Print
E-MailAdam Fee, Antonia M. Apps, and George S. Canellos are partners at Milbank LLP. This post is based on a Milbank memorandum by Mr. Fee, Ms. Apps, Mr. Canellos, Sean M. Murphy, Joel Harrison, and Matthew Laroche.
On February 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for registered advisers and funds. [1] The proposal reflects the first SEC rules specifically addressing cybersecurity programs and reporting.
Most notably, the rules would impose a rapid reporting requirement when advisers face serious cyberattacks. Advisers would have to report any “significant cybersecurity incident” within 48 hours of its discovery by confidentially filing a proposed new Form ADV-C.
The reporting requirement would be triggered if (1) a cyberattack “significantly disrupts or degrades” the ability of an adviser or its private fund clients to “maintain critical operations,” or (2) the attack results in unauthorized access to “adviser information” or “fund information” resulting in “substantial harm” to the adviser, its clients, a fund, or investors. The proposed rule offers specific examples of “significant cybersecurity incidents,” including a malware attack that shuts down an adviser’s “websites or email functions” or a system breach that impedes a fund’s ability to “conduct its business” or results in the “theft of fund information.”
The 48-hour clock begins to tick as soon as an adviser has a “reasonable basis to conclude” that a significant incident has or is occurring. Certainty is not the standard. The proposed rules make clear that advisers must not wait until they “definitively conclude[] that an incident has occurred or is occurring.”
Beyond the 48-hour reporting requirement, the proposed rules would impose other novel cybersecurity requirements on advisers and funds, including:
- Form ADV would be amended to require advisers to publicly disclose detailed information concerning significant cybersecurity incidents that occurred within the prior two years and any “material” cybersecurity risks, and funds would be required to make similar disclosures to their prospective and current investors.
- Advisers and funds would be required to adopt and implement cybersecurity policies and procedures containing risk assessments, controls addressing user-related risks and unauthorized access to information and systems, cybersecurity incident response and recovery, and other elements.
- New recordkeeping requirements would compel advisers and funds to maintain records relating to cybersecurity incident responses and related materials.
If adopted, these proposed rules would reflect the most detailed and onerous cybersecurity-related requirements imposed on advisers and funds at the national level. They would require many covered entities to overhaul their procedures for managing and addressing cybersecurity risks, and dramatically increase the prospect of SEC enforcement actions for noncompliance with the proposed rules.
While many viewed the pronouncement of cyber-specific rules as long overdue, this proposal reflects an especially aggressive approach by the SEC. We anticipate significant industry pushback on the breadth of the proposed rules during the public comment period, which will be the longer of either 60 days from February 9, 2022, or 30 days after publication of the proposal in the Federal Register.
Endnotes
1The SEC simultaneously published the Proposed Rules (Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies), along with a fact sheet (Cybersecurity Risk Management Fact Sheet) and press release (Press Release SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds).(go back)
