On February 9, 2022, the Securities and Exchange Commission (“SEC”) proposed new cybersecurity risk management rules and amendments (collectively, the “Proposal”) for registered investment advisers (“advisers”).1 The Proposal would require advisers to (i) adopt and implement written policies and procedures that are reasonably design to address cybersecurity risks; (ii) report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly proposed Form ADV-C; and (iii) maintain, make, and retain certain cybersecurity-related books and records. The Proposal would also amend Form ADV Part 2A to require disclosure of significant cybersecurity risks and incidents that affect advisers and their clients.
Cybersecurity Risk Management Rule
The Proposal would create new Rule 206(4)-9 under the Investment Advisers Act of 1940 (the “Advisers Act”) which would require advisers to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. Under Rule 206(4)-9, advisers must adopt and implement cybersecurity policies and procedures that require:
- Risk Assessment – no less frequently than annually, the adviser to reassess their cybersecurity risks considering both internal and external factors;
- User and Security Access – controls designed to minimize user-related risks and prevent the unauthorized access to information and systems;
- Information Protection – monitoring and protection of information and information systems from unauthorized access or use;
- Cybersecurity Threat and Vulnerability Management – detection, mitigation and remediation of cybersecurity threats and vulnerabilities; and
- Cybersecurity Incident Response and Recovery – measures to detect, respond to and recover from a cybersecurity incident.
Reporting of Significant Cybersecurity Incidents
The Proposal would create a reporting requirement under new Advisers Act Rule 204-6 that would require advisers to report significant cybersecurity incidents to the SEC confidentially on Form ADV-C, including incidents experienced by a private fund client.2 Specifically, Rule 204-6 would require advisers to:
- report certain information regarding a significant cybersecurity incident on Form ADV-C within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident occurred or is occurring;3
- amend any previously filed Form ADV-C promptly, but in no event more than 48 hours, (i) after information reported on the form becomes materially inaccurate; (ii) if new material information about a previously reported incident is discovered; and (iii) after resolving a previously reported incident or closing an internal investigation pertaining to a previously disclosed incident; and
- file Form ADV-C electronically with the SEC through the Investment Adviser Registration Depository.
Disclosure of Cybersecurity Risks and Incidents
The Proposal would add new Item 20 entitled “Cybersecurity Risks and Incidents” to Form ADV Part 2A, which would require advisers to disclose:
- cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business; and
- any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.
The Proposal would also amend Advisers Act Rule 204-3(b) to require advisers to promptly deliver interim brochure amendments to existing clients if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.
The Proposal would amend Advisers Act Rule 204-2 to require advisers to maintain:
- a copy of their cybersecurity policies and procedures formulated pursuant to Rule 206(4)-9;
- a copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures pursuant to Rule 206(4)-9;
- a copy of any Form ADV-C filed by the adviser pursuant to Rule 206(4)-9;
- records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident; and
- records documenting the adviser’ cybersecurity risk assessment.
The public comment period for the Proposal will remain open for the longer of 60 days following publication on the SEC’s website or 30 days following publication in the Federal Register.
If you have any questions regarding the information discussed above, please contact your Investment Management Group attorney at Seward & Kissel LLP.