SEC Reopens Comment Period on Cybersecurity Proposal
The SEC reopened the comment period on proposed cybersecurity risk management and reporting requirements. The proposed requirements apply to registered investment advisers, registered investment companies and business development companies and would amend certain rules that govern investment adviser and fund disclosures.
As previously covered, the proposed requirements are intended to (i) address concerns relating to advisers and funds' cybersecurity preparedness and to reduce cyber risk, (ii) improve adviser and fund disclosures and (iii) improve the SEC’s ability to assess systemic risk resulting from cyber incidents.
The proposed rules would require:
- advisers and funds to adopt and implement written policies reasonably designed to address cybersecurity risks;
- advisers to report significant cybersecurity incidents to the SEC on proposed form ADV-C; and
- advisers and funds to create cybersecurity-related books and records.
The proposal also expands adviser and fund disclosures relating to cybersecurity risks and incidents.
Comments are due 60 days after publication in the Federal Register.
Related Articles
-
The SEC proposed cybersecurity risk management and reporting requirements that would be applicable to registered investment advisers, registered investment companies and business development companies. The SEC also proposed amendments to certain rules that govern investment adviser and fund disclosures.
-
In remarks before the European Parliament Committee on Economic and Monetary Affairs, SEC Chair Gary Gensler described investor protection implications of evolving financial technologies.
-
SEC Chair Gary Gensler honed in on three policy areas concerning the SEC's role in protecting the financial sector from cyber risks: (i) cyber hygiene and preparedness, (ii) reporting of certain cyber incidents to the government, and (iii) disclosure of cyber incidents to the public.