New Cybersecurity Risk Management Rules Proposed by SEC

On February 9, 2022, The Securities and Exchange Commission voted to propose new rules for cybersecurity risk management for registered investment companies, registered investment advisers, business development companies, and funds, as well asa list of amendments to existing regulations on fund disclosures and investment advisers.

These new rules were instituted to enhance cybersecurity preparedness and improve investor confidence in advisers and funds’ ability to withstand cybersecurity attacks and threats.

What will the new proposed rules do? 

• Require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks.
• Require advisers to report significant cybersecurity incidents affecting the adviser or its fund to the SEC via a new confidential form.
• Require advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that have occurred in the last two fiscal years in their registration statements and brochures
• Establish new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities.

After the initial announcement in February, the new proposal was published in the Federal Register and on SEC.gov. For 60 days, a public comment period remained open. The rules are now fully instated. 

To read the full release, click here. 

If you are a financial institution or organization and want to discuss how to best comply with the upcoming rule changes related to IT and cybersecurity changes, please reach out here.