SEC Votes to Propose New Cybersecurity Policy Rules

Under the proposal, registered investment advisers and investment companies would have to adopt and implement written cybersecurity policies and procedures ‘reasonably designed to address cybersecurity risks.’

The U.S. Securities and Exchange Commission voted earlier this week in favor of proposing new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 related to the cybersecurity policies of registered investment advisers and fund companies.

Under the proposal, which is detailed in regulatory text stretching to nearly 250 pages, RIAs and fund companies will be required  to adopt and implement written cybersecurity policies and procedures “reasonably designed to address cybersecurity risks.”

The commission also proposed a new rule and form under the Advisers Act to require advisers to report “significant cybersecurity incidents” affecting the adviser, or its fund or private fund clients, to the regulator. With respect to disclosure, the SEC proposed amendments to various forms regarding the disclosure related to significant cybersecurity risks and cybersecurity incidents that affect advisers, funds, their clients and shareholders. Further, the SEC proposed new recordkeeping requirements under the Advisers Act and Investment Company Act related to cybersecurity.

These regulatory actions come as the SEC—like many other regulators—ramps up its focus on cybersecurity issues. In fact, for several years now, the SEC has specifically identified on its annual priorities list such a focus on cybersecurity.

The list warns that the SEC’s enforcement division will “continue to evaluate whether regulated entities have established, maintained and enforced written cybersecurity policies and procedures as required.” The priorities list indicates areas of focus will include information technology governance, IT asset management, cyber threat management/incident response, business continuity planning and third-party vendor management, including utilization of cloud services.

Demonstrating its resolve, last year, the SEC announced a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures that resulted in what the agency describes as “email account takeovers” which exposed the personal information of thousands of customers and clients at each firm.