber risk management, conducting a gap assessment of your cyber program against leading practices and regulatory expectations, accelerating the timeline for enhancing your cyber core, identifying a team with primary responsibility for cyber compliance, and conducting tabletop exercises. Download our report to learn more.

Get in touch

Maria Gattuso 
Principal | Deloitte & Touche LLP
+1 203 321 7098

Bruce Treff 
Managing Director | Deloitte & Touche LLP
+1 617 437 3087

Nitin Pandey
Managing Director | Deloitte & Touche LLP
+1 212 436 7215

Najeh Adib
Senior Manager | Deloitte & Touche LLP
+1 212 436 5750

Meghan Burns 
Manager | Deloitte & Touche LLP
+1 202 220 2780


Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?