SEC’s Cybersecurity Risk Management Rules for Funds and Advisers

Following the Securities and Exchange Commission’s (“SEC’s”) new and updated cybersecurity risk management rules, proposed in February 2022, for investment advisors, registered investment companies, and business development companies, entities classified as “advisors” and “funds” registered with the SEC have taken action to ensure compliance. 

This new proposal aims to enhance cybersecurity preparedness, improve disclosure of cybersecurity risks and incidents to clients and investors, and strengthen SEC oversight. The four key components are

1.  Cybersecurity Risk Management Rules 

Proposed Rule 206(4)-9 under the Advisors Act and Rule 38a-2 under the Investment Company Act aim to have advisors and funds adopt and implement cybersecurity policies addressing various risks. These rules outline general elements for cybersecurity policies and procedures to mitigate operational risks and unauthorized access to sensitive information.

2.  Reporting of Significant Cybersecurity Incidents 

New Rule 204-6 mandates advisors report significant cybersecurity incidents to the SEC, including on behalf of funds or private fund clients, via Form ADV-C submissions. Confidential reports attempt to enhance the SEC's investor protection efforts by aiding in the evaluation of incident impacts on advisors and clients as well as assessing potential systemic risks in financial markets.

3.  Disclosure of Cybersecurity Risks and Incidents 

Proposed amendments to Form ADV Part 2A require advisors to disclose cybersecurity risks and incidents to clients and prospective clients, enhancing transparency in client-facing disclosure documents. Similarly, funds must disclose significant cybersecurity incidents in their registration statements using structured data language across various forms.

4.  Recordkeeping 

Amendments under the Advisors Act and Investment Company Act introduce new recordkeeping requirements. Advisors must maintain records related to cybersecurity risk management rules and incidents, while funds are required to retain copies of their cybersecurity policies and procedures and related records. 

The SEC proposed these heightened cybersecurity rules due to an increased reliance on technology in day-to-day operations. These are to ensure that those groups maintain robust cybersecurity practices not yet covered by other regulations, such as the Sarbanes-Oxley Act, as well as guide the reporting, disclosure, and recordkeeping process for cybersecurity incidents. This will help maintain resilient cybersecurity environments thereby further protecting investors. 

The SEC’s new proposed cybersecurity rules seek to prevent both public companies and investment advisors from falling victim to data breaches, because these groups increasingly rely heavily on technology. Historically, public companies have been subject to many control and reporting regulations; however, they are expanding to cover cybersecurity risk. Prior to this new SEC proposal, non-public funds and advisors have not been subject to a regulatory cybersecurity standard. The increasing reliance on technology for simple and complex business functions exposes an increasing amount of data to hackers. Without a robust cybersecurity environment, firms and their service providers will be at risk. This lack of provision allows malicious actors to exploit critical and sensitive data. 

Individual instances of cyberattacks on non-public funds, at a minimum, need to be reported to the proper authorities. Also, the SEC Division of Enforcement has reported findings and been vigilant in ensuring that market participants reasonably disclose material cybersecurity risks and incidents.Additionally, a survey conducted by Agio evaluated 121 hedge funds and found that the frequency of cyberattacks in insourced environments increased to 77% in 2023 from 39% in 2022. Furthermore, the severity of attacks increased to 87% in 2023 from 58% in 2022. Likewise, cybersecurity incidents are also becoming more expensive, especially over the internet. Over the past five years, the FBI Internet Crime Complaint Center received 3.8 million complaints with reported losses totaling $37.4 billion. The amount lost per year has risen over this period, with $12.5 billion reported as lost in 2023 alone. This includes cyberattacks on business email, phishing, and ransomware, to name a few. Although this is applicable to multiple industries, the data collection in aggregate further demonstrates the need for the increased management of cybersecurity.  

More recently, generative artificial intelligence has been successfully writing computer code that enables hackers to cast a wider net. Much like a student utilizing ChatGPT to generate essay ideas, a malicious actor can use the same technology to suggest attack vectors using prompts to have it write preliminary code and phishing emails. While ChatGPT may not be the perfect medium to do this due to new updates, other platforms, like WormGPT and various text-to-SQL systems, enable this without the ethical boundaries. 

One primary goal of the SEC’s proposal is to protect investors in non-public small and mid-sized firms. Although the SEC has observed cybersecurity functions within these firms, it continues to report a lack of holistic cybersecurity preparedness, posing a serious risk to funds’ business operations and their clients’ personal data. With the new proposals, these funds will be required to uphold policies and procedures that will increase cybersecurity spending. This is all to decrease the occurrence of breaches and hacks, which, as previously noted, can be extremely expensive. 

There are many ways to ensure funds and advisors comply with this new regulation in a way that helps both investors and advisors. Establishing a roadmap aligned to a unique risk profile is key to a successful outcome. For example, implementing updated cybersecurity training, conducting annual reviews of policies and procedures, and hiring outside technology risk experts are just a few best practices to help ensure compliance. Funds and public companies should consider partnering with a trusted advisor who specializes in creating and maintaining robust cybersecurity procedures that comply with these new proposed rules.