4 Ways SEC's New Proposed Rules Put Cybersecurity Front and Center
At least annually, advisors and funds would need to review and evaluate the design and effectiveness of their cybersecurity policies and procedures in response to new and changing cyber threats and technologies and to amend them as appropriate.
Require advisors to report significant cybersecurity incidents to the SEC on proposed Form ADV-C, with similar reporting for funds.
The submission of these confidential reports would allow the SEC to monitor and evaluate the effects of a cybersecurity incident on an advisor, a fund or its clients and determine whether the incident creates any potential systemic risks.
Enhance advisor and fund disclosures related to cybersecurity risks and incidents.
The proposed rules would amend advisor and fund disclosure requirements. Specifically, Form ADV Part 2A would require disclosure of cybersecurity risks and incidents to the advisor’s clients and prospective clients. Funds would be required to provide prospective and current investors a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in the fund’s registration statements.
Require advisors and funds to maintain, make and retain certain cybersecurity-related books and records.
Rule 204-2 under the Advisers Act would also be amended to require advisors to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents, and Proposed Rule 38-2 would require funds to maintain copies of their cybersecurity policies and procedures and other related records.
Bottom line: The SEC expects advisors and funds to implement information security controls designed to prevent interruptions to mission-critical services, protect investor information, records and assets, and ensure business continuity.
In practice, advisors and funds would have to devote the necessary time, money and expertise to enhance their cybersecurity programs, as the proposed rules would require them to protect more data and to ensure that all of their information systems are adequately protected and captured by a comprehensive risk management process. This includes data shared with and accessed by third-party service providers.
Rule 206(4)-9 has its roots in the anti-fraud provision of the Advisers Act, which is typically applied broadly by the SEC in enforcement actions and would likely lead to significant fines. The comment period on the proposed rules ended on April 11 with significant pushback from the industry. Regardless, most advisors and funds will need to make substantial changes to their cybersecurity program and should begin working with legal counsel to consider the potential application of the proposed rules to their current cybersecurity practices and oversight.
Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark.