On February 9, 2022, the Securities and Exchange Commission (the "SEC" or the "Commission") voted 3-1 to propose rules related to cybersecurity risk management for registered investment advisers ("investment advisers"), and registered investment companies and business development companies ("funds"), as well as amendments to certain rules that govern adviser and fund disclosures (the "Proposal").1 The Proposal is the latest in a series of actions taken by the SEC and its staff focusing on cybersecurity risk management, most recently including two Risk Alerts issued in 2020 by the Division of Examinations (formerly known as the Office of Compliance Inspections and Examinations or OCIE)2 and a series of SEC enforcement actions, which resulted in a total of $750,000 in civil money penalties for failure to secure personal investor information.3  

At the Commission's open meeting in connection with the Proposal, SEC Chair Gary Gensler commented that "[t]he proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks." The Proposal would require: (i) investment advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; (ii) investment advisers to report significant cybersecurity incidents, including those affecting clients that are funds, to the SEC on proposed Form ADV-C; and (iii) investment advisers and funds to provide clients and investors with disclosure related to cybersecurity risks and incidents. As discussed below, however, the Proposal provides only vague guidance to affected firms as to how they should go about implementing its complicated provisions while seeming to disregard well-established cybersecurity standards and frameworks.

Current Regulatory Framework

The SEC generally has viewed investment advisers' obligations relating to cybersecurity through the lens of an adviser's fiduciary duty to clients, which derives in part from Section 206 of the Investment Advisers Act of 1940 (the "Advisers Act"). Thus, investment advisers, as fiduciaries, are required to act in the best interest of their clients at all times.4 Investment advisers owe their clients a duty of care and a duty of loyalty.

In addition to these general principles, the SEC has adopted a number of rules that are used indirectly to address cybersecurity concerns associated with investment advisers and funds. For example, Rule 206(4)-7 under the Advisers Act requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. Since cybersecurity incidents could create significant operational disruptions and losses to clients and investors, investment advisers often consider the cybersecurity risks created by their particular circumstances when developing their compliance policies and procedures.

Similarly, Rule 38a-1 under the Investment Company Act of 1940 (the "Investment Company Act") requires funds to adopt and implement written policies and procedures reasonably designed to prevent violations of the Federal securities laws by the fund. Funds often take into account any specific cybersecurity risks they face when developing their compliance policies and procedures required by Rule 38a-1 under the Investment Company Act.

Regulation S-P, adopted in 2000 and amended in 2004, addresses cybersecurity concerns relating to personal financial information of certain advisory clients and fund investors by requiring investment advisers and funds to, among other things, adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.5 These policies and procedures must be reasonably designed to protect the security and confidentiality of customer records and information against (i) any anticipated threats or hazards, and (ii) unauthorized access to, or use of, customer records or information that could result in a substantial harm or inconvenience to any customer.

In addition, Regulation S-ID requires certain investment advisers and funds to develop and implement a written identity theft program.6 A Regulation S-ID program must, among other things, include reasonable policies and procedures to identify and detect relevant red flags, as well as respond appropriately to red flags so as to prevent and mitigate identity theft.

Implications of the Proposal

Separate from its specifics, the broader potential implications of the Proposal, if it were adopted as proposed, are significant. The Proposal generally takes a step in the right direction to improve cybersecurity for investment advisers and funds. However, despite vague references to existing cybersecurity standards and frameworks,7 the Proposal appears to depart both from current financial services cybersecurity regulation and from existing standards and frameworks. Many investment advisers and funds have already adopted such standards, which are prevalent in the cybersecurity industry.8 It is puzzling that the SEC does not even reference the Financial Services Sector Coordinating Council ("FSSCC") Cybersecurity Profile—a cybersecurity framework that references SEC, Federal Reserve Board, Commodity Futures Trading Commission and international regulations and guidance (the "FSSCC Framework"). The FSSCC Framework maps these regulatory requirements and guidance to widely used standards. It was developed over the course of two years by a consortium of financial services stakeholders that included the SEC.9

To view the full article click here

Footnotes

1. See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Exchange Act of 1934 (the "Exchange Act") Release No. 94197 (Feb. 9, 2022), available here (the "Proposing Release").

2. See Cybersecurity: Safeguarding Accounts against Credential Compromise, OCIE Risk Alert (Sept. 15, 2020), available here; Cybersecurity: Ransomware Alert, OCIE Risk Alert (July 10, 2020), available here.

3. See In the Matter of Cetera Advisor Networks LLC, Exchange Act Release No. 92800 (Aug. 30, 2021), available here; In the Matter of Cambridge Investment Research, Inc., Exchange Act Release No. 92806 (Aug. 30, 2021), available here; In the Matter of KMS Financial Services, Inc., Exchange Act Release No. 92807 (Aug. 30, 2021), available here.

4. See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180, 194 (1963); see also Commission Interpretation Regarding Standard of Conduct for Investment Advisers, Advisers Act Release No. 5248 (June 5, 2019), available here.

5. See 17 C.F.R. 248.30(a); Disposal of Consumer Report Information, Exchange Act Release No. 50781 (Dec. 2, 2004), available here; Privacy of Consumer Financial Information ("Regulation S-P"), Exchange Act Release No. 42974 (Nov. 13, 2000), available here.

6. See 17 C.F.R. 248.201; Identity Theft Red Flags Rules, Exchange Act Release No. 34-69359 (May 20, 2013), available here.

7. See, e.g., Proposing Release at n.24 (noting that funds and advisers "may" wish to consult such resources).

8. Examples of widely used cybersecurity standards include the ISO/IEC 27000:2018 Family of Standards ("ISO 27000"); the National Institute of Standards and Technology ("NIST") Special Publication 800-53 Rev. 5 ("NIST 800-53"); and COBIT 2019 from ISACA.

9. The current FSSCC Framework is available here.

Originally published 18 February 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.