Skip to main content
main content, press tab to continue
Article

Client Alert: SEC proposed new cybersecurity rules for financial institutions

Cybersecurity risk management for investment advisers, registered investment companies, and business development companies

By Emily Lowe and Timothy Sullivan | February 24, 2022

The new rules could impact cybersecurity risk management for investment advisers, registered investment companies and business development companies.
N/A

This article was originally written by our North American colleagues for a U.S. audience. We have shared this article for informational purposes only as it may be of interest to our global clients. Please speak to your local office contact to further discuss any of the points raised in this article.


On February 9, 2022, the Securities and Exchange Commission (SEC) released a notice of proposed rulemaking addressing cybersecurity practices and incident notification requirements for registered investment advisers (RIAs), registered investment companies and business development companies (collectively, the funds). The notice invites comments on the proposed rule by April 11, 2022. This announcement is the latest in a series of regulations developed by financial regulators concerned about cyber risk and its impact to the financial sector.

The current regulatory framework does make some considerations for cyber risk and security, in the sense that both the Investment Advisers Act of 1940 and the Investment Company Act of 1940 include compliance rules requiring written policies and procedures to address topics such as fiduciary duty, regulatory obligations and oversight of compliance. Further, regulation S-P requires financial institutions to, among other things, “adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records”.

However, the SEC highlights the absence of rules specifically requiring financial institutions to adopt and implement comprehensive cybersecurity programs and the potential harm this presents to funds and investors. To address this, the SEC’s proposed rule, (206(4)-9 under the advisers act and 38a-2 under the Investment Company Act) if approved, would require the following:

  • Cybersecurity risk management policies and procedures: Adoption and implementation of cybersecurity policies and procedures tailored to the specific cyber risk profile of the RIA and the funds. The objective is to ensure such firms are prepared to address the multitude of potential internal and external cyber risks associated with their business. The rule would also impose new recordkeeping requirements for certain elements of these policies and procedures.
  • Reporting of significant cybersecurity incidents: Notification of significant cybersecurity incidents affecting the RIA, the funds or private funds must be made promptly to the SEC via the newly proposed Form ADV-C, but in no event more than 48 hours after having a reasonable basis to believe that a relevant incident has occurred or is occurring.
  • Disclosure of cybersecurity risks and incidents: Increased disclosure requirements intended to provide investors greater insight into the cybersecurity posture and history of the cyber incidents at the RIA and funds, while also encouraging greater accountability on these issues.

Other noteworthy items

Service providers

The SEC is seeking comments on numerous topics related to the proposed rule. Of note is question #18 on page 38, which inquires about the extent to which funds and RIAs consider their service providers’ insurance policies when responding to cybersecurity incidents. While most funds and RIAs typically impose comprehensive insurance requirements upon their service providers, the proposed rule may lead to greater scrutiny as it relates to cyber and technology errors and omissions insurance. Service providers not currently maintaining these coverages may feel increased pressure to do so, while those that do maintain such coverage may be encouraged to increase their limits if current levels are deemed inadequate by advisers and funds.

Reporting requirement

The previously noted 48-hour notice requirement applies after the RIA has “a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring.” There are additional requirements to amend such notification in the event the information has been deemed materially inaccurate or if there are material updates. If adopted, these reporting requirements have the potential to materially impact existing internal incident response and compliance procedures.

Fund board oversight

If adopted, rule 38a-2 would impose requirements on the fund board of directors to approve the fund’s cybersecurity policies and procedures. Further, the fund board would be required to review the written report on cybersecurity incidents, as well as any material changes to the fund’s cybersecurity policies and procedures. Such requirements are intended to support and encourage active participation by fund board members on cybersecurity issues while creating accountability for the administration of the fund’s cybersecurity policies and procedures.

Insurance considerations

Though this rule remains in draft stage, it is important to be mindful of its potential insurance implications.

Such considerations include:

  • Cyber: As some policies contain exclusions relating to the violations of various securities laws, it may be necessary to amend such exclusion so as not to apply to this regulation, if adopted.
  • Funds: It is important to understand how funds are contemplated for coverage under a cyber policy. If coverage is not currently afforded to the funds, consideration should be given to doing so in anticipation of this new rule.
  • Directors’ & officers’ and errors and omissions liability (D&O/E&O): Review the breadth and scope of coverage afforded under adviser and fund D&O/E&O policies and be mindful of any existing or proposed cyber-related exclusions.
  • Fidelity bond: The bolstering of policies, procedures and controls in accordance with this rule can only improve an organization’s risk profile and should be highlighted in the context of fidelity bond renewals.

WTW’s global Financial, Executives and Professional Risks team (FINEX) will continue to monitor the progress of this and other regulations as they develop. If you have any questions relating to the SEC’s proposed rules, please contact your WTW broker.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc. (in Canada).

Authors


Director, FINEX Cyber team North America
email Email

Asset Management Industry Leader

Contact us