SEC Proposes Cyber Rules for Registered Fund Advisors

In a move to protect fund information, the Securities and Exchange Commission (SEC) recently proposed cybersecurity rules for registered fund advisors and investment companies. The updates to the Investment Advisers Act of 1940 would require a minimum set of cyber risk management protocols for registered funds and additional disclosure requirements for funds that experience an information security incident.

It could have an effect on the cybersecurity protocols in place in private equity and venture capital firms. The following is what your firm needs to know about the proposed requirements.

Risk Assessments

Sound cybersecurity management often starts with the same question: how does the organization know if its information security approach addresses cybersecurity risks? The short answer is a current risk assessment.

A risk assessment process is baked into the proposed cybersecurity requirements for fund advisors. Specifically, registered fund advisors will need to demonstrate that they periodically assess, categorize, prioritize, and document the risks facing their information systems. They will also need to know the information being handled by service providers and the cybersecurity risks posed by those service providers.

To demonstrate a risk assessment has been conducted, fund advisors will need a written report of the risk assessment. The SEC recommends that this risk assessment be documented at least annually unless a more frequent interval is appropriate based on changes to business practices.

Policies & Procedures

The guidance provided for a registered fund advisor’s written cybersecurity policies is purposefully broad. In its proposed rules, the SEC acknowledged that fund advisors need to have the room to tailor an approach that makes the most sense for the unique risk profile, business practices, and organizational structure. It does not, for example, prohibit the use of third-party resources to help design and implement appropriate cybersecurity strategies.

It does spell out certain characteristics that the registered advisor’s cybersecurity policies and procedures would need to have.

Reporting of Major Cybersecurity Incidents

Under the proposed rules, registered fund advisors would be required to report significant cybersecurity incidents to the SEC via a proposed Form ADV-C no later than 48 hours after the information security incident has been confirmed. The form would be updated if subsequent investigation uncovered new information and included information about the nature of the incident and the scope of the attack.

 

Disclosure Requirements

Registered fund advisors would also be required to disclose information about the fund’s cybersecurity risks and incidents. By providing more structure and requirements to cybersecurity-related disclosures, the SEC aims to increase information security risk and accountability transparency.

What Comes Next

The SEC is accepting comments on the proposed rule change. For more information about how your fund could prepare for additional cybersecurity reporting requirements, contact a member of our team.

Published on May 24, 2022