SEC Proposed New Cybersecurity Rules
The Securities and Exchange Commission (“SEC”) recently published proposed rulemaking regarding cybersecurity for (1) investment advisers and funds and (2) public companies. If adopted, these rules will significantly affect cybersecurity governance: risk management by management, oversight by boards of directors, and the maintenance and updating of cybersecurity policies, procedures, and compliance programs.
The related proposed SEC rules for public companies are addressed in a separate article.
For Investment Advisers and Funds
The SEC proposed strengthened cybersecurity requirements for investment advisers and funds[1] in a notice of proposed rulemaking (the “Proposed Rule”) announced on February 9, 2022 and published in the Federal Register on March 9, 2022.[2] The Proposed Rule includes requirements for written cybersecurity policies and procedures to address risk; annual review of those policies and procedures, a written report, and approval by the board of directors; reporting of “significant cybersecurity incidents”[3] to the SEC; inclusion of cybersecurity risks and incidents in various forms and disclosures; and new recordkeeping requirements. The Proposed Rule does not currently exempt any advisers; however, consideration will likely be given to certain entity-level exemptions based on size[4] and existing regulatory frameworks. Additionally, certain types of data may be exempt. Comments are due on or before April 11, 2022.
Current Guidance
Under the existing SEC rules, advisers subject to Section 203 of the Investment Advisers Act of 1940 (the “Act”)[5] are required to adopt and implement written policies and procedures reasonably designed to prevent violation of the Act and the rules that the Commission has adopted under it.[6] Funds have similar requirements, though a fund's failure to implement appropriate policies does not render the provision of investment advice unlawful.[7] Regulation S-P and subsequent guidance require registered advisers and funds to adopt written policies that address safeguards for the protection of customer data.[8] Outside of SEC regulations for registered advisers, other federal and state regimes impose data protection and policy requirements on financial services firms, e.g., the Gramm-Leach-Bliley Act and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. However, the Proposed Rule includes requirements that may go beyond these current requirements.
The Proposed Rule
Importantly, the Proposed Rule states: “As a means reasonably designed to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business within the meaning of section 206(4) of the Act (15 U.S.C. 80b-6(4)), it is unlawful for any investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3) to provide investment advice to clients unless the adviser adopts and implements written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks…”[9] As drafted, if the Proposed Rule is finalized and takes effect, a failure to meet this requirement will render all investment advice given during the period of noncompliance unlawful. Further, not having reasonably designed cybersecurity policies would itself be treated as a fraudulent, deceptive, or manipulative act.
1. Cybersecurity policies and procedures of investment advisers.
The Proposed Rule requires that these policies and procedures include risk assessments, user security and access controls, information protection, cybersecurity threat and vulnerability management, and cybersecurity incident response and recovery. We briefly outline key portions of these requirements below.
Risk assessments must be performed at least annually, documented in writing, and include at a minimum: (i) categorization and inventory of information systems, the data maintained on them, and the potential impact of a cybersecurity incident; and (ii) identification of service providers that process or access data, and the cybersecurity risks associated with using those service providers. The data mapping needed to support this requirement is substantial, so advisers that do not already maintain such an inventory should begin the process as soon as practical.
User security and access controls include requirements related to acceptable use, authentication measures, password policies, “need to know” data access, and remote access. Of note, the Proposed Rule does not outright require multi-factor authentication, whereas some financial regulations do in part (the NYDFS Cybersecurity Regulation, for example, requires it for access to internal networks from external networks).
Information protection and monitoring measures are required. Although no specific controls are enumerated, assessments should address the sensitivity of business and personal information, how that data is stored and transmitted, access controls and malware protection, and the potential impact of a cybersecurity incident on the adviser's ability to continue providing services. These requirements extend to oversight of service providers that have access to the data. Confirming that existing third-party vendors and providers will comply with this requirement may be a lengthy process.
Policies and procedures must also address cybersecurity threat and vulnerability management, including detection, monitoring, and remediation. The Proposed Rule does not prescribe particular techniques, such as penetration testing.
Lastly, advisers and funds must address cybersecurity incident response and recovery. Specific requirements include: (i) measures to detect and respond to incidents; and (ii) written documentation of any incident, along with the adviser’s response to it.
Existing policies and procedures built to comply with alternative regulatory frameworks may not be sufficient.
2. Annual review and written report.
At least once a year, advisers are required to: (i) review and assess the design and effectiveness of the cybersecurity policies and procedures required by the pertinent parts of the Proposed Rule; and (ii) prepare a written report that, at a minimum, describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.[10]
A fund’s board of directors must initially approve the fund’s cybersecurity policies and procedures, as well as review the required annual written report on cybersecurity incidents and material changes to the cybersecurity policies and procedures.[11]
We note that while advisers were already required to implement policies and procedures designed to prevent a violation of the Act,[12] and an annual review of those policies was already required, the Proposed Rule adds further requirements such as the written report.
3. Cybersecurity incident reporting.
Under the Proposed Rule, advisers and funds will be required to report within 48 hours any “significant adviser cybersecurity incident.”[13] The clock starts when the adviser has “a reasonable basis to conclude that any such incident has occurred or is occurring…”[14] This is shorter than the period under other pertinent regulations, such as the 72-hour notice requirement under the NYDFS Cybersecurity Regulation. Because 48 hours leaves little time for investigation, incident response procedures should define who makes the “significant incident” determination and an escalation path to the person responsible for the filing. Reports will be made electronically on the fillable Form ADV-C, submitted through the Investment Adviser Registration Depository (IARD). Notably, while other filings under state law and section 210(a) of the Advisers Act must be made public, the SEC has recognized the implications of making these reports public and proposes to treat them as confidential.
4. Updated recordkeeping requirements.
As expected, the preceding new requirements are accompanied by corresponding updated recordkeeping requirements, with a five-year retention period. Both advisers and funds must maintain: the cybersecurity policies and procedures adopted pursuant to the Proposed Rule; the written reports documenting the annual review (for advisers and funds) and provided to the board (for funds); any Form ADV-C filed by an adviser; records documenting the occurrence of any cybersecurity incident, including the response to and recovery from it; and records documenting cybersecurity risk assessments.
5. New and amended forms.
The last material change to the regulatory framework under the Proposed Rule is a flurry[15] of corresponding amendments to existing forms and disclosures. The brochure, Form ADV Part 2A, will now have to include: cybersecurity risks that could materially affect the advisory services offered, and how the adviser assesses, prioritizes, and addresses those risks; and any cybersecurity incidents within the last two fiscal years that significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that led to unauthorized access to or use of adviser information resulting in substantial harm to the adviser or its clients.
What to Do Today
Comments on the Proposed Rule are due on or before April 11, 2022. If finalized without material change, each adviser's cybersecurity risks (and qualifying incidents) will become public disclosures subject to SEC scrutiny. Further, under proposed Rule 206(4)-9 (17 CFR 275.206(4)-9) as drafted, noncompliance could render unlawful the provision of investment advice wholly unrelated to cybersecurity. A technical and legal evaluation of existing policies and procedures against the required elements is recommended to ensure compliance. Dentons continues to monitor these developments closely to aid clients in taking appropriate steps regarding SEC and other cybersecurity compliance matters.