SEC Proposes Cybersecurity Management Rules for Investment Advisers and Funds

Published On - March 10, 2022

admin IT Risk Management, Regulations, Vendor Risk Management
LinkedIn


Complete Source of information : https://www.klgates.com/SEC-Proposes-Cybersecurity-Risk-Management-Rules-for-Investment-Advisers-and-Funds-3-9-2022.

All Language quoted and attributed to the article

On 9 February 2022, the U.S. Securities and Exchange Commission (the SEC) proposed new rules and amendments to existing rules (together, the Proposed Rules) addressing cybersecurity risk management under the Investment Advisers Act of 1940, as amended (the Advisers Act) and the Investment Company Act of 1940, as amended (the 1940 Act). 

The Proposed Rules would apply to investment advisers that are registered or required to be registered with the SEC (advisers) and registered investment companies and closed-end companies that elect to be treated as business development companies under the 1940 Act (BDCs, and, together with registered investment companies, registered funds) and would require:

  • Policies and Procedures – Advisers and registered funds to adopt and implement written policies and procedures, including specific enumerated elements, reasonably designed to address cybersecurity risks
  • Reporting – Advisers to report certain cybersecurity incidents to the SEC on new Form ADV-C within 48 hours, including on behalf of any registered funds or private funds that experience such incidents
  • Disclosure – Advisers and registered funds to disclose cybersecurity risks and incidents in their disclosure documents

In addition, the SEC proposed corresponding amendments to certain recordkeeping rules that would obligate advisers and registered funds to maintain for five years copies of cybersecurity policies, reports of annual reviews, Form ADV-C filings, incident records, and risk assessments.

Although  the Proposed Rules apply specifically to registered funds and advisers that are registered or required to be registered with the SEC, private funds, non-U.S. investment funds and other investment products managed by such advisers will be indirectly impacted by the implementation of the compliance, reporting and disclosure requirements being applied to their advisers.

Cybersecurity Risk Management Policies and Procedures

  • The Proposed Rules would require advisers and registered funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks based on an ongoing analysis of specific elements.
  • Proposed new Rule 206(4)-9 under the Advisers Act and proposed new Rule 38a-2 under the 1940 Act would require advisers to registered funds, separately managed accounts, and private funds (e.g., hedge funds), and registered funds, respectively, to adopt and implement policies and procedures reasonably designed to address “cybersecurity risks” (the Proposed Risk Management Rules). The Proposed Risk Management Rules would define a “cybersecurity risk” as the “financial, operational, legal, reputational, and other adverse consequences that could stem from cybersecurity incidents, threats, and vulnerabilities.”

The Proposing Release notes that reasonably designed cybersecurity policies and procedures should indicate

  • Which groups, positions, or individuals (whether in-house or third-party) are responsible for implementing and administering the policies and procedures
  • Communicating incidents internally
  • Making decisions with respect to reporting to the SEC and disclosing to clients and investors certain incidents.

Such policies and procedures must also be reasonably designed to protect against any anticipated threats or hazards, unauthorized access to, or use of customer records or information that could result in substantial harm or inconvenience to any customer.

a. Required Elements

The Proposed Risk Management Rules identify certain “core” areas that would be required when adopting, implementing, reassessing, and updating cybersecurity policies and procedures:

Risk Assessment

Advisers and registered funds would be required “periodically” to assess, categorize, prioritize, and draft written documentation of the cybersecurity risks associated with their information systems and the information residing therein in light of the firm’s particular operations.

The Proposed Risk Management Rules would require advisers and registered funds to review their cybersecurity policies and procedures no less frequently than annually and reassess and reprioritize their cybersecurity risks periodically as changes that affect these risks occur, rather than at specified intervals. Such changes might include internal changes relating to the online nature of the business or external changes driven by the evolution of cybersecurity threats.

This may imply that the SEC intends for this assessment to occur on a more frequent real-time basis dependent on the adviser’s or registered fund’s specific circumstances. The Proposing Release notes international operations, insider threats, or remote/travelling employees as examples of the different risks that may arise from a firm’s specific operations.

