What You Need to Know
- Advisors would have to report significant cybersecurity incidents to the SEC on a new proposed Form ADV-C.
- Proposed rules would require advisors and funds to adopt and implement written cybersecurity policies and procedures.
In a first for the agency, the Securities and Exchange Commission on Wednesday proposed rules requiring advisors to adopt written policies and procedures that address cybersecurity risks, as well as to report “significant cybersecurity incidents” to the SEC on a new proposed Form ADV-C.
The SEC’s plan also aims to enhance advisor and fund disclosures related to cybersecurity risks and incidents, while requiring advisors and funds to maintain, make and retain certain cybersecurity-related books and records.
“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC Chairman Gary Gensler during the open meeting.
“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” Gensler explained.