SEC Proposes Buy-Side Cybersecurity Rules

The SEC proposed  cybersecurity risk management and reporting requirements that would be applicable to registered investment advisers, registered investment companies and business development companies. The SEC also proposed amendments to certain rules that govern investment adviser and fund disclosures.

The proposed requirements are meant to (i) address concerns relating to advisers and funds' cybersecurity preparedness and to reduce cyber risk, (ii) improve adviser and fund disclosures, and (iii) improve the Commission's ability to assess systemic risks resulting from cyber incidents.

The proposed rules would require:

• advisers and funds to adopt and implement written policies reasonably designed to address cybersecurity risks;
• advisers to report significant cybersecurity incidents to the SEC on proposed form ADV-C; and
• advisers and funds to create cybersecurity-related books and records.

The proposal also expands adviser and fund disclosures relating to cybersecurity risks and incidents.

Commissioner Statements

SEC Chair Gensler supported the proposed rules and amendments stating that "[t]he proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."

SEC Commissioner Caroline A. Crenshaw supported the proposed rules and amendments stating that "robust cyber hygiene practices are critical, both to safeguard investor money entrusted to firms and advisers and to guard against market-wide instability." She noted the importance of investors having relevant information with regard to cybersecurity in order to inform their investment decisions, and commented that "[the] proposal would require advisers and funds to tell investors about the cybersecurity risks they anticipate, how they would handle those threats, and the nature and scope of any significant cybersecurity incidents that occurred in the past two years."

SEC Commissioner Allison Herren Lee supported the proposed rules and amendments, noting that they include important investor protections designed to address cybersecurity risks in a comprehensive way. She further stated that "our efforts today acknowledge that cybersecurity threats can have a profound impact on the financial system, and establish the groundwork for a more collective and collaborative approach among a variety of parties including the adviser, the fund board, and others."

Commissioner Hester M. Peirce opposed the rules and amendments, suggesting cybersecurity prescriptions could be an easy hook for enforcement even if a firm makes reasonable efforts to comply with the requirements. She further stated that the proposed rules and amendments are not grounded in the correct section of the Investment Adviser's Act, stating, "[c]entral to my opposition to the investment adviser rule proposal is that we have chosen to ground it in Section 206, the Investment Adviser Act's anti-fraud provision. Just as we regrettably did in 2003 when we established a general compliance rule for registered advisers, we cite Section 206(4) as the authority allowing us to impose cybersecurity policies and procedures. This approach does not make sense."

Primary Sources

1. SEC Press Release: SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds
2. SEC-Proposed Rule: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
3. SEC Cybersecurity Risk Management Fact Sheet
4. SEC Commissioner Allison Herren Lee's Statement of Support
5. SEC Commissioner Caroline A. Crenshaw's Statement of Support
6. SEC Chair Gary Gensler's Statement of Support
7. SEC Commissioner Hester M. Peirce Statement of Dissent

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.