SEC Proposes to Expand Cybersecurity Obligations of Registered Investment Advisers and Registered Funds
The SEC recently proposed a series of new rules and amendments (the Proposed Rules) under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 concerning cybersecurity risk management for registered investment advisers (registered advisers) as well as registered investment companies (registered funds). If adopted, these rules would require registered advisers and registered funds to implement extensive written cybersecurity policies and procedures and significantly augment their cybersecurity reporting, disclosure and recordkeeping obligations. Coming on the heels of SEC Chair Gary Gensler’s recent vow to improve the “overall cybersecurity posture and resiliency of the financial sector,” the Proposed Rules are the latest demonstration of the SEC’s heightened focus on bolstering regulations to better prevent and respond to cybersecurity attacks on securities markets. Issuance of the Proposed Rules is also driven by the SEC’s expressly stated concern that, notwithstanding observations the SEC has made in recent risk alerts and enforcement actions, registered advisers and registered funds have not adopted reasonably designed cybersecurity programs to sufficiently address an increasingly sophisticated and volatile cyberthreat landscape. Comments on the Proposed Rules are due on the later of April 11, 2022 or 30 days after their publication in the Federal Register.
Background on Registered Advisers and Registered Funds
The Proposed Rules would impose substantially similar obligations on registered advisers—such as money managers, investment consultants and financial planners—and registered funds—such as mutual funds, exchange-traded funds, registered closed-end funds, business development companies, and unit investment trusts—but there are some distinctions, particularly with respect to reporting and disclosure requirements. While both registered advisers and registered funds would be obligated to disclose significant cybersecurity incidents to clients and investors, only registered advisers would be required to report such incidents to the SEC. Because registered advisers would have to report incidents of their fund clients, limiting the SEC-reporting obligation to registered advisers would help avoid the SEC’s receipt of duplicative reports of incidents that affected both kinds of entities.
Notably, although the Proposed Rules would not apply to private funds (which, as entities exempt from the Investment Company Act of 1940, are subject to the Gramm-Leach-Bliley Act’s Amended Safeguards Rule published on December 9, 2021[1]), they would apply to registered advisers who advise those private funds. Therefore, significant cybersecurity incidents at private funds may well end up being swept in and reported via their registered advisers.
Reporting Significant Cybersecurity Incidents to the SEC
The Proposed Rules would require registered advisers, including on behalf of clients that are registered investment companies, business development companies or private funds, to report significant cybersecurity incidents to the SEC in a confidential Form ADV-C within 48 hours after having a reasonable basis to conclude such an incident had occurred. As currently proposed, “significant cybersecurity incidents” are those that significantly affect the critical operations of a registered adviser or registered fund or lead to unauthorized access or use of information that results in substantial harm[2] to the registered adviser or its clients or a registered fund or its investors. The 48-hour requirement would require registered advisers and registered funds to report cybersecurity incidents to regulators on a faster timeline than any other law or regulation they are currently subject to, including the European General Data Protection Regulation’s requirement to notify supervisory authorities within 72 hours of becoming aware of a reportable data breach, and the regulator reporting requirements contained in some US state data breach notification statutes.[3] Moreover, this requirement would cover a broader range of cybersecurity incidents than the aforementioned laws, which are limited to incidents involving the breach of personal information.
Registered advisers also would be obligated to amend any previously filed Form ADV-C within 48 hours after (i) learning that any information about a cybersecurity incident previously reported on such Form is materially inaccurate, (ii) discovering any new material information pertaining to a significant cybersecurity incident previously reported or (iii) the resolution of any significant cybersecurity incident or closure of any internal investigation pertaining to such an incident.
The Proposed Rules do not impose similar requirements on internally managed registered funds, but the SEC is inviting comment on whether the final rules should do so. The SEC also is requesting comments on whether: (i) registered advisers should be obligated to report significant cybersecurity incidents of other pooled investment vehicle clients, (ii) the 48-hour notification timeframe is too long or too short (or if a timeframe requirement should be dispensed with entirely) and (iii) the Form ADV-C should remain confidential as proposed.
Much like the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers[4] recently issued by the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation and Board of Governors of the Federal Reserve (which impose a 36-hour notification reporting requirement on affected institutions), these reporting requirements would aid the SEC in assessing and mitigating harm posed by cybersecurity incidents that may impact the financial industry more broadly. Specifically, the SEC noted in its preamble to the Proposed Rules that it aims to better identify “patterns and trends across registrants, including widespread cybersecurity incidents affecting multiple advisers and funds.”
