The SEC on February 9, 2022, proposed a series of new cybersecurity risk management, reporting, and recordkeeping requirements for registered investment advisers and funds.
SEC Chair Gary Gensler supported the proposal along with Commissioners Allison Herren Lee and Caroline Crenshaw, while Commissioner Hester Peirce dissented.
The SEC issued the proposal in Release No. 33-11028, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. Comments are due 60 days following publication of the proposal on the SEC’s website, or 30 days following publication in the Federal Register, whichever is longer.
“Cybersecurity incidents can lead to significant financial, operational, legal, and reputational harm for advisers and funds. More importantly, they can lead to investor harm,” Gensler said in a statement. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
The proposal establishes new Rule 206(4)-9 under the Investment Advisers Act of 1940 and Rule 38a-2 under the Investment Company Act of 1940 dealing with cyber risk management. Under those rules, advisers and funds would need to adopt written cybersecurity policies and procedures “reasonably designed to address cybersecurity risks,” according to the proposal in Release No. 33-11028. Those policies and procedures should generally be tailored to the nature and scope of an adviser’s or fund’s business operations and cyber risks.
Rule 206(4)-9 would apply to advisers “to separately managed accounts and pooled investment vehicles, both private and offered to the public,” according to the proposal, while Rule 38a-2 would apply to mutual funds, exchange-traded funds (ETFs), unit investment trusts, registered closed-end funds, and business development companies (BDCs).
Funds and advisers would be subject to new recordkeeping requirements on those policies and procedures, as well as on cyber incidents and other information.
Also under the proposal, advisers would need to report major cybersecurity incidents confidentially to the SEC under new rule 204-6. Both funds and advisers would be required to make new disclosures to current and prospective investors and clients on cyber incidents.
Peirce couched her dissent, in part, in the argument that the rules would inappropriately punish the victims of hacks.
“No investment adviser or investment company wants to have its system hacked, its data stolen and exploited, or its investors’ funds stolen,” she said in a statement. “Most firms are investing substantial resources in defense against breaches. We should stand ready to assist advisers and funds in the fight against cyberattackers.”
Added Peirce: “Absent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”
She also questioned why the commission was using its antifraud authority instead of other authorities under the Advisers Act, which “does not make sense for a generic compliance rule.”
Cybersecurity, she said, is one area that “demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal. A cybersecurity rule that is styled as a cudgel will not facilitate such cooperation.”
This article originally appeared in the February 11, 2022 edition of Accounting & Compliance Alert, available on Checkpoint.
Subscribe to our Checkpoint Daily Newsstand email to get all the latest tax, accounting, and audit news delivered to your inbox each weekday. It’s free!