Proposed Rule 2022-03145

Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
March 9, 2022

Issuing agencies

Securities and Exchange Commission

Abstract

The Securities and Exchange Commission is proposing new rules under the Investment Advisers Act of 1940 ("Advisers Act") and the Investment Company Act of 1940 ("Investment Company Act") to require registered investment advisers ("advisers") and investment companies ("funds") to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks. The Commission also is proposing a new rule and form under the Advisers Act to require advisers to report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission. With respect to disclosure, the Commission is proposing amendments to various forms regarding the disclosure related to significant cybersecurity risks and cybersecurity incidents that affect advisers and funds and their clients and shareholders. Finally, we are proposing new recordkeeping requirements under the Advisers Act and Investment Company Act.

Full Text

<html>
<head>
<title>Federal Register, Volume 87 Issue 46 (Wednesday, March 9, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 46 (Wednesday, March 9, 2022)]
[Proposed Rules]
[Pages 13524-13595]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-03145]


[[Page 13523]]

Vol. 87, No. 46

Wednesday, March 9, 2022

Part IV

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 230, 232, 239, et al.

Cybersecurity Risk Management for Investment Advisers, Registered 
Investment Companies, and Business Development Companies; Proposed Rule

[[Page 13524]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 230, 232, 239, 270, 274, 275, and 279

[Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22]
RIN 3235-AN08


Cybersecurity Risk Management for Investment Advisers, Registered 
Investment Companies, and Business Development Companies

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission is proposing new rules 
under the Investment Advisers Act of 1940 (``Advisers Act'') and the 
Investment Company Act of 1940 (``Investment Company Act'') to require 
registered investment advisers (``advisers'') and investment companies 
(``funds'') to adopt and implement written cybersecurity policies and 
procedures reasonably designed to address cybersecurity risks. The 
Commission also is proposing a new rule and form under the Advisers Act 
to require advisers to report significant cybersecurity incidents 
affecting the adviser, or its fund or private fund clients, to the 
Commission. With respect to disclosure, the Commission is proposing 
amendments to various forms regarding the disclosure related to 
significant cybersecurity risks and cybersecurity incidents that affect 
advisers and funds and their clients and shareholders. Finally, we are 
proposing new recordkeeping requirements under the Advisers Act and 
Investment Company Act.

DATES: Comments should be received on or before April 11, 2022.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

    <bullet> Use the Commission's internet comment form (<a href="https://www.sec.gov/rules/submitcomments.htm">https://www.sec.gov/rules/submitcomments.htm</a>); or
    <bullet> Send an email to rule-comments@sec.gov. Please include 
File Number S7-04-22 on the subject line.

Paper Comments

    <bullet> Send paper comments to Secretary, Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-04-22. The file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method of submission. The Commission will post all 
comments on the Commission's website (<a href="https://www.sec.gov/rules/proposed.shtml">https://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549, on official business days between the hours of 10 
a.m. and 3 p.m. Operating conditions may limit access to the 
Commission's Public Reference Room. All comments received will be 
posted without change; the Commission does not edit personal 
identifying information from submissions. You should submit only 
information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on the Commission's website. To ensure direct 
electronic receipt of such notifications, sign up through the ``Stay 
Connected'' option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Juliet Han, Senior Counsel; Thomas 
Strumpf, Senior Counsel; Christopher Staley, Branch Chief; or Melissa 
Gainor, Assistant Director, at (202) 551-6787, Investment Adviser 
Regulation Office, Division of Investment Management, (202) 551-6787 or 
IArules@sec.gov; Y. Rachel Kuo, Senior Counsel; Amanda Hollander 
Wagner, Branch Chief; or Brian McLaughlin Johnson, Assistant Director, 
Investment Company Regulation Office, Division of Investment 
Management, (202) 551-6792 or IM-Rules@sec.gov; David Joire, Senior 
Special Counsel, at (202) 551-6825, Chief Counsel's Office, Division of 
Investment Management, (202) 551-6825 or IMOCC@sec.gov, Securities and 
Exchange Commission, 100 F Street NE, Washington, DC 20549-8549.

SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission 
(``Commission'') is proposing for public comment 17 CFR 275.206(4)-9 
(``proposed rule 206(4)-9'') and 17 CFR 275.204-6 (``proposed rule 204-
6'') under the Advisers Act [15 U.S.C. 80b-1 et seq.]; 17 CFR 270.38a-2 
(``proposed rule 38a-2'') under the Investment Company Act [15 U.S.C. 
80a-1 et seq.]; and new Form ADV-C [referenced in 17 CFR 279.7] under 
the Advisers Act; amendments to 17 CFR 275.204-2 (``rule 204-2'') and 
17 CFR 275.204-3 (``rule 204-3'') under the Advisers Act; amendments to 
Form ADV [referenced in 17 CFR 279.1] under the Advisers Act; 
amendments to Form N-1A [referenced in 17 CFR 274.11A], Form N-2 
[referenced in 17 CFR 274.11a-1], Form N-3 [referenced in 17 CFR 
274.11b], Form N-4 [referenced in 17 CFR 274.11c], Form N-6 [referenced 
in 17 CFR 274.11d], Form N-8B-2 [referenced in 17 CFR 274.12], and Form 
S-6 [referenced in 17 CFR 239.16] under the Investment Company Act and 
the Securities Act of 1933 (``Securities Act'') [15 U.S.C. 77a et 
seq.]; amendments to 17 CFR 232.11 (``rule 11 of Regulation S-T'') and 
17 CFR 232.405 (``rule 405 of Regulation S-T'') under the Securities 
Exchange Act of 1934 (``Exchange Act'') [15 U.S.C. 78a et seq.]; 
amendments to 17 CFR 230.485 (``rule 485'') under the Securities Act; 
and amendments to 17 CFR 230.497 (``rule 497'') under the Securities 
Act.\1\
---------------------------------------------------------------------------

    \1\ Unless otherwise noted, when we refer to the Investment 
Company Act, we are referring to 15 U.S.C. 80a, and when we refer to 
rules under the Investment Company Act, we are referring to title 
17, part 270 of the Code of Federal Regulations [17 CFR 270]. In 
addition, unless otherwise noted, when we refer to the Advisers Act, 
we are referring to 15 U.S.C. 80b, and when we refer to rules under 
the Advisers Act, we are referring to title 17, part 275 of the Code 
of Federal Regulations [17 CFR 275].
---------------------------------------------------------------------------

Table of Contents

I. Introduction
    A. Adviser and Fund Cybersecurity Risks
    B. Current Legal and Regulatory Framework
    C. Overview of Rule Proposal
II. Discussion
    A. Cybersecurity Risk Management Policies and Procedures
    1. Required Elements
    2. Annual Review and Required Written Reports
    3. Fund Board Oversight
    4. Recordkeeping
    B. Reporting of Significant Cybersecurity Incidents to the 
Commission
    1. Proposed Rule 204-6
    2. Form ADV-C
    C. Disclosure of Cybersecurity Risks and Incidents
    1. Proposed Amendments to Form ADV Part 2A
    2. Cybersecurity Risks and Incidents Disclosure
    3. Requirement To Deliver Certain Interim Brochure Amendments to 
Existing Clients
    4. Proposed Amendments To Fund Registration Statements
III. Economic Analysis
    A. Introduction
    B. Broad Economic Considerations
    C. Baseline
    1. Cybersecurity Risks and Practices
    2. Regulation
    3. Market Structure
    D. Benefits and Costs of the Proposed Rule and Form Amendments

[[Page 13525]]

    1. Cybersecurity Policies and Procedures
    2. Disclosures of Cybersecurity Risks and Incidents
    3. Regulatory Reporting of Cybersecurity Incidents
    4. Recordkeeping
    E. Effects on Efficiency, Competition, and Capital Formation
    F. Alternatives Considered
    1. Alternatives to the Proposed Policies and Procedures 
Requirement
    2. Modify Requirements for Structuring Disclosure of 
Cybersecurity Risks and Incidents
    3. Public Disclosure of Form ADV-C
IV. Paperwork Reduction Act Analysis
    A. Introduction
    B. Rule 206(4)-9
    C. Rule 38a-2
    D. Rule 204-2
    E. Rule 204-6
    F. Form ADV-C
    G. Form ADV
    H. Rule 204-3
    I. Form N-1A
    J. Form N-2
    K. Form N-3
    L. Form N-4
    M. Form N-6
    N. Form N-8B-2 and Form S-6
    O. Investment Company Interactive Data
    P. Request for Comment
V. Initial Regulatory Flexibility Act Analysis
    A. Reason for and Objectives of the Proposed Action
    B. Legal Basis
    C. Small Entities Subject to the Rules and Rule Amendments
    D. Projected Reporting, Recordkeeping and Other Compliance 
Requirements
    E. Duplicative, Overlapping, or Conflicting Federal Rules
    F. Significant Alternatives
    G. Solicitation of Comments
VI. Consideration of Impact on the Economy
VII. Statutory Authority

I. Introduction

A. Adviser and Fund Cybersecurity Risks

    Advisers and funds play an important role in our financial markets 
and increasingly depend on technology for critical business 
operations.\2\ Advisers and funds are exposed to, and rely on, a broad 
array of interconnected systems and networks, both directly and through 
service providers such as custodians, brokers, dealers, pricing 
services, and other technology vendors. Advisers also increasingly use 
digital engagement tools and other technology to engage with clients 
and develop and provide investment advice.\3\ As a result, they face 
numerous cybersecurity risks and may experience cybersecurity incidents 
that can cause, or be exacerbated by, critical system or process 
failures.\4\
---------------------------------------------------------------------------

    \2\ Unless otherwise noted, the term ``fund'' means a registered 
investment company or a closed-end company that has elected to be 
treated as a business development company under the Investment 
Company Act (``BDC'').
    \3\ Request for Information and Comments on Broker-Dealer and 
Investment Adviser Digital Engagement Practices, Related Tools and 
Methods, and Regulatory Considerations and Potential Approaches; 
Information and Comments on Investment Adviser Use of Technology to 
Develop and Provide Investment Advice, Investment Advisers Act 
Release No. 5833 (Aug. 27, 2021) [86 FR 49067 (Sept. 1, 2021)].
    \4\ See, e.g., Financial Services Information Sharing and 
Analysis Center, Navigating Cyber 2021 (Mar. 2021), available at 
<a href="https://www.fsisac.com/navigatingcyber2021-report">https://www.fsisac.com/navigatingcyber2021-report</a> (detailing cyber 
threats that emerged in 2020 and predictions for 2021).
---------------------------------------------------------------------------

    At the same time, cyber threat actors have grown more sophisticated 
and may target advisers and funds, putting them at risk of suffering 
significant financial, operational, legal, and reputational harm.\5\ 
Cybersecurity incidents affecting advisers and funds also can cause 
substantial harm to their clients and investors. For example, 
cybersecurity incidents caused by malicious software (also known as 
malware) can cause the loss of adviser, fund, or client data. 
Cybersecurity incidents can prevent an adviser or fund from executing 
its investment strategy or an adviser, fund, client, or investor from 
accessing an account, which can lead to financial losses for clients or 
investors. In addition, cybersecurity incidents can lead to the theft 
of intellectual property, confidential or proprietary information, or 
client assets.
---------------------------------------------------------------------------

