US SEC Cyber Risk Management Proposed Rules: Analysis for Investment Advisers, Investment Companies, BDCs and Broader Implications for Private Sector

On February 9, 2022, the Securities and Exchange Commission (“SEC” or “Commission”) voted 3-1 to propose rules, forms and amendments concerning cybersecurity risk management, as well as registered investment adviser and fund disclosures. As we have previously discussed, the proposal under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940 (Investment Company Act) seeks to set out specific requirements for cybersecurity risk management for registered investment advisers (RIAs), registered investment companies (“RICs,” including mutual funds, exchange-traded funds (ETFs), unit investment trusts (UITs), and closed-end funds) and business development companies (BDCs), along with related amendments to certain rules and forms that govern RIA and fund disclosures.

The proposed rules would require registered advisers and funds to “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks,” report significant cybersecurity incidents to the SEC, and disclose cybersecurity risks and incidents occurring in the past two years in Form ADV, Part 2A and fund registration statements. According to SEC Chair Gary Gensler, this proposal aims to “enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” Additionally, the proposal’s reporting requirements would seek to provide the SEC with key information about cybersecurity incidents and responses to enhance its examination and enforcement capabilities.

SOURCE

Advisor Armor