On February 9, 2022, the Securities and Exchange Commission (the “Commission”) voted 3-1 to propose new cybersecurity compliance, reporting and disclosure rules for the investment management industry. The magnitude of change contemplated by the proposed rules (the “Proposed Rules”) would be hard to overstate, and the Commission’s release is in line with a growing anxiety about cybersecurity threats to infrastructure, globally and nationally, and, as demonstrated here, within the capital markets.
If adopted, these Proposed Rules would apply to registered investment advisers (“RIAs”) and certain registered investment companies and business development companies (together, “Registered Funds”).
The Proposed Rules, if adopted as they stand today, would increase the substance, complexity, frequency and sophistication of the work product and deliverables required to demonstrate a model cybersecurity program.
However, many of these requirements have long been mandated as part of the current regulatory landscape, by way of the Gramm-Leach-Bliley Act, which gave rise to Regulation S-P (the Safeguards Rule), as well as Regulation S-ID (the Identity Theft Red Flags Rule), numerous other express directives from the Commission in the form of Risk Alerts, Guidance Updates and other interpretive materials, and enforcement actions by the Commission.¹
In this sense, the Proposed Rules are merely a formalization and natural evolution of these requirements. Whether in the form of Commission enforcement actions, regulatory examinations, cyber sweeps, ODD reviews and/or investor expectations, these requirements remain the absolute core cybersecurity controls that both RIAs and Registered Funds must implement and be able to demonstrate. Still, the Proposed Rules seek to substantially increase the current regulatory ask on cybersecurity, with sweeping changes to the nature, processes and substance of the underlying compliance requirements. For that reason, all registrants, and even non-registered and exempt advisers and managers, should be paying attention as this plays out.
Pending the advancement of the Proposed Rules through the comment period and the agency rule making processes, here’s what investment advisers and fund managers need to know:
The Proposed Rules would create new Rule 204-6 under the Advisers Act, requiring entirely new and onerous reporting and disclosure requirements for every significant cybersecurity incident. The most meaningful components here include:
Advisers would be required to confidentially report significant cybersecurity incidents on new Form ADV-C, within 48 hours of concluding that a significant cybersecurity incident has occurred or is occurring. Significantly, once a Form ADV-C has been filed, there is a continuing obligation to amend it if there is new material information about a previously reported incident or if the incident has been resolved.
A “significant cybersecurity incident” is defined as one or more cyber incident(s) that significantly disrupt or degrade the adviser’s ability, or the ability of a fund or private fund client of the adviser, to maintain critical operations. A “significant cybersecurity incident” will also be deemed to have occurred when sustained harm is done to the adviser, a client or an investor in a private fund through unauthorized access to the adviser’s information. The Commission believes the reporting of this information will allow it and its staff to better evaluate the potential systemic risk to the financial market.
The Proposed Rules would require disclosure of cybersecurity incidents to investors for every significant cybersecurity incident. The most meaningful components here include:
The Proposed Rules would also amend Form ADV Part 2A to require RIAs to disclose cybersecurity risks and incidents to advisory clients and prospective clients. A Registered Fund would be required to disclose in its registration statement any significant cybersecurity incidents that have occurred in its last two fiscal years. The SEC believes the disclosure requirements will enhance investor protections and allow investors to make informed decisions.
Cybersecurity risk management goes beyond just investor information.
The SEC’s proposing release posits that significant fund cybersecurity incidents may include cyber intruders interfering with a fund’s ability to redeem investors, calculate net asset value, enter into or exit investments or trading positions, or otherwise responsibly operate its business and act as a fiduciary. The proposing release also observes that other significant cybersecurity incidents may involve the theft of fund information, such as non-public portfolio holdings or personally identifiable information of the fund’s employees, directors, or shareholders. Despite the industry-wide misperception that the requirements to create and maintain these fundamental cybersecurity controls are conditioned on an RIA’s or Registered Fund’s use and/or storage of investor PII, the Commission has made clear this is not the case: these required controls are necessary for every RIA or Registered Fund, whether it deals with investor information or not.
Disclosure of “Significant Cybersecurity Incidents.”
Form ADV-C would include both general and specific questions related to the significant cybersecurity incident, such as the nature and scope of the incident, as well as whether any disclosure has been made to any clients or investors. Such information would include, among other things:
If you have any questions about the Proposed Rules or the current requirements surrounding cybersecurity controls, please contact John Araneo (jaraneo@align.com), Vinod Paul (vpaul@align.com) or our cyber team via email at cyber@align.com.
¹ As to the proposition that the actual requirements to implement various cybersecurity controls have not yet been formally codified into a rule(s) or regulation(s): this is an observation more theoretical than astute or helpful, as the Commission and its Cyber Unit have commenced numerous successful enforcement actions, imposing millions of dollars in aggregate fines and penalties against investment advisers and fund managers for not meeting these requirements.