Specifically, when conducting this assessment, an adviser or registered fund would need to:

  • Categorize and prioritize cybersecurity risks based on an inventory of their information systems, the information they contain, and the potential effect of a cybersecurity event on the adviser or registered fund; and
  • Identify those of their service providers that receive, maintain, or process adviser or registered fund information or that are permitted to access their information systems.

In addition, the proposed rule would require written documentation of any risk assessment.

User Security and Access

Advisers and registered funds would be required to implement controls designed to minimize user-related risks and prevent the unauthorized access to information and systems. Specifically, policies and procedures must:

  • Require standards of behavior for individuals authorized to access adviser or registered fund information systems and any adviser or registered fund information residing therein, such as an acceptable use policy
  • Identify and authenticate individual users, including by implementing authentication measures that require users to present a combination of two or more credentials for access verification
  • Establish procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication 
  • Restrict access to specific adviser or registered fund information systems or components thereof and adviser or registered fund information residing therein solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions on behalf of the adviser or registered fund
  • Secure remote access technologies used to interface with adviser or registered fund information systems.

In implementing the proposed controls, the Proposing Release notes that advisers and registered funds should consider what measures are necessary for clients and investors—not just their own adviser or registered fund personnel—that have access to information systems and information. 

The Proposing Release notes as an example that an adviser or registered fund may implement measures that monitor unauthorized login attempts, account lockouts, and the handling of customer requests (e.g., username and password changes). It also notes that advisers and registered funds should also consider their practices with respect to securing remote network access and teleworking when defining the network perimeter and take into account the types of technology through which its users access adviser or registered fund information systems (e.g., mobile devices or personal or employer-owned equipment).

Information Protection

Advisers and registered funds would be required to monitor information systems and protect information from unauthorized access or use based on a “periodic” assessment of the advisers’ or registered funds’ systems and the information residing therein to determine what methods to implement to prevent unauthorized access or use of the data. These assessments should consider:

  • The sensitivity level and importance of adviser or registered fund information to its business operations 
  • Whether any adviser or registered fund information is personal information
  • Where and how adviser or registered fund information is accessed, stored, and transmitted, including the monitoring of information in transmission
  • Information system access controls and malware protection
  • The potential effect of a cybersecurity incident including the ability to continue providing investment advice or, with respect to a registered fund, the ability to continue providing services 

This element would also require advisers and registered funds to oversee any service providers that receive, maintain, or process adviser or registered fund information or are otherwise permitted to access their information systems and any information residing therein.

In identifying cybersecurity risks, an adviser or registered fund should consider the service provider’s cybersecurity practices, including whether any systems used have the resiliency and capacity to process transactions in an accurate, timely, and efficient manner and their capability to protect information and systems.

This could require advisers and registered funds to amend numerous existing contracts to modernize or add terms relating to cybersecurity, information protection, and business continuity and could potentially extend liability for service provider cybersecurity incidents to advisers and registered funds that have not adequately engaged in this required oversight.

Threat and Vulnerability Management

Advisers and registered funds would be required to have measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to their information and systems.

 The Proposed Risk Management Rules would define a “cybersecurity threat” as “any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of [an adviser’s or a registered fund’s] information systems or any [adviser or registered fund] information residing therein.” 

A “cybersecurity vulnerability” is proposed to be defined as “a vulnerability in [an adviser’s or a registered fund’s] information systems, information system security procedures, or internal controls, including vulnerabilities in their design, maintenance, or implementation that, if exploited, could result in a cybersecurity incident

In implementing this element, the Proposing Release notes that advisers and registered funds should monitor vulnerabilities on an ongoing basis,

  • By conducting network, system, and application vulnerability reviews
  • Considering new threat and vulnerability information from industry and government sources

The Proposing Release also notes that advisers and registered funds should

  • Adopt policies and procedures that establish accountability for handling vulnerability reports
  • Establish processes for intake, assignment, escalation, remediation, and remediation testing
  • Consider role-specific cybersecurity threat and vulnerability response training

Cybersecurity Incident Response and Recovery

Advisers and registered funds would be required to have measures to detect, respond to, and recover from a cybersecurity incident, including policies and procedures reasonably designed to ensure: 

  • Continued operations of the adviser or registered fund;
  • Protection of adviser or registered fund information systems and the adviser or registered fund information residing therein
  • External and internal cybersecurity incident information sharing and communications; and
  • Reporting of significant cybersecurity incidents to the SEC.

