SEC Reopens Comment Period for Proposed Cybersecurity Rules

The rules from the February 2022 proposal include new recordkeeping requirements, and industry actors requested more time to review them.

The Securities and Exchange Commission today reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure.

The rule proposals were put forward by the SEC on February 9, 2022. Under the proposals, registered investment advisers and fund companies would be required to adopt and implement written cybersecurity policies and procedures “reasonably designed to address cybersecurity risks.”

The new rules operating under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 had an initial comment period ending April 11, 2022. RIAs, investment companies and business development companies now have 60 additional days to comment once the reopening release is published in the Federal Register, according to the SEC.

The proposed rule includes a new form requiring advisers to report “significant cybersecurity incidents” affecting the adviser, or its fund or private fund clients, to the regulator. The SEC also proposed new recordkeeping requirements. The additional time shows an acknowledgment by the SEC that interested parties need further review and preparation to provide organized comment.

Gail Bernstein, general counsel at the Investment Adviser Association, issued a statement of appreciation for the extended window, as well as another proposed rule that requires advisers be responsible for vetting third-party firms—such as cybersecurity providers.

“The IAA appreciates that the SEC has heard us on the interrelatedness of its current proposals and is reopening the comment period on its cybersecurity proposal,” she wrote. “We’re assessing the potential implications for advisers and how these proposals interact with each other and with other recently issued proposals, like outsourcing.”

The SEC also proposed enhancements to Regulation S-P, which is designed to protect the privacy of consumer financial information. The regulation requires institutions to notify individuals affected by certain data breaches that may be harmful.

“We appreciate the SEC’s recognition that an adviser’s policies and procedures should be calibrated based on its business, size, and risks,” Bernstein wrote. “Preliminarily, we expect to have questions around the scope of how customer information is defined in the proposal, the duplicative and potentially inconsistent obligations imposed on advisers by the proposal in relation to other similar proposed rules, and the implications of proposed timeframes.”