Cybersecurity risk management for investment advisers, registered investment companies, and business development companies
On February 9, 2022, the Securities and Exchange Commission (SEC) released a notice of proposed rulemaking addressing cybersecurity practices and incident notification requirements for registered investment advisers (RIAs), registered investment companies and business development companies (collectively, the funds). The notice invites comments on the proposed rule by April 11, 2022. This announcement is the latest in a series of regulations developed by financial regulators concerned about cyber risk and its impact to the financial sector.
The current regulatory framework does take cyber risk and security into account to some extent, in the sense that both the Investment Advisers Act of 1940 and the Investment Company Act of 1940 include compliance rules requiring written policies and procedures to address topics such as fiduciary duty, regulatory obligations and oversight of compliance. Further, Regulation S-P requires financial institutions to, among other things, "adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records".
However, the SEC highlights the absence of rules specifically requiring financial institutions to adopt and implement comprehensive cybersecurity programs, and the potential harm this presents to funds and investors. To address this, the SEC's proposed rules (Rule 206(4)-9 under the Advisers Act and Rule 38a-2 under the Investment Company Act), if approved, would require the following:
The SEC is seeking comments on numerous topics related to the proposed rule. Of note is question #18 on page 38, which inquires about the extent to which funds and RIAs consider their service providers’ insurance policies when responding to cybersecurity incidents. While most funds and RIAs typically impose comprehensive insurance requirements upon their service providers, the proposed rule may lead to greater scrutiny as it relates to cyber and technology errors and omissions insurance. Service providers not currently maintaining these coverages may feel increased pressure to do so, while those that do maintain such coverage may be encouraged to increase their limits if current levels are deemed inadequate by advisers and funds.
The previously noted 48-hour notice requirement applies after the RIA has "a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring." There are additional requirements to amend such a notification if the information previously reported is deemed materially inaccurate or if there are material updates. If adopted, these reporting requirements have the potential to materially impact existing internal incident response and compliance procedures.
If adopted, rule 38a-2 would impose requirements on the fund board of directors to approve the fund’s cybersecurity policies and procedures. Further, the fund board would be required to review the written report on cybersecurity incidents, as well as any material changes to the fund’s cybersecurity policies and procedures. Such requirements are intended to support and encourage active participation by fund board members on cybersecurity issues while creating accountability for the administration of the fund’s cybersecurity policies and procedures.
Though this rule remains in the draft stage, it is important to be mindful of its potential insurance implications.
Such considerations include:
WTW’s global Financial, Executives and Professional Risks team (FINEX) will continue to monitor the progress of this and other regulations as they develop. If you have any questions relating to the SEC’s proposed rules, please contact your WTW broker.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc. (in Canada).