On February 9th, the SEC announced that it is proposing new rules and amendments under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 that are intended to both improve cybersecurity readiness and bolster investor confidence in the resilience of investment advisers and investment companies against threats and attacks to cybersecurity.
In keeping with the SEC’s ongoing efforts to protect investors and maintain orderly markets, the proposed rules and amendments are designed to enhance adviser and fund disclosures related to cybersecurity risks and incidents and would require:
advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks
advisers to publicly report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC on a proposed confidential Form ADV-C
advisers and funds to maintain, make, and retain certain cybersecurity-related books and records to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities
The public may submit feedback during the comment period which will remain open for 30 days after publication in the Federal Register. For additional information on the proposal’s comment period and instructions on how to respond, see the Proposed Rule on sec.gov. The proposal will be published on the SEC’s website and in the Federal Register.