    \5\ See, e.g., Federal Bureau of Investigation, 2020 Internet 
Crime Report (Mar. 17, 2021), at 5, available at <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf</a> (``FBI 2020 
Internet Crime Report'') (noting the FBI's Internet Crime Complaint 
Center received more than 791,790 complaints in 2020); see also SEC, 
Office of Compliance, Inspections and Examinations (``OCIE'') (as of 
December 17, 2020, OCIE was renamed the Division of Examinations 
(``EXAMS'')); SEC, EXAMS Risk Alert, Cybersecurity: Ransomware Alert 
(July 10, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf</a> (``EXAMS Ransomware Risk Alert'') 
(observing an apparent increase in sophistication of ransomware 
attacks on SEC registrants); SEC, EXAMS Risk Alert, Cybersecurity: 
Safeguarding Client Accounts against Credential Compromise (Sept. 
15, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf</a> (``EXAMS Credential Stuffing Risk 
Alert''). Any staff statements represent the views of the staff. 
They are not a rule, regulation, or statement of the Commission. 
Furthermore, the Commission has neither approved nor disapproved 
their content. These staff statements, like all staff statements, 
have no legal force or effect: They do not alter or amend applicable 
law; and they create no new or additional obligations for any 
person.
---------------------------------------------------------------------------

    An adviser or a fund may incur substantial remediation costs due to 
a cybersecurity incident.\6\ It may need to reimburse clients for 
cybersecurity-related losses as well as implement expensive 
organizational or technological changes to reinforce its ability to 
respond to and recover from a cybersecurity incident. It may also see 
an increase in its insurance premiums. In addition, an adviser or fund 
may face increased litigation, regulatory, or other legal and financial 
risks or suffer reputational damage, and any of these outcomes could 
cause its clients or investors to lose confidence in their adviser or 
fund, or the financial markets more generally. Cybersecurity risk 
management is therefore a critical area of focus for advisers and 
funds, and many advisers and funds have taken steps to address 
cybersecurity risks.
---------------------------------------------------------------------------

    \6\ See, e.g., Ponemon Institute and IBM Security, Cost of Data 
Breach Report 2021 (July 2021), available at <a href="https://www.ibm.com/security/data-breach">https://www.ibm.com/security/data-breach</a> (``Cost of Data Breach Report'') (noting the 
average cost of a data breach in the financial industry in the 
United States is $5.72 million); FBI 2020 Internet Crime Report, 
supra footnote 5, at 15 (noting that cybercrime victims lost 
approximately $4.2 billion in 2020).
---------------------------------------------------------------------------

    The Commission and its staff have focused, and continue to focus, 
on cybersecurity risks to advisers and their clients, and to funds and 
their investors.\7\ We are concerned about the efficacy of adviser and fund 
practices industry-wide to address cybersecurity risks and incidents, 
and that less robust practices may not address investor protection 
concerns. We are also concerned about the effectiveness of disclosures 
to advisory clients and fund shareholders concerning cybersecurity 
risks and incidents. The staff has observed a number of practices with 
respect to firms addressing cybersecurity risk and has provided its 
observations on a number of occasions to assist firms in enhancing 
their cybersecurity preparedness.\8\ Despite these efforts and in the 
face of ever-increasing cybersecurity risk, staff continues to observe 
that certain advisers and funds show a lack of cybersecurity 
preparedness, which puts clients and investors at risk. We believe that 
clients and investors would be better protected if advisers and funds 
were required to have policies and procedures that include specific 
elements to address cybersecurity risks.
---------------------------------------------------------------------------

    \7\ See, e.g., Division of Investment Management Cybersecurity 
Guidance, IM Guidance Update No. 2015-02 (Apr. 2015), available at 
<a href="https://www.sec.gov/investment/im-guidance-2015-02.pdf">https://www.sec.gov/investment/im-guidance-2015-02.pdf</a>; Division of 
Investment Management, Business Continuity Planning for Registered 
Investment Companies, IM Guidance Update No. 2016-04 (June 2016), 
available at <a href="https://www.sec.gov/investment/im-guidance-2016-04.pdf">https://www.sec.gov/investment/im-guidance-2016-04.pdf</a>.
    \8\ See, e.g., SEC, EXAMS, Cybersecurity and Resiliency 
Observations (Jan. 27, 2020), available at <a href="https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf">https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf</a> 
(``EXAMS Cybersecurity and Resiliency Observations''); EXAMS 
Cybersecurity Initiative (Apr. 15, 2014), available at 
<a href="https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert_Appendix_-4.15.14.pdf">https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert_Appendix_-4.15.14.pdf</a>; 
EXAMS' 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), 
available at <a href="https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf">https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf</a>.
---------------------------------------------------------------------------

[[Page 13526]]

    Moreover, while the staff has observed that many advisers and funds 
already provide disclosure about cybersecurity risks, we are concerned 
that clients and investors may not be receiving sufficient 
cybersecurity-related information, particularly with respect to 
cybersecurity incidents, to assess the operational risk at a firm or 
the effects of an incident, information they need in order to make 
informed investment decisions. We therefore seek to improve 
cybersecurity-related disclosures by addressing cybersecurity more 
directly.
    Finally, we believe that, in the face of ever-increasing 
cybersecurity risk, advisers and funds should report certain 
cybersecurity incidents to the Commission to assist in its oversight 
role. As further discussed below, this would allow the Commission and 
its staff to understand better the nature and extent of cybersecurity 
incidents occurring at advisers and funds, how firms respond to such 
incidents to protect clients and investors, and how cybersecurity 
incidents affect the financial markets more generally. We believe 
requiring advisers and funds to report the occurrence of significant 
cybersecurity incidents would bolster the efficiency and effectiveness 
of our efforts to protect investors, other market participants, and the 
financial markets in connection with cybersecurity incidents. 
Accordingly, we are proposing a set of comprehensive reforms to address 
cybersecurity risks for advisers and funds, enhance disclosure of 
information regarding cybersecurity risks and significant cybersecurity 
incidents, and require the reporting of significant cybersecurity 
incidents to the Commission.

B. Current Legal and Regulatory Framework

    As fiduciaries, advisers are required to act in the best interest 
of their clients at all times.\9\ Advisers owe their clients a duty of 
care and a duty of loyalty. An adviser's fiduciary obligation to its 
clients includes the obligation to take steps to protect client 
interests from being placed at risk because of the adviser's inability 
to provide advisory services.\10\ These include steps to minimize 
operational and other risks that could lead to significant business 
disruptions or a loss or misuse of client information. Under this 
framework, advisers today consider a number of rules and regulations, 
which indirectly address cybersecurity. As discussed above, 
cybersecurity incidents can lead to significant business disruptions, 
including lapses in communication or the inability to place trades. In 
addition, these disruptions can lead to the loss of access to accounts 
or investments, potentially resulting in the loss or theft of data or 
assets. Thus, advisers should take steps to minimize cybersecurity 
risks in accordance with their fiduciary obligations.
---------------------------------------------------------------------------

    \9\ SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180, 
194 (1963); see also Commission Interpretation Regarding Standard of 
Conduct for Investment Advisers, Investment Advisers Act Release No. 
5248 (June 5, 2019) [84 FR 33669 (July 12, 2019)], at 6-8.
    \10\ See Compliance Programs of Investment Companies and 
Investment Advisers, Investment Advisers Act Release No. 2204 (Dec. 
17, 2003) [68 FR 74714 (Dec. 24, 2003)], at n.22 (``Compliance 
Program Release'') (noting this fiduciary obligation in the context 
of business continuity plans).
---------------------------------------------------------------------------

    Additionally, 17 CFR 275.206(4)-7 (``Advisers Act compliance 
rule'') requires advisers to consider their fiduciary and regulatory 
obligations and formalize policies and procedures reasonably designed 
to address them.\11\ While the Advisers Act compliance rule does not 
enumerate specific elements that an adviser must include in its 
compliance program, an adviser generally should first identify 
conflicts of interest and other compliance factors creating risk 
exposure for the firm and its clients in light of the firm's particular 
operations and then design policies and procedures that address those 
risks.\12\ Because cybersecurity incidents could create significant 
operational disruptions and losses to clients and investors, we 
understand that advisers often consider the cybersecurity risks created 
by their particular circumstances when developing their compliance 
policies and procedures under the Advisers Act compliance rule and 
tailor their policies and procedures to address those risks.
---------------------------------------------------------------------------

    \11\ The Advisers Act compliance rule requires an adviser that 
is registered, or required to be registered, with the Commission to: 
(1) Adopt and implement written policies and procedures reasonably 
designed to prevent violations of the Advisers Act by the adviser 
and its supervised persons; (2) designate a chief compliance officer 
(``CCO'') responsible for administering the policies and procedures; 
and (3) review the adequacy of the policies and procedures and the 
effectiveness of their implementation at least annually.
    \12\ See Compliance Program Release, supra footnote 10, at n.22 
and accompanying text. The Commission included business continuity, 
safeguards for the privacy of client records and information, as 
well as the accuracy of disclosures made to investors, clients and 
regulators in a list of general areas it believes, at a minimum, an 
adviser's compliance program should address to the extent they are 
relevant to the adviser. Id.
---------------------------------------------------------------------------

    Similarly, 17 CFR 270.38a-1 (``Investment Company compliance 
rule'') requires funds to adopt and implement written policies and 
procedures reasonably designed to prevent violations of the Federal 
securities laws by the fund, including policies and procedures that 
provide for the oversight of compliance by each investment adviser, 
principal underwriter, administrator, and transfer agent of the fund 
(``named service providers'').\13\ We understand that funds take into 
account the specific risks they face, often including any specific 
cybersecurity risks, when developing their compliance policies and 
procedures under the Investment Company compliance rule.
---------------------------------------------------------------------------

    \13\ The Investment Company compliance rule also requires the 
fund to: (1) Designate a CCO responsible for administering the 
policies and procedures, subject to certain requirements, including 
providing the fund's board with an annual report; and (2) review the 
adequacy of the policies and procedures and the effectiveness of 
their implementation at least annually.
---------------------------------------------------------------------------

    Other Commission rules require advisers and funds to consider 
cybersecurity. For example, advisers and funds subject to 17 CFR 248.1 
through 248.31 (``Regulation S-P'') are required to, among other 
things, adopt written policies and procedures that address 
administrative, technical, and physical safeguards for the protection 
of customer records and information.\14\ These written policies and 
procedures must be reasonably designed to protect the security and 
confidentiality of customer records and information. They must also be 
reasonably designed to protect against any anticipated threats or 
hazards, unauthorized access to, or use of customer records or 
information that could result in substantial harm or inconvenience to 
any customer.\15\
---------------------------------------------------------------------------

    \14\ See Privacy of Consumer Financial Information (Regulation 
S-P), Investment Advisers Act Release No. 1883 (June 22, 2000) [65 
FR 40334 (June 29, 2000)] (``Regulation S-P Release''); see also 
Disposal of Consumer Report Information, Investment Advisers Act 
Release No. 2332 (Dec. 2, 2004) [69 FR 71322 (Dec. 8, 2004)] 
(``Disposal of Consumer Report Information Release'') (requiring 
written policies and procedures under Regulation S-P); Compliance 
Program Release, supra footnote 10, at n.21 and accompanying text 
(stating expectation that policies and procedures would address 
safeguards for the privacy protection of client records and 
information and noting the applicability of Regulation S-P).
    \15\ 17 CFR 248.30. Regulation S-P also establishes general 
requirements and restrictions on, as well as exceptions to, the 
ability of financial institutions to disclose nonpublic personal 
information about customers to nonaffiliated third parties.
---------------------------------------------------------------------------

    Moreover, advisers and funds subject to 17 CFR 248.201 through 202 
(``Regulation S-ID'') must develop and implement a written identity 
theft program.\16\ A Regulation S-ID program must include reasonable 
policies and procedures to identify and detect relevant red flags, as 
well as respond appropriately to red flags so as to prevent and 
mitigate identity theft.

