SEC May Require Advisers and Funds to Draft Cybersecurity Policies and Disclose Incidents

Following the rise of cybercrime and on the coattails of the Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB) and the Federal Deposit Insurance Corporation (FDIC) promulgating final rules concerning cybersecurity requirements for the financial services sector, we knew that the U.S. Securities and Exchange Commission (SEC) was not far behind.

On January 24, 2022, SEC Chair Gary Gensler, during a speech at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute, already previewed the SEC's effort to boost the cybersecurity posture and resiliency of the financial sector. During that speech, Gensler indicated the SEC might move to apply Regulation Systems Compliance and Integrity (Reg SCI) to broker-dealers and market-makers, but outside the Reg SCI scope, investments advisers should expect recommendations from the SEC to boosting cybersecurity, cyber hygiene, and incident reporting.

On February 9, 2022, the SEC did just that by proposing new rules that would establish detailed cybersecurity requirements for registered investment advisers, registered investment companies and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures. By a vote of three to one, the Commission released the 243 page proposal, which would require:

• Written Policies and Procedures. Requirement to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
• Reporting of Significant Cybersecurity Incidents. Requirement to report significant¹ cybersecurity incidents to the Commission on proposed Form ADV-C— a sort of confidential appendix to the publicly available Form ADV regulatory filings that advisers submit;
• Disclosure of Cybersecurity Risks and Incidents. Requirement to disclosure cybersecurity risks and incidents to clients and prospective clients, as well as disclosing incidents that occurred in the last two fiscal years; and
• Recordkeeping. Requirement to maintain, make, and retain certain cybersecurity-related books and records.

The proposal would also require advisers and funds to publicly disclose cybersecurity risks and cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements. Additionally, the proposal will also set forth new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission's inspection and enforcement capabilities. The public comments period will remain open for 60 days following the publication of the proposing release on the SEC's website.

Cyber risk has long been a concern of the SEC especially when cybersecurity incidents affecting advisers and funds can cause substantial harm to their clients and investors, and may incur substantial remediation costs.² Most recently, in June 2021, the SEC announced its first-ever enforcement against a financial services company for deficient disclosure controls and procedures concerning cybersecurity risk. The SEC found that the company's deficient disclosure controls and procedures relating to cybersecurity risks violated Rule 13a-15(a) under the Securities Exchange Act of 1934 (Exchange Act), which requires issuers registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures to ensure the timely and accurate reporting of information as required by the SEC's rules and forms.

In August 2021, the SEC sanctioned eight firms for cybersecurity failures that resulted in email account takeovers exposing the personal information of thousands of clients at each firm. The SEC's orders against each of the firms found that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.  The incidents involved penalties of hundreds of thousands of dollars.

In light of the recent proposed rule and previous enforcement action, it is very clear that the SEC is ready to increase cyber enforcement. The proposed rule's additional disclosures and reporting requirements involving cyber incidents could lead to additional examination and enforcement by the SEC. Therefore, financial services companies should develop and implement comprehensive cybersecurity programs, design internal controls for immediate disclosure of cybersecurity incidents and risks, and foster a culture of cybersecurity compliance to prevent the imposition of steep penalties and other injunctive relief by the SEC.

¹ According to the proposed rules, a "significant" cybersecurity incident is defined as "a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser's ability…to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client . . . whose information was accessed." 

² See, e.g., Ponemon Institute and IBM Security, Cost of Data Breach Report 2021 (July 2021), available at https://www.ibm.com/security/data-breach ("Cost of Data Breach Report") (noting the average cost of a data breach in the financial industry in the United States is $5.72 million).