New rules proposed by the Securities Exchange Commission could change the way the advisors and funds communicate cyber risk to investors. If adopted, funds would be required to maintain records of cybersecurity polices and procedures, and report incidents within a 48 hour window, among other measures.
In a show of continued emphasis on cybersecurity enforcement from U.S. government agencies in the wake of the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity (Exec. Order No. 14028, May 12, 2021), on February 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940 (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act), aimed at enhancing the cybersecurity policies and procedures, reviews, and reporting and disclosure requirements of registered investment advisers (advisers) and investment companies (funds).
“Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets,” said SEC Chair Gary Gensler, in a statement. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers…
