On February 9, 2022, the SEC announced proposed rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. The proposed rule is available here.
The SEC’s fact sheet on the proposed rule notes that the proposal would:
- Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
- Require advisers to report significant cybersecurity incidents to the Commission on proposed Form ADV-C;
- Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
- Require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records.
In the economic analysis section of the proposal, the SEC discusses existing rules and regulations involving cybersecurity that are applicable to investment companies or investment advisors. The proposal notes that advisers, as fiduciaries, have a fiduciary obligation that includes “taking steps to minimize cybersecurity risks that could lead to significant business disruptions or a loss or misuse of client data.” If further notes that “the Advisers Act compliance rule requires advisers to consider their fiduciary and regulatory obligations and formulate policies and procedures to address them.” The Advisers Act does not include specific cybersecurity requirements, but the SEC has previously stated that advisers should consider factors that create risk for their firm and clients and then design policies and procedures to militate those risks. Other SEC rules that implicate cybersecurity include the Investment Company Act’s compliance rule, which requires that a fund adopt and implement written policies and procedures in order to prevent violations of federal securities laws. Further rules implicating cybersecurity include Regulation S-P and Regulation S-ID. Some registrants may also be subject to the FTC’s recently amended Safeguards Rule.
Comments are due thirty days after publication in the Federal Register or April 11, 2022, whichever is later. Comments can be submitted via the SEC’s internet comment form, by mail, or via email. The comments will be available on the SEC’s website.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.