This year, the SEC made sweeping changes to the Investment Advisers Act of 1940, enhancing the regulation of hedge fund advisers and updating the existing compliance rule for all registered investment advisers. Given the substantial changes the SEC has made to these rules since their previous February 2022 amendments, many hedge funds are examining their compliance procedures to ensure they can withstand regulatory scrutiny.
To help hedge fund professionals navigate these onerous, and often confusing, new regulations, Arootah Adviser and Cybersecurity expert Steve Hart provides key takeaways from the rule changes and answers the questions hedge fund portfolio managers and compliance officers ask most frequently.
Proposed New Cybersecurity Policies and Procedures
Advisers owe their clients a duty of care and a duty of loyalty. An adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect client interests from the risks that arise when the adviser is unable to provide advisory services. These steps often include minimizing operational and other risks that could lead to a loss or misuse of client information. Under the Investment Advisers Act of 1940 (“Advisers Act”), the SEC’s Proposed Rule 204(6)-9 will require registered investment advisers (“RIAs”) to adopt and implement written cybersecurity policies and procedures reasonably designed to address such cybersecurity risks. RIAs will also be required to submit new paperwork (specifically Form ADV-C) to the Commission via the Investment Adviser Registration Depository (“IARD”) in the event a cybersecurity incident affects an adviser, its fund, or its private fund clients. Lastly, the SEC will require new forms of recordkeeping under the Advisers Act and the Investment Company Act. Together, these measures provide protection to both clients and firms.
Breaking Down the Proposed Rules
The Proposed Rules would require firms to use a risk-based approach to adopt and implement written cybersecurity policies and procedures. As a baseline, the Proposed Rule would require firms to conduct and document a risk assessment; implement access controls; protect internal information; monitor and remediate vulnerabilities; and detect, respond to, and report cybersecurity incidents. Additionally, advisers would be required to conduct an annual review and issue a written report assessing the design and effectiveness of their cybersecurity compliance program. Importantly, advisers conducting this review would need to examine both information related to the regulated entity’s business and personal data. The Proposed Rules would also require a fund’s entire board of directors or advisory board to review and approve the policies and procedures.
Reporting to the SEC
The Proposed Rules would require firms to confidentially report significant cybersecurity incidents via Form ADV-C no later than 48 hours after these firms have concluded that such an incident may have occurred. As noted above, financial services institutions are required to notify their primary regulator of significant cybersecurity incidents within 36 hours, and — if a financial services institution is also registered with the SEC as an RIA — these two notification requirements one another. The SEC defines significant cybersecurity incidents as incidents that “significantly disrupt or degrade [a firm’s] ability to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the RIA, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.”
Recordkeeping Requirements
The Proposed Rules would require firms to amend recordkeeping related to their compliance program, incident management, and board notification. These amendments could increase the burden, and potentially the liability, for RIAs contracting with service providers. Although RIAs may currently engage in initial due diligence and ongoing oversight of their service providers’ practices, the proposed rules hold RIAs responsible for addressing risks their service providers face in the event of a cybersecurity incident. These amendments mean that it is now more important than ever for hedge funds to retain expert consulting services to help navigate the ever-evolving regulatory landscape.
The Bottom Line
Staying informed and being proactive when it comes to addressing regulatory challenges is paramount for hedge funds. Leaders can navigate the evolving regulatory landscape with confidence by understanding the nuances of each issue and implementing changes based on their understanding.
Want to learn more and ensure your organization is set up for success? Find out how Arootah’s Hedge Fund Advisory can support you.