Significant Proposals for Cybersecurity Risk Rules in the Financial Industry
On February 9, 2022, the U.S. Securities and Exchange Commission (SEC) voted to propose new rules to address cybersecurity risk management for registered investment advisers and investment companies as well as related amendments to certain rules regarding adviser and fund disclosures under the Investment Advisers Act of 1940 and the Investment Company Act of 1940.
The SEC brought forth the proposal to address multiple concerns related to cybersecurity risks to investment advisers, clients of investment advisers, private funds, and investors of private funds. These concerns are:
- Industry-wide cybersecurity practices are not sufficiently robust to address the investor protection concerns raised by cybersecurity risk
- The effectiveness of cybersecurity risk disclosures to advisory clients and shareholders
- The lack of cybersecurity incident reporting requirements by advisers and funds to the SEC
The proposed rules are highlighted below:
- All registered advisers and funds are required to implement reasonably designed cybersecurity policies and procedures. These can be tailored to the advisers and funds, but must address:
  - A risk assessment
  - User security access
  - Information protection
  - Threat and vulnerability management
  - Cyber incident response and recovery
- Registered advisers and funds are required to review the design and efficacy of their cybersecurity policies and procedures annually and prepare a written report
- Registered funds' Boards of Directors must approve the cybersecurity policies and procedures, review the report, and have oversight and provide accountability for the program
- Registered advisers must report “significant” cybersecurity incidents to the SEC within 48 hours after the incident has been confirmed. Reporting will be confidential.
- Registered advisers and funds must disclose cyber risks and incidents to investors and other market participants
- Registered advisers and funds must maintain cybersecurity books and records
The proposals were approved by the SEC with a 3-1 vote. The SEC is still working on finalizing a rule. The public comment period will remain open for 60 days following the publication of the proposed release on the SEC’s website or 30 days following the publication of the proposed release in the Federal Register, whichever period is longer. Once the period is over, the SEC will consider the public comments in their final rule.
How we help
ACA Aponix® can help your firm develop, implement, and maintain the required information security program to meet the SEC's regulatory requirements. Learn more about our solutions here.
For questions about this alert, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your consultant or contact us.