Executive Summary

In February 2022, the U.S. Securities and Exchange Commission published a proposed rule that, if adopted as proposed, will have significant impacts for registered investment advisers, registered investment companies and business development companies.

The proposal would require registered investment advisers to:

adopt and implement (and review at least annually) written cyber security policies and procedures reasonably designed to address cyber security risks, which would be required to cover several specific elements, including:
- risk assessment;
- user security and access;
- information protection;
- cyber security threat and vulnerability management; and
- cyber security incident response and recovery;

report significant cyber security incidents affecting the adviser, or its fund or private fund clients, to the SEC on a newly-proposed Form ADV-C no later than 48 hours after having a reasonable basis to conclude that an incident occurred/is occurring;

make enhanced disclosures in Form ADV Part 2A related to cyber security risks and incidents; and

maintain, make and retain certain cyber security-related books and records.

The proposal would require registered investment companies and business development companies to:

adopt and implement (and review at least annually) written cyber security policies and procedures;

make enhanced disclosures in the registration statement related to cyber security risks and incidents;

seek approval of boards of directors on the cyber security policies and procedures, as well as to review the written report on cyber security incidents and material changes to the cyber security policies and procedures; and

maintain, make and retain certain cyber security-related books and records.

If you would like to read more about the requirements under this proposal, you can access our February 15, 2022 summary of the proposal.

Please contact James Delaney with any questions regarding this proposal.

James Delaney

Managing Director, Asset Management Regulation

Potential impacts

If these changes are adopted as proposed, they will present the following practical implications for advisers and funds:

Implement a cyber security policy, including for areas such as risk assessments, user and access controls, information protection, threat and vulnerability management, incident response and recovery.
Produce an annual report describing the review assessment of the cyber security policy and any control tests performed, document any cyber incident that occurred since the last annual report, and discuss any material changes to the policy since the last annual report.
Require a fund’s board, including a majority of its independent directors, to approve the fund’s cyber security policy and also consider what level of oversight of the fund’s service providers is appropriate with respect to cyber security.
Recordkeeping on a cyber security policy, occurrence of cyber security incidents, records documenting a fund’s or adviser’s cyber security risk assessment etc.
Reporting by advisers on significant cyber security incidents to the SEC within 48 hours and provide the SEC with substantive information about the nature and scope of the incident being reported.
Require advisers and funds to disclose cyber security risks and incidents to their investors and other market participants.

Timeline

AIMA has categorized this proposal as Medium Priority/Medium Impact and it is therefore represented in mid-dark blue in the AIMA Regulatory Horizon Scan gantt chart.

Key Dates
Estimated Compliance Date	No estimate	New
Estimated Effective Date	No estimate	New
Estimated Publication Date	No estimate	New
Further joint trades comment letter filed	July 9, 2024
AIMA letter to SEC re reporting alignment with Form PF	May 9, 2024
Extended comment deadline	May 23, 2023
SEC re-opened comment period	March 15, 2023
Comment deadline	April 11, 2022
AIMA response to proposal filed	April 11, 2022
AIMA request for extension submitted	March 3, 2022
AIMA summary for members published	February 15, 2022
Proposal published by SEC	February 9, 2022

Future AIMA Work

We will be preparing a summary of the final requirements and holding a webinar to walk through what the new rules will require within 4 weeks of the SEC's publication of the final rules. Watch this space for details.