On February 9, 2022, the SEC published a release addressing Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Release”). The Release contained proposed new rules under the Advisers Act (Rules 206(4)-9 and 204-6) and the Investment Company Act of 1940 (Rule 38a-2) and amendments (collectively, the “Proposals”), which would require registered investment advisers (“advisers”) and registered investment companies (“registered funds”) to implement cybersecurity risk management programs and new incident notification regimes. If adopted, the Proposals would:

  • Require advisers and registered funds to disclose detailed information about their “cybersecurity risks” and “cybersecurity incidents” to current and prospective clients and shareholders;
  • Require reporting to the SEC of any “significant adviser cybersecurity incident” (which may involve a private fund or a client) and any “significant fund cybersecurity incident” (for registered funds) within 48 hours of having a reasonable basis to conclude that the incident has occurred or is occurring; and
  • Require advisers and registered funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks.

The proposed rules would not apply directly to private funds, which are exempt from registration under the Investment Company Act of 1940 and are therefore subject instead to the FTC’s Safeguards Rule for cybersecurity. The proposed SEC rules would, however, apply to the registered investment advisers that advise those private funds. Fortunately, the proposed rules appear to be largely consistent with the FTC’s revised Safeguards Rule, so an adviser already building a Safeguards Rule program should find substantial overlap.

For more details, see Ropes & Gray’s client alert on the Proposals.