On February 9, 2022, the Securities Exchange Commission (“SEC” or “Commission”) voted 3-1 to propose rules, forms and amendments concerning cybersecurity risk management, as well as registered investment adviser and fund disclosures. As we have previously discussed, the proposal under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940 (Investment Company Act) seeks to set out specific requirements for cybersecurity risk management for registered investment advisers (RIAs), registered investment companies (“RICs,” including mutual funds, exchange-traded funds (ETFs), unit investment trusts (UITs), and closed-end funds) and business development companies (BDCs)1 and related amendments to certain rules and forms that govern RIA and fund disclosures.
The proposed rules would require registered advisers and funds to “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks,” report significant cybersecurity incidents to the SEC, and disclose cybersecurity risks and incidents occurring in the past two years in Form ADV, Part 2A and fund registration statements.2 According to SEC Chair Gary Gensler, this proposal aims to “enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”3 Additionally, the proposal’s reporting requirements would seek to provide the SEC with key information about cybersecurity incidents and responses to enhance its examination and enforcement capabilities.
Although the proposed rules remain subject to comment, in many ways they reflect preexisting SEC expectations for how regulated entities should manage cybersecurity risks and report cybersecurity incidents.4 For example, the SEC has repeatedly included information security among its examination priorities for RIAs and funds. In March 2021, the SEC announced that its 2021 exams would focus on a variety of information security measures, including “controls surrounding online and mobile application access to investor account information,” and “policies and procedures to protect investor records and information,” among others.5 The SEC has highlighted cybersecurity risks arising out of its observations from such examinations. For example, in September 2020, the Office of Compliance Inspections and Examinations (OCIE) released a risk alert to highlight the threat of “credential stuffing,” and encouraged firms and advisers to “review their customer account protection safeguards and identity theft prevention programs and consider whether updates to such programs or policies are warranted to address emergent risks.”6
In addition to building on the Commission’s long-established focus on cybersecurity, the proposal also highlights the preexisting regulatory framework applicable to RIA and fund cybersecurity. For investment advisers, this includes fiduciary duties, the Advisers Act compliance rule,7 and, for most investment advisers, Regulation S-P,8 which requires the adoption of written policies and procedures to protect customer information, and Regulation S-ID,9 which requires the implementation of an identity theft program. For funds, this includes the Investment Company compliance rule,10 as well as, for many funds, Regulation S-P and Regulation S-ID.11
Taken together, under these and other rules, as well as based on SEC Risk Alerts, examination priorities and recent enforcement actions, most RIAs and funds currently consider and address cybersecurity risks. However, the Commission acknowledges that “there are no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs” and that, based on examinations, it appears that not all funds and advisers are taking the appropriate steps to mitigate cybersecurity risks.12 This perspective is reflected in recent SEC enforcement actions premised on cybersecurity issues. Most notably, in August 2021, the SEC announced multiple actions sanctioning broker-dealers and/or investment advisory firms for deficiencies in their cybersecurity policies and procedures and disclosures following incidents.13
This Legal Update builds on our previous discussion of this proposal and discusses some of its major implications for registrants. Notably, the proposal imposes new cybersecurity incident reporting and related disclosure requirements on registered investment advisers and funds. In addition, the impact of the proposal would likely extend beyond the registered funds and advisers directly subject to them. Although funds and advisers generally do, and are expected to, oversee their service providers, including with respect to cybersecurity, the proposal imposes specific cybersecurity oversight responsibilities on registered advisers and funds for certain third parties they engage, including those that are not otherwise directly regulated by the SEC. If adopted in its current form, this proposal might trigger new pressures on service providers and vendors across the registered adviser and fund ecosystem to meet the cybersecurity expectations of advisers and funds. Because registered advisers and funds would be required to evaluate their existing vendor and service provider relationships and related cybersecurity risks, advisers and funds might choose to only work with service providers that are committed to proactive cybersecurity mitigation and otherwise meet the cybersecurity expectations of their adviser and fund business partners.
Below, we highlight some key takeaways from the SEC’s proposal. We then examine specific elements of the proposal, which include: (1) cybersecurity risk management policies and procedures, (2) annual review and required written reports, (3) fund board oversight, (4) recordkeeping, (5) reporting of significant cybersecurity incidents to the SEC and (6) disclosure of cybersecurity risks and incidents. Finally, we consider the prospect for additional regulation of cybersecurity in the securities industry.
