SEC Proposes First Cyber Rule for RIAs and Funds
Brief Introduction
On Wednesday, February 9th, the SEC released its Proposed Rule on Cybersecurity Risk Management and Amendments for Registered Investment Advisers and Funds.
Vigilant’s Chief Operating Officer, Chuck Martin, was quoted in Ignites on Monday, February 7th, where he provided his insights on the anticipated Proposed Rule. He stated, “[The rule] should be flexible enough to take into consideration the size, complexity and IT infrastructure in place.” To view the full release and Chuck’s insights, click here.
SEC Chairman Gary Gensler remains consistent in his focus on protecting investors and maintaining orderly markets. He stated, “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
What Does This Mean For Advisers and Funds?
- The proposed rule requires Advisers and Funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risk.
- Advisers would be required to report significant cybersecurity incidents affecting the adviser or its Fund clients to the Commission.
- Advisers and Funds would be required to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years.
- Advisers and Funds would need to follow new recordkeeping requirements designed to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.
Additional Proposed Requirements
- Cybersecurity Risk Management Policies and Procedures
  - Required Elements of Advisers’ and Funds’ Policies and Procedures
    - Risk Assessment
    - User Security and Access
    - Information Protection
    - Threat and Vulnerability Management
    - Cybersecurity Incident Response and Recovery
  - Annual Review and Required Written Reports
  - Fund Board Oversight
  - Recordkeeping
- Reporting of Significant Cybersecurity Incidents to the Commission
  - Proposed Rule 204-6
  - Form ADV-C
- Disclosure of Cybersecurity Risks and Incidents
  - Proposed Amendments to Form ADV Part 2A
    - Cybersecurity Risks and Incidents Disclosure
    - Requirement to Deliver Certain Interim Brochure Amendments to Existing Clients
  - Proposed Amendments to Fund Registration Statements
To view the full Proposed Rule, click here!
Final Conclusion
It is clear that the SEC is continuing to focus on protecting investors, and this Proposed Rule is a continued step in the right direction.
Following the status of this rule will be important, especially when it comes to adopting and implementing cybersecurity policies and procedures.
At Vigilant, we have 300+ years of experience uniting Regulatory Compliance, Legal, and Financial Expertise. If you need assistance, or would like to learn more about Vigilant, contact us here.