Earlier this year, in an effort to stress the critical nature of cybersecurity protections, the Securities and Exchange Commission (SEC) proposed new requirements for registered investment advisers which would mandate significant enhancements to an organization’s cybersecurity posture. Proposed changes would also include stringent requirements for disclosure and recordkeeping following a cybersecurity incident.
Per the SEC proposal released in February of 2022, financial firms – including RIAs, investment companies and business development companies – would be required to:
Under the current proposal, registered investment advisers will be required to report “significant” cybersecurity incidents within 48 hours of determining such an incident has occurred or is actively occurring. On a new line item that would be added to Form ADV Part 2A, advisers would need to provide detailed information regarding:
In addition to alerting the SEC of significant new cybersecurity incidents, investment funds and advisers would be required to amend Form ADV Part 2A to disclose material risks to current and prospective clients “if there is a substantial likelihood that a reasonable client would consider the information important.” The rule would also require “an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure after such an incident.”
The SEC’s proposed changes would require financial firms to adopt and implement policies and procedures to address ongoing cybersecurity risk management. While advisers should customize policies and procedures to fit the specific nature of their business and unique cyber risks, the SEC would require the following elements:
Policies will need to be reviewed and updated on an annual basis.
Lastly, the proposal would amend the “books and records” rule and require companies to maintain records related to the above requirements, including copies of cybersecurity policies and procedures, copies of risk assessments, copies of cybersecurity incident reports, and records documenting annual reviews of the aforementioned policies and procedures.
Although as of this article’s publication date the SEC has yet to finalize its requirements, it is generally expected that significant changes are forthcoming. In addition to the proposal outlined above, the SEC released a second set of proposed changes in March 2022 that would impact public companies and enforce strict disclosure and governance procedures.
These proposals are consistent with the financial industry’s increasing vigilance with regard to cybersecurity, and as such, firms should begin preparing now for what’s to come. Alternative investment firms and registered advisers should begin to evaluate their current programs and investments with regard to:
The SEC’s initial vote on the above changes took place on February 9th, before undergoing a public comment period. The 60-day comment period has now ended, and we expect the SEC is working diligently to finalize its changes (which may or may not reflect feedback from the more than 100 comments received from registered companies, service providers and other industry experts).
If you’d like to speak with Omega’s cybersecurity team to review your current protections and discuss a proactive plan to address any forthcoming SEC requirements, please contact us today.