Debevoise on preparing for cybersecurity rules

Proposed rules from the SEC impose significant new regulatory burdens on registered investment advisers and funds, according to Debevoise & Plimpton partners Charu Chandrasekhar and Kristin Snyder


In February 2022, the US Securities and Exchange Commission proposed its first-ever cybersecurity rules for registered investment advisers (RIAs) and funds. The proposal covers RIAs to private funds, as well as registered investment companies and closed-end funds that have elected to be treated as business development companies under the Investment Company Act of 1940.

The proposed rules impose significant new regulatory burdens, including a new 48-hour cybersecurity incident notification requirement, detailed cybersecurity policies and procedures, and additional disclosure and recordkeeping requirements. Here is how to prepare:


48-hour notification

The proposed rules require RIAs to notify the SEC within 48 hours after “having a reasonable basis to conclude that a significant adviser or fund cybersecurity incident has occurred or is occurring.” A “significant cybersecurity incident” is one that “significantly disrupts or degrades” the “ability to maintain critical operations” or “leads to the unauthorized access or use of” information that results in “substantial harm” to the adviser, a client, or an investor in a private fund whose information was accessed.

How to prepare: RIAs can establish protocols ahead of time for incident reporting, including identifying decision-makers; establishing protocols for documenting incidents; and drafting notification templates.

Policies and procedures

The proposed rules require comprehensive policies and procedures addressing cybersecurity risk. They mandate a risk assessment, as well as policies and procedures on user security, information protection, vulnerability management, and incident response. The proposed rules also mandate an annual cybersecurity review and written report.

How to prepare: RIAs can conduct a gap analysis between existing policies and the proposed rules’ requirements. Policies and procedures must be both compliant and actionable. For the annual review, RIAs can incorporate feedback from the broader threat landscape as well as firm-specific risks.

Disclosure obligations

RIAs will need to disclose cybersecurity risks and incidents that could materially impact advisory relationships and describe safeguards, as well as disclose significant cybersecurity incidents from the preceding two years. RIAs will need to deliver interim brochure amendments to clients if the RIA was subject to a cybersecurity incident after the dissemination of its brochure, or the information already disclosed in its brochure about an incident materially changes based on new discoveries. Funds will have to make cybersecurity disclosures in their registration statements.

How to prepare: RIAs can prepare protocols for assessing, updating, and timely disseminating disclosures to reflect these new requirements.

Incident response and business continuity

The proposed rules emphasize the need to minimize harm from incidents through incident response and business continuity planning.

How to prepare: RIAs should test their plans through tabletop exercises to ensure they are current and actionable.

Books and records

RIAs and funds will need to maintain records, including for risk assessments, annual reviews and cybersecurity events.

How to prepare: Because books and records requirements often serve as a foothold for future exam deficiencies and enforcement actions, RIAs should plan to document virtually every facet of the obligations imposed by the proposed rules.