[[Page 13527]]

Regulation S-ID programs must also be reviewed periodically to ensure 
that changes in the identity theft risk landscape are reflected and 
provide for the continued administration of the program, including 
staff training and appropriate and effective oversight of service 
providers.\17\ In addition, because fraudulent activity could result 
from cybersecurity or data breaches from insiders, such as advisory or 
fund personnel, advisers and funds often take precautions concerning 
information security specifically related to insiders.\18\
---------------------------------------------------------------------------

    \16\ See Identity Theft Red Flags Rules, Investment Advisers Act 
Release No. 3582 (Apr. 10, 2013) [78 FR 23638 (Apr. 19, 2013)] 
(``Identity Theft Release'').
    \17\ See also Appendix A to Subpart C of 17 CFR part 248 
(setting out Commission guidelines for consideration when 
implementing an identity theft program).
    \18\ See, e.g., 17 CFR 270.17j-1; 17 CFR 275.204A-1; see also 
generally Personal Investment Activities of Investment Company 
Personnel, Investment Company Act Release No. 23958 (Aug. 24, 1999) 
[64 FR 46821 (Aug. 27, 1999)] (stating that rule 17j-1 prohibits 
fraudulent, deceptive or manipulative acts by fund personnel in 
connection with their personal transactions in securities held or to 
be acquired by the fund); Investment Adviser Codes of Ethics, 
Investment Advisers Act Release No. 2256 (July 2, 2004) [69 FR 41696 
(July 9, 2004)] (stating that rule 204A-1 will benefit advisers by 
renewing their attention to their fiduciary and other legal 
obligations, and by increasing their vigilance against inappropriate 
behavior by employees).
---------------------------------------------------------------------------

C. Overview of Rule Proposal

    While some funds and advisers have implemented cybersecurity 
programs under the existing regulatory framework, there are no 
Commission rules that specifically require firms to adopt and implement 
comprehensive cybersecurity programs. Based on our staff's examinations 
of advisers and funds, we are concerned that some funds and advisers 
that are registered with us have not implemented reasonably designed 
cybersecurity programs. As a result, these firms' clients and investors 
may be at greater risk of harm than those of funds and advisers that 
have in place appropriate plans to address cybersecurity risks.
    To address these concerns, we are proposing rules 206(4)-9 under 
the Advisers Act and 38a-2 under the Investment Company Act, which 
would require advisers and funds that are registered or required to be 
registered with us to implement cybersecurity policies and procedures 
addressing a number of elements.\19\ Under the proposed rules, such an 
adviser's or fund's cybersecurity policies and procedures generally 
should be tailored based on its business operations, including its 
complexity, and attendant cybersecurity risks. Further, the proposed 
rules would require advisers and funds, at least annually, to review 
and evaluate the design and effectiveness of their cybersecurity 
policies and procedures, which would allow them to update them in the 
face of ever-changing cyber threats and technologies. We believe that 
advisers and funds should be required to adopt and implement policies 
and procedures that address a number of elements to increase the 
likelihood that they are prepared to face a cybersecurity incident 
(whether that threat comes from an outside actor or the firm's 
personnel), and that investors and other market participants are 
protected from a cybersecurity incident that could significantly affect 
a firm's operations and lead to significant harm to clients and 
investors.
---------------------------------------------------------------------------

    \19\ When discussing the requirements proposed in this release, 
our use of the terms funds and advisers refers to funds and advisers 
that are registered or required to be registered with the 
Commission.
---------------------------------------------------------------------------

    To address cybersecurity more directly, we also are proposing 
amendments to adviser and fund disclosure requirements to provide 
current and prospective advisory clients and fund shareholders with 
improved information regarding cybersecurity risks and cybersecurity 
incidents. In particular, we propose amendments to Form ADV for 
advisers and Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds. 
We believe these proposed cybersecurity disclosure requirements would 
enhance investor protection by requiring that cybersecurity risk or 
incident-related information is available to increase understanding in 
these areas and help ensure that investors and clients can make 
informed investment decisions.
    In addition, we are proposing to require advisers to report 
significant cybersecurity incidents affecting the adviser, or its fund 
or private fund clients, to the Commission on a confidential basis.\20\ 
These reports would bolster the efficiency and effectiveness of our 
efforts to protect investors in connection with cybersecurity 
incidents. This reporting would not only help the Commission monitor 
and evaluate the effects of a cybersecurity incident on an adviser and 
its clients or a fund and its investors, but also assess the potential 
systemic risks affecting financial markets more broadly.
---------------------------------------------------------------------------

    \20\ See 15 U.S.C. 80b-2(a)(29) (defining a ``private fund'' as 
``an issuer that would be an investment company, as defined in 
section 3 of the Investment Company Act of 1940, but for section 
3(c)(1) or 3(c)(7) of that Act'').
---------------------------------------------------------------------------

    Taken together, these reforms are designed to promote a more 
comprehensive framework to address cybersecurity risks for advisers and 
funds, thereby reducing the risk that advisers and funds would not be 
able to maintain critical operational capability when confronted 
with a significant cybersecurity incident. These reforms also are 
designed to give clients and investors better information with which to 
make investment decisions, and to give the Commission better 
information with which to conduct comprehensive monitoring and 
oversight of ever-evolving cybersecurity risks and incidents affecting 
advisers and funds.

II. Discussion

A. Cybersecurity Risk Management Policies and Procedures

    The Commission is proposing rule 206(4)-9 under the Advisers Act 
and 38a-2 under the Investment Company Act (collectively, ``proposed 
cybersecurity risk management rules'').\21\ The proposed cybersecurity 
risk management rules would require all advisers and funds to adopt and 
implement cybersecurity policies and procedures containing certain 
elements. Advisers and funds of every type and size rely on technology 
systems and networks and face increasing cybersecurity risks. The rules 
would therefore require all of these advisers and funds to consider and 
mitigate cybersecurity risk.\22\
---------------------------------------------------------------------------

    \21\ Section 206(4) of the Advisers Act permits the Commission 
to define, and prescribe means reasonably designed to prevent, such 
acts, practices and courses of business conduct as are fraudulent, 
deceptive or manipulative under the Advisers Act, and to adopt rules 
reasonably designed to prevent fraud. We are proposing rule 206(4)-9 
as a means reasonably designed to prevent fraud. Section 38(a) of 
the Investment Company Act authorizes the Commission to ``make . . . 
such rules and regulations . . . as are necessary or appropriate to 
the exercise of the powers conferred upon the Commission elsewhere 
in [the Investment Company Act].''
    \22\ Proposed rule 206(4)-9 would apply to advisers to 
separately managed accounts and pooled investment vehicles, both 
private and offered to the public. Proposed rule 38a-2 would apply 
to mutual funds, exchange-traded funds (``ETFs''), unit investment 
trusts, registered closed-end funds, and BDCs.
---------------------------------------------------------------------------

    As discussed below, while the proposed cybersecurity risk 
management rules would require all such advisers and funds to implement 
cybersecurity hygiene and protection measures, we recognize that there 
is not a one-size-fits-all approach to addressing cybersecurity risks. 
As a result, the proposed cybersecurity risk management rules would 
allow firms to tailor their cybersecurity policies and procedures to 
fit the nature and scope of their business and address their individual 
cybersecurity risks.
    We request comment on the entities subject to the proposed rules:
    1. Should we exempt certain types of advisers or funds from these 
proposed cybersecurity risk management rules? If so, which ones, and 
why? For 
example, is there a subset of funds or advisers with operations so 
limited or staffs so small that the adoption of cybersecurity risk 
management programs is not beneficial?
    2. Should we scale the proposed requirements based on the size of 
the adviser or fund? If so, which of the elements described below 
should not be required for smaller advisers or funds? How would we 
define such smaller advisers or funds? For example, should we define 
such advisers and funds based on the thresholds that the Commission 
uses for purposes of the Regulatory Flexibility Act? Would using 
different thresholds based on assets under management, such as $150 
million or $200 million, be appropriate? Would another threshold be 
more suitable, such as one based on an adviser's or fund's limited 
operations, staffing, revenues or management?
1. Required Elements of Advisers' and Funds' Policies and Procedures
    The proposed cybersecurity risk management rules would require 
advisers and funds to adopt and implement written policies and 
procedures that are reasonably designed to address cybersecurity risks. 
We believe that these policies and procedures would help address 
operational and other risks that could harm advisory clients and fund 
investors or lead to the unauthorized access to or use of adviser or 
fund information.\23\ The proposed cybersecurity risk management rules 
enumerate certain general elements that advisers and funds would be 
required to address in their cybersecurity policies and procedures.\24\ 
They also contain a number of defined terms that apply across the 
proposed cybersecurity risk management rules as well as the other rule 
and form amendments we are proposing.\25\
---------------------------------------------------------------------------

    \23\ After gaining access to an adviser's or a fund's 
information systems, an attacker could use this access to steal, 
disclose, delete, destroy, or modify adviser or fund information, as 
well as steal client or investor assets.
    \24\ Funds and advisers may wish to consult a number of 
resources in connection with these elements. See, e.g., National 
Institute of Standards and Technology (NIST), Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.1 (Apr. 
16, 2018), available at <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</a> (``NIST Framework''); Cybersecurity and 
Infrastructure Security Agency (CISA), Cyber Essentials Starter 
Kit--The Basics for Building a Culture of Cyber Readiness (Spring 
2021), available at <a href="https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf">https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf</a>.
    \25\ The proposed defined terms for advisers and funds are the 
same in most instances, except where necessary to take into account 
relevant differences in each of the proposed cybersecurity risk 
management rules. For example, the majority of differences between 
proposed rules 206(4)-9 and 38a-2 are that the rule applicable to 
advisers includes the word ``adviser'' in a number of terms (e.g., 
``adviser information systems'' and ``adviser information'') whereas 
the rule applicable to funds includes the word ``fund'' (e.g., 
``fund information systems'' and ``fund information'') in a number 
of terms. We understand that there are different definitions for a 
number of common terms in the realm of cybersecurity, and we propose 
terms derived from a number of established sources. See Presidential 
Policy Directive--United States Cyber Incident Coordination (July 
26, 2016) (``PPD-41''); 6 U.S.C. 1501 (2021); 44 U.S.C. 3502 (2021); 
44 U.S.C. 3552 (2021); see also National Institute of Standards and 
Technology (NIST), Computer Security Resource Center Glossary (last 
visited Feb. 2, 2022), available at <a href="https://csrc.nist.gov/glossary">https://csrc.nist.gov/glossary</a> 
(``NIST Glossary''). We believe the proposed terms are sufficiently 
precise and aligned with each other for advisers and funds to 
understand and utilize in connection with the proposed rules. Using 
common terms and similar definitions is intended to facilitate 
compliance and reduce regulatory burdens.
---------------------------------------------------------------------------

    The general elements are designed to enumerate core areas that 
firms must address when adopting, implementing, reassessing and 
updating their cybersecurity policies and procedures. We recognize, 
however, that given the number and varying characteristics (e.g., size, 
business, and sophistication) of advisers and funds, firms need the 
ability to tailor their cybersecurity policies and procedures based on 
their individual facts and circumstances. The proposed cybersecurity 
risk management rules therefore give advisers and funds the flexibility 
to address the general elements based on the particular cybersecurity 
risks posed by each adviser's or fund's operations and business 
practices. In addition, because cybersecurity threats are constantly 
evolving and measures to address those threats continue to advance, 
this approach would allow an adviser's or fund's cybersecurity policies 
and procedures to evolve accordingly as firms reassess their 
cybersecurity risks in accordance with the proposed cybersecurity risk 
management rules.
    The proposed cybersecurity risk management rules also would provide 
flexibility for the adviser and fund to determine the person or group 
of people who implement and oversee the effectiveness of its 
cybersecurity policies and procedures. Wide-ranging areas of expertise 
could be needed to manage cybersecurity risk. We understand that 
cybersecurity may be the responsibility of many individuals within an 
organization, and expertise may be provided both internally and by 
third-party experts. Within an adviser or fund organization, various 
officers or employees may be involved in implementing a cybersecurity 
program, including those who specialize in technology, risk, 
compliance, and legal matters. Some advisers and funds may be a part of 
a larger company structure that shares common cybersecurity and 
information technology (``IT'') personnel, resources, systems, and 
infrastructure. Advisers and funds may also utilize third-party 
cybersecurity experts that provide varying perspectives and are well-
positioned to understand and assist in managing risks. Multiple 
perspectives may assist in building a stronger cybersecurity program, 
and also would allow firms to add expertise as needed in the rapidly 
changing cybersecurity environment. We believe that this approach 
allows advisers and funds of differing sizes, organizational 
structures, and investment strategies to tailor their cybersecurity 
programs effectively to their operations.
    Under the proposed cybersecurity risk management rules, an adviser 
or fund may choose to administer its cybersecurity policies and 
procedures using in-house resources with appropriate knowledge and 
expertise. The proposed framework also does not preclude an adviser or 
fund from using a third party's cybersecurity risk management services, 
subject to appropriate oversight. Similarly, subject to appropriate 
oversight, a fund's adviser or sub-adviser could administer any of the 
functions of the fund's required policies and procedures.\26\ Whether 
the administrators of an adviser's or fund's cybersecurity policies and 
procedures are in-house or a third party, reasonably designed policies 
and procedures must empower these administrators to make decisions and 
escalate issues to senior officers as necessary for the administrator 
to carry out the role effectively (e.g., the policies and procedures 
could include an explicit escalation provision to the adviser's or 
fund's senior officers). Reasonably designed cybersecurity policies and 
procedures generally should specify which groups, positions, or 
individuals, whether in-house or third-party, are responsible for 
implementing and administering the policies and procedures, including 
specifying those responsible for communicating incidents internally and 
making decisions with respect to reporting to the Commission and 
disclosing to clients and investors certain incidents.
---------------------------------------------------------------------------

    \26\ A sub-adviser that is delegated advisory services by an 
adviser is subject to its own cybersecurity obligations under the 
proposed risk management rules. Delegating any or all cybersecurity-
related activities does not exempt an adviser or fund from its 
oversight responsibilities.
---------------------------------------------------------------------------

    We believe that this approach would help ensure that advisers and 
funds adopt and implement cybersecurity policies and procedures that 
are effective in mitigating cybersecurity risk without being overly 
burdensome or costly to implement. Moreover, we believe the proposed 
cybersecurity risk management rules would benefit advisory clients and 
fund investors because advisers and funds would be better prepared to 
confront a cybersecurity incident if (and when) it occurs.\27\ The 
proposed rules also would help to ensure that advisers and funds focus 
their efforts and resources on mitigating the cybersecurity risks 
associated with their operations and business practices.\28\
---------------------------------------------------------------------------

    \27\ We propose to define ``cybersecurity incident'' as ``an 
unauthorized occurrence on or conducted through [an adviser's or a 
fund's] information systems that jeopardizes the confidentiality, 
integrity, or availability of [an adviser's or a fund's] information 
systems or any [adviser or fund] information residing therein.'' See 
proposed rules 206(4)-9 and 38a-2. This proposed term is derived 
from 44 U.S.C. 3552, which is incorporated into PPD-41 (defining 
``cyber incident''), and included in the NIST Glossary (defining 
``incident''). We believe this term is sufficiently understood and 
broad enough to encompass incidents that could adversely affect an 
adviser's or fund's information systems or information residing 
therein, such as gaining access without authorization or by 
exceeding authorized access to such systems and information that 
could lead, for example, to the modification or destruction of 
systems and information.
    \28\ We propose to define ``cybersecurity risk'' as the 
``financial, operational, legal, reputational, and other adverse 
consequences that could stem from cybersecurity incidents, threats, 
and vulnerabilities.'' See proposed rules 206(4)-9 and 38a-2. This 
proposed term is designed to capture risks that an adviser or fund 
faces when confronted with incidents, threats and vulnerabilities, 
and we believe is generally well understood in connection with 
integrating cybersecurity into enterprise risk management. See 
generally NIST Framework, supra footnote 24.
---------------------------------------------------------------------------

a. Risk Assessment
    The first step in designing effective cybersecurity policies and 
procedures is assessing and understanding the cybersecurity risks 
facing an adviser or a fund.\29\ As an element of an adviser's or 
fund's reasonable policies and procedures, the proposed cybersecurity 
risk management rules would require advisers and funds periodically to 
assess, categorize, prioritize, and draft written documentation of, the 
cybersecurity risks associated with their information systems and the 
information residing therein.\30\ The proposed cybersecurity risk 
management rules would require advisers and funds, when conducting this 
risk assessment, to:
---------------------------------------------------------------------------

    \29\ Risk assessments are included as an element in many 
cybersecurity frameworks. See, e.g., NIST Framework, supra footnote 
24.
    \30\ See proposed rules 206(4)-9(a)(1) and 38a-2(a)(1). 
``Adviser information systems'' is proposed to be defined as 
``information resources owned or used by the adviser, including 
physical or virtual infrastructure controlled by such information 
resources, or components thereof, organized for the collection, 
processing, maintenance, use, sharing, dissemination, or disposition 
of adviser information to maintain or support the adviser's 
operations.'' See proposed rule 206(4)-9; see also proposed rule 
38a-2 (defining ``fund information systems''). The definitions of 
these terms are designed to be broad enough to encompass all the 
electronic information resources owned or used by an adviser or a 
fund.
---------------------------------------------------------------------------

    (i) Categorize and prioritize cybersecurity risks based on an 
inventory of the components of their information systems, the 
information residing therein, and the potential effect of a 
cybersecurity incident on the advisers and funds; and
    (ii) Identify their service providers that receive, maintain or 
process adviser or fund information, or that are permitted to access 
their information systems, including the information residing therein, 
and identify the cybersecurity risks associated with the use of these 
service providers.\31\
---------------------------------------------------------------------------

    \31\ ``Adviser information'' is proposed to be defined as ``any 
electronic information related to the adviser's business, including 
personal information, received, maintained, created, or processed by 
the adviser.'' The term ``personal information'' is proposed to be 
defined as: ``(1) any information that can be used, alone or in 
conjunction with any other information, to identify an individual, 
such as name, date of birth, place of birth, telephone number, 
street address, mother's maiden name, Social Security number, 
driver's license number, electronic mail address, account number, 
account password, biometric records or other non-public 
authentication information; or (2) Any other non-public information 
regarding a client's account.'' See proposed rule 206(4)-9; see also 
proposed rule 38a-2 (the term ``personal information'' in proposed 
rule 38a-2 does not include the second prong of the same term 
contained in proposed rule 206(4)-9). The definitions of ``personal 
information'' for advisers and funds are derived from a number of 
established sources and aim to capture a broad array of personal 
information that can reside on an adviser's or a fund's information 
systems. See, e.g., Regulation S-ID, supra footnote 16 (defining 
``identifying information''); NIST Glossary, supra footnote 24 
(defining ``personal information'' and ``personally identifiable 
information'').
---------------------------------------------------------------------------

    The proposed rules would also require written documentation of any 
risk assessment. Generally, this risk assessment should inform senior 
officers at the adviser or the fund of the risks specific to the firm 
and support responses to cybersecurity risks by identifying 
cybersecurity threats to information systems that, if compromised, 
could result in significant cybersecurity incidents.\32\ In general, an 
adviser or fund's cybersecurity program should be reasonably designed 
to ensure its operational capability, including resiliency and capacity 
of information systems, when confronted with a cybersecurity incident, 
whether at the adviser or at a service provider that may access adviser 
or fund information.
---------------------------------------------------------------------------

    \32\ ``Cybersecurity threat'' is proposed to be defined as ``any 
potential occurrence that may result in an unauthorized effort to 
adversely affect the confidentiality, integrity or availability of 
[an adviser's or a fund's] information systems or any [adviser or 
fund] information residing therein.'' See proposed rules 206(4)-9 
and 38a-2.
---------------------------------------------------------------------------

    An adviser or fund generally should assess, categorize, and 
prioritize the cybersecurity risks created by its information systems 
and information residing therein in light of the firm's particular 
operations.\33\ For example, advisers may be subject to different risks 
as a result of international operations, insider threats, or remote or 
traveling employees. Only after assessing, analyzing, categorizing, and 
prioritizing its risks can an adviser or fund develop and implement 
cybersecurity policies and procedures designed to mitigate those risks. 
The proposed cybersecurity risk management rules would also require 
advisers and funds to reassess and re-prioritize their cybersecurity 
risks periodically as changes that affect these risks occur. Due to the 
ongoing and emerging nature of cybersecurity threats, and the proposed 
requirement discussed below that advisers and funds review their 
cybersecurity policies and procedures no less frequently than annually, 
we are not proposing that such a reassessment occur at specified 
intervals.\34\ Instead, advisers and funds should reassess their 
cybersecurity risks as they arise to reflect internal changes, such as 
changes to their business, online presence, or client web access, or 
external changes, such as changes in the evolving technology and 
cybersecurity threat landscape, and inform senior officers of the 
adviser or fund of any material changes to the risk assessment. In 
assessing ongoing and emerging cybersecurity threats, advisers and 
funds generally should monitor and consider updates and guidance from 
private sector and governmental resources, such as the Financial 
Services Information Sharing and Analysis Center (``FS-ISAC'') and the 
Department of Homeland Security's CISA.\35\
---------------------------------------------------------------------------

    \33\ Some firms use an enterprise governance, risk management 
and compliance (``EGRC'') system to manage cybersecurity risk and 
compliance by creating policies, procedures, and internal controls 
that assist in identifying cybersecurity risks related to particular 
systems.
    \34\ See discussion in section II.A.2 below (advisers and funds 
must review their cybersecurity policies and procedures no less 
frequently than annually, including preparing and reviewing a 
written report that is designed to address cybersecurity risk 
assessments, among other items).
    \35\ Information about FS-ISAC is available at <a href="https://www.fsisac.com">https://www.fsisac.com</a>. Information about CISA is available at <a href="https://www.cisa.gov">https://www.cisa.gov</a>.
---------------------------------------------------------------------------

    Because many advisers and funds are exposed to cybersecurity risks 
through the technology of their service providers, a risk assessment 
also must identify service providers that receive, maintain, or process 
adviser or fund information, or that are permitted to access their 
information systems, including the information residing therein and the 
cybersecurity risks they present.\36\ For example, advisers may use 
service providers who provide trade order management systems that allow 
the adviser to automate all or some of the adviser's trading, and 
advisers should consider any cybersecurity risks presented by these 
services. In identifying cybersecurity risks, an adviser or fund should 
consider the service provider's cybersecurity practices, including 
whether any systems used have the resiliency and capacity to process 
transactions in an accurate, timely and efficient manner, and their 
capability to protect information and systems (including response and 
recovery procedures in response to any incidents and any escalation 
protocols contained therein).
---------------------------------------------------------------------------

    \36\ Oversight of third-party service provider or vendor risk is 
a component of many cybersecurity frameworks. See, e.g., NIST 
Framework, supra footnote 24 (discussing supply chain risks 
associated with products and services an organization uses).
---------------------------------------------------------------------------

    Generally, an adviser or fund should take into account whether a 
cybersecurity incident at a service provider could lead to the 
unauthorized access or use of adviser or fund information or technology 
or process failures. For an adviser, such unauthorized access or use or 
failure could disrupt portfolio management, trade execution, or other 
aspects of its operations. For example, an adviser may retain a cloud 
service provider for maintaining required books and records. If all of 
the adviser's books and records were concentrated at this cloud service 
provider and a cybersecurity incident were to occur at the cloud 
service provider--or any service provider maintaining the adviser's 
books and records--there could potentially be detrimental data loss 
affecting the ability of the adviser to provide services and comply 
with regulatory obligations. Accordingly, as part of identifying the 
cybersecurity risks associated with using this cloud service provider, 
the adviser should consider how the service provider will secure and 
maintain data and whether the service provider has response and 
recovery procedures in place such that any compromised or lost data in 
the event of a cybersecurity incident can be recovered and restored.
    For a fund, similar unauthorized access or use or failure could 
affect the valuation of portfolio securities or the processing of 
shareholder transactions, which could significantly disrupt the fund's 
operations. For example, a fund may rely on service providers to 
calculate the fund's net asset value (``NAV''). The inability of an 
administrator, pricing vendor, or accounting system to calculate a 
fund's NAV due to a cybersecurity incident would force a fund to 
consider alternatives. As part of its cybersecurity program and its 
oversight of service providers, a fund that relies on any service 
provider for calculating NAV generally should assess the potential 
cybersecurity risks presented by that service provider and develop 
procedures to respond to and mitigate disruptions, including by 
identifying alternative processes or vendors to calculate the fund's 
NAV.\37\ Accordingly, the fund's risk assessment generally should 
involve inquiring about that service provider's business continuity and 
disaster recovery protocols with respect to a cybersecurity incident.
---------------------------------------------------------------------------

    \37\ See generally Good Faith Determinations of Fair Value, 
Investment Company Release No. 34128 (Dec. 3, 2020) [86 FR 748 (Jan. 
06, 2021)], at text accompanying nn.94-95 (determining fair value in 
good faith requires the oversight and evaluation of any pricing 
services used, including approval, monitoring, and evaluation).
---------------------------------------------------------------------------

b. User Security and Access
    As an element of an adviser's or fund's reasonably designed 
policies and procedures, the proposed cybersecurity risk management 
rules would require controls designed to minimize user-related risks 
and prevent the unauthorized access to information and systems.\38\ 
Their policies and procedures must include:
---------------------------------------------------------------------------

    \38\ See proposed rules 206(4)-9(a)(2) and 38a-2(a)(2).
---------------------------------------------------------------------------

    (1) Requiring standards of behavior for individuals authorized to 
access adviser or fund information systems and any adviser or fund 
information residing therein, such as an acceptable use policy;
    (2) Identifying and authenticating individual users, including 
implementing authentication measures that require users to present a 
combination of two or more credentials for access verification;
    (3) Establishing procedures for the timely distribution, 
replacement, and revocation of passwords or methods of authentication;
    (4) Restricting access to specific adviser or fund information 
systems or components thereof and adviser or fund information residing 
therein solely to individuals requiring access to such systems and 
information as is necessary for them to perform their responsibilities 
and functions on behalf of the adviser or fund; and
    (5) Securing remote access technologies used to interface with 
adviser or fund information systems.
    The proposed cybersecurity risk management rules would require 
advisers and funds, as part of their cybersecurity programs, to address 
user access controls to restrict system and data access to authorized 
users.\39\ Such controls are necessary to prevent and detect 
unauthorized access to systems or client or investor data or 
information. In addition, as remote access and teleworking have become 
increasingly common, we believe that having such measures is a 
necessary component of robust and comprehensive cybersecurity policies 
and procedures.
---------------------------------------------------------------------------

    \39\ Advisers and funds generally should consider their 
potential obligations under Regulation S-P and Regulation S-ID to 
implement certain access controls with respect to protecting client 
or investor information.
---------------------------------------------------------------------------

    In designing and implementing user access controls, advisers and 
funds generally should develop a clear understanding of the need for 
access to systems, data, functions, and/or accounts, including 
identifying which users have legitimate needs to access particularly 
critical or sensitive systems, data, functions, or accounts. For 
example, a portfolio manager may have privileged access to trading 
systems that permit him or her to enter trades, while a compliance 
personnel's access may be limited to reviewing or approving, but not 
entering, trades.
    Access to systems and data can be controlled through a variety of 
means, including, but not limited to, the issuance of user credentials, 
digital rights management with respect to proprietary hardware and 
copyrighted software, authentication and authorization methods (e.g., 
multi-factor authentication and geolocation), and tiered access to 
sensitive information and network resources. Effective controls would 
also generally include user security and access measures that are 
regularly monitored not only to provide access to authorized users, but 
also to remove access for users that are no longer authorized, whether 
due to removal from a project or termination of employment.
    As part of its user access controls, an adviser or fund should also 
consider what measures are necessary for clients

[[Page 13531]]

and investors that have access to information systems and information 
residing on the systems--not only user access controls for its own 
personnel. For example, an adviser or fund may implement measures that 
monitor for unauthorized login attempts and account lockouts, and the 
handling of customer requests, including for user name and password 
changes. Similarly, well-designed user access controls should assess 
the need to authenticate or investigate any unusual customer requests 
(e.g., wire transfer or withdrawal requests).
    In developing these policies and procedures, an adviser or fund 
also should take into account the types of technology through which its 
users access adviser or fund information systems. For example, mobile 
devices (whether firm-issued or personal devices) that allow employees 
to access sensitive data and systems may create additional and unique 
vulnerabilities, including when such devices are used internationally. 
An adviser or fund may consider limiting mobile or other devices 
approved for remote access to those issued by the firm or enrolled 
through a mobile device manager.\40\
---------------------------------------------------------------------------

    \40\ Advisers and funds may wish to consider multi-factor 
authentication methods that are not based solely on SMS-delivery 
(e.g., text message delivery) of authentication codes, because such 
methods may provide less security than other non-SMS based multi-
factor authentication methods.
---------------------------------------------------------------------------

    In addition, an adviser or fund should consider its practices with 
respect to securing remote network access and teleworking to define its 
network perimeter. Advisers and funds generally should implement 
detection security capabilities that can identify threats on a 
network's endpoints. For example, they may utilize software that 
monitors and inspects all files on an endpoint, such as a mobile phone 
or remote laptop, and identifies and blocks incoming unauthorized 
communications. Advisers and funds should also consider cybersecurity 
best practices in remote or telework locations. For example, if adviser 
or fund personnel work remotely at home or in a co-working space, 
additional cybersecurity risks, such as unsecured or less secure Wi-Fi, 
may be present, resulting in sensitive information being seen, gathered 
or stolen by unauthorized persons. Accordingly, firms should consider 
having policies and procedures for using any mobile or other devices 
approved for remote access, and implementing security measures and 
training on device policies and effective security practices.
c. Information Protection
    As an element of an adviser's or fund's reasonably designed 
policies and procedures, the proposed cybersecurity risk management 
rules would require advisers and funds to monitor information systems 
and protect information from unauthorized access or use, based on a 
periodic assessment of their information systems and the information 
that resides on the systems.\41\ Such assessment should take into 
account:
---------------------------------------------------------------------------

    \41\ Proposed rules 206(4)-9(a)(3) and 38a-2(a)(3).
---------------------------------------------------------------------------

    (1) The sensitivity level and importance of adviser or fund 
information to its business operations;
    (2) Whether any adviser or fund information is personal 
information;
    (3) Where and how adviser or fund information is accessed, stored 
and transmitted, including the monitoring of adviser or fund 
information in transmission;
    (4) Adviser or fund information systems access controls and malware 
protection; and
    (5) The potential effect of a cybersecurity incident involving 
adviser or fund information on the adviser or fund and its clients or 
shareholders, including the ability for the adviser to continue to 
provide investment advice or the fund to continue providing services.
    Advisers and funds generally should use the information obtained 
from this assessment to determine what methods to implement to prevent 
the unauthorized access or use of such data. For example, an adviser or 
fund could utilize processes such as encryption, network segmentation, 
and access controls to ensure that only authorized users have access to 
sensitive data or information or critical systems.
    An adviser or fund could also implement measures reasonably 
designed to identify suspicious behavior that include consistent 
monitoring of systems and personnel, such as the generation and review 
of activity logs, identification of potential anomalous activity, and 
escalation of issues to senior officers, as appropriate. Such a program 
may include rules to identify and block the transmission of sensitive 
data (e.g., account numbers, Social Security numbers, trade 
information, and source code) from leaving the organization. The 
program could also include testing of systems, including penetration 
tests. An adviser or fund could also consider measures to track the 
actions taken in response to findings from testing and monitoring, 
material changes to business operations or technology, or any other 
significant events. Appropriate methods for preventing the unauthorized 
use of data may differ depending on circumstances specific to an 
adviser or fund, such as the systems used, the relationship with 
service providers, or level of access granted to employees or 
contractors. Appropriate methods would also generally be expected to 
evolve with changes in technology and the increased sophistication of 
cybersecurity attacks.
    In addition, as part of an adviser's or fund's reasonably designed 
cybersecurity policies and procedures, an adviser or fund would be 
required to oversee any service providers that receive, maintain, or 
process adviser or fund information, or are otherwise permitted to 
access their information systems and any information residing therein. 
Advisers and funds would be required to document that the adviser or 
fund is requiring such service providers, pursuant to a written 
contract, to implement and maintain appropriate measures, including 
measures similar to the elements advisers and funds must address in 
their own cybersecurity policies and procedures, designed to protect 
adviser and fund information and systems. Such policies and procedures 
generally should also include other oversight measures, such as due 
diligence procedures or periodic contract review processes, that allow 
funds and advisers to assess whether, and help to ensure that, their 
agreements with service providers contain provisions that require 
service providers to implement and maintain appropriate measures 
designed to protect fund and adviser information and systems (e.g., 
notifying the adviser or fund of cybersecurity incidents that adversely 
affect an adviser's or fund's information, systems, or operations). 
Given the significant role played by service providers, we believe this 
proposed requirement would assist advisers and funds, when considering 
whether to hire or retain service providers, in assessing whether they 
are capable of appropriately protecting important information and 
systems.
d. Threat and Vulnerability Management
    As an element of an adviser's or fund's reasonably designed 
policies and procedures, the proposed cybersecurity risk management 
rules would require advisers and funds to detect, mitigate, and 
remediate cybersecurity threats and vulnerabilities with respect to 
adviser or

[[Page 13532]]

fund information and systems.\42\ Cybersecurity threats may result in 
unauthorized access to an adviser's or fund's information systems or 
any information residing therein that could lead to adverse 
consequences. Cybersecurity vulnerabilities present weaknesses in 
adviser or fund information systems that attackers may exploit. Because 
advisers and funds depend on information systems to process, store, and 
transmit sensitive information and to conduct business functions, it is 
essential for advisers and funds to manage cybersecurity threats and 
vulnerabilities effectively.
---------------------------------------------------------------------------

    \42\ Proposed rules 206(4)-9(a)(4) and 38a-2(a)(4). See proposed 
definition of ``cybersecurity threat,'' supra footnote 32. 
``Cybersecurity vulnerability'' is proposed to be defined as ``a 
vulnerability in [an adviser's or a fund's] information systems, 
information system security procedures, or internal controls, 
including vulnerabilities in their design, maintenance, or 
implementation that, if exploited, could result in a cybersecurity 
incident.''
---------------------------------------------------------------------------

    Detecting, mitigating, and remediating threats and vulnerabilities 
is essential to preventing cyber incidents before they occur. Advisers 
and funds generally should seek to detect cybersecurity threats and 
vulnerabilities through ongoing monitoring (e.g., comprehensive 
examinations and risk management processes). Ongoing monitoring of 
vulnerabilities could include, for example, conducting network, system, 
and application vulnerability assessments. This could include scans or 
reviews of internal systems, externally-facing systems, new systems, 
and systems used by service providers. Advisers and funds generally 
should also monitor industry and government sources for new threat and 
vulnerability information that may assist them in detecting 
cybersecurity threats and vulnerabilities.\43\
---------------------------------------------------------------------------

    \43\ See supra footnote 35 and accompanying text; see also, 
e.g., CISA, National Cyber Awareness System--Alerts, available at 
<a href="https://us-cert.cisa.gov/ncas/alerts">https://us-cert.cisa.gov/ncas/alerts</a> (last visited Feb. 2, 2022) 
(providing information about current security issues, 
vulnerabilities, and exploits).
---------------------------------------------------------------------------

