SEC Proposes Expansive New Cyber Risk Management Rules for Investment Advisers and Funds

February 22, 2022

On February 9, 2022, the Securities and Exchange Commission proposed expansive new rules addressing cybersecurity risk management for registered investment advisers (“advisers”) and investment companies (“funds”). The proposal includes a new rule 206(4)-9 under the Investment Advisers Act of 1940 and a new rule 38a-2 under the Investment Company Act of 1940, as well as amendments to other rules governing adviser and fund disclosures. The proposed cybersecurity rules go far beyond Regulation S-P’s and S-ID’s focus on customer records and identity theft by including a new obligation for advisers to report[1] significant cyber incidents to the SEC within 48 hours, and requiring advisers and funds to comprehensively assess, mitigate,[2] and disclose cyber risk[3] in a manner that formalizes and builds upon the SEC’s prior guidance,[4] examination activity,[5] and enforcement actions.[6] Highlights of the proposed cyber risk management rules include:

1. 48-Hour Reporting Requirement: Advisers must report to the SEC within 48 hours of the occurrence of any cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s or its fund’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or that leads to the unauthorized access or use of the adviser’s or its fund’s information, where the unauthorized access or use of such information results in (a) substantial harm to the adviser or its fund, or (b) substantial harm to a client, or an investor whose information was accessed.

2. Comprehensive Cybersecurity Risk Management Program: The proposed rules require advisers and funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks, including policies and procedures to:

Assess Risk: Periodically assess, categorize, prioritize, and document cybersecurity risks, including risks from the use of service providers.[7]

Secure User Access: Implement policies for acceptable use of devices, multifactor authentication, password controls, need-to-know access, secure remote access, and secure mobile device access, as well as corresponding user training.

Protect Information:

  • Monitor and protect information systems based on data sensitivity and type, system use, and available malware protection (e.g., through encryption or network segmentation).
  • Implement and document oversight of service providers, including with appropriate contracts and diligence.

Manage Vulnerabilities: Detect, mitigate, and remediate any cyber threats and vulnerabilities.

Respond and Recover from Incidents: Detect, respond to, and recover from a cybersecurity incident, including by complying with obligations to report breaches.

Annual Review: At least annually, review and prepare a report of cyber incidents and material changes. For funds, the review must include a board review of initially adopted policies and procedures and an annual report.

Recordkeeping: Retain records for five years of policies and procedures, cyber incident reports, and reviews and assessments.

3. Disclosures: The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.

The period for public comment on the proposed rules will remain open for 60 days from the date the SEC published the rules on its website or 30 days from the publication of the proposed rules in the Federal Register, whichever is later. We are continuing to digest the SEC’s voluminous proposal and will provide further guidance and information as it becomes available.

[1] Rule 204-6.

[2] Rules 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act.

[3] Amendments to Form ADV for advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds.

[4] Cybersecurity Guidance, No. 2015-02 (April 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf

[5] Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https://www.sec.gov/news/press-release/2021-169; Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.

[6] See, e.g., SEC Announces Three Actions Charging Cybersecurity Procedures, No. 2021-169 (Aug. 30, 2021), available at https://www.sec.gov/news/press-release/2021-169.

[7] Requirement covers systems that process any electronic information related to the adviser/fund’s business, including any personal information, defined to include any information that can be used, alone or in conjunction with any other information, to identify an individual. For advisers, personal information also includes any other non-public information regarding a client’s account.