Upping the Ante on Cybersecurity: The Securities and Exchange Commission charts out an aggressive linear path to increasing the current regulatory ask on Cybersecurity for Investment Advisers and Funds.
On February 9, 2022, the Securities and Exchange Commission (the “Commission”) voted 3-1 to propose new cybersecurity compliance, reporting and disclosure rules for the investment management industry. The magnitude of change contemplated by the proposed rules (the “Proposed Rules”) would be hard to overstate, and the Commission’s release is in line with a growing anxiety about cybersecurity threats to infrastructure, globally and nationally, and, as demonstrated here, within the capital markets.
If adopted, these Proposed Rules would apply to registered investment advisers (“RIAs”) and certain registered investment companies and business development companies (together, “Registered Funds”).
Align Team Analysis:
The Proposed Rules, if adopted as they stand today, would increase the substance, complexity, frequency and sophistication of the work product and deliverables required to demonstrate a model cybersecurity program.
However, many of these requirements have long been mandated as part of the current regulatory landscape, by way of the Gramm-Leach-Bliley Act, which gave rise to Regulation S-P (the Safeguards Rule), as well as Regulation S-ID (Identity Theft Red Flags Rule), numerous other express directives from the Commission in the form of Risk Alerts, Guidance Updates and other interpretive materials, and enforcement actions by the Commission.¹
In this sense, the Proposed Rules are merely a formalization and natural evolution of these requirements. Whether in the form of Commission enforcement actions, regulatory examinations, cyber sweeps, ODD reviews and/or investor expectations, these requirements remain absolute core cybersecurity controls that both RIAs and Registered Funds must implement and be able to demonstrate. Still, the Proposed Rules seek to substantially increase the current regulatory ask on cybersecurity, with sweeping changes to the nature, processes and substance of the underlying compliance requirements. For that reason, all registrants, and even non-registered and exempt advisers and managers, should be paying attention as this plays out.
What You Need to Know:
Pending the advancement of the Proposed Rules through the comment period and the agency rulemaking process, here’s what investment advisers and fund managers need to know:
1) Cybersecurity Risk Management Policies and Procedures:
The first category of controls mandates a more formalized approach to cybersecurity compliance and requires RIAs and Registered Funds to adopt a “Cybersecurity Risk Management Program,” similar in spirit and substance to the Compliance Programs currently imposed on RIAs by the Investment Advisers Act of 1940 (the “Advisers Act”). The Commission would seek to create new Rule 206(4)-9 under the Advisers Act, which would require RIAs to adopt and implement various cybersecurity policies and procedures that are commensurately tailored to the size, sophistication and resources of the firm and which should include the following components:
- Required Elements of Policies and Procedures:
- Annual Risk Assessments that address the cybersecurity risks associated with the underlying information systems and the information processed by such systems, including the risks associated with service providers that process such information
- User security controls that limit user related risks while also limiting unauthorized access and use of personal information
- Information monitoring protection, including performing periodic assessments of the underlying information systems and the information that resides on the systems
- Threat and vulnerability protections to detect, mitigate and remediate information and system breaches
- Cybersecurity incident response measures to detect, respond and recover from cyberattacks
- Board Oversight. The Proposed Rules would also require a Registered Fund’s board of directors, including most of its independent directors, to approve the fund’s cybersecurity policies and procedures, as well as to review the written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures annually.
- Annual Review and Required Written Reports. All RIAs and Registered Funds would also need to prepare a report that identifies and evaluates all its cybersecurity controls, policies, and procedures. The annual reviews would need to address the design and effectiveness of such controls and whether the overall Cybersecurity Program reflects changes in the cybersecurity risks over time.
