Cybersecurity Risk Management for Investment Advisers ...

1 Conformed to Federal Register version SECURITIES AND EXCHANGE COMMISSION. 17 CFR Parts 230, 232, 239, 270, 274, 275, and 279. [Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22]. RIN 3235-AN08. Cybersecurity Risk Management for Investment Advisers , Registered Investment Companies, and Business Development Companies AGENCY: Securities and Exchange Commission. ACTION: Proposed rule. SUMMARY: The Securities and Exchange Commission is proposing new rules under the Investment Advisers Act of 1940 ( Advisers Act ) and the Investment Company Act of 1940. ( Investment Company Act ) to require registered Investment Advisers ( Advisers ) and Investment companies ( funds ) to adopt and implement written Cybersecurity policies and procedures reasonably designed to address Cybersecurity risks. The Commission also is proposing a new rule and form under the Advisers Act to require Advisers to report significant Cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission.

2 With respect to disclosure, the Commission is proposing amendments to various forms regarding the disclosure related to significant Cybersecurity risks and Cybersecurity incidents that affect Advisers and funds and their clients and shareholders. Finally, we are proposing new recordkeeping requirements under the Advisers Act and Investment Company Act. DATES: Comments should be received on or before April 11, 2022. ADDRESSES: Comments may be submitted by any of the following methods: Electronic Comments: Use the Commission's internet comment form ( ); or Send an email to Please include File Number S7-04-22 on the subject line. Paper Comments: Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090. All submissions should refer to File Number S7-04-22. The file number should be included on the subject line if email is used.

3 To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( ). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street, NE, Washington, DC 20549, on official business days between the hours of 10 and 3 Operating conditions may limit access to the Commission's Public Reference Room. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission's website.

4 To ensure direct electronic receipt of such notifications, sign up through the Stay Connected option at to receive notifications by email. FOR FURTHER INFORMATION CONTACT: Juliet Han, Senior Counsel; Thomas Strumpf, Senior Counsel; Christopher Staley, Branch Chief; or Melissa Gainor, Assistant Director, at (202) 551-6787, Investment Adviser Regulation Office, Division of Investment Management , (202) 551-6787 or Y. Rachel Kuo, Senior Counsel; Amanda Hollander Wagner, Branch Chief; or Brian McLaughlin Johnson, Assistant Director, Investment Company Regulation Office, Division of Investment Management , (202) 551-6792 or IM- David Joire, Senior Special Counsel, at (202) 551- 6825, Chief Counsel's Office, Division of Investment Management , (202) 551- 6825 or Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-8549. SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission ( Commission ) is proposing for public comment 17 CFR (4)-9 ( proposed rule 206(4)- 9 ) and 17 CFR ( proposed rule 204-6 ) under the Advisers Act [15 80b-1 et seq.]

5 ]; 17 CFR ( proposed rule 38a-2 ) under the Investment Company Act [15 80a-1 et seq.]; and new form ADV-C [referenced in 17 CFR ] under the Advisers Act;. amendments to 17 CFR ( rule 204-2 ) and 17 CFR ( rule 204-3 ) under the Advisers Act; amendments to form ADV [referenced in 17 CFR ] under the Advisers Act; amendments to form N-1A [referenced in 17 CFR ], form N-2 [referenced in 17 CFR ], form N-3 [referenced in 17 CFR , form N-4 [referenced in 17 CFR ], form N-6 [referenced in 17 CFR ], form N-8B-2 [referenced in 17 CFR ], and form S-6 [referenced in 17 CFR ] under the Investment Company Act and the Securities Act of 1933 ( Securities Act ) [15 77a et seq.]; amendments to 17. CFR ( rule 11 of Regulation S-T ) and 17 CFR ( rule 405 of Regulation S-T ). under the Securities Exchange Act of 1934 ( Exchange Act ) [15 78a et seq.];. amendments to 17 CFR ( rule 485 ) under the Securities Act; and amendments to 17.

