SEC Cybersecurity Rule 206(4)-9 Expected to Be Finalized in April 2023

Publish Date


Cyber Alert

  • Cybersecurity
  • Cybersecurity Resources
  • SEC

The U.S. Securities and Exchange Commission (SEC) is expected to finalize proposed cybersecurity Rule 206(4)-9 for investment advisers and private funds in April according to the recently released SEC 2023 regulatory agenda.

Originally proposed in February 2022, the rule is designed to “promote a more comprehensive framework to address cybersecurity risks for advisers and funds”, including their ability to effectively respond and recover from a cyber incident, while also strengthening investors’ confidence in the security of their investments.

In its current form, the draft rule establishes new and unprecedented requirements for firms’ cybersecurity programs, including a mandatory 48-hour incident reporting requirement, annual risk assessments, disclosure of cyber risk and incidents to investors, as well as recordkeeping requirements. More details on the proposed cyber rule requirements are detailed in our information sheet here.

To date, it is unclear what, if any, changes the SEC will make to the proposed rule, but regardless of changes, Rule 206(4)-9 is expected to pose significant implications to investment adviser and private fund cybersecurity programs moving forward.

How we help

In the coming months, ACA Aponix will be drawing on its regulatory expertise to help firms prepare for and respond to the new cybersecurity rule by hosting a series of webcasts as well as publishing playbooks and FAQs on the specific rule requirements. To learn more about the upcoming cybersecurity rule, as well as other regulations on the horizon, join us for the upcoming 2023 Regulatory Outlook webcast on January 24th at 11am EST.

In addition, our expert consultants can help your firm develop, implement, and maintain the required information security program to meet the SEC’s regulatory requirements. Learn more about our solutions or contact us here.

Contact Us