Close Close
ThinkAdvisor

Regulation and Compliance > Federal Regulation > SEC

SEC Outlines Cyber Rules, New Form for Advisors

X
Your article was successfully shared with the contacts you provided.

What You Need to Know

  • Advisors would have to report significant cybersecurity incidents to the SEC on a new proposed Form ADV-C.
  • Proposed rules would require advisors and funds to adopt and implement written cybersecurity policies and procedures.

In a first for the agency, the Securities and Exchange Commission on Wednesday proposed rules requiring advisors to adopt written policies and procedures that address cybersecurity risks, as well as to report “significant cybersecurity incidents” to the SEC on a new proposed Form ADV-C.

The SEC’s plan also aims to enhance advisor and fund disclosures related to cybersecurity risks and incidents, while requiring advisors and funds to maintain, make and retain certain cybersecurity-related books and records.

“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC Chairman Gary Gensler during the open meeting.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” Gensler explained.

The proposed rules would require advisors and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors, the agency said.

The plans would require advisors to report “significant cybersecurity incidents” affecting the advisor, its funds or private fund clients to the Commission on a new “confidential” Form ADV-C.

Advisers and funds would also be asked to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.

The SEC plans for its proposal to be published on SEC.gov and in the Federal Register soon. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer.