The Securities and Exchange Commission (SEC) recently proposed a new cybersecurity risk management rule and amendments for registered investment companies (funds) under the Investment Company Act of 1940, as amended (1940 Act).1 The proposed new rule 38a-2 (Proposed Rule) under the 1940 Act would require funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks and would also impose certain related recordkeeping requirements. The SEC also proposed amendments to fund registration forms to require disclosure of any significant fund cybersecurity incident.
Key aspects of the Proposal are summarized below.
Cybersecurity Policies and Procedures
The Proposed Rule would require registered funds to adopt and implement written policies and procedures that must address certain cybersecurity risk management elements. Key required elements of the Proposed Rule are highlighted below.
Risk Assessment. Under the Proposed Rule, funds would be required to periodically assess, categorize, prioritize, and draft written documentation of, the cybersecurity risks associated with fund information systems and the information residing therein.2 When conducting the risk assessment, funds must, among other things, identify the cybersecurity risks related to the use of service providers associated with maintaining or accessing fund information and fund information systems.
User Security and Access. Funds would be required to implement controls designed to minimize user-related risks and prevent unauthorized access to information and systems.
Information Protection. A fund would be required to conduct a periodic assessment of its information systems to ensure information protection. Such assessment must take into account specific considerations, including, among other things, whether any fund information is personal information, and fund information systems access controls and malware protection. Funds would also be required to document that the fund is requiring that the appropriate service providers, pursuant to a written contract, implement and maintain appropriate measures designed to protect fund information and systems.
Threat and Vulnerability Management. Under this element of the Proposed Rule, a fund would be required to detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to fund information and systems.
Cybersecurity Incident Response and Recovery. This element would require funds to implement measures in their policies and procedures to detect, respond to, and recover from a cybersecurity incident, which is defined as “an unauthorized occurrence on or conducted through a fund’s information systems that jeopardizes the confidentiality, integrity, or availability of a fund’s information systems or any fund information residing therein.”
Annual Review and Approval
Funds would be required to review their cybersecurity policies and procedures no less frequently than annually. The review must assess the design and effectiveness of such policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. Funds must also prepare a written report that, among other things, documents any cybersecurity incidents that occurred and discusses any material changes to the fund’s policies and procedures.
The Proposed Rule would require a fund’s board of directors, including a majority of its independent directors, to initially approve the fund’s cybersecurity policies and procedures, as well as to review annually the written report described above.
The Proposed Rule would also impose certain recordkeeping requirements on funds. If approved, funds would have to maintain the following for five years: (1) cybersecurity policies and procedures that are in effect; (2) written reports provided to the fund board; (3) documentation of the fund’s annual review of its cybersecurity policies and procedures; (4) any report of a significant fund cybersecurity incident provided to the SEC by its adviser; (5) records documenting the occurrence of any cybersecurity incident; and (6) records documenting the fund’s cybersecurity risk assessment.
Disclosure of Cybersecurity Risks and Incidents
The Proposal includes new rule 204-6 under the Investment Advisers Act of 1940, which would require advisers to confidentially report significant cybersecurity incidents to the SEC, including on behalf of a fund, by submitting new Form ADV-C. An adviser would be required to submit Form ADV-C “promptly,” but in no event more than 48 hours, after having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident (as defined in the Proposed Rule) had occurred or is occurring.
The SEC also has proposed amendments to Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds. These amendments would require a description of any significant fund cybersecurity incident that has occurred in the fund’s last two fiscal years, including, among other things, information regarding when the incident was discovered and whether it is ongoing; and the effect of the incident on the fund’s operations.3 Funds would have to tag the new information using Inline eXtensible Business Reporting Language.
In addition, the Proposal notes that funds should consider cybersecurity risks when preparing risk disclosures in fund registration statements. The Proposal states that if a fund determines that a cybersecurity risk is a principal risk of investing in the fund, this risk should be disclosed in its prospectus. The Proposal also notes that to make timely disclosures of cybersecurity risks and significant fund cybersecurity incidents, a fund would amend its prospectus by filing a supplement with the SEC.
The comment period for the Proposal will end 30 days after publication of the Proposal in the Federal Register (which has not occurred as of the date of this Client Alert) or April 11, 2022, whichever is later.
S&K Observations and Insights
While Regulation S-P provides that funds “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information,” SEC rules do not specifically require funds to adopt and implement comprehensive cybersecurity programs.
Many funds may already have adopted written policies and procedures covering cybersecurity matters and may also disclose cybersecurity risks in fund prospectuses. Adoption of the Proposal, however, may require funds to implement a more rigorous and formal process than most funds currently have in place, though some funds and advisers may already comply with some of the proposed requirements.4 Even if a fund or adviser has adopted a comprehensive cybersecurity program, the Proposed Rule, if adopted, may provide the SEC with an additional enforcement “hook” in the event a cybersecurity incident occurs.