In February 2022, the U.S. Securities and Exchange Commission (SEC) unveiled a set of proposed cybersecurity regulations aimed at bolstering the preparedness of registered investment advisers (“advisers”) and funds in the face of growing cybersecurity threats and incidents.
The SEC's stated objectives are to protect investors and preserve the orderly functioning of markets by improving the cybersecurity preparedness of advisers and funds, increasing the availability of cybersecurity-related information, and making the SEC's own inspection and enforcement work more effective. While the rules are still at the proposal stage, there are steps fund advisers can take now to build a defensible program before any compliance date arrives.
Understanding the Proposed Rules
The SEC's proposed rules, issued under the Investment Advisers Act of 1940 (the "Advisers Act") and the Investment Company Act of 1940, would, if adopted, require registered investment advisers (including private fund advisers) and registered funds to implement written policies and procedures designed to address cybersecurity risk. The key provisions include:
- Implementation of Comprehensive Cybersecurity Policies: Proposed Advisers Act rule 206(4)-9 and Investment Company Act rule 38a-2 would require advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm clients or investors or lead to unauthorized access to or use of adviser or fund information, including personal information. The proposal spells out the elements such a program must cover: periodic risk assessment, user security and access controls, information protection, threat and vulnerability management, and incident response and recovery, together with an annual review of the program's design and effectiveness documented in a written report.
- Reporting Significant Incidents: Under proposed Advisers Act rule 204-6, advisers would be required to report a significant cybersecurity incident, including one affecting a fund or private fund client, to the SEC on new Form ADV-C promptly, and in no event more than 48 hours after having a reasonable basis to conclude that the incident has occurred or is occurring, with amended filings as material information changes or the incident is resolved. These confidential reports are intended to help the SEC monitor and evaluate the effects of an incident on an adviser and its clients and to assess broader, potentially systemic risks.
- Public Disclosure of Cybersecurity Risks: The SEC proposed amending Form ADV Part 2A (the adviser brochure) to require disclosure to clients and prospective clients of cybersecurity risks that could materially affect the advisory services offered and of any significant adviser cybersecurity incident that occurred in the last two fiscal years, with an interim brochure amendment delivered promptly to existing clients when such a disclosure is added or materially revised. Funds would likewise be required to describe in their registration statements any significant fund cybersecurity incident that occurred in the last two fiscal years, making the information available to current and prospective investors.
- Enhanced Recordkeeping: The proposal would amend Advisers Act rule 204-2, the books-and-records rule that governs what records an adviser must make, maintain and retain, to require advisers to keep copies of their cybersecurity policies and procedures, the written reports of their annual reviews, their Form ADV-C filings, and records documenting each cybersecurity incident and each risk assessment. Under proposed Investment Company Act rule 38a-2, funds would be subject to parallel recordkeeping requirements covering their cybersecurity policies and procedures and related records.
Preparing for the New Rules
While nothing is required until the rules are adopted and their compliance dates arrive, fund advisers can begin preparing now in anticipation of adoption.
- Engage with Legal Counsel and Advisors: Initiate discussions with your firm's legal counsel to assess the impact of these rules on your organization. These conversations can serve as the foundation for a proactive plan.
- Conduct a Comprehensive Audit: Inventory the vendors, systems, applications and third-party service providers your firm relies on, and assess the risk each presents, including how service providers protect the adviser and fund data they hold. Identifying gaps early gives your firm time to remediate them before an incident occurs and before the rules take effect.
- Establish Written Processes: Develop and implement documented policies and procedures so that all personnel follow information-security best practices; a written program of the kind the proposal contemplates is also what examiners will ask to see. Annual cybersecurity training and scheduled phishing tests strengthen staff awareness and preparedness.
- Review Cybersecurity Insurance: Revisit your cyber insurance policies to confirm they offer adequate coverage for the incidents your firm is most likely to face. Many policies limit or exclude coverage if specific preventive controls (e.g., firmwide two-factor authentication) are not in place, so confirm those controls are actually deployed rather than assumed.
Looking Ahead
The SEC is likely to adopt a cybersecurity rule aimed at safeguarding investors and market stability in the near future. Fund advisers can use the time they have now to open early dialogues with key stakeholders and formulate an action plan that keeps them ahead of regulatory developments.
How Petra can help
Petra FundsGroup’s compliance team has decades of experience managing SEC regulatory compliance programs for private fund advisers. The group’s expertise enables them to provide insight and guidance on a wide range of regulatory compliance services, from investment adviser registration to ongoing compliance support to performing SEC mock examinations. Learn more about Petra’s comprehensive compliance offering here.
Please get in touch with a member of Petra's compliance team with any questions you have about the SEC’s proposed cybersecurity rule or other regulatory compliance matters.