I. Major Takeaways from the Proposal
- Broad scope. The proposal has a broad scope, encompassing activities and operations central to an advisory business (including valuation, trading, issuer and other data access and importing)14 as well as operations beyond the provision of advisory services. For example, the proposed rules appear to impose substantive cybersecurity requirements on all aspects of the adviser’s business operations, including internal and non-client facing business activities, and potentially reach non-advisory lines of business conducted by the adviser, as well as the operations and systems of certain advisory affiliates.
- New confidential Form ADV-C requirements. The proposal would require registered advisers to adhere to strict incident reporting requirements. First, advisers must report a “significant cybersecurity incident” to the SEC within 48 hours of having a “reasonable basis” to conclude that an incident has occurred or is occurring. Second, advisers must amend any previously filed notice promptly but no later than 48 hours after discovering new, material information, learning that information previously reported has become materially inaccurate, or resolving or closing an investigation regarding a previously reported incident. Responding to a cybersecurity incident is a fluid and time-sensitive process. Newly identified information can rapidly alter a firm’s understanding of an incident’s scope or impact. If adopted as proposed, advisers will need to consider how to actively and responsibly manage these new reporting requirements throughout the incident response process.
- Service provider oversight. The proposal highlights the risks posed by certain fund and adviser third-party service providers. Under the proposal, funds and advisers would be required to identify the service providers that receive, maintain or process fund or adviser information (as applicable), or are otherwise permitted to access fund or adviser information systems and any fund or adviser information residing therein (Service Providers), and assess the cybersecurity risks associated with the fund’s/adviser’s use of the Service Providers.15 In addition, the proposed cybersecurity policy requirements would mandate that funds and advisers: (i) require oversight of Service Providers and, (ii) through that oversight, document that the Service Providers, pursuant to a written contract between the fund/adviser and the Service Provider, are required to implement and maintain “appropriate” measures that are designed to protect fund/adviser information and fund/adviser information systems, including certain specified practices described in the proposed cybersecurity policy rules. Thus, the risk assessments that would be required under the proposal must account for the potential impact of a cybersecurity incident impacting a Service Provider. This will require evaluation of the system access available to the Service Provider, the types of services it provides, and the type of data it possesses. Advisers and funds will be required to evaluate their exposure to Service Provider cybersecurity risk and consider what steps are needed to comply with the proposal’s requirements regarding Service Providers.
- Increased costs. The proposed requirements are expected to result in increased costs for funds and advisers. For example, the proposal recognizes that advisers and funds may need to retain a cybersecurity expert or specialist to assist in the review of written cybersecurity protocols or to further educate the board of directors on these issues.
- Potential for overlapping regulatory regimes. The SEC’s proposal appears to acknowledge that the regulatory framework it proposes to develop will create overlapping obligations for certain firms with other regulatory regimes, including those instituted by the federal banking agencies and the Federal Trade Commission. If the proposal is adopted, advisers should examine their preexisting obligations under such regulatory frameworks and consider how the new SEC requirements interact with them.
II. Proposal Analysis
1. Cybersecurity Risk Management Policies and Procedures
The proposal would require registered funds and advisers to adopt and implement cybersecurity policies and procedures addressing a range of specifically enumerated topics. The stated goal of this requirement is to require advisers and funds to appropriately “consider and mitigate cybersecurity risk.”16 The SEC acknowledges that “there is not a one-size-fits-all approach to addressing cybersecurity risks” and the proposal thus would allow firms to structure their policies and procedures to fit the “nature and scope of their business and address their individual cybersecurity risks.”17 While allowing for flexibility in specific protections, all registered advisers and funds would need to adopt policies that address the following specific issues: risk assessments, user security and access, information protection, threat and vulnerability management, and cybersecurity incident response and recovery.18 The SEC also set out expectations for general administration of the policies.
