Executive Summary
In February 2022, the U.S. Securities and Exchange Commission published a proposed rule that, if adopted as proposed, would have significant impacts on registered investment advisers, registered investment companies and business development companies.
The proposal would require registered investment advisers to:
- adopt and implement (and review at least annually) written cyber security policies and procedures reasonably designed to address cyber security risks, which would be required to cover several specific elements, including:
  - risk assessment;
  - user security and access;
  - information protection;
  - cyber security threat and vulnerability management; and
  - cyber security incident response and recovery;
- report significant cyber security incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly proposed Form ADV-C no later than 48 hours after having a reasonable basis to conclude that an incident has occurred or is occurring;
- make enhanced disclosures in Form ADV Part 2A related to cyber security risks and incidents; and
- make, maintain and retain certain cyber security-related books and records.
The proposal would require registered investment companies and business development companies to:
- adopt and implement (and review at least annually) written cyber security policies and procedures;
- make enhanced disclosures in the registration statement related to cyber security risks and incidents;
- obtain approval of the cyber security policies and procedures from the board of directors, and have the board review the written report on cyber security incidents and material changes to the cyber security policies and procedures; and
- make, maintain and retain certain cyber security-related books and records.
If you would like to read more about the requirements under this proposal, you can access our February 15, 2022 summary of the proposal.
Please contact James Delaney with any questions regarding this proposal.
James Delaney
Managing Director, Asset Management Regulation, AIMA
Potential impacts
If these changes are adopted as proposed, they will present the following practical implications for advisers and funds:
- Implement a cyber security policy, including for areas such as risk assessments, user and access controls, information protection, threat and vulnerability management, incident response and recovery.
- Produce an annual report describing the review assessment of the cyber security policy and any control tests performed, document any cyber incident that occurred since the last annual report, and discuss any material changes to the policy since the last annual report.
- Require a fund’s board, including a majority of its independent directors, to approve the fund’s cyber security policy and also consider what level of oversight of the fund’s service providers is appropriate with respect to cyber security.
- Keep records relating to the cyber security policy, the occurrence of cyber security incidents, and the fund's or adviser's cyber security risk assessment, among other records.
- Advisers must report significant cyber security incidents to the SEC within 48 hours and provide the SEC with substantive information about the nature and scope of the incident being reported.
- Require advisers and funds to disclose cyber security risks and incidents to their investors and other market participants.
Timeline
AIMA has categorized this proposal as Medium Priority/Medium Impact; it is therefore shown in mid-dark blue in the AIMA Regulatory Horizon Scan Gantt chart.
| Milestone | Date | Status |
|---|---|---|
| Estimated compliance date [3] | September 23, 2024 | **New** |
| Estimated effective date [2] | September 23, 2024 | **New** |
| Estimated publication date [1] | July 24, 2024 | **New** |
| Extended comment deadline | May 23, 2023 | |
| SEC re-opened comment period | March 15, 2023 | |
| Comment deadline | April 11, 2022 | |
| AIMA response to proposal filed | April 11, 2022 | |
| AIMA request for extension submitted | March 3, 2022 | |
| AIMA summary for members published | February 15, 2022 | |
| Proposal published by SEC | February 9, 2022 | |
[1] Subject to change. We have estimated an adoption date based on the number of outstanding Division of Investment Management proposals scheduled for completion in the first half of 2024 according to the SEC's Fall 2023 Regulatory Flexibility Agenda. As the weeks pass, these dates will shift and become more compressed until either the first half of 2024 has passed or new information becomes available. Of course, this is only an estimate and may move forward or backward as actual matters develop and as the SEC's priorities change. The estimate has been provided solely to allow people to visualize the potential overlaps in compliance burdens for multiple pending rules at the same time.
[2] Subject to change. The effective date has been estimated as 60 days following publication. Note that for this purpose we have assumed the SEC's publication date and the Federal Register publication date are identical for ease of calculation. This will not be the case, but the actual time between (i) the SEC approval and publication on the SEC website and (ii) the official Federal Register publication is an unknowable period ranging from a few days to several weeks depending on multiple non-transparent variables. This means that in the end the actual effective date, and therefore the actual compliance date, will always be later than the estimate even if the SEC approval date estimate is correct.
[3] Subject to change. The compliance date has been estimated as the same day as the estimated effective date, based on the proposal's total lack of commentary on transition/compliance periods. We hope the compliance period will be longer but do not have a basis for even a conservative estimate beyond the effective date.
Future AIMA Work