Proposed SEC Cybersecurity Rules: New expectations for cyber risk assessment, incident management and disclosure

On February 9, 2022, the SEC announced proposed Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act, relating to Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.

In the SEC’s press release, SEC Chair Gary Gensler said: "The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."

Why now?

The rule proposal comes at a time when there is a prevalence of remote workers, an increase in cyber-criminals, a stronger use of cloud-based technology, more digital payment platforms, and an increased reliance on third-party providers for information technology services.

The SEC evaluated current cybersecurity disclosures and determined that they are inconsistent and lack appropriate risk disclosure to clients and investors. It found that some firms have been disclosing according to the cause, scope, impact, and materiality of cybersecurity incidents, while others were struggling to disclose anything at all in a timely manner. It is the SEC’s belief that the current wide variety of cyber-related risk disclosures calls for more consistency through stronger regulation.

What will this new rule require?

  • Investment Advisers and Funds will be required to implement cybersecurity management policies and procedures.
  • Investment Advisers will need to report significant cybersecurity incidents, affecting the Adviser and/or the Fund, to the Commission within 48 hours on new Form ADV-C.
  • Investment Advisers and Funds must disclose cybersecurity risks and incidents to investors and other market participants.
  • Investment Advisers and Funds must maintain cybersecurity-related books and records.

If implemented, the new rule will increase Fund and Adviser focus on monitoring, detecting, mitigating, and remediating cybersecurity threats and vulnerabilities. The policies and procedures put in place will need to be periodically assessed, at least annually, and presented to the Board in written documentation. The rule will also require all third-party service providers with access to Adviser/Fund information technology to establish effective cybersecurity policies and procedures of their own.

What is a significant cybersecurity incident?

A significant cybersecurity incident for an Adviser is one that results in substantial harm to the Adviser, or to a client or private fund investor whose information was accessed. A significant cybersecurity incident for a Fund is one that disrupts the Fund’s ability to maintain critical operations, or leads to unauthorized access to or use of Fund information, resulting in substantial harm to the Fund or to the investor whose information was accessed.

What are the likely costs?

As with most new regulation, there will be material costs associated with implementing the required programs, policies, and procedures. Other costs could potentially come from:

  • evaluating cybersecurity of third-party service providers
  • filing new ADV-C forms
  • engaging outsourced/internal cybersecurity experts
  • increased legal expenses
  • higher insurance premiums
  • potential future litigation fees

Some of these potential future costs may be mitigated where Advisers and Funds have already been following industry best practices regarding cybersecurity, and only need to make adjustments to meet the new SEC requirements.

What are the benefits?

The key benefit of the proposed rules will be increased protection for Funds and Advisers: they will be better positioned to identify a cyber incident, better prepared to manage it, and ultimately able to reduce the cost of the resulting damage. The rules will also provide investors with additional risk-based information on which to base their investment decisions.

What can you do now?

  • Assess your current state. Review your current cybersecurity posture and assess maturity of your program/infrastructure. Does it have enough prominence in your organization?
  • Ensure policies and procedures meet industry standards. Address your specific cybersecurity risks and align your program to follow industry standards. Ensure all foundational elements are covered.
  • Build expert bench strength at all levels. Identify those in your organization capable of overseeing and managing cybersecurity risks from the staff level to the board level.
  • Ask, are we ready for a cybersecurity incident? What is a ‘significant cybersecurity incident’ and do we have the most effective protocols for identifying and managing one?
  • Follow the rule making process. Monitor the SEC website and press releases for updates.
  • Plan ahead and budget for the expense. Don’t underestimate the time, money, and resources needed to implement an effective cybersecurity risk management program.

If you have questions about what these proposed rules could mean for your business, or want to discuss your current cybersecurity program, feel free to reach out to your regular PINE contact or send an email to [email protected].
