SEC Proposes Cybersecurity Risk Management Rules for Investment Advisers | Practical Law

The SEC proposed new and amended rules relating to cybersecurity risk management and disclosures for registered investment advisers and funds.

Practical Law Legal Update w-034-4447 (Approx. 4 pages)

by Practical Law Corporate and Securities
Published on 10 Feb 2022, USA (National/Federal)
On February 9, 2022, the SEC proposed new and amended rules relating to cybersecurity risk management and disclosures for registered investment advisers and funds.
Specifically, the SEC is proposing:
  • New rules under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940, as amended (ICA) to require registered investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks.
  • A new rule and form under the Advisers Act to require advisers to report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the SEC.
  • Form amendments regarding disclosures related to significant cybersecurity risks and incidents that affect advisers and funds, and their clients and shareholders.
  • Amendments to recordkeeping requirements for investment advisers and funds.

Written Cybersecurity Policies and Procedures

The SEC is proposing new Rule 206(4)-9 under the Advisers Act to require all registered investment advisers to adopt and implement written cybersecurity policies and procedures. The proposed rule would enumerate certain elements that must be addressed in those policies and procedures, while still providing flexibility for advisers to tailor them to the nature and scope of their business.
In addition, investment advisers would have flexibility to determine the person or group of people who implement and oversee the effectiveness of their policies and procedures. For example, an adviser could use internal resources with appropriate knowledge and expertise, or a third-party cybersecurity risk management service subject to appropriate oversight by the adviser, to implement its cybersecurity policies and procedures.
The SEC is also proposing new rule 38a-2 under the ICA to adopt similar cybersecurity risk management rules for funds. Both advisers and funds would be required to review their cybersecurity policies and procedures at least annually and prepare a written report discussing, among other things, the annual review, assessment, and any material changes to the policies and procedures since the last report.

Cybersecurity Incident Reporting

Under the SEC's proposal, new Advisers Act Rule 204-6 would require investment advisers to report significant cybersecurity incidents to the SEC, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. Incident reporting on Form ADV-C would be confidential, and is intended to help the SEC monitor and evaluate the effects of cybersecurity incidents on an adviser and its clients, as well as assess potential systemic risks.

Cybersecurity Risk and Incident Disclosures

The SEC is also proposing to add new Item 20, entitled "Cybersecurity Risks and Incidents," to Part 2A of Form ADV. Item 20 would require investment advisers to describe cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address the risk created by the nature and scope of their business. Further, the SEC is proposing to amend Rule 204-3(b) to require investment advisers to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident or materially revises information about a previously disclosed incident. For more information on the brochure rule, see Practice Note, Investment Adviser Regulation: Overview: Brochure Rule.
The proposal also includes amendments to a number of forms that would require funds to provide prospective and current investors with cybersecurity-related disclosures.

Recordkeeping

The SEC's proposal would also amend Advisers Act Rule 204-2 to require investment advisers to maintain certain records related to the proposed cybersecurity risk management rules and occurrence of cybersecurity incidents. For more information on the recordkeeping requirements for investment advisers, see Practice Note, Investment Adviser Regulation: Overview: Recordkeeping.
As with other aspects of the proposal, the SEC is proposing to impose similar recordkeeping requirements on funds under new Rule 38a-2 under the ICA.
The comment period will remain open until the later of 30 days after the proposed rules are published in the Federal Register or April 11, 2022 (60 days after issuance of the proposing release).