Corporate Compliance Insights
SEC Proposes New Cybersecurity Risk Management Rules for Investment Advisers and Funds

Measures Would Mandate Certain Oversight and Recordkeeping Procedures for Boards

by Alisa Chestler and Greta Messer
February 17, 2022
in Cybersecurity, Financial Services

Kristi Blokhin, Shutterstock.


New rules proposed by the Securities and Exchange Commission could change the way advisers and funds communicate cyber risk to investors. If adopted, funds would be required to maintain records of cybersecurity policies and procedures and to report incidents within a 48-hour window, among other measures.

In a show of continued emphasis on cybersecurity enforcement from U.S. government agencies in the wake of the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity (Exec. Order No. 14028, May 12, 2021), on February 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940 (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act), aimed at enhancing the cybersecurity policies and procedures, reviews, and reporting and disclosure requirements of registered investment advisers (advisers) and investment companies (funds).

“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC Chair Gary Gensler, in a statement. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

The SEC proposed rules related to cybersecurity risk management for registered investment advisers, and registered investment companies and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures. (1/2)

— U.S. Securities and Exchange Commission (@SECGov) February 9, 2022

As currently drafted, the proposed rules include the following key requirements:

Maintenance of Cybersecurity Policies and Procedures

The proposed rules would require advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks. In order to address risks to advisory clients and fund investors, these policies and procedures would be required to address:

  1. User security and access,
  2. Information protection,
  3. Risk assessments,
  4. Threats and vulnerability management, and
  5. Incident response and recovery.

Advisers and funds would further be required to review and assess the efficacy of their policies and procedures annually, including a report on the assessments performed and any material changes to the policies and procedures.

Disclosure of Cybersecurity Risks and Incidents

Through amended forms for advisers (Form ADV Part 2A) and funds (Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6), the proposed rules would require advisers and funds to disclose to current and prospective clients any cybersecurity risks and incidents that could materially affect the advisory relationship, including, in the case of funds, a requirement to disclose cybersecurity incidents that have occurred in the fund’s past two fiscal years.

Reporting of Cybersecurity Incidents

The proposed rules would require advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund, by submitting a newly proposed Form ADV-C within 48 hours of discovering the incident. A “significant cybersecurity incident” in this context is a single cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s or fund’s ability to maintain critical operations, or that leads to the unauthorized access or use of adviser or fund information where that access or use results in: for an adviser incident, (1) substantial harm to the adviser, or (2) substantial harm to a client, or to an investor in a private fund, whose information was accessed; or, for a fund incident, substantial harm to the fund or to an investor whose information was accessed.

Recordkeeping

Under the proposed rules, advisers and funds would be required to maintain, for a period of five years:

  1. Copies of cybersecurity policies and procedures,
  2. Copies of annual reviews thereof,
  3. Documentation related to such annual reviews,
  4. Regulatory filings related to cybersecurity incidents,
  5. Documentation of cybersecurity incidents, and
  6. Cybersecurity risk assessments.

Board Oversight

The proposed rules would require particular cybersecurity oversight activities to be performed by a fund’s board, including a requirement to approve the fund’s initial cybersecurity policies and procedures, as well as a requirement to review the annual report reviewing such policies and procedures.

Next Steps

With the growing threat of malicious cyber actors who pose a risk of harm to both advisory clients and fund investors, the SEC has proposed these more direct cybersecurity requirements with the aim of supporting the agency’s goals of protecting investors and maintaining orderly markets. Although a final rule may vary from the current proposal, advisers and funds should be prepared to review their current cybersecurity practices and consider how they will implement stricter policy, review and reporting requirements in the near future.

Likewise, in evaluating confidence in any new or existing investment relationship, advisory clients and fund investors should consider how such investment managers are acting to protect them against increasing technological risks in the market. These proposed rules may be the first of several cybersecurity requirements for entities subject to SEC regulation.

The proposed rules are currently open to public comment through the later of April 11, 2022 or 30 days following publication of the proposed regulations in the Federal Register.


Alisa Chestler and Greta Messer

Alisa Chestler, a shareholder in Baker Donelson’s Nashville and Washington, D.C. offices and chair of the firm’s Data Protection, Privacy and Cybersecurity Team, concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters. She can be reached at achestler@bakerdonelson.com.

Greta Messer is an associate in Baker Donelson’s Nashville office and focuses her practice on commercial transactions and assists in the development of platform agreements, terms of use, and compliance policies related to client privacy, cybersecurity, and information practices. She can be reached at gmesser@bakerdonelson.com.
