SEC Votes to Propose Rules For Cybersecurity Concerning RIAs

As discussed in the prior update, the Securities and Exchange Commission (SEC), and specifically the Chair of the SEC, Gary Gensler, emphasized the SEC's cybersecurity focus during his address at the 2022 Annual Securities Regulation Institute. During that address, Gensler discussed different areas where the SEC is analyzing cybersecurity regulations given the importance of cybersecurity to our economy and national cybersecurity initiatives.


Gensler and the SEC followed through. On February 9, 2022, the SEC voted to propose cybersecurity rules related to risk management for registered investment advisers (RIAs), registered investment companies, and funds, including amendments to certain rules that govern disclosures. See https://www.sec.gov/news/press-release/2022-20


The proposed rules require the implementation of written cybersecurity policies and procedures to mitigate risk to advisory clients and fund investors, and also require "advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission." The reporting requirement, as with other agencies, is open to interpretation and, thus, fraught with risk if not handled properly. Specifically, the proposed rules would impose a rapid reporting requirement for a "significant cybersecurity incident": it must be reported within forty-eight hours of its discovery by filing a new confidential form.


As we have expressed in prior updates, national agencies are primarily following the template set forth by the New York State Department of Financial Services (NYDFS), which has been in place for the last few years. In other words, if you are familiar with those requirements, the proposed SEC regulations should feel familiar. For example, the above-referenced SEC reporting requirement is triggered when (1) a cyberattack "significantly disrupts or degrades" the ability of an adviser or its private fund clients to "maintain critical operations," or (2) the attack results in unauthorized access to "adviser information" or "fund information" resulting in "substantial harm" to the adviser, its clients, a fund, or investors.


Given the inherent ambiguity of these terms (e.g., "substantial harm," "significant disruption"), it is important to take advantage of the public comment period to coordinate with counsel and your respective industry associations. Specifically, the proposal will be published on SEC.gov and in the Federal Register, and the public comment period is sixty days "following the publication of the proposing release on the SEC's website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer."