Four Takeaways from the SEC’s Proposed Cybersecurity Rules

Posted by Charu Chandrasekhar, Avi Gesser, and Julie Riewe, Debevoise & Plimpton LLP, on Monday, March 7, 2022

Editor’s Note: Charu Chandrasekhar is counsel, and Avi Gesser and Julie Riewe are partners at Debevoise & Plimpton LLP. This post is based on a Debevoise memorandum by Ms. Chandrasekhar, Mr. Gesser, Ms. Riewe, H Jacqueline Brehmer, Christopher Ford, and Matthew Rametta.

On February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.

Chair Gensler recently emphasized that cybersecurity rulemaking in this area is one of his priorities, and placed particular emphasis on establishing standards for cybersecurity hygiene and incident reporting for registrants. The proposed rules, which are the most detailed cybersecurity rules that Chair Gensler’s SEC has issued thus far, reflect the SEC’s intense attention to cybersecurity risk and its willingness to deploy the full scope of its regulatory authority to promulgate standards that address this risk.

These proposed rules would impose significant new requirements on registered investment advisers and funds, and are generally consistent with cybersecurity requirements imposed on other companies by New York’s Part 500 Cybersecurity Regulation and the Federal Trade Commission’s updated Safeguards Rule.

Key Requirements under the Proposed Rules

(1) Cybersecurity Risk Management Policies & Procedures: The proposed rules would require advisers and funds to adopt and implement policies and procedures that are “reasonably designed” to address cybersecurity risks. There are several “general elements” that advisers and funds will need to address in their cybersecurity policies and procedures, including risk assessment practices, user security and access, preventing unauthorized access to funds, threat and vulnerability management, and incident response and recovery. The proposed rules require advisers and funds, on an annual basis, to: (1) review and assess the design and effectiveness of their cybersecurity policies and procedures; and (2) prepare a report describing the review, explaining the results, documenting any incident that has occurred since the last report, and discussing any material changes to the policies and procedures since the last report.
