On February 9, 2022, the Securities and Exchange Commission (SEC) proposed a series of new cybersecurity risk management, reporting, and recordkeeping requirements for registered investment advisers and funds designed to enhance the Investment Advisers Act of 1940 and the Investment Company Act of 1940.
The rule stems from the regulator’s recognition of the increasing frequency of cybersecurity breaches and their impact on investor confidence:
In addition to providing clients and investors with additional cybersecurity-related information about advisers and funds, we expect the proposed amendments to increase investors’ confidence in the operational resiliency of advisers and funds and safety of their investments held through those firms.
The threat landscape for investment advisers and investment companies has grown more complex due to their dependency on technology and technology suppliers for critical business operations. Because of the volume of sensitive, non-public information maintained by funds and advisers, both are enticing targets for malicious cyber actors.
In light of the increased reliance on technology by funds and advisers (and the correspondingly expanded opportunities for malicious cyber actors), the SEC, in its request for comments on the proposed rules, cites “underinvestment” in cybersecurity safeguards by smaller organizations as one of the motivating factors for the new requirements. The SEC expects the rules to ensure that funds and advisers allocate a minimum baseline of effort toward cybersecurity, and notes that they could help “level the competitive playing field for funds and advisers by simplifying prospective investors’ and clients’ decision making.”
The proposed rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act can be broken down into two broad categories: 1) a requirement to implement a comprehensive cybersecurity risk management program, and 2) cyber incident reporting and disclosure obligations.