The Securities and Exchange Commission is proposing new rules and amendments aimed at protecting the financial industry from cybersecurity threats.
In a news release issued last week, the SEC said the proposed rules would require registered investment advisers and funds to formally implement written policies and procedures to address cybersecurity risks. These policies would have to be reviewed and evaluated at least annually.
Advisers would also be required to report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients. These incidents would be reported to the SEC on a new confidential form, Form ADV-C.
The commission said dealing with cyber risk is part of its mission of protecting investors and maintaining orderly markets. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.
The proposed rules, which fall under the Investment Advisers Act of 1940 and the Investment Company Act of 1940, would also require advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
In addition, advisers and funds would be given new recordkeeping requirements to make cybersecurity information more widely available.
There will be a public comment period of 60 days after the proposal is published on the SEC’s website and in the Federal Register.
RIAs are strictly regulated not only by the SEC, but also by state securities regulators. The attorneys at Lewitas Hyman have helped RIA clients better understand the constantly shifting regulatory landscape impacting RIA regulatory compliance. For more information about the services we provide to RIAs, please contact Lewitas Hyman at (312) 291-4600 or through our online contact form.