On February 9, 2022, the Securities and Exchange Commission (SEC) issued a new proposed rule that would overhaul the cybersecurity regulations for registered investment advisers, registered investment companies, and funds. This post focuses on the provisions that impact private fund advisers.
These proposed rules must still go through public review and comment. The comment period will be open for 30 days after the publication of the rules in the Federal Register or April 11, 2022 (60 days after issuance), whichever is later. It will likely take at least 3 months for the SEC to produce any final rules after the conclusion of the comment period.
The new regulations have four principal components, which are summarized in the following paragraphs.1
Books and Records – Amended Rule 204-2
The SEC proposed several changes to Rule 204-2, which would require registered investment advisers to maintain the following records related to cybersecurity risk management and incidents: (i) a copy of their cybersecurity policies and procedures (formulated pursuant to proposed rule 206(4)-9) in effect at any time within the last five years; (2) a copy of written reports documenting the annual review of their cybersecurity policies and procedures conducted under proposed rule 206(4)-9; (3) a copy of any Form ADV-C (pursuant to the new proposed rule 204-6) filed in the last five years; (4) records documenting the occurrence of any cybersecurity incident in the last five years; and (5) records documenting the adviser or fund’s cybersecurity risk assessment required under proposed rule 206(4)-9 in the last five years.
Additional Brochure Delivery Requirements – Amended Rule 204-3
The SEC proposed amending Rule 204-3, which currently requires registered investment advisers to deliver a brochure (Form ADV Part 2A) to their clients on an annual basis or more frequently upon the occurrence of certain disciplinary incidents. The new rule also would require registered investment advisers to add disclosures in Form ADV Part 2A related to cybersecurity risks and significant cyber security incidents (the definition of which is discussed in more detail below).
Cybersecurity Incident Reporting – Proposed Rule 204-6
New Rule 204-6 under the Investment Advisers Act introduces a new Form ADV-C. Registered investment advisers who experience a cybersecurity incident would be required to confidentially report the incident to the Commission using the proposed Form ADV-C within 48 hours of “having a reasonable basis to conclude” that a “significant adviser cybersecurity incident” has occurred.
Under proposed Rule 204-6, a “significant adviser cybersecurity incident” is “a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client [including a private fund], or an investor in a private fund, whose information was accessed.” In other words, an incident would need to be reported if its leads to significant disruption to critical operations or to unauthorized access or use of information that results in substantial harm to either the adviser, the adviser’s private fund, or a fund investor.
Advisers must also amend any Form ADV-C within 48 hours whenever new material information about a prior reported incident is discovered or when the any incident or internal investigation is resolved.
Cybersecurity Policies and Procedures – Proposed Rule 206(4)-9
New Rule 206(4)-9 under the Investment Advisers Act requires registered investment advisers to adopt written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks. The policies and procedures must be tailored to the adviser’s business and to include the following elements: (i) periodic assessments of cybersecurity risks associated with adviser’s information systems, including those of the adviser and its service providers, (ii) user security and access controls, (iii) periodic assessment and monitoring of information systems to prevent unauthorized access as well oversight of service providers, (iv) detection and mitigation of cybersecurity threats and vulnerabilities, and (v) measures to detect, respond to, and recover from cybersecurity incidents.
Advisers would be required to, at least annually, review and assess the design and effectiveness of its cybersecurity policies and procedures and prepare a written report that describes the review, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.
1 The proposed rule also includes provisions applicable to registered investment companies and business development companies subject to the Investment Company Act of 1940, which are not discussed in this post.
This article is for general information only. The information presented should not be construed to be formal legal advice nor the formation of a lawyer/client relationship.