Cybersecurity Risk Management for Investment Advisers ...

1 Conformed to Federal Register version SECURITIES AND EXCHANGE COMMISSION. 17 CFR Parts 230, 232, 239, 270, 274, 275, and 279. [Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22]. RIN 3235-AN08. Cybersecurity Risk Management for Investment Advisers , Registered Investment Companies, and Business Development Companies AGENCY: Securities and Exchange Commission. ACTION: Proposed rule. SUMMARY: The Securities and Exchange Commission is proposing new rules under the Investment Advisers Act of 1940 ( Advisers Act ) and the Investment Company Act of 1940.

2 ( Investment Company Act ) to require registered Investment Advisers ( Advisers ) and Investment companies ( funds ) to adopt and implement written Cybersecurity policies and procedures reasonably designed to address Cybersecurity risks. The Commission also is proposing a new rule and form under the Advisers Act to require Advisers to report significant Cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission. With respect to disclosure, the Commission is proposing amendments to various forms regarding the disclosure related to significant Cybersecurity risks and Cybersecurity incidents that affect Advisers and funds and their clients and shareholders.

3 Finally, we are proposing new recordkeeping requirements under the Advisers Act and Investment Company Act. DATES: Comments should be received on or before April 11, 2022. ADDRESSES: Comments may be submitted by any of the following methods: Electronic Comments: Use the Commission's internet comment form ( ); or Send an email to Please include File Number S7-04-22 on the subject line. Paper Comments: Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090. All submissions should refer to File Number S7-04-22.

4 The file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( ). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street, NE, Washington, DC 20549, on official business days between the hours of 10 and 3 Operating conditions may limit access to the Commission's Public Reference Room.

5 All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission's website. To ensure direct electronic receipt of such notifications, sign up through the Stay Connected option at to receive notifications by email.

6 FOR FURTHER INFORMATION CONTACT: Juliet Han, Senior Counsel; Thomas Strumpf, Senior Counsel; Christopher Staley, Branch Chief; or Melissa Gainor, Assistant Director, at (202) 551-6787, Investment Adviser Regulation Office, Division of Investment Management , (202) 551-6787 or Y. Rachel Kuo, Senior Counsel; Amanda Hollander Wagner, Branch Chief; or Brian McLaughlin Johnson, Assistant Director, Investment Company Regulation Office, Division of Investment Management , (202) 551-6792 or IM- David Joire, Senior Special Counsel, at (202) 551- 6825, Chief Counsel's Office, Division of Investment Management , (202) 551- 6825 or Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-8549.

7 SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission ( Commission ) is proposing for public comment 17 CFR (4)-9 ( proposed rule 206(4)- 9 ) and 17 CFR ( proposed rule 204-6 ) under the Advisers Act [15 80b-1 et seq.]; 17 CFR ( proposed rule 38a-2 ) under the Investment Company Act [15 80a-1 et seq.]; and new Form ADV-C [referenced in 17 CFR ] under the Advisers Act;. amendments to 17 CFR ( rule 204-2 ) and 17 CFR ( rule 204-3 ) under the Advisers Act; amendments to Form ADV [referenced in 17 CFR ] under the Advisers Act; amendments to Form N-1A [referenced in 17 CFR ], Form N-2 [referenced in 17 CFR ], Form N-3 [referenced in 17 CFR , Form N-4 [referenced in 17 CFR ], Form N-6 [referenced in 17 CFR ], Form N-8B-2 [referenced in 17 CFR ], and Form S-6 [referenced in 17 CFR ] under the Investment Company Act and the Securities Act of 1933 ( Securities Act ) [15 77a et seq.]]

8 ]; amendments to 17. CFR ( rule 11 of Regulation S-T ) and 17 CFR ( rule 405 of Regulation S-T ). under the Securities Exchange Act of 1934 ( Exchange Act ) [15 78a et seq.];. amendments to 17 CFR ( rule 485 ) under the Securities Act; and amendments to 17. CFR ( rule 497 ) under the Securities Act. 1. TABLE OF CONTENTS. I. Introduction A. Adviser and Fund Cybersecurity Risks B. Current Legal and Regulatory Framework 1. Unless otherwise noted, when we refer to the Investment Company Act, we are referring to 15 80a, and when we refer to rules under the Investment Company Act, we are referring to title 17, part 270 of the Code of Federal Regulations [17 CFR 270].

9 In addition, unless otherwise noted, when we refer to the Advisers Act, we are referring to 15 80b, and when we refer to rules under the Advisers Act, we are referring to title 17, part 275 of the Code of Federal Regulations [17 CFR 275]. C. Overview of Rule Proposal II. Discussion A. Cybersecurity Risk Management Policies and Procedures 1. Required Elements 2. Annual Review and Required Written Reports 3. Fund Board Oversight 4. Recordkeeping B. Reporting of Significant Cybersecurity Incidents to the Commission 1. Proposed Rule 204-6.

10 2. Form ADV-C. C. Disclosure of Cybersecurity Risks and Incidents 1. Proposed Amendments to Form ADV Part 2A. 2. Cybersecurity Risks and Incidents Disclosure 3. Requirement to Deliver Certain Interim Brochure Amendments to Existing Clients 4. Proposed Amendments to Fund Registration Statements III. Economic Analysis A. Introduction B. Broad Economic Considerations C. Baseline 1. Cybersecurity Risks and Practices 2. Regulation 3. Market Structure D. Benefits and Costs of the Proposed Rule and Form Amendments 1. Cybersecurity Policies and Procedures 2.