Sponsors have more time to weigh in on the SEC’s proposed cybersecurity rule for registered advisers after the regulator re-opened the comment period. But sources tell Private Funds CFO that GPs don’t need to wait – and shouldn’t – for the commission to order them to fortify their digital defenses.
The rule would require advisers to have written policies and procedures covering cybersecurity risk management and to review them at least annually. The SEC is accepting new comments under the re-opened period until May 22 and has posted existing ones on its website. The policies and procedures include assessments of advisers’ own operations and identification of service providers with access to their information. The proposal calls for advisers to get written contracts with service providers that outline their own cybersecurity policies and procedures.
The rule would mandate advisers to confidentially report “significant cybersecurity incidents” to the commission within 48 hours after determining on “a reasonable basis” that they happened. Advisers would also have to disclose cybersecurity incidents and risks to clients under Form ADV Part 2A.
Mind the existing rules
The proposal isn’t a radical departure from the status quo because several of its tenets are already applicable to advisers, notes Jeremy Bergsman, a managing director at ACA Group.
“The rule doesn’t add that many new things that weren’t previously understood through previous SEC actions,” he says.
The commission is aiming both to consolidate information and to clarify its existing language by adding the rule.
“One, it’s codifying in a rule a lot of stuff that was broadly understood previous to the rule,” Bergsman says. “The other thing that it’s doing is making a few of the expectations that were previously vague more concrete, and in particular, it’s making them stricter.”
Bergsman cites the 48-hour reporting window and annual risk assessments as stricter requirements.
Advisers can turn to the National Institute of Standards and Technology’s cybersecurity framework to shape their programs, says Louis Bruno, a partner at EisnerAmper. NIST’s framework consists of functions spanning identification, detection and response. Those functions are further broken down into smaller areas of responsibility.
Bruno notes the SEC has similar existing rules that affect advisers. He cites Regulation S-ID, which covers identity theft prevention, and Regulation S-P, which covers handling customer information and is subject to a proposal that would make it stricter.
Experts shared particular steps for firms to take that resemble parts of the rule.
Advisers should adopt cybersecurity policies and procedures regardless of the rule’s status, says Neel Maitra, a partner at Wilson Sonsini who previously worked in the SEC’s division for trading and markets. He also suggests that advisers have staff with expertise in cybersecurity.
Maitra says “there’s a pretty good chance” the regulator will adopt the rule largely as proposed.
Private funds advisers should already be compiling inventories of the types of data that they possess and deciding what to retain, says Ethan Corey, senior counsel at Eversheds Sutherland. He adds that advisers should conduct due diligence of outsourcing providers to learn how they safeguard information.
Corey also says that advisers should have policies and procedures for data breaches, ensure that breaches don’t spread across data sources and train staff on how to spot phishing attempts.
Addressing cybersecurity risk is important for business and reputational reasons, notes Gail Bernstein, who is general counsel at the Investment Adviser Association.
“It really is ‘don’t sit and forget your risk management, don’t sit and forget your assessment of reputational risk, your assessment of business risk, your assessment of client risk,’” Bernstein says.
She adds that advisers should have internal governance rules set out and should include cybersecurity in their due diligence of portfolio companies.
The IAA supports the SEC’s policy rationale behind the rule. Bernstein notes there is “strong alignment between the objectives of advisers and the objectives” of regulators. But she says some of the proposed rule entails an impractical “prescriptive one-size-fits-all approach,” pointing to the 48-hour reporting window and the requirement for obtaining written contracts with service providers.
Bernstein notes that most advisers lack the leverage to get the kind of contractual requirements with providers that the SEC wants. She also says smaller advisers should be exempted from the reporting period.
What about cybersecurity for portfolio companies?
The SEC’s proposed cybersecurity rule for advisers doesn’t address practices for sponsors’ portfolio companies, but that doesn’t mean GPs are off the hook.
Igor Rozenblit, managing partner with Iron Road Partners, says “there’s no single regulation that explicitly outlines advisor’s obligations for due diligence and monitoring of how their portfolio companies handle cybersecurity.” He adds that “it is implied in multiple aspects already.”
Experts tell Private Funds CFO that an obligation is implicitly covered by a 2019 fiduciary duty interpretation by the SEC for advisers.
ACA’s Bergsman says that a portion of the document’s duty-of-care section says advisers must conduct ongoing monitoring of investments, which can be interpreted as a requirement to keep track of portfolio companies’ handling of cybersecurity.
Rozenblit, who previously co-led the private funds unit at the commission’s Division of Examinations, agrees that the 2019 interpretation is among the implied obligations. He also cites sponsors’ due diligence processes for investing as an implicit requirement that covers portfolio companies.
“It’s implied that you will conduct due diligence on the kind of investments you put your investors into, and this is just a logical part of due diligence,” he says.
Rozenblit notes that GPs also have cybersecurity obligations related to their portfolio companies if they include cybersecurity as due diligence and monitoring factors in their marketing materials. Additionally, sponsors have reporting obligations to investors when events occur that can significantly impact the companies’ value, which includes data breaches.
GPs need to do more than their pre-acquisition due diligence, but many are only taking “ad hoc” cybersecurity approaches with their companies during investment periods, Bergsman notes.