In 2022, the Securities and Exchange Commission (SEC) proposed changes to its rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures.
The proposed rules would require registered investment advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks based on an ongoing analysis of specific elements, such as the nature of the adviser’s or fund’s activities and the sensitivity of the information they hold.
Additionally, the proposed rules would require registered investment advisers and funds to establish a cybersecurity program that includes:
- Identifying and assessing cybersecurity risks
- Developing and implementing written policies and procedures to manage those risks
- Designating a chief information security officer (CISO) or equivalent to oversee the cybersecurity program
- Training employees on the policies and procedures
- Conducting periodic testing and annual assessments of the effectiveness of the cybersecurity program
Registered investment advisers and funds would also be required to report cybersecurity incidents to the SEC within 72 hours, unless they can demonstrate that the incident would not have a material impact on their operations or clients.
The proposed rules are intended to improve the cybersecurity risk management practices of registered investment advisers and funds and enhance investor protection.