    In general, once a threat or vulnerability is identified, advisers 
and funds should consider how to mitigate and remediate the threat or 
vulnerability, with a view towards minimizing the window of opportunity 
for attackers to exploit vulnerable hardware and software. Methods for 
mitigating and remediating threats and vulnerabilities could include, 
for example, implementing a patch management program to ensure timely 
patching of hardware and software vulnerabilities and maintaining a 
process to track and address reports of vulnerabilities.\44\ An adviser 
or a fund should adopt policies and procedures that establish 
accountability for handling vulnerability reports, and processes for 
intake, assignment, escalation, remediation, and remediation testing. 
For example, an adviser or fund may use a vulnerability tracking system 
that includes severity ratings, and metrics for measuring timing for 
identification, analysis, and remediation of vulnerabilities.
---------------------------------------------------------------------------

    \44\ Advisers and funds should also consider the vulnerabilities 
associated with ``end of life systems'' (i.e., systems in which 
software is no longer supported by the particular vendor and for 
which security patches are no longer issued).
---------------------------------------------------------------------------

    Advisers and funds should also consider role-specific cybersecurity 
threat and vulnerability and response training. For example, training 
could include secure system administration courses for IT 
professionals, vulnerability awareness and prevention training for web 
application developers, and social engineering awareness training for 
employees and executives. Advisers and funds that do not proactively 
address threats and discovered vulnerabilities face an increased 
likelihood of having their information systems, and the adviser or fund 
information residing therein, compromised.
e. Cybersecurity Incident Response and Recovery
    As an element of an adviser's or fund's reasonable policies and 
procedures, the proposed cybersecurity risk management rules would 
require advisers and funds to have measures to detect, respond to, and 
recover from a cybersecurity incident.\45\ These include policies and 
procedures that are reasonably designed to ensure:
---------------------------------------------------------------------------

    \45\ Proposed rules 206(4)-9(a)(5) and 38a-2(a)(5).
---------------------------------------------------------------------------

    (1) Continued operations of the fund or adviser;
    (2) The protection of adviser information systems and the fund or 
adviser information residing therein;
    (3) External and internal cybersecurity incident information 
sharing and communications; and
    (4) Reporting of significant cybersecurity incidents to the 
Commission.\46\
---------------------------------------------------------------------------

    \46\ Incident response and recovery are common elements of many 
cybersecurity frameworks. See, e.g., NIST Framework, supra footnote 
24 (setting out incident response and recovery functions and 
categories, such as planning, improvements (e.g., lessons learned), 
and communication, in connection with an organization's risk 
management processes).
---------------------------------------------------------------------------

    Finally, the proposed rules would require advisers and funds to 
prepare written documentation of any cybersecurity incident, including 
their response and recovery from such an incident.
    Cybersecurity incidents can lead to significant business 
disruptions, including losing the ability to communicate or the ability 
to access accounts or investments. These incidents also can lead to the 
unauthorized access or use of adviser or fund information. Having 
policies and procedures reasonably designed to respond to cybersecurity 
incidents can help mitigate these significant business disruptions. A 
cybersecurity program with a clear incident response plan designed to 
ensure continued operational capability, and the protection of, and 
access to, sensitive information and data, even if an adviser or fund 
loses access to its systems, would assist in mitigating the effects of 
a cybersecurity incident. Advisers and funds, therefore, may wish to 
consider maintaining physical copies of their incident response plans--
and other cybersecurity policies and procedures--to help ensure they 
can be accessed and implemented during the times they may be needed 
most.
    We believe it is critical for advisers and funds to focus on 
operational capability, including resiliency and capacity of 
information systems, so that they can continue to provide services to 
their clients and investors when facing disruptions resulting from 
cybersecurity incidents. The ability to recover critical systems or 
technologies, including those provided by service providers, in a 
timeframe that meets business requirements, is important to mitigate 
the consequences of cybersecurity incidents. An adviser or fund may 
consider implementing safeguards, such as backing up data, which can 
help facilitate a prompt recovery to allow an adviser or fund to resume 
operations following a cybersecurity incident that leads to the 
unauthorized access or use of adviser or fund information.\47\
---------------------------------------------------------------------------

    \47\ Because having easily accessible, accurate backup data 
could be critical when responding to and recovering from a 
cybersecurity incident, advisers and funds may wish to consider 
storing sensitive backup data in immutable, multi-tiered online and 
offline storage systems.
---------------------------------------------------------------------------

    An incident response plan should also designate adviser or fund 
personnel to perform specific roles in the case of a cybersecurity 
incident. This would entail identifying and/or hiring personnel or 
third parties who have the requisite cybersecurity and recovery 
expertise (or are able to coordinate effectively with outside experts) 
as well as identifying personnel who should be kept informed throughout 
the response and recovery process. In addition, an incident response 
plan should generally have a clear escalation protocol to ensure that 
an adviser's and fund's

[[Page 13533]]

senior officers, including appropriate legal and compliance personnel, 
and a fund's board (as applicable) receive necessary information 
regarding cybersecurity incidents on a timely basis.
    Moreover, under proposed rule 204-6 and amendments to Form ADV Part 
2A, as well as amendments to funds' disclosure requirements, advisers 
and funds would have to report any significant cybersecurity incidents 
to the Commission and make appropriate disclosures to their clients and 
investors.\48\ Accordingly, advisers and funds must include provisions 
in their policies and procedures designed to ensure their compliance 
with their reporting and disclosure obligations as part of their 
cybersecurity incident response.\49\
---------------------------------------------------------------------------

    \48\ See proposed rule 204-6; see also infra sections II.B and 
C.
    \49\ Although an adviser's or a fund's initial focus may be on 
protecting its clients and investors, it may also wish to implement 
a process to determine promptly whether and how to contact local and 
Federal law enforcement authorities, such as the FBI, about an 
incident. The FBI has instructed individuals and organizations to 
contact their nearest FBI field office to report cybersecurity 
incidents or to report them online at <a href="https://www.ic3.gov/Home/FileComplaint">https://www.ic3.gov/Home/FileComplaint</a>. See also FBI, What We Investigate, Cyber Crime, 
available at <a href="https://www.fbi.gov/investigate/cyber">https://www.fbi.gov/investigate/cyber</a> (last visited 
Feb. 2, 2022).
---------------------------------------------------------------------------

    Advisers and funds should also consider testing their incident 
response plans to assess their efficacy and to determine whether any 
changes are necessary, for example, through tabletop or full-scale 
exercises. As part of the annual review of their policies and 
procedures, advisers and funds are required to review and assess the 
design and effectiveness of the policies and procedures and should 
generally consider amendments to correct any identified weaknesses in 
their design or effectiveness.\50\
---------------------------------------------------------------------------

    \50\ See proposed rules 206(4)-9(b) and 38a-2(b).
---------------------------------------------------------------------------

    We request comment on the proposed cybersecurity risk management 
rules:
    3. Are the proposed elements of the cybersecurity policies and 
procedures appropriate? Should we modify or delete any of the proposed 
elements? Why or why not? For example, should advisers and funds be 
required, as proposed, to conduct a risk assessment as part of their 
cybersecurity policies and procedures? Should we require that a risk 
assessment include specific components (e.g., identification and 
documentation of vulnerabilities and threats, identification of the 
business effect of threats and likelihood of incidents occurring, 
identification and prioritization of responses), or require written 
documentation for risk assessments? Should the rules require policies 
and procedures related to user security and access, as well as 
information protection?
    4. Should there be additional or more specific requirements for who 
would implement an adviser's or fund's cybersecurity program? For 
example, should we require an adviser or fund to specify an individual, 
such as a chief information security officer, or group of individuals 
as responsible for implementing the program or parts thereof? Why or 
why not? If so, should such an individual or group of individuals be 
required to have certain qualifications or experience related to 
cybersecurity, and if so, what type of qualifications or experience 
should be required?
    5. The Investment Company Act compliance rule prohibits the fund's 
officers, directors, employees, adviser, principal underwriter, or any 
person acting under the direction of these persons, from directly or 
indirectly taking any action to coerce, manipulate, mislead or 
fraudulently influence the fund's chief compliance officer in the 
performance of her responsibilities under the rule in order to protect 
the chief compliance officer from undue influence by those seeking to 
conceal non-compliance with the Federal securities laws. Should we 
adopt a similar prohibition for those administering a fund's or 
adviser's cybersecurity policies and procedures? Why or why not?
    6. Would advisers and funds expect to use sub-advisers or other 
third parties to administer their cybersecurity programs? If so, to 
what extent and in what manner? Should there be additional or specific 
requirements for advisers and funds that delegate cybersecurity 
management responsibilities to a sub-adviser or third party? If so, 
what requirements and why?
    7. Should we include any other cybersecurity program administration 
requirements? If so, what? For example, should we include a requirement 
for training staff responsible for day-to-day management of the 
program? If we require such training, should that involve setting 
minimum qualifications for staff responsible for carrying out the 
requirements of the program? Why or why not?
    8. Are the proposed rules' definitions appropriate and clear? If 
not, how could these definitions be clarified within the context of the 
proposed rules? Should any be modified or eliminated? Are any of the 
proposed terms too broad or too narrow? Are there other terms that we 
should define?
    9. What are best practices that commenters have developed or are 
aware of with respect to the types of measures that must be implemented 
as part of the proposed cybersecurity risk management rules or, 
alternatively, are there any measures that commenters have found to be 
ineffective or relatively less effective?
    10. What user measures do advisers currently have for using mobile 
devices or other ways to access adviser or fund information systems 
remotely? Should we require advisers and funds to implement specific 
measures to secure remote access technologies?
    11. Do advisers and funds currently conduct periodic assessments of 
their information systems to monitor and protect information from 
unauthorized use? If so, how often do advisers and funds conduct such 
assessments? Should the proposed rules specify a minimum assessment 
frequency, and if so, what should that frequency be?
    12. Other than what is required to be reported under proposed rule 
204-6, should we require any specific measures within an adviser's 
policies and procedures with respect to cybersecurity incident response 
and recovery?
    13. Should we require that advisers and funds respond to 
cybersecurity incidents within a specific timeframe? If so, what would 
be an appropriate timeframe?
    14. Should we require advisers and funds to assess the compliance 
of all service providers that receive, maintain, or process adviser or 
fund information, or are otherwise permitted to access adviser or fund 
information systems and any adviser or fund information residing 
therein, with these proposed cybersecurity risk management rules? 
Should we expand or narrow this set of service providers? For example, 
with respect to funds, should this requirement only apply to ``named 
service providers'' as discussed above?
    15. How do advisers and funds currently consider cybersecurity 
risks when choosing third-party service providers? What due diligence 
with respect to cybersecurity is involved in selecting a service 
provider?
    16. How do advisers and funds reduce the risk of a cybersecurity 
incident transferring from the service provider (or a fourth party 
(i.e., a service provider used by one of an adviser's or fund's service 
providers)) to the adviser today?
    17. Should we require advisers' and funds' cybersecurity policies 
and procedures to require oversight of certain service providers, 
including that such service providers implement and maintain 
appropriate measures designed to protect a fund's or an adviser's

[[Page 13534]]

information and information systems pursuant to written contract? Do 
advisers and funds currently include specific cybersecurity and data 
protection provisions in their agreements with service providers? If 
so, what provisions are the most important? Do they address potential 
cybersecurity risks that could result from a cybersecurity incident 
occurring at a fourth party? Should any contractual provisions be 
specifically required as part of these rules? Should this requirement 
apply to a more limited subset of service providers? If so, which 
service providers? For example, should we require funds to include such 
provisions in their agreements with advisers that would be subject to 
proposed rule 206(4)-9? Are there other ways we should require 
protective actions by service providers?
    18. Do advisers or funds currently consider their or their service 
providers' insurance policies, if any, when responding to cybersecurity 
incidents? Why or why not?
    19. Are advisers and funds currently able to obtain information 
from or about their service providers' cybersecurity practices (e.g., 
policies, procedures, and controls) to effectively assess them? What, 
if any, challenges do advisers and funds currently have in obtaining 
such information? Are certain advisers or funds (e.g., smaller or 
larger firms) more easily able to obtain such information?
2. Annual Review and Required Written Reports
    The proposed cybersecurity risk management rules would require 
advisers and funds to review their cybersecurity policies and 
procedures no less frequently than annually.\51\ Advisers and funds 
must, at least annually: (1) Review and assess the design and 
effectiveness of the cybersecurity policies and procedures, including 
whether they reflect changes in cybersecurity risk over the time period 
covered by the review; and (2) prepare a written report. The report 
would, at a minimum, describe the annual review, assessment, and any 
control tests performed, explain the results thereof, document any 
cybersecurity incident that occurred since the date of the last report, 
and discuss any material changes to the policies and procedures since 
the date of the last report.
---------------------------------------------------------------------------

