SEC Proposes New Rules Aimed at Mitigating Cyber Risk

February 14, 2022

By Aaron Charfoos,
& Bianca G. Ponziani

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed new rules under the Investment Advisers Act of 1940 (the “Advisers Act”) and the Investment Company Act of 1940 aimed at mitigating cyber risk and improving the resiliency of the American financial sector against the same. Specifically, the proposed rules would require registered investment advisers (“advisers”) and investment companies (“funds”) to implement written cybersecurity policies and procedures, reviewed at least annually, that are responsive to exposures identified through written risk assessments. The rules would also require advisers and funds to assess the cybersecurity risk posed by service providers that process information on their behalf or that have access to their information systems.

Further, the SEC’s proposed rules under the Advisers Act would require advisers to confidentially report “significant cybersecurity incidents affecting the adviser, or its fund or private fund clients” to the SEC within 48 hours through a form that identifies the nature and scope of the incident and any related notifications (Form ADV-C), and to make similar disclosures to clients, prospective clients and investors.^[1] The SEC would also require advisers and funds to maintain records of the foregoing, citing evidence to suggest widespread underinvestment in cybersecurity.^[2] The rules are in part aimed at reducing information asymmetry and assessing the potential systemic risks to financial markets posed by a given cybersecurity incident.

The SEC is accepting public comment on the proposed rules for the longer of either 60 days following publication on the SEC’s website or 30 days following their publication in the Federal Register. SEC-regulated entities should continue to expect increased SEC focus on cyber risk and should continue to monitor how the rules evolve once stakeholders have had the opportunity to comment.

If you have any questions concerning these developing issues, please do not hesitate to contact any member of our team.

^[1] Securities and Exchange Commission, “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies,” Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22 (February 9, 2022) at 14, available here.

^[2] Id. at 94.