The US Securities and Exchange Commission has proposed rules that would require investment advisers and funds to implement written policies and procedures that are reasonably designed to address cybersecurity risks. The rules, proposed pursuant to the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”), are an attempt to address concerns about advisers’ and funds’ cybersecurity preparedness and reduce cybersecurity-related risks to clients and investors; improve adviser and fund disclosures about their cybersecurity risks and incidents; and enhance the SEC’s ability to assess systemic risks and oversee advisers and fund.
The proposed rules would require advisers and funds:
- To adopt and implement cybersecurity policies and procedures that are tailored to the complexity and cybersecurity risks of each business, and are flexible enough to change as cyber threats and risks evolve;
- To make disclosures on Form ADV (for advisers) and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2 and S-6 (for funds) regarding cybersecurity risks and incidents, so that investors and clients can make informed investment decisions;
- To report significant cybersecurity incidents to the SEC, and;
- To maintain copies of cybersecurity policies and procedures, and records of cybersecurity incidents.
The public comment period for the proposed rules will be at least 60 days.