On February 9, 2022, the SEC released proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for registered investment advisers (“RIAs”) and funds that would impose sweeping new cybersecurity obligations for RIAs to private equity funds. The proposals reflect the consistent priority that Chair Gary Gensler has placed on rulemaking, examinations and enforcement regarding both private funds and cybersecurity, as well as the Staff’s observations that “certain advisers and funds” continue to “show a lack of cybersecurity preparedness, which puts clients and investors at risk.” The proposed rules will significantly impact the private equity industry given the size and rapid growth of the sector. As Chair Gensler noted in his May 2021 congressional testimony, there are 18,000 private equity funds with over $5 trillion in assets under management, which represents a five-year growth rate of 116%.
The proposed rules are significant because they promulgate an entirely new cybersecurity regulatory regime for RIAs to private funds, requiring an expansion of cybersecurity risk management practices to cover all systems and data for such entities. While Risk Alerts from the SEC’s Division of Examinations have provided guidance regarding cybersecurity-related issues during the past few years, and many RIAs have strengthened their programs in response to that guidance, the proposed rules set forth definitive requirements. If adopted, the proposed rules would require RIAs to private equity funds to implement cybersecurity risk management programs, new incident notification protocols and new disclosures. The notice-and-comment period for the proposed rules closed on April 11, 2022.
The proposed rules would thus increase the compliance obligations on RIAs to private equity funds and also increase regulatory risk due to new grounds for cybersecurity exam deficiency findings and enforcement actions. As such, RIAs to private funds should prepare now for the potential change in the regulatory landscape.
Key Requirements under the Proposed Rules
(1) Incident Reporting: Proposed rule 204-6 under the Investment Advisers Act of 1940 would require RIAs, “including on behalf of a client that is a registered investment company or business development company, or a private fund” (collectively, “covered clients”), to report any significant cybersecurity incidents, which are defined as any event that:
- “significantly disrupts or degrades the adviser’s” or private fund client’s “ability to maintain critical operations”; or
- “leads to the unauthorized access or use of adviser information,” resulting in substantial harm to the RIA or to a client or an investor in a private fund whose information was accessed.
RIAs, on behalf of themselves and their covered clients, must report to the SEC “promptly, but in no event more than 48 hours, after having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring.”
RIAs must use the new Proposed Form ADV-C for incident notification to the SEC. The notification must include a detailed description of the nature and scope of the incident and any disclosures about it. RIAs will be expected to update any previously submitted Forms ADV-C when there has been a material change in facts. The proposed rule states that submitted Forms ADV-C will remain confidential and not be disclosed to the general public.
(2) Cybersecurity Risk Management Policies and Procedures: Proposed Advisers Act Rule 206(4)-9 would require RIAs to private funds to adopt and implement policies and procedures that are “reasonably designed” to address cybersecurity risks. These policies and procedures need to address:
- risk assessment practices;
- user security and access;
- preventing unauthorized access to funds; and
- threat and vulnerability management and incident response and recovery.
The proposed rules also require RIAs to private funds, on an annual basis, to:
- review and assess the design and effectiveness of their cybersecurity policies and procedures; and
- prepare a report describing the review, explaining the results, documenting any incident that has occurred since the last report and discussing any material changes to the policies and procedures since the last report.
Finally, the SEC’s proposed amendments to Advisers Act Rule 204-2 would impose additional recordkeeping requirements on RIAs. Rule 204-2 would be amended to require RIAs to retain, among other items, a copy of their cybersecurity policies and procedures and of any Form ADV-C filed by the RIA under Rule 204-6 in the last five years.
(3) Disclosure Obligations for RIAs: The proposed rules would also amend Form ADV Part 2A for RIAs to include Item 20 (“Cybersecurity Risks and Incidents”), requiring disclosure of (a) cybersecurity risks and incidents that could materially affect the advisory relationship with current and prospective clients and (b) any significant cybersecurity incidents that have occurred within the last two fiscal years. The amendment would require that RIAs describe the cybersecurity risks that could materially affect the services they offer and how they plan to assess and address those risks. Under the proposed rules, the disclosures must include information about the likelihood that and extent to which the cybersecurity risk or incident:
- could occur and what safeguards are in place to prevent it;
- could disrupt or has disrupted the RIA’s ability to provide services;
- could result or has resulted in the loss or compromise of sensitive data; and
- has or could harm clients.
Additionally, Proposed Amendment 204-3(b) would require RIAs to deliver interim brochure amendments to clients if:
- the RIA was subject to a cybersecurity incident after the dissemination of its brochure; or
- the information already disclosed in its brochure about an incident materially changes based on new discoveries.
Key Takeaways
- Prepare for 48-Hour Breach Notice Deadline: RIAs may find it challenging to meet the 48-hour reporting timeline of the SEC’s proposed rules. To meet the tight notification deadline and gain credibility with regulators, it is important for RIAs to have clear protocols for escalating incidents, drafting notifications and obtaining the necessary approvals. Specifically, RIAs should consider:
  - Who Is Covered: Confirming which advisory entities and private funds are subject to the new notification deadline and assessing which data, information systems and employees are associated with the covered entities.
  - Who Is Responsible: Determining the person responsible for notifying the SEC of the incident and who else must approve the notification. It may be prudent to designate multiple people for each of these roles.
  - Prompt Escalation: Determining which incidents may trigger the 48-hour notification requirement and therefore should be escalated to the persons responsible for the notification, as well as who should be making that escalation.
  - Notification Template: Creating a sample notification template that tracks the requirements of Form ADV-C so that the actual notification does not need to be drafted from scratch during an incident.
- Adopt, Implement and Test Policies and Procedures: The proposed rules expand RIA obligations regarding cybersecurity policies and procedures and delineate the expected elements of a cybersecurity risk and incident response program, including user security and access, information protection, threat and vulnerability management and cybersecurity incident response and recovery. While preexisting policies and procedures may cover some of these components, RIAs must ensure that all of them are included. Moreover, it will be crucial to regularly test these cybersecurity policies and procedures to ensure sufficient implementation and compliance with the SEC’s proposed rules—particularly since targeting policies and procedures violations by RIAs is a common SEC enforcement approach.
- Disclosures and Evidence Preservation: The proposed rules emphasize the importance of clear and accurate disclosures regarding cybersecurity risk and incidents to investors and the SEC, formalizing takeaways from the SEC’s 2021 enforcement actions against Pearson and First American as well as the priorities emphasized by Chair Gensler’s January 24, 2022 speech. Once they are enacted, the SEC likely will use the proposed rules to scrutinize cybersecurity-related disclosures and recordkeeping violations through exams and enforcement actions. RIAs should ensure that their disclosures are both accurate and supported by objective documentation, which will require analysis of privilege considerations.
- Incident Response Planning: RIAs should review their incident response and business continuity plans and consider testing those plans through tabletop exercises. Given that the proposed rules create obligations for RIAs to disclose cybersecurity incidents affecting private fund clients’ systems or information, tabletop exercises can test how incidents are escalated and the engagement of all the relevant players in the incident-response process.