The SEC recently proposed a series of new rules and amendments (the Proposed Rules)
under the Investment Advisers Act of 1940 and the Investment
Company Act of 1940 concerning cybersecurity risk management for
registered investment advisers (registered advisers) as well as
registered investment companies (registered funds). If adopted,
these rules would require registered advisers and registered funds
to implement extensive written cybersecurity policies and
procedures and significantly augment their cybersecurity reporting,
disclosure and recordkeeping obligations. Coming on the heels of
SEC Chair Gary Gensler’s recent vow to improve the
“overall cybersecurity posture and resiliency of the financial
sector,” the Proposed Rules are the latest demonstration of
the SEC’s heightened focus on bolstering regulations to better
prevent and respond to cybersecurity attacks on securities markets.
Issuance of the Proposed Rules is also driven by the SEC’s
expressly stated concern that, notwithstanding observations the SEC
has made in recent risk alerts and enforcement actions, registered
advisers and registered funds have not adopted reasonably designed
cybersecurity programs to sufficiently address an increasingly
sophisticated and volatile cyberthreat landscape.
Comments on the Proposed Rules are due on the later of
April 11, 2022 or 30 days after their publication in the Federal
Register.

Background on Registered Advisers and Registered Funds

The Proposed Rules would impose substantially similar
obligations on registered advisers—such as money managers,
investment consultants and financial planners—and registered
funds—such as mutual funds, exchange-traded funds, registered
closed-end funds, business development companies, and unit
investment trusts—but there are some distinctions,
particularly with respect to reporting and disclosure requirements.
While both registered advisers and registered funds would be
obligated to disclose significant cybersecurity incidents to
clients and investors, only registered advisers would be required
to report such incidents to the SEC. Because registered advisers
would have to report incidents of their fund…