On February 9, 2022, the SEC proposed several rules under the authority of the Investment Advisers Act of 1940 and the Investment Company Act of 1940. The proposed rules and amendments would require investment advisers and funds to adopt and implement extensive “cybersecurity risk management policies and procedures.” The proposal reflects the SEC’s views on best practices for cybersecurity risk management and encompasses the following:
Cybersecurity Risk Management Policies and Procedures
Under this amended rule, RIAs would be required to formally implement policies and procedures to address cybersecurity risks, which should be tailored to meet the firm’s unique business operations. The policies and procedures should also be evaluated at least annually and findings should be summarized in a written report. Mandatory elements of these policies and procedures would include periodic risk assessment and information systems assessment, implementation of controls designed to minimize user-related risks and prevent unauthorized access to information and systems, protocols for threat and vulnerability management, and plans for incident response and recovery.
Reporting Significant Cybersecurity Incidents
If the proposed amendments go into effect, the SEC would establish a new reporting regime in which RIAs would be required to confidentially report to the SEC any significant cybersecurity incident within 48 hours of discovery. Reported cybersecurity incidents would need to be disclosed on the SEC’s newly proposed Form ADV-C. The objective of this proposal is to help the SEC assess the effects of the incident on the reporting RIA and obtain enhanced visibility into systemic risks.
Enhanced Disclosure of Cybersecurity Risks and Incidents
The SEC’s proposed amendments to existing RIA and fund disclosure requirements would require firms to provide enhanced disclosure regarding cybersecurity risks and incidents.
The proposed amendments would also subject RIAs to new recordkeeping requirements for cybersecurity-related books and records. The rule states that these records must be maintained for five years.
The SEC’s proposed rules are a significant step toward formalizing national standards and regulatory expectations for corporate approaches to cybersecurity risk management, public disclosure of cyber-related risks, and timely regulatory and public notification of significant cyber incidents. As cybersecurity threats become ever more sophisticated, companies should carefully review the SEC’s proposed amendments and assess whether any of these components should be integrated into their existing cybersecurity risk management systems and procedures.