SEC proposes cybersecurity risk management rules for investment advisors & funds

On Feb. 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules on cybersecurity risk management for registered investment advisors (“advisors”) and for registered investment companies and business development companies (collectively “funds”). Amendments to the existing rules governing advisor and fund disclosures and record-keeping are also proposed. The proposals are intended to improve the cybersecurity preparedness of advisors and funds and to give investors greater confidence in their resilience against cybersecurity threats and attacks.

Under the SEC’s proposal, advisors and funds would have four distinct obligations:

  1. Establish written cybersecurity policies and procedures to address cybersecurity risks

  2. Report “significant” cybersecurity incidents on a new confidential form, proposed Form ADV-C

  3. Disclose cybersecurity risks and incidents

  4. Maintain cybersecurity-related books and records

01. Cybersecurity policies and procedures

Advisors and funds would be required to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors or lead to the unauthorized access or use of protected information. At a minimum, the written policies and procedures must address the following elements:

  • Periodic risk assessment.

  • Design and implementation of user access controls.

  • Information protection.

  • Threat and vulnerability management.

  • Incident response and recovery.

02. Incident reporting

Any advisor that is, or is required to be, registered with the SEC would have to file the proposed Form ADV-C promptly, and in no event more than 48 hours, after having a reasonable basis to conclude that a “significant” cybersecurity incident has occurred or is occurring. Note that the 48-hour clock starts at the point of reasonable conclusion, not at first detection or at the end of the investigation. The proposed Form ADV-C is a confidential report that allows the SEC to monitor the effects of a cybersecurity incident on an advisor and its clients, or on a fund and its investors. The ADV-C report also gives the SEC visibility into potential systemic risks affecting the financial markets more broadly.

A “significant” cybersecurity incident is one (or a group of related incidents) that significantly disrupts or degrades the ability to maintain critical operations, or that leads to the unauthorized access or use of information resulting in substantial harm to the advisor, or substantial harm to a client or to an investor in a private fund whose information was accessed.

ADV-C incident reports must include:

  • Substantive information about the nature and scope of the incident being reported, including actions taken so far and planned recovery actions.

  • Whether any data was stolen, altered, or accessed or used for any other unauthorized purpose.

  • Whether the incident has been disclosed to clients and/or to investors.

In addition, a registrant must disclose whether the incident is covered under a cyber insurance policy (or policies) and whether it has been reported to the insurer(s). The SEC wants this information in order to (1) understand the incident’s potential impact on clients and (2) evaluate the adequacy of the incident response, since insurers may require specific remedial and mitigation measures during and after a cybersecurity incident.

03. Cybersecurity risks and incidents disclosures

Under the proposed rules, prospective and current investors would be entitled to certain cybersecurity-related disclosures, including a description of the cybersecurity risks facing the advisor or fund and of any significant cybersecurity incidents that have occurred. The SEC’s aim is to strengthen investor protection by giving investors insight into an advisor’s or fund’s cybersecurity risks and incident history.

04. Cybersecurity-related books and records

Advisors and funds would be required to maintain, for at least five years, their cybersecurity policies and procedures, the reports documenting the annual review of those policies, cybersecurity incident reports (including copies of any Form ADV-C filings), and the records documenting their cybersecurity risk assessments.

While the proposed rules are open to public comment and may be revised after the comment period, advisors and funds potentially subject to them should begin preparing now for increased rule-making and enforcement activity from the SEC on cyberrisk management.

Funds and advisors should review all of their written policies and procedures on safeguarding data and information and update them so that cybersecurity and cyberrisk management best practices are implemented and documented. Adhering to cybersecurity best practices is crucial not only in light of the SEC’s proposed rules and amendments but also for obtaining and maintaining cyber insurance. We also recommend reviewing existing cyber insurance policies and becoming familiar with their notification and reporting obligations, which may run on a different clock than the proposed 48-hour SEC deadline, as well as with the insurers’ loss control and incident response offerings, so that risk management strategies are executed holistically.

The SEC’s proposed rules and amendments are a further illustration of the agency’s increasing focus on cybersecurity disclosures and reporting. In 2018, the SEC released interpretive guidance on public company disclosures about cybersecurity risks and incidents, and it has since brought several enforcement actions relating to inadequate disclosure of breach information.

Organizations, both public and private, should understand how laws and regulations around cybersecurity are changing, how those laws affect the organization, and how management is tracking compliance. For more information and further assistance, contact your Cyber and Technology Practice Account Executive or email us at cyber@lockton.com.