Proposed Cybersecurity Risks and Incident Disclosure Requirements
The SEC is also proposing amendments to the narrative brochure for registered advisers known as Form ADV Part 2A and to several fund registration statements—Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6—that would increase the obligations of registered advisers and registered funds to disclose cybersecurity risks and incidents to clients and prospective clients. These disclosure requirements would supplement registered advisers and registered funds’ obligations to clients under various state data breach notification laws.
The amended Form ADV Part 2A would obligate registered advisers to articulate in “plain English” potentially material cybersecurity risks as well as their approach to assessing, prioritizing and addressing cybersecurity risks attendant to their business. The Proposed Rules also would amend Rule 204-3(b) to obligate a registered adviser to promptly deliver interim brochure amendments to existing clients if the registered adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident. Registered advisers also would have to describe in both the amended Form ADV Part 2A and fund registration statements any significant cybersecurity incidents that occurred over the prior two years. The SEC is seeking comment on whether registered funds also should be required to disclose if there has not been a significant cybersecurity incident in the last two years.
The SEC has requested comments on whether the requirement to report significant cybersecurity incidents to investors might expose registered advisers and registered funds to new cybersecurity attacks from malicious actors who might obtain the information.
Proposed Requirements for Cybersecurity Risk Management Policies and Procedures
Central to the Proposed Rules is the requirement that registered advisers and registered funds adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. Registered funds would also need to submit such policies and procedures to their boards of directors and obtain board approval. The policies and procedures would have to be reviewed annually and address all of the following areas:
Risk Assessment
Each registered adviser and registered fund would need to have procedures to perform periodic risk assessments and to document those assessments in writing. The assessments would need to:
- Categorize and prioritize cybersecurity risks based on an inventory of the components of registered advisers or registered funds’ information systems, the information residing therein, and the potential effect of a cybersecurity incident on the registered advisers or registered funds; and
- Identify the registered adviser or registered fund’s service providers that receive, maintain or process registered adviser or registered fund information, or are otherwise permitted to access registered adviser or registered fund information systems and any information residing therein, and assess the cybersecurity risks associated with the registered adviser or registered fund’s use of these service providers.
The SEC is considering whether its final rules should contain additional prescriptive requirements for these risk assessments, such as requiring the “identification and documentation of vulnerabilities and threats.”
User Security and Access
Registered advisers and registered funds’ cybersecurity policies and procedures would also have to detail controls to minimize user-related risks and prevent unauthorized access to information systems as well as information contained in those systems. These controls would include:
- Requiring standards of behavior for individuals authorized to access registered adviser or registered fund information systems and any registered adviser or registered fund information residing therein, such as an acceptable use policy;
- Identifying and authenticating individual users, including implementing authentication measures that require users to present a combination of two or more credentials for access verification (i.e., multifactor authentication);
- Establishing procedures for the timely distribution, replacement and revocation of passwords or methods of authentication;
- Restricting access to specific registered adviser or registered fund information systems or components thereof and registered adviser or registered fund information residing therein solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions on behalf of the registered adviser or registered fund; and
- Securing remote access technologies.
To best formulate the final rules’ requirements on user security and access controls, the SEC is soliciting information on the controls registered advisers currently have for mobile devices, as well as on whether it should require registered advisers and registered funds to implement specific measures to secure remote access technologies.
Information Protection Oversight
Registered advisers and registered funds’ cybersecurity policies and procedures also would need to provide for measures to monitor information systems and protect registered adviser or fund information from unauthorized access or use based on a periodic assessment of the registered adviser or fund information systems that takes into account several factors such as the sensitivity level of registered adviser or registered fund information, whether any information is personal information, and the information systems’ access controls and malware protection. Part of these measures would be provisions for oversight of service providers that possess or access registered adviser or registered fund information, including documenting service providers’ compliance with information-protection requirements in a written contract. The SEC is open to proposals as to how frequently such assessments should be undertaken, as well as input on what is current industry practice.
