SEC to issue its Final Rules on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies in October

SEC’s Predictive Analytics and Safeguarding Rules on the Backburner with Outsourcing and Cybersecurity Risk Management Rules on October’s Agenda

The SEC’s Spring 2024 Current Agenda was released on July 5, 2024, providing advisers with a mix of good news and bad news. On the good news side, the SEC decided to repropose the rules that would require investment advisers (Advisers Act Rule 211(h)(2)-4) and broker-dealers (Exchange Act Rule 15(l)-2) to eliminate or neutralize conflicts of interest that arise from the use of predictive analytics, artificial intelligence, or other covered technologies. The financial industry harshly criticized the proposal, including calls for a full withdrawal of the rule. According to the agenda, these rules will be reproposed in October 2024.

Additionally, the agenda indicates that the SEC is considering reproposing the Safeguarding Advisory Client Assets Rule (Advisers Act Rule 223-1) in October 2024. The original proposal broadened the scope of the Advisers Act Custody Rule (Rule 206(4)-2), presumably to provide greater protection to investors by broadening the scope of assets and demanding more from custodians.

And now for the bad news. The SEC’s proposed rule on Outsourcing by Investment Advisers (Final Advisers Act Rule 206(4)-11) is scheduled to be finalized by October 2024. As discussed by the SEC in its press release, “[t]he proposed rule would require advisers to conduct due diligence prior to engaging a service provider to perform certain services or functions. It would further require advisers to periodically monitor the performance and reassess the retention of the service provider in accordance with due diligence requirements to reasonably determine that it is appropriate to continue to outsource those services or functions to that service provider.”

And in more bad news, the SEC also intends to issue its final rules on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. (Advisers Act Rule 206(4)-9). These rules will require investment advisers and investment companies to “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the Commission about certain cybersecurity incidents, and maintain related records,” according to the SEC’s press release. The agenda indicates these new rules will be finalized by October 2024. SOURCE