To better protect fund information, the Securities and Exchange Commission (SEC) recently proposed cybersecurity rules for registered fund advisers and registered investment companies. The proposed updates under the Investment Advisers Act of 1940 would require a minimum set of cyber risk management practices for registered advisers and funds, plus additional disclosure and reporting requirements for those that experience an information security incident.
Because many private equity and venture capital firms are registered advisers, the proposal could change the cybersecurity practices those firms are expected to have in place. The following is what your firm needs to know about the proposed requirements.
Sound cybersecurity management often starts with the same question: how does the organization know if its information security approach addresses cybersecurity risks? The short answer is a current risk assessment.
A risk assessment process is built into the proposed cybersecurity requirements for fund advisers. Specifically, registered advisers would need to demonstrate that they periodically assess, categorize, prioritize, and document the risks facing their information systems. They would also need to identify the information their service providers handle and the cybersecurity risks those providers pose, since a vendor with access to fund data is part of the adviser's attack surface.
To demonstrate that a risk assessment has been conducted, advisers would need a written report of it. The SEC recommends that the assessment be documented at least annually, or more frequently when changes to business practices, systems, or service providers warrant it.
Policies & Procedures
The guidance for a registered adviser's written cybersecurity policies and procedures is purposefully broad. In its proposed rules, the SEC acknowledged that advisers need room to tailor an approach that fits their own risk profile, business practices, and organizational structure. The proposal does not, for example, prohibit the use of third-party resources to help design and implement appropriate cybersecurity strategies.
The proposal does, however, spell out certain elements that a registered adviser's cybersecurity policies and procedures would need to address.
Reporting of Significant Cybersecurity Incidents
Under the proposed rules, registered advisers would be required to report significant cybersecurity incidents to the SEC on a proposed Form ADV-C no later than 48 hours after the adviser has a reasonable basis to conclude that a significant incident has occurred or is occurring. Note that the clock starts at that determination, not at the end of the investigation. The form would describe the nature of the incident and the scope of the attack, and it would have to be amended if subsequent investigation uncovered new or materially different information.
Registered advisers and funds would also be required to disclose information about their cybersecurity risks and prior incidents in their disclosure documents. By adding structure and specific requirements to cybersecurity-related disclosures, the SEC aims to make cybersecurity risk, and accountability for managing it, more transparent to investors.
What Comes Next
The SEC is accepting public comments on the proposed rules. For more information about how your fund could prepare for the additional cybersecurity risk management and reporting requirements, contact a member of our team.
Published on May 24, 2022
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.