SEC proposes cybersecurity risk management rules and amendments
On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that because “an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds.” She added that “[a]bsent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”
Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. Advisers would also be required to file a confidential report for a significant cybersecurity incident to the SEC on a new form. Additionally, advisers and funds must also publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years “that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients in their brochures and registration statements.” Advisers and funds would be required to comply with new cybersecurity-related recordkeeping requirements to assist SEC inspection and enforcement capabilities. Comments on the proposal are due 60 days following publication on the SEC’s website or 30 days after publication in the Federal Register, whichever period is longer.