4 Ways SEC’s New Proposed Rules Put Cybersecurity Front and Center

In its most focused and significant response to cyber threats in nearly 20 years, the Securities and Exchange Commission released on Feb. 9 proposed new rules regarding cybersecurity risk management, risk disclosures and reporting. My partner Trina Glass spoke to me about the impact that Rule 206(4)-9 under the Investment Advisers Act of 1940 and Rule 38-2 under the Investment Company Act of 1940 could have on the advisory industry. 

The intent of the proposed rules is to address the SEC’s concerns regarding advisors’ and funds’ cybersecurity preparedness, reduce cybersecurity-related risks to clients and investors, improve advisor and fund disclosures about cybersecurity risks and incidents, and enhance the SEC’s ability to assess systemic risks, Glass explained.

Specifically, the proposed Cybersecurity Risk Management Rules would:

• Require advisors and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.

Advisors would be required to conduct — and document in writing — periodic assessments of their cybersecurity risks and its information systems. This would need to include identification of third-party service providers that receive, maintain and process advisor or fund information or its information systems.

They would also have to include draft information of security policies and procedures reasonably designed to (1) minimize and monitor user-related risks and prevent unauthorized access, (2) include measures to detect, mitigate and remediate cybersecurity threats and vulnerability, and (3) include measures to detect, respond to and recover from a cybersecurity incident. 

At least annually, advisors and funds would need to review and evaluate the design and effectiveness of their cybersecurity policies and procedures in response to new and changing cyber threats and technologies and to amend them as appropriate.

• Require advisors to report significant cybersecurity incidents to the SEC on proposed Form ADV-C, with similar reporting for funds. 

The submission of these confidential reports would allow the SEC to monitor and evaluate the effects of a cybersecurity incident on an advisor, a fund or its clients and determine whether the incident creates any potential systemic risks.

• Enhance advisor and fund disclosures related to cybersecurity risks and incidents. 

The proposed rules would amend advisor and fund disclosure requirements. Specifically, Form ADV Part 2A would require disclosure of cybersecurity risks and incidents to the advisor’s clients and prospective clients. Funds would be required to provide prospective and current investors a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in the fund’s registration statements. 

• Require advisors and funds to maintain, make and retain certain cybersecurity-related books and records. 

Rule 204-2 under the Advisers Act would also be amended to require advisors to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents, and Proposed Rule 38-2 would require funds to maintain copies of its cybersecurity policies and procedures and other related records. 

Bottom line: The SEC expects advisors and funds to implement information security controls designed to prevent interruptions to mission-critical services, protect investor information, records and assets, and ensure business continuity.

That would mean that advisors and funds would have to devote the necessary time, money and expertise to enhance their cybersecurity programs, as the proposed rules would require advisors and funds to protect more data and ensure that all of their information systems are adequately protected and captured by a comprehensive risk management process. This includes data shared with and accessed by third-party service providers.

Rule 206(4)-9 has its roots in the anti-fraud provision of the Advisers Act, which is typically applied broadly by the SEC in enforcement actions and would likely lead to significant fines. The comment period on the proposed rules ended on April 11 with significant pushback from the industry. Regardless, most advisors and funds will need to make substantial changes to their cybersecurity program and should begin working with legal counsel to consider the potential application of the proposed rules to their current cybersecurity practices and oversight.

Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at tgiachetti@stark-stark.com.