SEC Proposes New Cybersecurity Risk Management Rules

During its examinations of advisers and funds, the Securities and Exchange Commission has observed a lack of cyber preparedness, determining that existing rules and regulations are likely insufficient to protect clients and investors. Although Rule 206(4)-7 under the Investment Advisers Act already requires registrants, pursuant to their fiduciary duties, to adopt policies and procedures reasonably designed to address applicable risks, cybersecurity risk management is not specifically mandated under current rules. Similarly, Rule 38a-1 under the Investment Company Act requires funds to have written policies and procedures for their compliance programs but stops short of mandating procedures addressing cybersecurity. Other existing regulations, such as Reg. S-P and Reg. S-ID, remain principles-based and have left room for interpretation.

On February 9, 2022, the SEC voted to propose new rules designed to enhance cybersecurity practices among advisers and funds, and to increase the effectiveness of cybersecurity-related disclosures to clients and investors. The new Cybersecurity Risk Management Rules would be Rule 206(4)-9 under the Advisers Act and new Rule 38a-2 under the Investment Company Act.

As proposed, the new Cybersecurity Risk Management Rules can be distilled to four essential components applicable to both investment advisers and investment funds. Under the proposed rules, advisers and funds would be required to:

  1. Adopt and implement a written cybersecurity risk management program that includes 5 enumerated components:
    1. Periodic risk assessment and inventory
    2. User Security and Access
    3. Information Protection
    4. Threat and Vulnerability Management, and
    5. Incident Response and Recovery.

    CSS Tip: The rules will require a written Information Security Policy / Program. The proposed rules require the written InfoSec Policy to include documentation of specific controls within each of these areas. These are discussed in more detail below.
  2. Conduct a formal review, at least annually, of the design and effectiveness of their cybersecurity policies and procedures and prepare a written report. The report should note, among other things, the review process, types of cyber testing conducted, results of such cyber testing, any cyber incidents occurring since the last review, and any material changes to policies and procedures.

    CSS Tip: This formal review can be thought of as an annual cyber review, similar to the annual compliance review. It must be documented in a written report. This formal review is in addition to the periodic cyber risk assessments that these rules would require be conducted on an interim basis upon internal and external changes. The rules would require this annual cyber report to be prepared by or overseen by individuals who administer the firm’s cybersecurity policies and procedures. The SEC acknowledges that some firms do not have this expertise in-house and will need to outsource this review and report, but states that adviser/fund personnel should participate in the review.
  3. For funds, the rules would also require a fund’s board of directors (including a majority of independent directors) to approve the fund’s initial InfoSec Policy and to review the annual cyber review report.
  4. Disclose cybersecurity risks publicly on regulatory disclosure forms. For advisers, Form ADV should include this detail. For funds, these risks should be reported on Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6. The Form ADV Part 2A Brochure would include a new Item 20 (“Cybersecurity Risks and Incidents”).

    All advisers would need to describe (1) cyber risks that could materially affect the adviser’s services, and how the firm assesses, prioritizes, and addresses these cybersecurity risks, and (2) a description of any cyber incident that has occurred within the last two fiscal years that has “significantly disrupted or degraded” the firm’s critical operations, or has led to the unauthorized access or use of adviser information, resulting in substantial harm to the firm or its clients. Specific information describing each such incident would be required, including entities affected, dates, whether the incident is resolved or ongoing, whether data was stolen, altered, accessed, or used in an unauthorized manner, the effect of the incident on the firm’s operations, and whether the firm or any service provider has remediated the issue.

    CSS Tip: For an RIA, this will likely entail describing on Form ADV Part 2A a list of commonly anticipated threats, together with how the adviser specifically safeguards against such threats. The disclosure of cyber incidents will vary from firm to firm, and a determination of “substantial harm” to the firm or clients will be the threshold for disclosure under the second prong, because the term “adviser information” is defined broadly to include all electronic information related to the adviser’s business, including PII that the adviser receives, maintains, creates, or processes.

    Rule 204-3 under the Advisers Act would also change to require ADV brochures to be delivered to clients promptly after an ADV amendment that adds or updates disclosure of an event or incident in Form ADV Part 2A Item 9 or Item 20.B or Form ADV Part 2B Item 3. Firms should therefore be prepared to include delivery of an amended Form ADV to clients as part of their incident response.
  5. Report, confidentially to the SEC, “significant cybersecurity incidents affecting the adviser, or its fund or private fund clients” under new Rule 204-6. Advisers would need to report these incidents on new Form ADV-C “promptly,” and no more than 48 hours after having a reasonable basis to conclude that the incident has occurred or is occurring. Amendments to Form ADV-C would also need to be filed promptly, within 48 hours of a previously filed ADV-C becoming materially inaccurate or of new material information relating to the incident being discovered. Funds would be required to report information similar to what Form ADV-C requires from advisers.

    CSS Tip: Cybersecurity incidents are fluid and information about incidents takes shape over time. The 48-hour deadline is tight, even shorter than the 72-hour breach reporting deadline under the GDPR, and the need to constantly update the ADV-C each time new material information about the incident is discovered is likely to be a challenge. We recommend that firms designate personnel to coordinate the ADV-C filings as a component of their incident response plans. Advisers should also add Rule 204-6 provisions to their Compliance Manuals.

    “Significant cybersecurity incidents” are defined in the proposed rule and either of two prongs can satisfy the definition. For private fund advisers, significant incidents affecting the private funds would be reportable as well. The SEC expects that firms would follow their own internal escalation and reporting processes first before making the initial notification to the SEC. Information reported on Form ADV-C will be kept confidential by the SEC, but any system is theoretically susceptible to being hacked.
  6. Maintain books and records relating to these Cybersecurity Risk Management Rules. These records include new records under Advisers Act Rule 204-2(a)(17)(iv) through (vii). The new records required to be maintained by advisers are:
    1. Copies of the adviser’s written cybersecurity annual review report for the last 5 years;
    2. A copy of any Form ADV-C (and amendments thereto) filed by the adviser within the last 5 years;
    3. Records documenting the occurrence of any cyber incident (as defined in Rule 206(4)-9(c)) occurring in the last 5 years, including records relating to response and recovery from such incident;
    4. Records documenting any risk assessment conducted pursuant to the cybersecurity policies and procedures required by Rule 206(4)-9.

      Rule 38a-2 under the Investment Company Act would require similar records be maintained by a fund.

      CSS Tip: Firms would be required to keep written records of all cyber testing and risk assessments and can no longer receive such information from their cyber vendors verbally via phone/videoconference or via screensharing. Any cyber incident meeting the definition in the rule will need to be documented along with the firm’s response.

The SEC’s rule proposal includes an economic analysis in which the Commission notes that 58% of financial firms self-acknowledge that they currently underspend on cybersecurity, while recognizing that financial services are arguably the most attacked industry and that remediating incidents can be expensive. The proposal includes the results of a 2021 benchmarking survey finding that non-bank financial firms typically spend 0.5% of their revenue on cybersecurity. The SEC acknowledges that some or all of the increased costs of compliance with this new rule will be passed on to clients and investors. The costs include increased costs to firms, which will need to enhance their cyber programs to align with best practices and with the rule provisions, as well as increased costs to service providers, which would be asked for more information and documentation as a result of these rules.

The full rule proposal is available here.

For additional details about the cybersecurity policy requirements, please see this additional alert.

For More Help or Information:

CSS offers a suite of cybersecurity services and expertise to assist firms in meeting the technical, procedural, risk assessment, and annual cyber review components of the proposed Cybersecurity Risk Management Rules. For more information, please contact cybersecurity@cssregtech.com.