Browse by last name:
View All Practices
View All Industries
Time to Read: 15 minutes Practices: Investment Advisers, Private Funds, Data, Privacy & Cybersecurity, Asset Management, Registered Funds
On February 9, 2022, the SEC published a release addressing Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Release”). The Release contained proposed new rules under the Advisers Act (Rules 206(4)-9 and 204-6) and the Investment Company Act of 1940 (Rule 38a-2) and amendments (collectively, the “Proposals”), which would require registered investment advisers (“advisers”) and registered investment companies (“registered funds”) to implement cybersecurity risk management programs and new incident notification regimes. If adopted, the Proposals would:
The proposed rules would not apply to private funds, which are exempt from the Investment Company Act of 1940 and thus are subject to the FTC’s Safeguards Rule for cybersecurity. The proposed SEC rules would, however, apply to registered investment advisers who advise those private funds. Fortunately, the proposed rules appear to be largely consistent with the FTC’s revised Safeguards Rule.
I. New Disclosure Requirements Regarding Cybersecurity Risks and Incidents
The Proposals would amend Form ADV for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for registered funds to require the disclosure of cybersecurity risks and incidents.
Form ADV. The Proposals would add a new Item 20 “Cybersecurity Risks and Incidents” to Form ADV, or Part 2A, which currently requires disclosures related to business practices, fees, risks, and conflicts. In amended form, advisers would be required to describe cybersecurity risks that could materially affect the services they offer and disclose how they assess, prioritize, and address such risks.
Fund Registration Statements.2 The Proposals would require a registered fund to disclose in its registration statement whether a “significant fund cybersecurity incident” has affected or is currently affecting the registered fund or its service providers. Specifically, the Proposals would require a description of each incident, including the following information to the extent known:
A registered fund would be required to disclose this information regarding any significant fund cybersecurity incident if the incident occurred during the registered fund’s last two fiscal years.
The Release provides further guidance on disclosing cybersecurity-related matters. It notes that, in order for registered funds to “make timely disclosures of cybersecurity risks and significant fund cybersecurity incidents, a fund would amend its prospectus by filing a supplement.” Moreover, registered funds should include a discussion of such risks and incidents in annual reports to shareholders “to the extent that these were factors that materially affected performance of the fund over the past fiscal year.” The Proposals would require all registered funds to tag information about significant fund cybersecurity incidents in a structured, machine-readable data language. The Proposals include conforming amendments to Rules 485 and 497 under the Securities Act.
Note: The registered fund registration form amendments would require disclosure about whether the cybersecurity incident at issue has been or is being remediated, and the SEC staff may look to the support for such disclosure during exams.
II. Mandatory Cybersecurity Incident Reporting
The Proposals include a new reporting obligation under proposed Rule 204-6 that would require advisers to report to the SEC on a confidential basis “significant adviser cybersecurity incidents” (which may be with respect to private funds or clients) and “significant fund cybersecurity incidents” (for registered funds) within 48 hours of having a reasonable basis to conclude that any such incident has occurred or is occurring. These reports would be transmitted by filing new Form ADV-C electronically on the Investment Adviser Registration Depository (the “IARD”).
Rule 204-6 also would require each adviser to amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after:
Note: Though the proposed reporting obligation distinguishes “significant adviser cybersecurity incident” from “significant fund cybersecurity incident,” the definitions, as outlined in the Appendix, generally overlap. The Release defines a “significant cybersecurity incident” that triggers reporting as a “cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.” Relatedly, the Release broadly defines “cybersecurity incident” as an “unauthorized occurrence on or conducted through [an adviser’s or a registered fund’s] information systems that jeopardizes the confidentiality, integrity, or availability of [an adviser’s or a registered fund’s] information systems or any [adviser or registered fund] information residing therein.” This definition notably goes farther than state notification laws.
The proposed reporting obligation is one of a few notification requirements that has been recently adopted or proposed by federal regulators. The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (“Banking Rule”), issued by the Office of the Comptroller of Currency, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve, requires organizations to notify their primary federal regulator of significant “computer-security incidents,” no later than 36 hours after the organization “determines” such an incident has occurred. The Banking Rule provides for confidential notification, unlike the proposed FTC Safeguards Rule amendment, which seeks public incident reporting. The proposed FTC Safeguards amendment requires institutions that experience a “security event,” in which the misuse of customer information has occurred or is reasonably likely to occur, to provide notice of the event to the FTC no later than 30 days after “discovery” of the event if it affected or reasonably may have affected at least 1,000 consumers.