A. Risk Assessment
Under the proposal, all registered advisers and funds would need to “periodically  assess, categorize, prioritize, and draft written documentation of, the cybersecurity risks associated with their information systems and the information residing therein.” The SEC specifies that compliant risk assessments would:
- “categorize and prioritize cybersecurity risks based on an inventory of the components of information systems and the data therein by analyzing the potential effect of cybersecurity incidents on the advisers and funds”; and
- ”identify . . . service providers that receive, maintain or process adviser or fund information, or that are permitted to access their information systems . . . and identify the cybersecurity risks” related to the use of such providers.19
The risk assessment component is essential to ensuring that a firm’s cybersecurity program is appropriately tailored to the specific risks it faces. The SEC also acknowledges that risks can evolve over time and would therefore require advisers and funds to “reassess and re-prioritize their cybersecurity risks periodically as changes that affect these risks occur.”20 Examples of developments that could prompt a firm to undertake such a reassessment include “changes to its business, online presence, or client web access, or external changes, such as changes in the evolving technology and cybersecurity threat landscape.”21 Notably, the proposal recommends that advisers and funds monitor and consider implementing updates and guidance from “private sector and governmental resources, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Department of Homeland Security’s CISA.”22
B. User Security and Access
Another required cybersecurity risk management measure under the proposed rules would be the implementation of “controls designed to minimize user-related risks and prevent the unauthorized access to information and systems.” The proposal would require these protocols to:
- “[r]equir[e] standards of behavior for individuals authorized to access adviser or fund information systems” (i.e., an acceptance use policy);
- “[i]dentify and authenticat[e] individual users” including via multi-factor authentication;
- “[e]stablish procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication”;
- “[r]estrict access to specific adviser or fund information systems or components thereof . . . solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions”; and
- “[s]ecur[e] remote access technologies used to interface with adviser or fund information systems.”23
The SEC found that these controls were “necessary to prevent and detect unauthorized access to systems or client or investor data or information,” especially in the increasingly hybrid, remote work environment prevailing at many financial institutions. The SEC does not identify specific technological solutions or requirements, but rather acknowledges that there are multiple approaches a firm could take based on its risk profile, including “issuance of user credentials, digital rights management with respect to proprietary hardware and copyrighted software, authentication and authorization methods (e.g., multi-factor authentication and geolocation), and tiered access to sensitive information and network resources.”24 Moreover, this aspect of a firm’s cybersecurity program must address not only employee access controls, but also access controls applicable to clients and investors. Many of the SEC enforcement actions noted above specifically related to user access issues. These enforcement actions further highlighted to the industry the SEC’s views regarding cybersecurity controls and what is necessary for compliance with Regulation S-P.
C. Information Protection
The proposed cybersecurity rules would also require an adviser or fund to implement procedures that enable it to “monitor information systems and protect information from unauthorized access or use.” These procedures must consider:
- “[t]he sensitivity level and importance of adviser or fund information”;
- “[w]hether any adviser or fund information is personal information”;
- “[w]here and how adviser or fund information is accessed, stored and transmitted”;
- “[a]dviser or fund information systems access controls and malware protection”; and
- “[t]he potential effect of a cybersecurity incident involving adviser or fund information . . . including the ability for the adviser to continue to provide investment advice or the fund to continue providing service.”25
The specific measures used to monitor for and prevent unauthorized information and system access should be tied to an evaluation of a firm’s specific risks, but examples of measures could include, “encryption, network segmentation, and access controls to ensure that only authorized users have access to sensitive data or information or critical systems.” In addition, firms may consider implementing measures designed to identify suspicious behavior, such as generating and reviewing user activity logs, identifying “potential anomalous activity,” and escalating such issues to senior officers.26
In addition, firms also have the obligation to “oversee any service providers that receive, maintain, or process adviser or fund information, or are otherwise permitted to access their information systems” and associated data. In particular, firms must require service providers to agree via contract to implement their own cybersecurity policies and procedures. Advisers and funds should also employ “due diligence procedures or periodic contract review processes” to ensure proper oversight of Service Providers.27
D. Threat and Vulnerability Management
The proposal would also require advisers and funds to implement procedures “to detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to” adviser or fund information and systems. The SEC highlights the importance of “ongoing monitoring” to detect threats and vulnerabilities. Specific examples of ongoing monitoring activities include “network, system, and application vulnerability assessments,” such as “scans or reviews of internal systems, externally-facing systems, new systems, and systems used by service providers.” The SEC also identifies certain mitigation measures firms could implement once such threats or vulnerabilities have been identified. These include “implementing a patch management program,” “establish[ing] accountability for handling vulnerability reports,” and developing “processes for intake, assignment, escalation, remediation, and remediation testing.”28
E. Cybersecurity Incident Response and Recovery
The proposal would also require advisers and firms to have measures “to detect, respond to, and recover from a cybersecurity incident.” Such measures would need to ensure:
- “[c]ontinued operations of the fund or adviser”;
- “[t]he protection of adviser information systems and the fund or adviser information residing therein”;
- “[e]xternal and internal cybersecurity incident information sharing and communications”; and
- “[r]eporting of significant cybersecurity incidents to the Commission.”29
In addition, the proposal would require firms to document their response and recovery actions from any cybersecurity incident and to identify personnel responsible for specific roles in an incident response.
