Recent rule changes proposed by the U.S. Securities and Exchange Commission (SEC) are focused on the growing threat of cybersecurity incidents and the vulnerability that those incidents present to Registered Investment Advisors (RIAs), Registered Investment Companies (Funds), and their clients and investors. These changes include four major requirements:
(1) The SEC must be notified within 48 hours of discovering a significant cybersecurity incident;
(2) RIAs and Funds would be required to develop comprehensive written policies and procedures including information security and incident response plans;
(3) RIAs and Funds must disclose information about cybersecurity incidents and practices; and
(4) They must also keep extensive records regarding those incidents.
Regulatory Reporting to the SEC
Under the proposed rules, RIAs and Funds would be required to notify the SEC of a significant cybersecurity incident within 48 hours of discovering that the incident had occurred. Reporting of this information to the SEC must be made in a confidential manner. The proposed rules go a step further and define a significant cybersecurity incident as “any incident that disrupts or degrades a firm’s ability to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
(1) substantial harm to the advisor, or
(2) a substantial harm to a client, or an investor in a private fund whose information was accessed.”
Incidents include, but are not limited to, ransomware, significant monetary or intellectual property loss, and the theft of personally identifiable information. The purpose of this requirement is to aid the SEC in assessing the effects and scope of the incident.
Development of Policies and Procedures
RIAs and Funds would be required to draft written policies and procedures to combat cybersecurity incidents and risks. These policies and procedures would need to be approved by the Board of Directors of the given company prior to being implemented. The policies and procedures should include a plan to conduct risk assessments and internal reviews to protect against any possible intrusion, as well as a plan to detect, monitor, remedy, and report any cybersecurity incident. They would need to be reviewed and analyzed annually so that they keep pace with current cyber threats.
Disclosure of Significant Cybersecurity Incident
These proposed rule changes would amend Form ADV to require that it include a narrative description of the advisor and of how that advisor assesses and addresses cybersecurity risks. The narrative must also include any significant cybersecurity incident that occurred during the prior two years.
Extensive Record Keeping Required
RIAs and Funds would be required to maintain records of the following for a period of five years:
(1) Cybersecurity policies and procedures,
(2) Annual reviews of policies and procedures,
(3) Any documentation of the annual review,
(4) Any regulatory filing of a significant cybersecurity incident that must be reported under these new rules,
(5) Any cybersecurity incident, and
(6) Any cybersecurity risk assessment.
Why is this Important?
Depending on the level of intrusion, a cybersecurity incident could be catastrophic to RIAs and Funds. Existing and potential future clients and investors put their trust in RIAs and Funds to protect their information and data. By taking a proactive approach to addressing cybersecurity incidents, these companies will be able to convey the utmost confidence to their clients that they are able to withstand and respond to any potential cybersecurity incident. These proposed rules are also aligned with RIAs’ and Funds’ fiduciary duties to protect their clients’ interests, as set forth under the Investment Advisers Act of 1940 and the Investment Company Act of 1940.
Written by David Troiano, Esq.