SEC Proposes New Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers

February 17, 2022

On February 9, 2022, the Securities and Exchange Commission (“SEC”) proposed new cybersecurity risk management rules and amendments (collectively, the “Proposal”) for registered investment advisers (“advisers”).1 The Proposal would require advisers to (i) adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; (ii) report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly proposed Form ADV-C; and (iii) maintain, make, and retain certain cybersecurity-related books and records. The Proposal would also amend Form ADV Part 2A to require disclosure of significant cybersecurity risks and incidents that affect advisers and their clients.

Cybersecurity Risk Management Rule

The Proposal would create new Rule 206(4)-9 under the Investment Advisers Act of 1940 (the “Advisers Act”) which would require advisers to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. Under Rule 206(4)-9, advisers must adopt and implement cybersecurity policies and procedures that require:

  • Risk Assessment – no less frequently than annually, the adviser to reassess its cybersecurity risks, considering both internal and external factors;
  • User and Security Access – controls designed to minimize user-related risks and prevent the unauthorized access to information and systems;
  • Information Protection – monitoring and protection of information and information systems from unauthorized access or use;
  • Cybersecurity Threat and Vulnerability Management – detection, mitigation and remediation of cybersecurity threats and vulnerabilities; and
  • Cybersecurity Incident Response and Recovery – measures to detect, respond to and recover from a cybersecurity incident.

Reporting of Significant Cybersecurity Incidents

The Proposal would create a reporting requirement under new Advisers Act Rule 204-6 that would require advisers to report significant cybersecurity incidents to the SEC confidentially on Form ADV-C, including incidents experienced by a private fund client.2 Specifically, Rule 204-6 would require advisers to:

  • report certain information regarding a significant cybersecurity incident on Form ADV-C within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident occurred or is occurring;3
  • amend any previously filed Form ADV-C promptly, but in no event more than 48 hours (i) after information reported on the form becomes materially inaccurate; (ii) after new material information about a previously reported incident is discovered; or (iii) after resolving a previously reported incident or closing an internal investigation pertaining to a previously disclosed incident; and
  • file Form ADV-C electronically with the SEC through the Investment Adviser Registration Depository.

Disclosure of Cybersecurity Risks and Incidents

The Proposal would add new Item 20 entitled “Cybersecurity Risks and Incidents” to Form ADV Part 2A, which would require advisers to disclose:

  • cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business; and
  • any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.

The Proposal would also amend Advisers Act Rule 204-3(b) to require advisers to promptly deliver interim brochure amendments to existing clients if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.

Recordkeeping

The Proposal would amend Advisers Act Rule 204-2 to require advisers to maintain:

  • a copy of their cybersecurity policies and procedures formulated pursuant to Rule 206(4)-9;
  • a copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures pursuant to Rule 206(4)-9;
  • a copy of any Form ADV-C filed by the adviser pursuant to Rule 206(4)-9;
  • records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident; and
  • records documenting the adviser’s cybersecurity risk assessment.

***

The public comment period for the Proposal will remain open for the longer of 60 days following publication on the SEC’s website or 30 days following publication in the Federal Register.

If you have any questions regarding the information discussed above, please contact your Investment Management Group attorney at Seward & Kissel LLP.

______________________________________________________

1 See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028; IA-5956; IC-34497 (February 9, 2022) (the “Release”), available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf, and U.S. Securities and Exchange Commission Fact Sheet, “Cybersecurity Risk Management” (February 9, 2022), available at https://www.sec.gov/files/33-11028-fact-sheet.pdf. In the Release, the SEC also proposed new cybersecurity risk management rules and amendments for SEC-registered investment companies.

2 A significant adviser cybersecurity incident is defined in the Proposal as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.

3 In addition to information about the adviser, the adviser would need to specify whether the adviser is reporting a significant adviser cybersecurity incident or a significant fund cybersecurity incident (or both), the approximate date the incident occurred, the approximate date the incident was discovered, whether the incident is ongoing, whether the cybersecurity incident is covered under a cybersecurity insurance policy, as well as whether law enforcement or a government agency had been notified about the cybersecurity incident. In addition, advisers would be asked to disclose substantive information about the nature and scope of the incident being reported, including any actions and planned actions to recover from the incident, whether any data was stolen, altered, or accessed or used for any other unauthorized purpose, and whether the significant cybersecurity incident has been disclosed to the adviser’s clients and/or to investors.