- Recordkeeping Requirements. The Proposed Rules also seek to amend the current “Books and Records Rule” (Rule 204-2) and look to expand the requirement that RIAs and Registered Funds keep certain records and documents for no less than five (5) years. For RIAs, these books and records include:
- A copy of its Cybersecurity Policies and Procedures, as required by Rule 206(4)-9
- A copy of its Written Annual Reports, as required by Rule 206(4)-9
- Any Form ADV-C filings, as required by Rule 206(4)-9
- Records regarding cyber events and responses
- Annual Cyber Risk Assessments
- For Registered Funds, the following books and records would be required:
- Cybersecurity Policies and Procedures
- Written Reports made to the Board of Directors
- Records evidencing Board approvals
- Records regarding cyber events and responses
2) Reporting of Significant Cybersecurity Incidents to the Commission:
The Proposed Rules would create new Rule 204-6 under the Advisers Act, requiring entirely new and onerous reporting and disclosure requirements for every significant cybersecurity incident. The most meaningful components here include:
Advisers would be required to confidentially report significant cybersecurity incidents on new Form ADV-C, within 48 hours of concluding that a significant cybersecurity incident has occurred or is occurring. Significantly, once a Form ADV-C has been filed, there is a continuing obligation to amend it if there is new material information about a previously reported incident or if the incident has been resolved.
A “significant cybersecurity incident” is defined as one or more cyber incident(s) that significantly disrupt or degrade the adviser’s ability, or the ability of a fund or private fund client of the adviser, to maintain critical operations. A “significant cybersecurity incident” will also be deemed to have occurred when sustained harm is done to the adviser, a client or an investor in a private fund through unauthorized access to the adviser’s information. The Commission believes the reporting of this information will allow it and its staff to better evaluate the potential systemic risk to the financial market.
3) Disclosure of Cybersecurity Risks and Incidents:
The Proposed Rules would require disclosure of cybersecurity incidents to investors for every significant cybersecurity incident. The most meaningful components here include:
The Proposed Rules would also amend Form ADV Part 2A to require RIAs to disclose cybersecurity risks and incidents to advisory clients and prospective clients. A Registered Fund would be required to disclose in its registration statement any significant cybersecurity incidents that have occurred in the last two fiscal years. The SEC believes the disclosure requirements will enhance investor protections and allow investors to make informed decisions.
Cybersecurity risk management goes beyond just investor information. The SEC’s proposing release posits that significant fund cybersecurity incidents may include cyber intruders interfering with a fund’s ability to redeem investors, calculate net asset value, enter or exit investments or trading positions, or otherwise responsibly operate its business and act as a fiduciary. The proposing release also observes that other significant cybersecurity incidents may involve the theft of fund information, such as non-public portfolio holdings or personally identifiable information of the fund’s employees, directors, or shareholders. Despite the industry-wide misperception that the requirements to create and maintain these fundamental cybersecurity controls are conditioned on an RIA’s or Registered Fund’s use and/or storage of investor PII, the Commission has made clear this is not the case: these required controls are necessary for every RIA or Registered Fund, whether it deals with investor information or not.
Disclosure of “Significant Cybersecurity Incidents.” Form ADV-C would include both general and specific questions related to the significant cybersecurity incident, such as the nature and scope of the incident, as well as whether any disclosure has been made to any clients or investors. Such information would include, among other things:
- The date the incident occurred, if known
- The approximate date the incident was discovered
- Whether the incident is still ongoing
- Whether law enforcement or any government agency other than the Commission has been notified
- A description of the nature and scope of the incident, including any effect on critical operations
- Actions taken or planned to respond to and recover from the incident
- Whether any data was stolen, altered, accessed, or used for any unauthorized purpose
- Whether any personal information was lost, stolen, modified, deleted, destroyed, or accessed without authorization
- Whether disclosure has been made to clients or investors
- Whether the incident is covered under a cybersecurity insurance policy
If you have any questions about the Proposed Rules or the current requirements surrounding cybersecurity controls, please contact John Araneo (email@example.com), Vinod Paul (firstname.lastname@example.org) or our cyber team via email at email@example.com.
¹ The proposition that the actual requirements to implement various cybersecurity controls have not yet been formally codified into a rule(s) or regulation(s) is an observation more theoretical than astute or helpful, as the Commission and its Cyber Unit have brought numerous successful enforcement actions, imposing millions of dollars in aggregate fines and penalties against investment advisers and fund managers for not meeting these requirements.