SEC Proposed Cybersecurity Risk Rules


Dan Campbell


  • Cybersecurity
  • SEC

The Securities and Exchange Commission (SEC) has continued to emphasize information security and operational resilience during examinations. While this attention thus far has been based on the staff guidance communicated to investment advisers, most notably in the Cybersecurity and Resiliency Observations report, the SEC voted on February 9, 2022, to propose new rules to address cybersecurity risk management for registered investment advisers and investment companies as well as related amendments to certain rules regarding adviser and fund disclosures under the Advisers Act and the IC Act.

The SEC brought forth the proposal to address multiple concerns related to cybersecurity risks to investment advisers, clients of investment advisers, private funds, and investors of private funds, specifically:

  • Industry-wide practices are not sufficiently robust to address the investor protection concerns raised by cybersecurity risk
  • The effectiveness of cybersecurity risk disclosures to advisory clients and shareholders
  • The lack of cybersecurity incident reporting requirements by advisers and funds to the SEC.

Among other requirements, the proposed rules would require all registered advisers and funds to implement reasonably designed cybersecurity policies and procedures. These could be tailored to the manager and fund, but must address:

  • A risk assessment
  • User security access
  • Information protection
  • Threat and vulnerability management
  • Cyber incident response and recovery

In addition, registered advisers and funds would be required to review the design and efficacy of their cybersecurity policies and procedures annually and prepare a written report; in the case of registered funds, the Boards of Directors would have to approve the cybersecurity policies and procedures, review the report, and provide oversight and accountability for the program. Furthermore, registered advisers would be required to report “significant” cybersecurity incidents to the SEC within 48 hours after the incident has been confirmed, although such reporting would be confidential. Finally, registered advisers and funds would be required to disclose cyber risks and incidents to investors and other market participants, and to maintain related cybersecurity books and records, including their cybersecurity policies and procedures.

Watch our on-demand webcast

Watch our on-demand webcast to find out more about the implications of these proposed rules.

This webcast will cover the proposed new requirements for:

  • Cybersecurity policy and procedure
  • Reporting of a "significant" cybersecurity incident
  • Board of Directors oversight of cyber programs

How we help

ACA Aponix® can help your firm develop, implement, and maintain the required information security program to meet the SEC's regulatory requirements. Learn more about our solutions here.

For questions about this alert, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your consultant or contact us.

Download our Hedge Fund Quarterly Update

This is just one of many insightful articles included in our Hedge Fund Quarterly Update 2022 Q1. Download the full newsletter to learn about:

  • 2022 SEC Examination Priorities Relevant to Hedge Fund Managers
  • Breaking Down the Private Fund Manager Risk Alert: What Hedge Fund CCOs Should be Considering
  • Potential Impact of the Proposed Private Fund Manager Rules on Hedge Fund Managers
  • The SEC’s Sweep Enquiries Relating to Unauthorized Electronic Communications: Key Takeaways
  • SEC Proposes Rule Amendments Regarding SPACs, Shell Companies and Projections
  • Noteworthy SEC Enforcement Cases During Q1 2022
  • SEC Proposes Rule Amendments Concerning Beneficial Ownership Reporting
  • SEC Proposes Updates to Form PF Reporting