SEC proposes new rules for investment advisors on cybersecurity risk management

The U.S. Securities and Exchange Commission (SEC) has proposed new cybersecurity risk management rules for registered investment advisers and business development companies.

The proposed rules would require advisers and funds to implement written cybersecurity policies and procedures to safeguard advisory clients and fund investors. They would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC on a new confidential form.

“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” SEC Chair Gary Gensler said. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

Further, the proposed rule changes would require advisers and funds to publicly disclose, in their brochures and registration statements, cybersecurity risks and significant cybersecurity incidents in the last two fiscal years.

The proposal also outlines new recordkeeping requirements for advisers and funds to improve the availability of cybersecurity-related information and facilitate the SEC’s inspection and enforcement capabilities.

The proposal will be published on SEC.gov and in the Federal Register. The public comment period will remain open for 60 days following publication on the SEC’s website or 30 days after publication in the Federal Register, whichever is longer.