The SEC further encourages advisers and funds to take certain steps that could enhance the effectiveness of their incident response programs. These include: maintaining physical copies of response plans in case of system outages, backing up data, and testing their incident response plans through tabletop or full-scale exercises.
F. General Administration
According to the SEC, under the proposed cybersecurity risk management rules, an adviser or fund may choose to administer its cybersecurity policies and procedures using in-house resources with appropriate knowledge and expertise. The proposed framework also does not preclude an adviser or fund from using a third party’s cybersecurity risk management services, subject to appropriate oversight. Similarly, subject to appropriate oversight, a fund’s adviser or sub-adviser could administer any of the functions of the fund’s required policies and procedures. Whether the administrators of an adviser’s or fund’s cybersecurity policies and procedures are in-house or a third party, reasonably designed policies and procedures must empower these administrators to make decisions and escalate issues to senior officers as necessary for the administrator to carry out the role effectively (e.g., the policies and procedures could include an explicit escalation provision to the adviser’s or fund’s senior officers). Reasonably designed cybersecurity policies and procedures generally should specify which groups, positions or individuals, whether in-house or third-party, are responsible for implementing and administering the policies and procedures, including specifying those responsible for communicating incidents internally and making decisions with respect to reporting to the Commission and disclosing to clients and investors certain incidents.
2. Annual Review and Required Written Reports
The proposal would require registered global advisers and funds to no less frequently than annually review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review and prepare a written report reflecting this review. “The report would, at a minimum, describe the annual review, assessment, and any control tests performed, explain the results thereof, document any cybersecurity incident that occurred since the date of the last report, and discuss any material changes to the policies and procedures since the date of the last report.” The stated purpose of the review and report requirement is to ensure that registrants’ cybersecurity programs are working as designed and identify any necessary changes in response to changed conditions. The SEC acknowledges that this may require the expertise of additional internal and external expertise, including cybersecurity experts.30
3. Fund Board Oversight
The proposed rules would also require a fund’s board of directors, including a majority of the independent directors, to both initially approve the fund’s cybersecurity policies and procedures, and to review the written annual reports on the fund’s procedures and incident reports.31 Consistent with current practice under Rule 38a-1, directors may review and approve “summaries of the cybersecurity program prepared by persons who administer the fund’s cybersecurity policies and procedures.” The goal behind this requirement is to “assist directors in understanding a fund’s cybersecurity risk management policies and procedures, as well as the risks they are designed to address.”32
The proposed rules also impose new recordkeeping obligations on advisers and funds. Most notable amongst these is a requirement to retain “records documenting the occurrence of any cybersecurity incident, including records related to any response and recovery” from that incident from the past five years.33 Depending on how this is interpreted, such documentation could be voluminous and include material that could qualify for legal privileges and protections. Also required are records documenting the adviser’s/fund’s cybersecurity risk assessment in the past five years. Compliance with these and other recordkeeping requirements might require advisers and funds, and by extension their Service Providers, to impose new administrative and technical protocols to ensure documentation is collected and maintained appropriately.