    \51\ Proposed rules 206(4)-9(b) and 38a-2(b). As discussed 
below, the proposed rules would require funds' boards of directors 
to review funds' required written reports. See infra section II.A.3.
---------------------------------------------------------------------------

    The annual review requirement is designed to require advisers and 
funds to evaluate whether their cybersecurity policies and procedures 
continue to work as designed and whether changes are needed to assure 
their continued effectiveness, including oversight of any delegated 
responsibilities. The written report should be prepared or overseen by 
the persons who administer the adviser's or fund's cybersecurity 
policies and procedures and should consider any risk assessments 
performed by the adviser or fund. We recognize that a cybersecurity 
expert may provide needed expertise and perspective to the annual 
review, but additional adviser or fund personnel generally should also 
participate to provide their organizational perspective, as well as 
ensure accountability and appropriate resources.
    We request comment on the proposed requirements for a review and 
assessment of the policies and procedures and a related written report:
    20. Should there be additional, fewer, or more specific 
requirements for the annual review or written report? Why or why not?
    21. Is the proposed requirement for advisers and funds to review 
their cybersecurity policies and procedures at least annually 
appropriate? Is this minimum review period too long or too short? Why 
or why not?
    22. Should the annual review include whether the cybersecurity 
policies and procedures reflect changes in cybersecurity risk over the 
time period covered by the review? Why or why not?
    23. Should management, a cybersecurity officer, or a centralized 
committee be designated to conduct the annual review and prepare the 
report? Would additional specificity promote accountability and 
adequate resources? Should relevant expertise be required? Why or why 
not?
    24. Would the proposed annual review raise any particular 
challenges for smaller or different types of advisers or funds? If so, 
what could we do to help mitigate these challenges?
    25. Are there any conflicts of interest if the same adviser or fund 
officers implement the cybersecurity program and also conduct the 
annual review? How can those conflicts be mitigated or eliminated? 
Should advisers and funds be required to have their cybersecurity 
policies and procedures periodically audited by an independent third 
party to assess their design and effectiveness? Why or why not? If so, 
are there particular cybersecurity-focused audits or assessments that 
should be required, and should any such audits or assessments be 
required to be performed by particular professionals (e.g., certified 
public accountants)? Would there be any challenges in obtaining such 
audits, particularly for smaller advisers or funds?
3. Fund Board Oversight
    Proposed rule 38a-2 would require a fund's board of directors, 
including a majority of its independent directors, initially to approve 
the fund's cybersecurity policies and procedures, as well as to review 
the written report on cybersecurity incidents and material changes to 
the fund's cybersecurity policies and procedures that, as described 
above, would be required to be prepared at least annually.\52\ These 
requirements are designed both to facilitate the board's oversight of 
the fund's cybersecurity program and provide accountability for the 
administration of the program. These requirements also would be 
consistent with a board's duty to oversee other aspects of the 
management and operations of a fund.\53\ Board oversight should not be 
a passive activity, and the requirements for the board to initially 
approve the fund's cybersecurity policies and procedures and thereafter 
to review the required written reports are designed to assist directors 
in understanding a fund's cybersecurity risk management policies and 
procedures, as well as the risks they are designed to address.
---------------------------------------------------------------------------

    \52\ Proposed rule 38a-2(c). The board may satisfy its 
obligation to approve a fund's cybersecurity policies and procedures 
by reviewing summaries of those policies and procedures. This is 
similar to how directors may satisfy their obligations under rule 
38a-1. See Compliance Program Release, supra footnote 10, at n.33.
    \53\ See, e.g., rule 38a-1 under the Investment Company Act; 
Compliance Program Release, supra footnote 10, at n.31.
---------------------------------------------------------------------------

    A fund's independent directors play an important role in overseeing 
fund activities.\54\ We believe this should include reviewing and 
initially approving a fund's cybersecurity policies and procedures to 
help ensure that the fund's adviser has committed sufficient resources 
to the activity. Directors may satisfy their obligation with respect to 
the initial approval by reviewing summaries of the cybersecurity 
program prepared by persons who administer the fund's

[[Page 13535]]

cybersecurity policies and procedures. Any documentation provided to 
the board with respect to the initial approval should generally serve 
to familiarize directors with the salient features of the program and 
provide them with an understanding of the operation and administration 
of the program. In considering whether to approve the policies and 
procedures, a board may wish to consider the fund's exposure to 
cybersecurity risks, including those of its service providers, as 
appropriate, and any recent threats and incidents to which the fund may 
have been subject.
---------------------------------------------------------------------------

    \54\ Fund directors are commonly referred to as ``independent 
directors'' if they are not ``interested persons'' of the fund. The 
term ``interested person'' is defined in section 2(a)(19) of the 
Investment Company Act [15 U.S.C. 80a-2(a)(19)]. If the fund is a 
unit investment trust, the fund's principal underwriter or depositor 
must approve the policies and procedures. Proposed rule 38a-2(d). 
Fund boards, including a majority of independent directors, approve 
fund advisory contracts, among other oversight functions. See 
Section 15(c) of the Investment Company Act [15 U.S.C. 80a-15(c)]. 
See also rule 38a-1 under the Investment Company Act.
---------------------------------------------------------------------------

    The required written reports also would provide fund directors with 
information necessary to ask questions and seek relevant information 
regarding the effectiveness of the program and its implementation, and 
whether the fund has adequate resources with respect to cybersecurity 
matters, including access to cybersecurity expertise. We anticipate 
that a fund's board's review of the written reports would naturally 
involve inquiries about cybersecurity risks arising from the program 
and any incidents that have occurred.
    Boards should also consider what level of oversight of the fund's 
service providers is appropriate with respect to cybersecurity based on 
the fund's operations. For example, a board may review the service 
provider contract and risk assessment (or summaries thereof) of any 
service providers that receive, maintain or process fund information, 
or that are permitted to access their information systems, including 
the information residing therein and the cybersecurity risks they 
present, in the required written reports. Generally, the board should 
follow up regarding any questions on the contracts or weaknesses found 
in the risk assessments as well as the steps the fund has taken to 
address the fund's overall cybersecurity risks, including as those 
risks may change over time.
    We request comment on the proposed initial board approval of the 
fund's cybersecurity policies and procedures, as well as the proposed 
requirement for the board to review the written reports that would be 
prepared at least annually under the proposed rules:
    26. Should the Commission require a fund's board, including a 
majority of its independent directors, initially to approve the 
cybersecurity policies and procedures, as proposed? As an alternative, 
should the Commission require approval by the board, but not specify 
that this approval also must include approval by a majority of the 
fund's directors who are not interested persons of the fund? Why or why 
not?
    27. As part of their oversight function, should fund boards also be 
required to approve the cybersecurity policies and procedures of 
certain of the fund's service providers (e.g., its investment adviser, 
principal underwriter, administrator, and transfer agent)? Why or why 
not? If so, which service providers should be included and why?
    28. Should a fund's board, or some designee such as a sub-committee 
or cybersecurity expert, have oversight over the fund's risk 
assessments of service providers? Why or why not?
    29. Should the Commission require boards to base their approval of 
cybersecurity policies and procedures on any particular finding, for 
example, that they are reasonably designed to prevent violations 
of the Federal securities laws or reasonably designed to address the 
fund's cybersecurity risks? Why or why not?
    30. Does the release provide adequate guidance to funds' boards 
regarding their initial approval of the cybersecurity policies and 
procedures? Why or why not? Should the Commission provide any 
additional guidance in this regard? If so, what guidance would assist 
boards in their approval process? For example, should the Commission 
provide additional guidance on documentation provided to the board with 
respect to the initial approval?
    31. Is the proposed requirement for fund boards to review the 
required written reports appropriate? The proposed rules would require 
these reports to be prepared at least annually, and a fund's board 
would be required to review each such report that is prepared. Should 
the Commission instead require periodic reviews of a report on the 
fund's cybersecurity risk management policies and procedures, or 
specify a shorter or longer frequency for review of such a report? Why 
or why not?
    32. Should the Commission require boards to approve any material 
changes to the fund's cybersecurity policies and procedures instead of 
reviewing a written report that discusses such changes? Why or why not?
4. Recordkeeping
    As part of the proposed cybersecurity risk management rules, we are 
proposing new recordkeeping requirements under the Advisers Act and 
Investment Company Act. Advisers Act rule 204-2, the books and records 
rule, sets forth requirements for maintaining, making, and retaining 
books and records relating to an adviser's investment advisory 
business. We are proposing to amend this rule to require advisers to 
maintain: (1) A copy of their cybersecurity policies and procedures 
formulated pursuant to proposed rule 206(4)-9 that are in effect, or at 
any time within the past five years were in effect; (2) a copy of the 
adviser's written report documenting the annual review of its 
cybersecurity policies and procedures pursuant to proposed rule 206(4)-
9 in the last five years; (3) a copy of any Form ADV-C filed by the 
adviser under rule 204-6 in the last five years; (4) records 
documenting the occurrence of any cybersecurity incident, including any 
records related to any response and recovery from such an incident, in 
the last five years; and (5) records documenting an adviser's 
cybersecurity risk assessment in the last five years.\55\ Records 
documenting the occurrence of a cybersecurity incident may include 
event or incident logs, as well as longer descriptions depending on the 
nature and scope of the incident. These proposed amendments would help 
facilitate the Commission's inspection and enforcement capabilities.
---------------------------------------------------------------------------

    \55\ See proposed rule 204-2(a)(17)(i), (iv) through (vii).
---------------------------------------------------------------------------

    Similarly, proposed rule 38a-2 under the Investment Company Act 
would require that a fund maintain: (1) A copy of its cybersecurity 
policies and procedures that are in effect, or at any time within the 
last five years were in effect; (2) copies of written reports provided 
to its board; (3) records documenting the fund's annual review of its 
cybersecurity policies and procedures; (4) any report of a significant 
fund cybersecurity incident provided to the Commission by its adviser; 
(5) records documenting the occurrence of any cybersecurity incident, 
including any records related to any response and recovery from such an 
incident; and (6) records documenting the fund's cybersecurity risk 
assessment.\56\ These records would have to be maintained for five 
years, the first two years in an easily accessible place.\57\
---------------------------------------------------------------------------

    \56\ See proposed rule 38a-2(e). If the fund is a unit 
investment trust, copies of materials provided to its principal 
underwriter or depositor should be maintained for at least five 
years after the end of the fiscal year in which the documents were 
provided.
    \57\ See proposed rule 38a-2(e). A copy of the fund's policies 
and procedures that are in effect, or were at any time within the 
past five years in effect, must be kept in an easily accessible 
place for five years. See proposed rule 38a-2(e)(1).
---------------------------------------------------------------------------

    We request comments on the proposed recordkeeping requirements:
    33. Are the records that we propose to require advisers and funds 
to keep relating to the proposed cybersecurity risk management rules 
appropriate? Why or why not? Should advisers and

[[Page 13536]]

funds have to keep any additional or fewer records, and if so, what 
records?
    34. Do advisers or funds have concerns that it will be difficult to 
retain any of these documents? Could this place an undue burden on smaller 
advisers or funds?