As described in the Proposing Release, incident response plans should designate personnel to perform specific roles in the case of a cybersecurity incident and have a clear escalation protocol to ensure that senior officers, and for a registered fund, the board, receive necessary information regarding cybersecurity incidents on a timely basis.

In connection with this element, the SEC is requesting comment on whether advisers and registered funds should be required to respond to cybersecurity incidents within a specific timeframe.

b. Annual Reviews and Written Reports

The Proposed Risk Management Rules would also require advisers and registered funds to, at least annually:

  • Review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risks over the time period covered by the review  
  • Prepare a written report that, at a minimum, describes the annual review, assessment, and any control tests performed; explains the results thereof;
  • Documents any cybersecurity incidents that occurred since the date of the last report
  • Discusses any material changes to the policies and procedures since the date of the last report.

c. Registered Fund Board Oversight

Registered fund boards would be required to actively engage in the oversight of a registered fund’s cybersecurity policies and procedures.

Proposed Rule 38a-2 would require a registered fund’s board of directors/trustees (directors), including a majority of its independent directors, to initially approve the registered fund’s cybersecurity policies and procedures and review the written report on cybersecurity incidents and any material changes to the registered fund’s cybersecurity policies and procedures described above. 

The Proposing Release states:

  • These requirements are designed both to facilitate the board’s oversight of the [registered] fund’s cybersecurity program and provide accountability for the administration of the program.
  • These requirements also would be consistent with a board’s duty to oversee other aspects of the management and operations of a [registered] fund.
  • Board oversight should not be a passive activity, and the requirements for the board to initially approve the [registered] fund’s cybersecurity policies and procedures and thereafter to review the required written reports are designed to assist directors in understanding a [registered] fund’s cybersecurity risk management policies and procedures, as well as the risks they are designed to address
  • Board should consider whether, based on the registered fund’s operations, the level of the board’s oversight over the registered fund’s service providers with regard to cybersecurity is appropriate

Although the Proposing Release does not connect a board’s oversight of cybersecurity risk management to the annual review of an advisory contract under Section 15(c) of the 1940 Act, a registered fund’s Board may consider whether to expand information requests relating to cybersecurity, business continuity, and disaster recovery as part of the Section 15(c) process in light of the Proposed Rules. Directors may also determine to oversee cybersecurity in a manner consistent with compliance program reviews performed pursuant to Rule 38a-1 of the 1940 Act

Reporting Significant Cybersecurity Incidents to SEC

The Proposed Rules define “significant cybersecurity incidents” for advisers and funds that would need to be reported to the SEC.

Under proposed Rule 204-6 of the Advisers Act, advisers would be required to report significant cybersecurity incidents to the SEC on new Form ADV-C, including on behalf of any registered funds and private funds (defined as issuers that would be investment companies as defined in the 1940 Act but for Section 3(c)(1) or 3(c)(7) of the 1940 Act) that experience such incidents.

The reports would have to be made promptly but in no event later than 48 hours after having a reasonable basis to conclude that a “significant adviser cybersecurity incident” or “significant fund cybersecurity incident” has occurred or is occurring.

 The new Form ADV-C would gather information regarding

  • The nature and scope of the incident (e.g., actions to recover and whether information was stolen, altered, or accessed)
  • Whether shareholders/clients or law enforcement were notified
  • Whether the incident is covered under a cybersecurity insurance policy

 The term “significant adviser cybersecurity incident” would mean a cybersecurity incident or group thereof that

  • Significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations
  • Leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in substantial harm to the adviser, or substantial harm to a client, or an investor in a private fund, whose information was accessed.

Although the Proposed Rules do not define the term “substantial harm,” the Proposing Release indicates that

  • Significant monetary loss
  • Theft of intellectual property
  • Theft of personally identifiable or proprietary information of personnel, directors, clients or investors
  • Disruptions to critical operations, such as the ability to implement investment strategies, process or record transactions, or communicate with clients or investors, would be some examples of substantial harm.

