TheCorporateCounsel.net

February 10, 2022

Cybersecurity for Investment Advisers: SEC Proposal a Sign of Things to Come?

In addition to proposing to shorten the settlement cycle, yesterday’s open meeting also resulted in a proposal on compliance issues for private fund advisers under the 1940 Act – which John blogged about today on DealLawyers.com – and a proposal on cybersecurity risk management for registered investment advisers and investment companies. This one was issued on a 3-1 vote, with Commissioner Peirce issuing this dissenting statement (she wants a rule that fosters more direct & transparent cooperation between regulators & financial firms) and Chair Gensler, Commissioner Lee and Commissioner Crenshaw issuing supporting statements.

The cybersecurity proposal is significant because it underscores the SEC’s (and Biden administration’s) focus on cyber threats and shows what the Commission might view as “best practices” that could be implemented even outside of the investment adviser space. The SEC’s fact sheet explains that the proposal would:

– Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;

– Require advisers to confidentially report significant cybersecurity incidents to the Commission on proposed Form ADV-C within 48 hours of discovery;

– Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and

– Require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records.

A Skadden memo from earlier this week previews cyber rulemaking and suggests steps for companies and their service providers to consider. With regard to yesterday’s proposal, this Wachtell Lipton memo offers these takeaways:

We have long highlighted the critical importance for public companies of maintaining effective disclosure controls concerning cybersecurity breaches and risks, and that boards of directors maintain focus on oversight of cybersecurity risks, including cultivating an understanding of the idiosyncratic risks companies face based on the systems they use and data they collect. We have also repeatedly stressed the need to maintain robust written policies and procedures with respect to cybersecurity protective measures, incident detection and response, and disclosure protocols.

Apart from their direct applicability to RIAs and funds, the SEC’s new proposed rules constitute a significant step toward formalization of national standards and regulatory expectations for corporate approaches to cybersecurity risk management, public disclosure of cyber-related risks, and timely regulatory and public notification of significant cyber incidents. As cybersecurity threats proliferate and become ever more sophisticated, companies both within and without the investment industry should carefully consider the SEC’s prescriptions and consider whether any or all of these proposed components should be integrated into their existing cybersecurity risk management systems and procedures.

Liz Dunshee