Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period

Following a corresponding announcement earlier this month, the U.S. Securities and Exchange Commission, SEC, has now published in the Federal Register its notice on the re-opening of the comment period on its consultation concerning the management and disclosure of cyber security risks and incidents of investment funds and their managers (advisers).
To recall, in its corresponding consultation the Commission sought to enhance the awareness of and the management of cyber security risks and to ensure that investors are adequately informed of any such risk and incidents. Therefore, the SEC proposed to implement some new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 to
– require both fund management companies and fund advisers (managers) to develop, maintain, and regularly review cyber security policies and procedures;
– require fund advisers to report „significant“ security incidents on new Form ADV-C;
– require fund management companies and their advisers to disclose in fund prospectuses and related marketing material all „significant“ incidents that have occurred in the past two years; and
– require both advisers and fund management companies to maintain records of „significant“ cyber security incidents for a minimum of five years.
For more details on the requirements, please refer to EventID #14450.