SEC Proposes New Cybersecurity Rule under the 1940 Act

Client Alert
February 10, 2022

On February 9, 2022, the Securities and Exchange Commission ("SEC") proposed new rule 38a-2 ("Proposed Rule 38a-2") under the Investment Company Act of 1940, as amended ("1940 Act"), which would require registered investment companies and business development companies ("funds") to adopt and implement written cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks.[1] The Proposing Release also includes a similar new rule that would apply to registered investment advisers under the Investment Advisers Act of 1940, as amended.

Summary

Currently, there is no SEC rule that specifically requires funds to adopt and implement comprehensive cybersecurity programs. However, as a matter of good business practice and at the urging of fund boards, most funds have already incorporated cybersecurity oversight programs into their compliance arsenal in an effort to manage cybersecurity risks and as part of complying with certain other rules and regulations, such as Rule 38a-1, Regulation S-P[2] and Regulation S-ID[3]. Proposed Rule 38a-2 would require funds to adopt and implement written cybersecurity policies and procedures that address a number of specified elements but are also tailored to the fund’s business operations and associated cybersecurity risks. Proposed Rule 38a-2 would also require funds to review and evaluate the design and effectiveness of the cybersecurity policies and procedures at least annually. Additionally, the SEC is recommending amendments to fund disclosure requirements to provide current and prospective shareholders with information about cybersecurity risks and incidents.

The various aspects of Proposed Rule 38a-2 and the proposed fund disclosure amendments are discussed in more detail below.

Proposed Rule 38a-2

KEY DEFINED TERMS

ADMINISTRATION OF THE CYBERSECURITY POLICIES AND PROCEDURES

Under Proposed Rule 38a-2, each fund will determine who will implement and oversee the effectiveness of its cybersecurity policies and procedures; such individuals may be internal personnel or outside third-party cybersecurity experts ("Cyber Program Administrators"). If internal individuals are utilized to administer the cybersecurity policies and procedures, such individuals must have appropriate knowledge and expertise. If it is determined that a third party is to administer the cybersecurity policies and procedures, the fund must ensure there is proper oversight of such third party. If a fund is sub-advised, the responsibilities for overseeing the cybersecurity policies and procedures may be delegated to the sub-adviser, but the fund remains subject to its own oversight responsibilities.

A fund’s cybersecurity policies and procedures must include authorization for the Cyber Program Administrators to make decisions and escalate issues to senior officers as necessary to allow such Cyber Program Administrators to effectively carry out their responsibilities. The Proposing Release notes that this could include adding an explicit escalation provision. The cybersecurity policies and procedures should also specify which groups, positions or individuals, whether internal or external third parties, are acting as Cyber Program Administrators. Furthermore, the cybersecurity policies and procedures should specify who has responsibility to communicate incidents internally, who assists with recovery from a cybersecurity incident and who makes decisions about reporting certain incidents to the SEC and/or to investors.

ELEMENTS OF THE CYBERSECURITY POLICIES AND PROCEDURES

While the Proposing Release notes that certain cybersecurity risks are applicable to all funds and therefore would be required to be addressed in all funds’ cybersecurity policies and procedures, Proposed Rule 38a-2 provides flexibility to allow funds to address each of these required items based on their specific facts and circumstances.

Each fund must include the following in its cybersecurity policies and procedures:

Periodic assessment, categorization, prioritization, and written documentation of the cybersecurity risks associated with its information systems and the information residing therein. This assessment would be required to include the following and must be documented in writing:

Funds would be required to reassess and reprioritize their cybersecurity risks periodically, but no less frequently than annually, as they arise due to changes, be they internal (changes to their business, online presence, client web access) or external (changes in the cybersecurity threat landscape). The Proposing Release also notes that funds should monitor and consider updates and guidance from private sector and governmental resources when assessing continuing and new cybersecurity threats.

Controls designed to minimize user-related risks and prevent the unauthorized access to information and systems, including:

In this regard, the Proposing Release notes that funds should consider who has a need to access certain internal systems, data, functions and/or accounts and should customize access depending on an individual’s job responsibilities.

Measures designed to monitor fund information systems and protect fund information from unauthorized access or use, based on a periodic assessment of the fund information systems and fund information that resides on the systems, which takes into account:

Additionally, funds would need to oversee any service providers that receive, maintain, or process fund information, or are otherwise permitted to access fund information systems and any fund information residing therein. A fund would need to have written documentation that it is requiring the service provider, pursuant to a written contract between the fund and any such service provider, to implement and maintain appropriate measures, including the measures mentioned above that the fund must address, that are designed to protect fund information and fund information systems.

Measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities.

The Proposing Release notes that funds would generally seek to detect cybersecurity threats and vulnerabilities through ongoing monitoring, which could include vulnerability assessments. Funds should also have a plan for how to remediate a cybersecurity threat once it is identified.

Measures to detect, respond to and recover from a cybersecurity incident, which are reasonably designed to ensure:

Funds would have to prepare written documentation of any cybersecurity incident, including the response and recovery.

Proposed Rule 38a-2 would require funds to review the cybersecurity policies and procedures at least annually, assess their design and effectiveness, including whether they reflect changes in cybersecurity risk over the period covered by the report, and prepare a written report (the "Cyber Report"). The Cyber Report would be required to describe the review, the assessment, any control tests performed and the results of such tests, document any cybersecurity incident during the period covered by the report, and discuss material changes.

Role of the Board of Directors

The board, including a majority of independent directors, would be required to approve the written cybersecurity policies and procedures and to receive the Cyber Report.

The Proposing Release notes that the board may satisfy its obligations to approve the cybersecurity policies and procedures by reviewing summaries of such documents prepared by the Cyber Program Administrators, similar to how reviews of other policies are conducted under Rule 38a-1. In reviewing the Cyber Report, the Proposing Release notes that boards will generally want to discuss with the Cyber Program Administrators whether the fund has adequate resources with respect to cybersecurity matters, including access to cybersecurity experts, and ask questions about the effectiveness of the policies and procedures. Boards may also want to discuss oversight of service providers and review summaries of risk assessments performed on any service providers that receive, maintain or process fund information, or that are permitted to access fund information systems.

Proposed Amendments to Fund Disclosures

The SEC is also proposing that funds would be required to provide prospective and current investors with disclosure about significant cybersecurity incidents. Specifically, funds would be required to describe in their registration statements any significant fund cybersecurity incident that has occurred in the last two fiscal years, which affected the fund or its service providers, and that information would have to be tagged using a structured data language. The disclosure would have to include the following information to the extent known:

Upon changes to the cybersecurity landscape or to its own cybersecurity risks, a fund would need to consider whether or not supplements to the registration statement should be filed to make timely disclosures of cybersecurity risks and significant fund cybersecurity incidents. In addition, the Proposing Release notes that funds should generally include in their annual reports to shareholders a discussion of cybersecurity risks and significant fund cybersecurity incidents, to the extent that these were factors that materially affected performance of the fund over the past fiscal year.

Comment Period

Comments on the Proposing Release should be submitted on or before (i) 30 days after the Proposing Release is published in the Federal Register or (ii) April 11, 2022, whichever is later.

[1] Release IC-34497, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (February 9, 2022) at https://www.sec.gov/rules/proposed/2022/33-11028.pdf ("Proposing Release").

[2] Regulation S-P requires written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

[3] Regulation S-ID requires written policies and procedures reasonably designed to identify and detect relevant red flags, as well as respond appropriately to red flags so as to prevent and mitigate identity theft.
