Executive Summary
In February 2022, the U.S. Securities and Exchange Commission published a proposed rule that, if adopted as proposed, will have significant impacts for registered investment advisers, registered investment companies and business development companies.
The proposal would require registered investment advisers to:
- adopt and implement (and review at least annually) written cyber security policies and procedures reasonably designed to address cyber security risks, which would be required to cover several specific elements, including:
  - risk assessment;
  - user security and access;
  - information protection;
  - cyber security threat and vulnerability management; and
  - cyber security incident response and recovery;
- report significant cyber security incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly-proposed Form ADV-C no later than 48 hours after having a reasonable basis to conclude that an incident occurred/is occurring;
- make enhanced disclosures in Form ADV Part 2A related to cyber security risks and incidents; and
- maintain, make and retain certain cyber security-related books and records.
The proposal would require registered investment companies and business development companies to:
- adopt and implement (and review at least annually) written cyber security policies and procedures;
- make enhanced disclosures in the registration statement related to cyber security risks and incidents;
- seek approval from boards of directors of the cyber security policies and procedures, and have boards review the written report on cyber security incidents and material changes to the cyber security policies and procedures; and
- maintain, make and retain certain cyber security-related books and records.
If you would like to read more about the requirements under this proposal, you can access our February 15, 2022 summary of the proposal.
Please contact James Delaney with any questions regarding this proposal.
James Delaney
Managing Director, Asset Management Regulation
Potential impacts
If these changes are adopted as proposed, they will present the following practical implications for advisers and funds:
- Implement a cyber security policy, including for areas such as risk assessments, user and access controls, information protection, threat and vulnerability management, incident response and recovery.
- Produce an annual report describing the review and assessment of the cyber security policy and any control tests performed, document any cyber incident that occurred since the last annual report, and discuss any material changes to the policy since the last annual report.
- Require a fund’s board, including a majority of its independent directors, to approve the fund’s cyber security policy and also consider what level of oversight of the fund’s service providers is appropriate with respect to cyber security.
- Keep records on the cyber security policy, the occurrence of cyber security incidents, records documenting a fund’s or adviser’s cyber security risk assessment, etc.
- Have advisers report significant cyber security incidents to the SEC within 48 hours and provide the SEC with substantive information about the nature and scope of the incident being reported.
- Require advisers and funds to disclose cyber security risks and incidents to their investors and other market participants.
Timeline
AIMA has categorized this proposal as Medium Priority/Medium Impact, and it is therefore represented in mid-dark blue in the AIMA Regulatory Horizon Scan Gantt chart.
| Event | Date | Note |
| --- | --- | --- |
| Estimated Compliance Date | No estimate | **New** |
| Estimated Effective Date | No estimate | **New** |
| Estimated Publication Date | No estimate | **New** |
| Further joint trades comment letter filed | July 9, 2024 | |
| AIMA letter to SEC re reporting alignment with Form PF | May 9, 2024 | |
| Extended comment deadline | May 23, 2023 | |
| SEC re-opened comment period | March 15, 2023 | |
| Comment deadline | April 11, 2022 | |
| AIMA response to proposal filed | April 11, 2022 | |
| AIMA request for extension submitted | March 3, 2022 | |
| AIMA summary for members published | February 15, 2022 | |
| Proposal published by SEC | February 9, 2022 | |
Future AIMA Work