On February 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for registered advisers and funds. [1] The proposal reflects the first SEC rules specifically addressing cybersecurity programs and reporting.
Most notably, the rules would impose a rapid reporting requirement when advisers face serious cyberattacks. Advisers would have to report any “significant cybersecurity incident” within 48 hours of its discovery by confidentially filing a proposed new Form ADV-C.
The reporting requirement would be triggered if (1) a cyberattack “significantly disrupts or degrades” the ability of an adviser or its private fund clients to “maintain critical operations,” or (2) the attack results in unauthorized access to “adviser information” or “fund information” resulting in “substantial harm” to the adviser, its clients, a fund, or investors. The proposed rule offers specific examples of “significant cybersecurity incidents,” including a malware attack that shuts down an adviser’s “websites or email functions” or a system breach that impedes a fund’s ability to “conduct its business” or results in the “theft of fund information.”
The 48-hour clock begins to tick as soon as an adviser has a “reasonable basis to conclude” that a significant incident has occurred or is occurring. Certainty is not the standard. The proposed rules make clear that advisers must not wait until they “definitively conclude[] that an incident has occurred or is occurring.”