Regulatory Update: Part One - Cybersecurity — COMPLIDYNAMICS, APC
REGULATORY CHANGES ARE IN THE AIR - PART ONE!

We are only in the second month of the new year and regulators have already been quite active. On February 9, 2022, the SEC released proposed rules for RIAs covering two areas: cybersecurity, and private fund advisers.

1) Cybersecurity:

  • SEC Proposed Rules (new rules and amendments under the Investment Advisers Act of 1940 and the Investment Company Act of 1940) - Highlights of the proposed requirements:

    • Cybersecurity Risk Management Policies & Procedures ("Cyber P&P")

      • Cyber P&P must be tailored to the adviser's business operations and reasonably designed to address its cybersecurity risks

        • General Elements:

          • Periodic cyber risk assessment, including the following:

            • Categorize and prioritize cybersecurity risks based on an inventory of the components of the adviser's information systems, the information residing on those systems, and the potential effect of a cybersecurity incident on the adviser and its funds;

            • Identify the service providers that receive, maintain, or process adviser or fund information, and the risks associated with those providers; and

            • Written documentation of the risk assessment.

          • User Security and Access

            • Acceptable use policy for individuals authorized to access adviser or fund information systems;

            • Identifying and authenticating individual users, including some form of multi-factor authentication;

            • Password handling and usage;

            • Restricting each user's access to the systems and information necessary to perform that user's duties on behalf of the adviser; and

            • Securing remote access technologies used to interface with adviser or fund information systems.

          • Information Protection

            • Monitor information systems and protect information from unauthorized access or use, based on the periodic risk assessment.

          • Threat and Vulnerability Management

            • Detect, mitigate and remediate cyber threats and vulnerabilities relating to the adviser's information systems.

          • Cybersecurity Incident Response and Recovery

            • Continued operations of the fund or adviser;

            • Protection of adviser information systems and fund or adviser information maintained on the systems;

            • External and internal cybersecurity incident information sharing and communications; and

            • Reporting of significant cybersecurity incidents to the SEC.

          • Annual review of the Cyber P&P, with a written report assessing the effectiveness of the cyber compliance program.

          • The proposed rules would define covered information broadly (both personal data and other information related to the adviser's business).

    • Reporting of Significant Cybersecurity Incidents to the SEC

      • Report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting the new Form ADV-C (a confidential filing). Under the proposal, the report would be due promptly, and in no event more than 48 hours, after the adviser has a reasonable basis to conclude that a significant incident has occurred or is occurring.

        • Form ADV-C includes both general and specific questions about the significant cybersecurity incident (nature and scope of the incident, including whether any disclosure has been made to clients and/or investors);

        • Amend a previously filed Form ADV-C promptly, and in no event more than 48 hours, after any of the following:

          • Previously reported information becomes materially inaccurate;

          • New information is discovered about a previously reported incident; or

          • A previously reported incident is resolved, or an internal investigation related to a previously disclosed incident is closed.

    • Disclosure of Cybersecurity Risks and Incidents

      • Amend Form ADV Part 2A to require narrative disclosure of cybersecurity risks and incidents to an adviser's clients and prospective clients, including funds (current and prospective investors)

        • ADV Part 2A - A new Item 20 will be added to the brochure, covering:

        • How the adviser assesses, prioritizes, and addresses cybersecurity risks; and

        • Any significant adviser or fund cybersecurity incidents that occurred in the past two fiscal years.

    • Recordkeeping Requirements

      • Maintain certain records related to the Cyber P&P and the occurrence of cybersecurity incidents.

2) Private Fund Advisers; Documentation of RIA Annual Compliance Reviews

Next up: SEC Proposed Rules for Private Funds (to be continued) - Part Two!