SEC Proposes Expansive New Cyber Risk Management Rules for Investment Advisers and Funds

February.22.2022

On February 9, 2022, the Securities and Exchange Commission proposed expansive new rules addressing cybersecurity risk management for registered investment advisers (“advisers”) and investment companies (“funds”). The proposal includes a new rule 206(4)-9 under the Investment Advisers Act of 1940 and a new rule 38a-2 under the Investment Company Act of 1940, as well as amendments to other rules governing adviser and fund disclosures. The proposed cybersecurity rules go far beyond Regulation S-P’s and S-ID’s focus on customer records and identity theft by including a new obligation for advisers to report^[1] significant cyber incidents to the SEC within 48 hours, and requiring advisers and funds to comprehensively assess, mitigate,^[2] and disclose cyber risk^[3] in a manner that formalizes and builds upon the SEC’s prior guidance,^[4] examination activity,^[5] and enforcement actions.^[6] Highlights of the proposed cyber risk management rules include:

1. 48-Hour Reporting Requirement: Advisers must report to the SEC within 48 hours of the occurrence of any cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s or its fund’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or that leads to the unauthorized access or use of the adviser’s or its fund’s information, where the unauthorized access or use of such information results in (a) substantial harm to the adviser or its fund, or (b) substantial harm to a client, or an investor whose information was accessed.

2. Comprehensive Cybersecurity Risk Management Program: The proposed rules require advisers and funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks, including policies and procedures to:

Assess Risk: Periodically assess, categorize, prioritize, and document cybersecurity risks, including risks from the use of service providers.^[7]

Secure User Access: Implement policies for acceptable use of devices, multifactor authentication, password controls, need-to-know access, secure remote access, and secure mobile device access, as well as corresponding user training.

Protect Information:

Monitor and protect information systems based on data sensitivity and type, system use, and available malware protection (e.g., through encryption or network segmentation).
Implement and document oversight of service providers, including with appropriate contracts and diligence.

Manage Vulnerabilities: Detect, mitigate, and remediate any cyber threats and vulnerabilities.

Respond and Recover from Incidents: Detect, respond to, and recover from a cybersecurity incident, including by complying with obligations to report breaches.

Annual Review: At least annually, review and prepare a report of cyber incidents and material changes. For funds, the review must include a board review of initially adopted policies and procedures and an annual report.

Recordkeeping: Retain records for five years of policies and procedures, cyber incident reports, and reviews and assessments.

3. Disclosures: The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.

The period for public comment on the proposed rules will remain open for 60 days from the data the SEC published the rules on its website or 30 days from the publication of the proposed rules in the Federal Register, whichever is later. We are continuing to digest the SEC’s voluminous proposal and will provide further guidance and information as it becomes available.

^[1] Rule 204-6.

^[2] Rules 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act.

^[3] Amendments to Form ADV for advisers and Forms N-1A, N-2, N-3, N-4M N-6, N-8B-2, and S-6 for funds.

^[4] Cybersecurity Guidance, No. 2015-02 (April 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf

^[5] Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https://www.sec.gov/news/press-release/2021-169; Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.

^[6] See, e.g., SEC Announces Three Actions Charging Cybersecurity Procedures, No. 2021-169 (Aug. 30, 2021), available at https://www.sec.gov/news/press-release/2021-169.

^[7] Requirement covers systems that process any electronic information related to the adviser/fund’s business, including any personal information, defined to include any information that can be used, alone or in conjunction with any other information, to identify an individual. For advisers, personal information also includes any other non-public information regarding a client’s account.

Authors

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Kathryn Boyle Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Boston

See my bio

D:+1 617 880 1800
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kathryn Boyle Managing Associate

Boston

Katy assists clients in their data breach investigations and cybersecurity incident response, including advising clients on data breach notification responsibilities and providing strategic advice on how to manage cybersecurity risks. She advises on enhancing existing privacy and information security policies and procedures, such as online privacy notices.

Her work includes counseling on compliance with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) for day-to-day business operations and the development of new products.

Katy graduated from Boston College Law School. During that time, she externed in the Data Privacy & Security Unit at the Massachusetts Attorney General’s Office where she supported consumer protection enforcement actions. She also interned with The Future of Privacy Forum and in-house with a leading cloud-based software company.

SEC Proposes Expansive New Cyber Risk Management Rules for Investment Advisers and Funds

Also of Interest

The SEC’s Proposed New Cybersecurity Disclosure Requirements: ABS...

The SEC's Proposed New Cybersecurity Disclosure Requirements for...

SEC Cybersecurity Disclosure Rules: Top Takeaways and Action Items...