6 CFR ( rule 497 ) under the Securities Act. 1. TABLE OF CONTENTS. I. Introduction A. Adviser and Fund Cybersecurity Risks B. Current Legal and Regulatory Framework 1. Unless otherwise noted, when we refer to the Investment Company Act, we are referring to 15 80a, and when we refer to rules under the Investment Company Act, we are referring to title 17, part 270 of the Code of Federal Regulations [17 CFR 270]. In addition, unless otherwise noted, when we refer to the Advisers Act, we are referring to 15 80b, and when we refer to rules under the Advisers Act, we are referring to title 17, part 275 of the Code of Federal Regulations [17 CFR 275]. C. Overview of Rule Proposal II. Discussion A. Cybersecurity Risk Management Policies and Procedures 1. Required Elements 2. Annual Review and Required Written Reports 3. Fund Board Oversight 4. Recordkeeping B.

7 Reporting of Significant Cybersecurity Incidents to the Commission 1. Proposed Rule 204-6. 2. form ADV-C. C. Disclosure of Cybersecurity Risks and Incidents 1. Proposed Amendments to form ADV Part 2A. 2. Cybersecurity Risks and Incidents Disclosure 3. Requirement to Deliver Certain Interim Brochure Amendments to Existing Clients 4. Proposed Amendments to Fund Registration Statements III. Economic Analysis A. Introduction B. Broad Economic Considerations C. Baseline 1. Cybersecurity Risks and Practices 2. Regulation 3. Market Structure D. Benefits and Costs of the Proposed Rule and form Amendments 1. Cybersecurity Policies and Procedures 2. Disclosures of Cybersecurity Risks and Incidents 3. Regulatory Reporting of Cybersecurity Incidents 4. Recordkeeping E. Effects on Efficiency, Competition, and Capital Formation F. Alternatives Considered 1. Alternatives to the Proposed Policies and Procedures Requirement 2.

8 Modify Requirements for Structuring Disclosure of Cybersecurity Risks and Incidents 3. Public Disclosure of form ADV-C. IV. Paperwork Reduction Act Analysis A. Introduction B. Rule 206(4)-9. C. Rule 38a-2. D. Rule 204-2. E. Rule 204-6. F. form ADV-C. G. form ADV. H. Rule 204-3. I. form N-1A. J. form N-2. K. form N-3. L. form N-4. M. form N-6. N. form N-8B-2 and form S-6. O. Investment Company Interactive Data P. Request for Comment V. Initial Regulatory Flexibility Act Analysis A. Reason For and Objectives of the Proposed Action B. Legal Basis C. Small Entities Subject to the Rules and Rule Amendments D. Projected Reporting, Recordkeeping and Other Compliance Requirements E. Duplicative, Overlapping, or Conflicting Federal Rules F. Significant Alternatives G. Solicitation of Comments VI. Consideration of Impact on the Economy VII. Statutory Authority I.

9 INTRODUCTION. A. Adviser and Fund Cybersecurity Risks Advisers and funds play an important role in our financial markets and increasingly depend on technology for critical business operations. 2 Advisers and funds are exposed to, and rely on, a broad array of interconnected systems and networks, both directly and through service providers such as custodians, brokers, dealers, pricing services, and other technology vendors. Advisers also increasingly use digital engagement tools and other technology to engage with clients and develop and provide Investment advice. 3 As a result, they face numerous Cybersecurity risks and may experience Cybersecurity incidents that can cause, or be exacerbated by, critical system or process failures. 4. At the same time, cyber threat actors have grown more sophisticated and may target Advisers and funds, putting them at risk of suffering significant financial, operational, legal, and 2.

10 Unless otherwise noted, the term fund means a registered Investment company or a closed-end company that has elected to be treated as a business development company under the Investment Company Act ( BDC ). 3. Request for Information and Comments on Broker-Dealer and Investment Adviser Digital Engagement Practices, Related Tools and Methods, and Regulatory Considerations and Potential Approaches;. Information and Comments on Investment Adviser Use of Technology to Develop and Provide Investment Advice, Investment Advisers Act Release No. 5833 (Aug. 27, 2021) [86 FR 49067 (Sept. 1, 2021)]. 4. See, , Financial Services Information Sharing and Analysis Center, Navigating Cyber 2021 (Mar. 2021), available at (detailing cyber threats that emerged in 2020 and predictions for 2021). reputational harm. 5 Cybersecurity incidents affecting Advisers and funds also can cause substantial harm to their clients and investors.