III. Cybersecurity Risk Management Policies and Procedures
The Proposals require advisers and registered funds to implement written policies and procedures that are reasonably designed to address cybersecurity risks and to update the board of directors no less often than annually. Each registered fund/adviser’s cybersecurity policies and procedures would be required to include the following elements.
Risk Assessment. The cybersecurity policies and procedures would be required to provide for periodic assessments of cybersecurity risks associated with registered fund/adviser information systems and registered fund/adviser information within those systems, including policies and procedures requiring the registered fund/adviser to:
The cybersecurity policies and procedures would be required to provide that any risk assessments must be documented in writing.
User Security and Access. The cybersecurity policies and procedures would be required to contain controls that are designed to minimize user-related risks and prevent the unauthorized access to registered fund/adviser information systems, including the following:
Information Protection. The cybersecurity policies and procedures would be required to include measures designed to monitor registered fund/adviser information systems and protect registered fund/adviser information from unauthorized access or use, based on a periodic assessment of the registered fund/adviser information systems and taking into account the following factors:
This would essentially require advisers and registered funds to maintain a detailed map of their data and systems that categorizes data by risk and tracks where data in different risk categories is stored, and how it is used and transferred.
The cybersecurity policies and procedures would also be required to provide for oversight of service providers that receive, maintain, or process registered fund/adviser information and, through that oversight, document that such service providers, pursuant to a written contract between the registered fund/adviser and any service provider, are required to implement and maintain appropriate measures (including the practices described in this Section II as required elements) that are designed to protect registered fund/adviser information and information systems.
Cybersecurity Threat and Vulnerability Management. The cybersecurity policies and procedures would be required to include measures to detect, mitigate and remediate any “cybersecurity threat” and “cybersecurity vulnerability” with respect to registered fund/adviser information systems.
Cybersecurity Incident Response and Recovery. The cybersecurity policies and procedures would be required to include measures to detect, respond to and recover from a cybersecurity incident, including policies and procedures that are reasonably designed to ensure:
The cybersecurity policies and procedures also would require written documentation of any cybersecurity incident, including the registered fund/adviser’s response to and recovery from such an incident.
Note: Under the Proposals, advisers and registered funds must adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. This is particularly significant given that the SEC has held advisers liable for not implementing their own policies. In August 2021, for example, the SEC announced settlements with eight registered brokers and advisers related to alleged failures in cybersecurity safeguards that resulted in the exposure of customer information. The SEC noted that “it is not enough to write a policy requiring security measures if those requirements are not implemented or are only partially implemented,” and reflected in the settlement orders a focus on the deployment of specific technical controls, including MFA. Notably, these settlements alleged violations of Regulation S-P. While Regulation S-P does not explicitly list required security measures, the SEC’s “Cybersecurity and Resiliency Observations,” published in January 2020, provides insight into what the Commission believes are “best practices” for cybersecurity, including data mapping, vulnerability scans, log retention, data encryption, and MFA.
According to a statement on the Proposals released by Commissioner Hester M. Peirce, the only commissioner to oppose the new rules and amendments, detailed cybersecurity prescriptions could “become an easy hook for an enforcement action, even when a firm has made reasonable efforts to comply with the prescriptions.”
IV. Board Oversight
For each registered fund,3 the Proposals would require that the fund:
V. Annual Adviser Reviews
Similar requirements apply to advisers. Specifically, for each adviser, the Proposals would require the adviser to annually:
Review and assess the design and effectiveness of its cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
Prepare a written report that describes the review, the assessment and any control tests performed, explains their results, documents any cybersecurity incident that has occurred since the adviser’s last report, and discusses any material changes to the policies and procedures since the date of the last report.
The Proposals would require that registered funds and advisers maintain various records related to their cybersecurity risk management programs. Under the new recordkeeping requirements, registered funds and advisers would be required to maintain records of (i) cybersecurity policies and procedures, (ii) annual reviews thereof,4 (iii) documents related to the annual reviews, (iv) regulatory filings related to cybersecurity incidents required under the Proposals, (v) records documenting the occurrence of any cybersecurity incident, and (vi) cybersecurity risk assessments.
The Release requested comments on, among other things,
We expect a significant number of comments on the Release and Proposals from various industry participants and other interested parties. Comments on the Proposals must be received by the SEC no later than April 11, 2022 or 30 days after the date of publication of the Release in the Federal Register, whichever is later.
While the Release does not set forth a compliance date or transition period (or explicitly request comments on timing), we expect comments to address the need to provide time for advisers and funds to comply.
* * *
If you would like to learn more about the issues in this Alert, please contact your usual Ropes & Gray attorney contacts.
Copyright © 2022 Ropes & Gray LLP. All rights reserved. Attorney advertising. Prior results do not guarantee a similar outcome.