The Proposing Release also notes that the SEC views critical operations as including investment, trading, reporting, and risk management of an adviser or fund, as well as operating in accordance with the Federal securities laws.

Proposed new Form ADV-C would be a structured check-the-box and fill-in-the-blank format and include both general and specific questions related to the significant cybersecurity incident.

Although the Proposed Rules would require certain cybersecurity-related disclosures (as described below), the Form ADV-C reports would not be publicly available.

Rather, they are intended to help the SEC monitor and evaluate the effects of a cybersecurity incident on an adviser or fund and its clients and investors and potentially market-wide events.

However, in a request for comment, the SEC asked whether it should require public disclosure of some or all of the information included in Form ADV-C in a final rule.

In connection with this reporting requirement, the SEC has requested comment on, among other things, whether it should exclude incidents that affect private fund clients or registered funds; whether advisers should be required to report on significant cybersecurity incidents affecting additional investment products, such as pooled investment vehicles that rely on the exemption from the definition of “investment company” in Section 3(c)(5)(C) of the 1940 Act; and whether advisers should also account for “inconvenience” in the definition of significant adviser and fund cybersecurity incidents (which would arguably expand the reporting requirement).

Disclosure of Cybersecurity Risks and Incidents

a. Requirements for Advisers

Advisers would be required to disclose in their Form ADV Part 2A brochures certain material cybersecurity risks and certain cybersecurity incidents that occurred within the last two fiscal year that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients

In providing these disclosures, advisers would be required to

  • Identify the entity or entities affected
  • When the incidents were discovered and whether they are ongoing
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
  • The effect of the incident on the adviser’s operations
  • Whether the adviser or service provider has remediated or is currently remediating the incident.

The SEC believes that such information would allow investors to make more informed decisions when deciding whether to initially engage – or remain with – an adviser.

Notably, although advisers are only currently required to deliver to existing clients interim brochure amendments in certain limited circumstances, the proposed rule amendments would require an adviser to deliver such amendments “promptly” if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed about such an incident

b. Requirements for Registered Funds 

Registered Funds will be required to disclose any principal cybersecurity risks and significant fund cybersecurity incidents that occurred in the last two fiscal years, as well as whether a significant fund cybersecurity incident has or is currently affecting the registered fund or its service providers.

Under the Proposed Rules, registered funds would also be required to provide prospective and current investors with disclosure about significant cybersecurity incidents.

The Proposed Rules include amendments to registered funds’ registration statement forms (e.g., Form N-1A, Form N-2) that would require a description

  • of any significant fund cybersecurity incident that has occurred in its last two fiscal years
  • Whether a significant fund cybersecurity incident has or is currently affecting the registered fund or its service providers.

The Proposing Release notes that a registered fund should also consider cybersecurity risk disclosure, and whether such disclosure should be included in its prospectus as a principal risk of investing in the registered fund.

In addition, the Proposing Release states that registered funds should generally include in their annual reports to shareholders

A discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent that these were factors that materially affected performance of the registered fund during the past fiscal year. 

Record Keeping

Under the Proposed Rules,

  • An adviser would be required to maintain for a prescribed period of time copies of the proposed new cybersecurity policies and procedures that are in effect (or at any time within the past five years were in effect)
  • The adviser’s written report documenting the annual review of its cybersecurity policies and procedures, any Form ADV-C filed by the adviser in the last five years
  • Records documenting the occurrence of any cybersecurity incident (including any records related to any response and recovery from such an incident) in the last five years
  • Records documenting the adviser’s cybersecurity risk assessment in the last five years.
  • A registered fund would be required to maintain for a prescribed period of time copies of its cybersecurity policies and procedures that are in effect (or at any time within the last five years were in effect)
  • Written reports provided to its board
  • Records documenting the registered fund’s annual review of its cybersecurity policies and procedures
  • Any report of a significant fund cybersecurity incident provided to the SEC by its adviser
  • Records documenting the occurrence of any cybersecurity incident (including any records related to any response and recovery from such an incident)
  • Records documenting the registered fund’s cybersecurity risk assessment.