Cybersecurity Risk Management
WHAT HAPPENED?
On February 9th, 2022, the SEC announced its proposed rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act (collectively, the “proposed cybersecurity risk management rules”). The proposed cybersecurity risk management rules codify the requirement for advisers to maintain comprehensive cybersecurity policies and procedures and adhere to certain disclosure and recordkeeping requirements, further described below.
Risk Assessment
Advisers must assess the risk of their firm and document the assessment at least annually or more if necessary to reflect changes in risk or firm business practices. Annual risk assessments should include categorization and prioritization of risks.
Policies and Procedures
Currently, advisers are required to follow Regulation S-ID, which is aimed at preventing and detecting identity theft, and Regulation S-P, also known as the “safeguards rule,” which establishes standards for protecting client information. The proposed cybersecurity risk management rules significantly increase the current standards. While the proposed cybersecurity risk management rules permit advisers to design policies and procedures to fit the needs of the particular firm, certain core elements must be included if the proposed cybersecurity risk management rules are adopted as proposed.
Disclosing Cybersecurity Risks and Reporting of Significant Cybersecurity Incidents
The proposed cybersecurity risk management rules would require Advisers to disclose cybersecurity risks and incidents in Form ADV Part 2A. A reporting requirement under the proposed cybersecurity risk management rules would require advisers to report significant cybersecurity incidents to the Commission via a new Form ADV-C. This new requirement and Form ADV-C would allow the Commission to monitor cybersecurity incidents and evaluate potential systemic risks.
Recordkeeping
Rule 204-2 under the Advisers Act currently lists requirements regarding maintaining, making, and retaining books and records related to an adviser’s investment advisory business. The proposed amendments would change Rule 204-2 and require advisers to maintain records related to the proposed cybersecurity risk management rules and occurrence of cybersecurity incidents.
Rule 38a-2 under the Investment Company Act would require a fund to maintain copies of its cybersecurity policies and procedures and other related records detailed under the proposed rule.
WHAT DOES THIS MEAN FOR ME?
Advisers and funds should consider what changes would be necessary to comply with the SEC’s proposed cybersecurity risk management rules. Fairview Cyber will be working closely with its clients to prepare for any necessary updates.
If your business requires assistance interpreting these proposed cybersecurity risk management rules, adopting adequate cybersecurity policies and procedures, or is seeking further guidance on cybersecurity issues, Fairview Cyber can help. Contact us today for more information about our services.