Proposed SEC Cyber Rules Mean New Demands for Asset Managers

By Michael Patanella, Derek Han, Maxim Kovalsky and Swapnanjan Chatterjee of Grant Thornton

The rule stems from the regulator’s recognition of the increasing frequency of cybersecurity breaches and their impact on investor confidence:

In addition to providing clients and investors with additional cybersecurity-related information about advisers and funds, we expect the proposed amendments to increase investors’ confidence in the operational resiliency of advisers and funds and safety of their investments held through those firms.

The threat landscape for investment advisers and investment companies has grown more complex due to their dependency on technology and technology suppliers for critical business operations. Because of the amount of sensitive, non-public information that funds and advisors maintain, both are enticing targets for malicious cyber actors.

In light of the increased reliance on technology by funds and advisors (and thereby expanded opportunities for malicious cyber actors), the SEC, in its request for comments on the proposed rules, cites “underinvestment” in cybersecurity safeguards by smaller organizations as one of the motivating factors for the new requirements. The SEC expects the rules to ensure that funds and advisors allocate a minimum baseline of effort toward cybersecurity, and says they could help “level the competitive playing field for funds and advisers by simplifying prospective investors’ and clients’ decision making.”