Threat and Vulnerability Management
The required cybersecurity policies and procedures would also have to establish measures to detect, mitigate and remediate any cybersecurity threat[5] and cybersecurity vulnerability[6] with respect to registered adviser or registered fund information systems. As demonstrated by organizations’ remediation efforts in the wake of the pervasive and dangerous Log4j vulnerability[7] discovered in November 2021, acting swiftly is critical when addressing any information system flaw. In addition to mechanisms for timely patching of vulnerabilities, effective measures, according to the SEC, might include secure system administration training for IT professionals as well as social engineering awareness training for employees and executives.
Cybersecurity Incident and Recovery
The Proposed Rules specify steps registered advisers and registered funds would need to take after cybersecurity incidents occur, and the SEC is soliciting comment on whether registered advisers and registered funds should be required to respond to cybersecurity incidents within a specific timeframe, and if so, what the appropriate period should be. In its cybersecurity policies and procedures, each registered adviser and registered fund would need to specify procedures designed to ensure:
- Continued operation of the registered adviser or registered fund;
- The protection of registered adviser or registered fund information systems and registered adviser or registered fund information residing therein;
- External and internal cybersecurity incident information sharing and communications; and
- Reporting of a significant cybersecurity incident.
All cybersecurity incidents would have to be documented in writing, including the registered adviser or registered fund’s response to and recovery from such incident.
Registered Fund Board Oversight
The Proposed Rules would require each registered fund to obtain initial approval of its cybersecurity policies and procedures from its board of directors, including a majority of the directors who are not interested persons of the fund. The SEC is soliciting comment on whether a majority of a registered fund’s independent directors should have to approve the policies and procedures, and whether registered fund board approval of certain registered fund service providers’ cybersecurity policies and procedures also should be required.
Registered Adviser and Registered Fund Annual Review
The Proposed Rules would require registered advisers and registered funds to, at least annually:
- Review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
- Prepare a written report that describes the review, the assessment and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.
The SEC is seeking comment on whether the minimum review period is too long or too short, and whether the proposed annual review would raise any specific challenges for smaller or different types of registered advisers or registered funds. The SEC also is soliciting input on whether any conflicts of interests might arise if the same registered adviser or registered fund officers who implemented the cybersecurity program also were to conduct this annual review.
The Proposed Rules would require registered advisers and registered funds to retain certain records for five years, including cybersecurity policies and procedures, annual reviews thereof, documents related to the annual review, regulatory filings related to cybersecurity incidents required under the Proposed Rules, internal records related to any cybersecurity incident, and cybersecurity risk assessments. The SEC is seeking input on whether registered advisers or registered funds would find it difficult to retain such records, and if a requirement to do so would place an undue burden on smaller registered advisers or registered funds.
Opportunity for Comment on the Proposed Rules
Given the breadth and potential impact of the requirements proposed by the SEC, the agency’s invitation for comments on multiple aspects of the Proposed Rules offers a critical opportunity for registered advisers and registered funds. Through comments on the issues the SEC has highlighted for input, as well as on other aspects of the Proposed Rules, registered advisers and registered funds may influence the formulation of the SEC’s final rules. Parties interested in assistance with submitting comments to the SEC are encouraged to contact any of this Advisory’s authors or their Arnold & Porter contact(s).
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] You can read more about the Amended Safeguards Rule in our Advisory, FTC Amends GLBA Safeguards and Privacy Rules; Proposes New Security Incident Reporting Obligations for Financial Institutions.
[3] See, e.g., New York’s data breach notification statute (NY Gen. Bus. Law § 899-aa), which requires affected organizations to notify the state Attorney General within 10 days of determination of a security breach impacting more than 500 New York residents.
[4] You can read more about this rule, which was published on November 23, 2021, in our Advisory, Federal Bank Regulators Adopt New Cybersecurity Incident Notification Rule for Banks and Their Third-Party Service Providers.
[5] “Cybersecurity threat” is defined in the Proposed Rules as any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of a registered fund or registered adviser’s information systems or any registered fund or registered adviser information residing therein.
[6] “Cybersecurity vulnerability” is defined in the Proposed Rules as a vulnerability in a registered adviser or fund’s information systems, information system security procedures or internal controls, including vulnerabilities in their design, configuration, maintenance or implementation that, if exploited, could result in a cybersecurity incident.
[7] You can read more about the Log4j vulnerability in our Advisory, Federal Agencies Sound Alarm on Widespread Log4j Cybersecurity Flaw: How Should Organizations Respond?