5. Confidential Reporting of Significant Cybersecurity Incidents to the Commission
The proposal details new confidential reporting requirements for registered advisers, using new Form ADV-C to report significant cybersecurity incidents to the SEC. Advisers would also be required to report such incidents “on behalf of a client that is a registered investment company or business development company, or a private fund.” Importantly, these reporting requirements cover not only material incidents regarding advisers, but also apply to incidents regarding private and registered fund clients, known in the proposal as “covered clients.”34
Specifically, any adviser registered or required to register with the Commission would be required to submit proposed Form ADV-C within 48 hours after having a reasonable basis to conclude that a significant cybersecurity incident had occurred or is occurring. The Form ADV-C will provide this information through a series of check-the-box and fill-in-the-blank questions.
Importantly, this requirement also requires advisers to continuously update and amend any previously filed Form ADV-C as new material information becomes available. Such updates must be provided promptly, “but in no event more than 48 hours, after information reported on the form becomes materially inaccurate; if new material information about a previously reported incident is discovered; and after resolving a previously reported incident or closing an internal investigation pertaining to a previously disclosed incident.”35
6. Public Disclosure of Cybersecurity Risks and Incidents
The proposed rules also include requirements for registered advisers and funds to publicly disclose “cybersecurity risks and incidents to their investors and other market participants.” Specifically, the Commission proposed amendments to Form ADV Part 2A for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 for funds.36
Form ADV Part 2A would require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients. Advisers would be required to describe cybersecurity risks that could “materially”37 affect the advisory services they offer and how they assess, prioritize and address cybersecurity risks created by the nature and scope of their business. In addition, the proposal would require advisers to disclose “cybersecurity incidents”38 that occurred within the past two fiscal years and that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients. When describing these incidents in their brochures, advisers would be required to identify the entity or entities affected, when the incidents were discovered and whether they are ongoing, whether any data was stolen, altered, accessed or used for any other unauthorized purpose, the effect of the incident on the adviser’s operations, and whether the adviser, or Service Provider, has remediated or is currently remediating the incident. Also proposed is a requirement for advisers to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.39
Registered funds also would be required to provide prospective and current investors with cybersecurity-related disclosures. Specifically, the proposal would require a description of any “significant fund cybersecurity incidents” that have occurred in the past two fiscal years in funds’ registration statements. Regarding cybersecurity risks, the SEC reminded funds that they should consider cybersecurity risks when preparing risk disclosures in fund registration statements under the Investment Company Act and the Securities Act.
The goal of these required disclosures is to “enhance investor protection by ensuring cybersecurity risk or incident-related information is available to increase understanding and insight into an adviser’s or fund’s cybersecurity history and risks.”40
III. Next Steps: Additional Regulation Likely
If implemented, the proposal would represent an important rulemaking action by the SEC with respect to cybersecurity risk management for regulated entities. Advisers and funds should carefully review the proposal; track related developments; consider existing policies, procedures and practices; and consider filing comments, which may be submitted through April 11, 2022.
This SEC proposal is another significant example of expanded cybersecurity expectations and requirements for SEC-regulated entities. The proposal would impose significant new reporting and disclosure obligations on registered advisers and funds and require that they adopt cybersecurity policies and procedures meeting new specific requirements. In addition, the new requirements will provide an enhanced source of subject matter for SEC examinations and enforcement actions. Overall, the proposal is another signal of a sea-change in the SEC’s regulatory and enforcement posture, with SEC Chair Gensler at the helm. Registered funds and advisers should take heed.
Although the proposal itself would have broad impact on the registered adviser and fund landscape, it still leaves room for future regulatory action with respect to other regulated entities. For example, even though this proposal does not apply to broker-dealers or entities subject to Regulation SCI, these entities (and potentially other types of registrants in the SEC’s jurisdiction) should take note. At the February Commission meeting during which the SEC voted to propose these rules for consideration, SEC Chair Gensler announced that he would like to see similar proposals that would extend to such entities in the near future. The SEC has also complemented the above described proposal for registered advisers and funds with a similar proposal for public companies, which was announced on March 9, 2022.41
Advisers, funds and other entities within the SEC’s jurisdiction would be wise to review their current cybersecurity policies, procedures, approaches and controls and compare them with the proposal, not only to prepare for possible adoption of the same but also to determine whether revisions are appropriate at this time. Although only at the proposal stage, these proposed rules and related form and rule amendments are a clear indication of the SEC’s current expectations regarding appropriate cybersecurity measures.