The U.S. Securities and Exchange Commission (SEC) has published a press release announcing that it is re-opening the comment period on its consultation concerning the management and disclosure of cyber security risks and incidents by investment funds and their managers (advisers).
To recall, in that consultation the Commission sought to improve awareness and management of cyber security risks and to ensure that investors are adequately informed of such risks and of any incidents. To that end, the SEC proposed new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 covering the following four areas, largely reproduced from our original publication in EventID 14450:
(1) Cyber security risk management rules: The Commission proposed new rules requiring both fund management companies and fund advisers (managers) to adopt, maintain and regularly review written cyber security policies and procedures. Those policies and procedures would have to address, among other things, the fund's and adviser's own information systems, the systems of third-party service providers, user access controls, standards of behaviour for users of the IT systems, information and data protection, and recovery plans.
(2) Cyber security incident reporting: The SEC proposed to require fund advisers to report "significant" cyber security incidents on a new Form ADV-C. The form would be treated as confidential and would require information on the incident itself (date and time of occurrence, nature of the incident, systems involved, etc.), its actual or potential effects, the steps taken to mitigate those effects, and whether investors or law enforcement agencies have been notified, among other details.
(3) Cyber security disclosures: The Commission proposed to require fund management companies and their advisers to disclose in fund prospectuses and related marketing material all "significant" incidents that have occurred in the past two years. The disclosures would have to include the name of the affected firm and, as the proposal puts it, "when the incident was discovered and whether it is ongoing; whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; the effect of the incident on the Fund's operations; and whether the Fund or service provider has remediated or is currently remediating the incident."
The disclosures would have to be filed in a structured data format. To accommodate them, the SEC proposed to amend Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 and, for fund advisers, Form ADV Part 2A.
(4) Recordkeeping: The Commission proposed to amend existing rules under both Acts to require advisers and fund management companies to retain records relating to "significant" cyber security incidents for at least five years, with the records kept in an easily accessible place for the first two years. The records would comprise copies of all documentation concerning such incidents, from the forms filed with the SEC, to the cyber security policies and procedures themselves, to the records of the annual reviews of those policies and procedures.
The summary above only outlines the proposed changes; please consult the original proposing release for the full details.
