Executive Summary
In February 2022, the U.S. Securities and Exchange Commission published a proposed rule that, if adopted as proposed, will have significant impacts for registered investment advisers, registered investment companies and business development companies.
The proposal would require registered investment advisers to:
- adopt and implement (and review at least annually) written cyber security policies and procedures reasonably designed to address cyber security risks, which would be required to cover several specific elements, including:
- risk assessment;
- user security and access;
- information protection;
- cyber security threat and vulnerability management; and
- cyber security incident response and recovery;
- report significant cyber security incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly-proposed Form ADV-C no later than 48 hours after having a reasonable basis to conclude that an incident occurred/is occurring;
- make enhanced disclosures in Form ADV Part 2A related to cyber security risks and incidents; and
- maintain, make and retain certain cyber security-related books and records.
The proposal would require registered investment companies and business development companies to:
- adopt and implement (and review at least annually) written cyber security policies and procedures;
- make enhanced disclosures in the registration statement related to cyber security risks and incidents;
- seek approval of boards of directors on the cyber security policies and procedures, as well as to review the written report on cyber security incidents and material changes to the cyber security policies and procedures; and
- maintain, make and retain certain cyber security-related books and records.
If you would like to read more about the requirements under this proposal, you can access our February 15, 2022 summary of the proposal.
This rule proposal was formally withdrawn by the SEC on June 12, 2025. If the SEC wants to proceed with a rule in this area in the future, it will publish a new proposing release.
Please contact James Delaney with any questions regarding this proposal.
-
![James Delaney [273x154].jpg](https://www.aima.org/static/625e9fb9-44f6-4298-9e3d67433e4a908b/forewordteammember_80b0dbf3d3f0c9d3e58a379104f7efa7/James-Delaney-273x154.jpg)
James Delaney
Managing Director, Asset Management Regulation
Timeline
| Rule proposal formally withdrawn by the SEC | June 12, 2025 | **New** |
| Further joint trades comment letter filed | July 9, 2024 | |
| AIMA letter to SEC re reporting alignment with Form PF | May 9, 2024 | |
| Extended comment deadline | May 23, 2023 | |
| SEC re-opened comment period | March 15, 2023 | |
| Comment deadline | April 11, 2022 | |
| AIMA response to proposal filed | April 11, 2022 | |
| AIMA request for extension submitted | March 3, 2022 | |
| AIMA summary for members published | February 15, 2022 | |
| Proposal published by SEC | February 9, 2022 |