
February 11, 2022

SEC May Require Advisers and Funds to Draft Cybersecurity Policies and Disclose Incidents



Following the rise of cybercrime and on the coattails of the Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB) and the Federal Deposit Insurance Corporation (FDIC) promulgating final rules concerning cybersecurity requirements for the financial services sector, we knew that the U.S. Securities and Exchange Commission (SEC) was not far behind.

On January 24, 2022, SEC Chair Gary Gensler, during a speech at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute, already previewed the SEC's effort to boost the cybersecurity posture and resiliency of the financial sector. During that speech, Gensler indicated the SEC might move to apply Regulation Systems Compliance and Integrity (Reg SCI) to broker-dealers and market-makers, but outside the Reg SCI scope, investment advisers should expect recommendations from the SEC to boost cybersecurity, cyber hygiene, and incident reporting.

On February 9, 2022, the SEC did just that by proposing new rules that would establish detailed cybersecurity requirements for registered investment advisers, registered investment companies and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures. By a vote of three to one, the Commission released the 243-page proposal, which would require:

  • Written Policies and Procedures. Requirement to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
  • Reporting of Significant Cybersecurity Incidents. Requirement to report significant¹ cybersecurity incidents to the Commission on proposed Form ADV-C, a sort of confidential appendix to the publicly available Form ADV regulatory filings that advisers submit;
  • Disclosure of Cybersecurity Risks and Incidents. Requirement to disclose cybersecurity risks and incidents to clients and prospective clients, as well as disclosing incidents that occurred in the last two fiscal years; and
  • Recordkeeping. Requirement to maintain, make, and retain certain cybersecurity-related books and records.

The proposal would also require advisers and funds to publicly disclose cybersecurity risks and cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements. Additionally, the proposal would set forth new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission's inspection and enforcement capabilities. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC's website.

Cyber risk has long been a concern of the SEC, especially when cybersecurity incidents affecting advisers and funds can cause substantial harm to their clients and investors, and may incur substantial remediation costs.² Most recently, in June 2021, the SEC announced its first-ever enforcement against a financial services company for deficient disclosure controls and procedures concerning cybersecurity risk. The SEC found that the company's deficient disclosure controls and procedures relating to cybersecurity risks violated Rule 13a-15(a) under the Securities Exchange Act of 1934 (Exchange Act), which requires issuers registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures to ensure the timely and accurate reporting of information as required by the SEC's rules and forms.

In August 2021, the SEC sanctioned eight firms for cybersecurity failures that resulted in email account takeovers exposing the personal information of thousands of clients at each firm. The SEC's orders against each of the firms found that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. The incidents involved penalties of hundreds of thousands of dollars.

In light of the recent proposed rule and previous enforcement action, it is very clear that the SEC is ready to increase cyber enforcement. The proposed rule's additional disclosures and reporting requirements involving cyber incidents could lead to additional examination and enforcement by the SEC. Therefore, financial services companies should develop and implement comprehensive cybersecurity programs, design internal controls for immediate disclosure of cybersecurity incidents and risks, and foster a culture of cybersecurity compliance to prevent the imposition of steep penalties and other injunctive relief by the SEC.


 

1 According to the proposed rules, a "significant" cybersecurity incident is defined as "a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser's ability…to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client . . . whose information was accessed." 

2 See, e.g., Ponemon Institute and IBM Security, Cost of Data Breach Report 2021 (July 2021), available at https://www.ibm.com/security/data-breach ("Cost of Data Breach Report") (noting the average cost of a data breach in the financial industry in the United States is $5.72 million).
