On February 9, 2021, the Securities and Exchange Commission (SEC) announced new proposed cybersecurity rules (Proposed Rules) for registered investment advisers and investment companies (funds) addressing cybersecurity risk management, reports to the SEC, and investor disclosures. The SEC has been active in policing cybersecurity shortcomings, reaching a number of high-value settlements over the summer of 2021.
The Proposed Rules are emblematic of the Biden Administration's concerted focus on addressing cyber vulnerabilities in the public and private sectors and come on the heels of several federal government actions on cybersecurity in the financial services industry. In November of last year, the Federal Trade Commission (FTC) tightened its cybersecurity regulations for non-bank financial institutions under the Gramm-Leach-Bliley Act's (GLBA) Safeguards Rule, and federal banking regulators announced a final rule requiring banking organizations to notify their federal regulators of significant cybersecurity incidents within 36 hours after determining that an event had occurred.
The FTC has also proposed further amendments to the GLBA Safeguards Rule that would require non-bank financial institutions to report to the FTC any cybersecurity incident in which the information of at least 1,000 customers has been, or is reasonably likely to have been, misused. The SEC's staff examinations revealed that some funds and advisers have not implemented reasonably designed cybersecurity programs, thus exposing their clients and investors to greater risk of harm.
The Proposed Rules are grounded in advisers' fiduciary obligations to protect their clients' interests and are promulgated under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. As the SEC recognizes in the Proposed Rules, although current SEC regulations—particularly Regulation S-P and Regulation S-ID[1]—touch on cybersecurity, there currently are no "rules that specifically require firms to adopt and implement comprehensive cybersecurity programs." The SEC is inviting public comment on the Proposed Rules until 30 days after they are published in the Federal Register or April 11, 2022 (whichever is later).
The Proposed Rules contain four broad categories of cybersecurity requirements for firms that are registered or are required to be registered with the SEC:
1. Cybersecurity Policies and Procedures
The Proposed Rules would require firms to use a risk-based approach to adopt and implement written cybersecurity policies and procedures. As a baseline, the Proposed Rules would require firms to conduct and document a risk assessment, implement access controls, protect internal information, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents.
Additionally, advisers would be required to conduct an annual review and issue a written report assessing the design and effectiveness of their cybersecurity compliance program. Importantly, the Proposed Rules would broadly define covered information to include both personal data and other information related to the regulated entity's business. The Proposed Rules would also require a fund's board of directors, including a majority of its independent directors, to review and approve the policies and procedures and to review the annual written report.
The requirements of the Proposed Rules are largely in line with the FTC's updated GLBA Safeguards Rule, mentioned above, which in turn was heavily influenced by the New York Department of Financial Services' Cybersecurity Regulation.
2. Reporting to the SEC
The Proposed Rules would require firms to confidentially report significant cybersecurity incidents to the SEC no later than 48 hours after forming a reasonable basis to conclude that such an incident has occurred. As noted above, banking institutions are required to notify their primary federal regulator of significant cybersecurity incidents within 36 hours, so to the extent that a banking institution is also registered with the SEC as an investment adviser, the two notification requirements may overlap.
Significant cybersecurity incidents are defined in the Proposed Rules as any incident that "significantly disrupts or degrades [firm's] ability to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed."
3. Disclose Significant Cyber Risks and Incidents
The Proposed Rules would amend various disclosure forms to require funds and advisers to disclose information about significant cybersecurity incidents. Specifically, the Proposed Rules would amend Form ADV for advisers to provide for prompt reporting of incidents to the SEC, and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds to provide for disclosure of significant fund cybersecurity incidents to prospective and current investors.
4. Recordkeeping Requirements
The Proposed Rules would impose various recordkeeping requirements for documents related to the firm's compliance program, incident management, and board notification.
DWT's Information Security Team advises financial institutions on their compliance with various cybersecurity regulations and will continue to monitor developments in this space.
[1] Regulation S-P requires registered entities to, among other things, establish appropriate administrative, technical, and physical safeguards to protect customer records and information. Regulation S-ID requires registered entities to develop and implement a written identity theft prevention and mitigation program.