B. Reporting of Significant Cybersecurity Incidents to the Commission

    We are proposing a new reporting rule requirement and related 
proposed Form ADV-C. Advisers would be required to report significant 
cybersecurity incidents to the Commission, including on behalf of a 
client that is a registered investment company or business development 
company, or a private fund (referred to in this release as ``covered 
clients'') that experiences a significant cybersecurity incident. 
Specifically, under proposed rule 204-6, any adviser registered or 
required to be registered with the Commission as an investment adviser 
would be required to submit proposed Form ADV-C promptly, but in no 
event more than 48 hours, after having a reasonable basis to conclude 
that a significant adviser cybersecurity incident or a significant fund 
cybersecurity incident had occurred or is occurring.\58\ Form ADV-C 
would include both general and specific questions related to the 
significant cybersecurity incident, such as the nature and scope of the 
incident as well as whether any disclosure has been made to any clients 
and/or investors.\59\ Proposed rule 204-6 would also require advisers 
to amend any previously filed Form ADV-C promptly, but in no event more 
than 48 hours, after information reported on the form becomes 
materially inaccurate; if new material information about a previously 
reported incident is discovered; and after resolving a previously 
reported incident or closing an internal investigation pertaining to a 
previously disclosed incident.
---------------------------------------------------------------------------

    \58\ See proposed rules 204-6 and 38a-2.
    \59\ See proposed Form ADV-C.
---------------------------------------------------------------------------

    This reporting would help us in our efforts to protect investors in 
connection with cybersecurity incidents by providing prompt notice of 
these incidents. We believe this proposed reporting would allow the 
Commission and its staff to understand the nature and extent of a 
particular cybersecurity incident and the firm's response to the 
incident. As stated above, this reporting would not only help the 
Commission monitor and evaluate the effects of the cybersecurity 
incident on an adviser and its clients or a fund and its investors, but 
also assess the potential systemic risks affecting financial markets 
more broadly. For example, these reports could assist the Commission in 
identifying patterns and trends across registrants, including 
widespread cybersecurity incidents affecting multiple advisers and 
funds.
1. Proposed Rule 204-6
    Proposed rule 204-6 would require investment advisers to report on 
Form ADV-C within 48 hours after having a reasonable basis to conclude 
that a significant adviser cybersecurity incident or a significant fund 
cybersecurity incident occurred or is occurring. The rule would define 
a significant adviser cybersecurity incident as a cybersecurity 
incident, or a group of related incidents, that significantly disrupts 
or degrades the adviser's ability, or the ability of a private fund 
client of the adviser, to maintain critical operations, or leads to the 
unauthorized access or use of adviser information, where the 
unauthorized access or use of such information results in: (1) 
Substantial harm to the adviser, or (2) substantial harm to a client, 
or an investor in a private fund, whose information was accessed.\60\
---------------------------------------------------------------------------

    \60\ See proposed rule 204-6(b); see also proposed rule 206(4)-
9. This proposed definition is substantially similar to the proposed 
definition of ``significant fund cybersecurity incident'' for funds. 
We view critical operations as including investment, trading, 
reporting, and risk management of an adviser or fund as well as 
operating in accordance with the Federal securities laws.
---------------------------------------------------------------------------

    The first prong of the definition of significant adviser 
cybersecurity incident includes a cybersecurity incident, or a group of 
related cybersecurity incidents, that significantly disrupts or 
degrades the adviser's ability, or the ability of a private fund client 
of the adviser, to maintain critical operations. If an adviser were 
unable to maintain critical operations, such as the ability to 
implement its investment strategy, process or record transactions, or 
communicate with clients, there is potential for substantial loss to 
both the adviser and its clients. For example, if an adviser's internal 
computer systems, including its websites or email function, are shut 
down due to malware, it could have a significant effect on the ability 
for the adviser to continue to provide advisory services and for the 
adviser's clients to access their investments or communicate with the 
adviser. In such a situation, it is possible that the adviser's 
employees would not be able to access the computer systems they need to 
make trades or manage a client's portfolio, and advisory clients may 
not be able to access their accounts through the adviser's web page or 
other channels that were affected by the malware.\61\ Depending on the 
type of malware, this could lock up advisory client records, among 
other things, and affect an adviser's decision-making and investments 
for days, or even weeks. This in turn could potentially affect the 
market, particularly if other advisers are similarly targeted with the 
same malware. Reporting to the Commission the occurrence of such an 
incident, we believe, could help the Commission monitor and evaluate 
the effects of the event on an adviser or fund and its clients and 
investors, and the broader financial markets. For example, reporting by 
a large adviser or a series of advisers of similar occurrences could 
signal a market-wide event requiring Commission attention and, if 
necessary, coordination with other governmental agencies.
---------------------------------------------------------------------------

    \61\ Account access could also be affected by denial of service 
(``DoS'') attacks that disrupt customer access for extended periods 
of time. We understand that DoS attacks are often accompanied by 
ransom demands to stop any attack and/or are used as a diversionary 
measure to exfiltrate (or remove) information or probe further into 
business networks.
---------------------------------------------------------------------------

    Under the proposed rules, a significant adviser cybersecurity 
incident would also include significant cybersecurity incidents 
affecting private fund clients of an adviser. Given that a 
cybersecurity incident that significantly disrupts or degrades the 
ability of a private fund to maintain its critical operations could 
potentially cause similar substantial losses to the adviser and private 
fund investors, and that private funds play a significant role in the 
financial industry, we believe that such incidents should be reported 
as well.
    The second prong of the definition of a significant adviser 
cybersecurity incident would include a cybersecurity incident that 
leads to unauthorized access or use of adviser information, where the 
unauthorized access or use of such information results in: (1) 
Substantial harm to the adviser, or (2) substantial harm to a client, 
or an investor in a private fund, whose information was accessed.\62\ 
Substantial harm to an adviser as the result of a cybersecurity 
incident in which adviser information is compromised could include, 
among other things, significant monetary loss or theft of intellectual

[[Page 13537]]

property. Substantial harm to a client or an investor in a private fund 
as the result of a cybersecurity incident in which adviser information 
is compromised could include, among other things, significant monetary 
loss or the theft of personally identifiable or proprietary 
information.\63\ After gaining access to an adviser's or a fund's 
systems, an attacker could use this access to disclose, modify, delete 
or destroy adviser, fund, or client data, as well as steal intellectual 
property and client assets. Any of these actions could result in 
substantial harm to the adviser and/or to the client.
---------------------------------------------------------------------------

    \62\ Proposed rule 204-6(b). There may be times where an 
incident meets both prongs. For example, a breach of an adviser's 
internal computer systems may affect the adviser's ability to 
maintain critical operations as well as result in substantial harm 
to the adviser, its clients, or investors in private fund clients of 
the adviser.
    \63\ When considering their obligations under these proposed 
reporting and risk management requirements, advisers and funds 
should also keep in mind their obligations with respect to 
safeguarding client information, such as those required by 
Regulation S-P and under an adviser's fiduciary duty.
---------------------------------------------------------------------------

    In addition to reporting significant cybersecurity incidents for 
itself and its private fund clients, an adviser would also have to 
report significant fund cybersecurity incidents on Form ADV-C for its 
registered fund and BDC clients. Similar to a significant adviser 
cybersecurity incident, a significant fund cybersecurity incident has 
two prongs, that it: (1) Significantly disrupts or degrades the fund's 
ability to maintain critical operations, or (2) leads to the 
unauthorized access or use of fund information, which results in 
substantial harm to the fund, or to the investor whose information was 
accessed.\64\ Significant fund cybersecurity incidents may include 
cyber intruders interfering with a fund's ability to redeem investors, 
calculate NAV or otherwise conduct its business. Other significant fund 
cybersecurity incidents may involve the theft of fund information, such 
as non-public portfolio holdings, or personally identifiable 
information of the fund's employees, directors or shareholders.
---------------------------------------------------------------------------

    \64\ See proposed rules 204-6(b) and 38a-2.
---------------------------------------------------------------------------

    In order to assist the adviser in reporting a significant fund 
cybersecurity incident, a fund's cybersecurity policies and procedures 
must address the proposed notification requirement to the Commission on 
Form ADV-C. Generally, these provisions of the policies and procedures 
should address communications between the person(s) who administer the 
fund's cybersecurity policies and procedures and the adviser about 
cybersecurity incidents, including those affecting the fund's service 
providers.
    An adviser would have to report within 48 hours after having a 
reasonable basis to conclude that any significant adviser or fund 
cybersecurity incident has occurred or is occurring with respect to 
itself or any of its clients that are covered clients.\65\ In other 
words, an adviser must report within 48 hours after having a reasonable 
basis to conclude that an incident has occurred or is occurring, and 
not after definitively concluding that an incident has occurred or is 
occurring. The 48-hour period would give an adviser time to confirm its 
preliminary analysis, and prepare the report while still providing the 
Commission with timely notice about the incident.
---------------------------------------------------------------------------

    \65\ We believe that an adviser would generally gather relevant 
information and perform an initial analysis to assess whether to 
reasonably conclude that a cybersecurity incident has occurred or is 
occurring and follow its own internal communication and escalation 
protocols concerning such an incident before providing notification 
of any significant cybersecurity incident to the Commission.
---------------------------------------------------------------------------

    We are also proposing to require that advisers amend a previously 
filed Form ADV-C promptly, but in no event more than 48 hours, in connection with 
certain incidents. Advisers would be required to update the Commission 
by filing an amended Form ADV-C if any previously reported information 
about a significant cybersecurity incident becomes materially 
inaccurate or if the adviser discovers new material information related 
to an incident.\66\ We are also proposing to require advisers to file a 
final Form ADV-C amendment after the resolution of any significant 
cybersecurity incident or after closing any internal investigation 
related to a previously disclosed incident.\67\ We believe requiring 
advisers to amend Form ADV-C in these circumstances would help to 
ensure the Commission has accurate and timely information with respect 
to significant adviser and fund cybersecurity incidents to allocate 
resources better when evaluating and responding to these incidents. 
While advisers and funds have other incentives to investigate and 
remediate significant cybersecurity incidents, we believe these ongoing 
reporting obligations would further encourage advisers and funds to 
take the steps necessary to do so completely. Moreover, based on our 
experience with other regulatory filings, we believe it is likely that 
an adviser could regularly engage in a productive dialogue with 
applicable Commission staff after the reporting of an incident and the 
filing of any amendments to Form ADV-C, and, as part of that dialogue, 
could provide Commission staff with any additional information as 
necessary, depending on the facts and circumstances of the incident and 
the progress in resolving it.
---------------------------------------------------------------------------

    \66\ See proposed rule 204-6(a)(2)(i) and (ii).
    \67\ See proposed rule 204-6(a)(2)(iii).
---------------------------------------------------------------------------

    We request comments on the proposed reporting rule 204-6 and the 
reporting thresholds.
    35. Should we require advisers to report significant cybersecurity 
incidents of the adviser and covered clients with the Commission? Why 
or why not? Alternatively, should we exclude incidents that affect 
private fund clients of an adviser? Should we exclude registered funds 
and BDCs as covered clients? If so, should we require them to report to 
the Commission in another manner? How should the Commission address 
funds that are internally managed? Should we require a separate 
reporting requirement under the Investment Company Act for such funds? 
If so, should it be substantially similar to the proposed reporting 
requirements under rule 204-6?
    36. Should we require advisers to report on significant 
cybersecurity incidents of other pooled investment vehicle clients? For 
example, should we require advisers to report on significant 
cybersecurity incidents of pooled investment vehicles that rely on the 
exemption from the definition of ``investment company'' in section 
3(c)(5)(C) of that Act? \68\
---------------------------------------------------------------------------

    \68\ Section 3(c)(5)(C) of the Investment Company Act provides 
an exclusion from the definition of investment company for any 
person who is not engaged in the business of issuing redeemable 
securities, face-amount certificates of the installment type or 
periodic payment plan certificates, and who is primarily engaged in 
the business of purchasing or otherwise acquiring mortgages and 
other liens on and interests in real estate.
---------------------------------------------------------------------------

    37. Who should be responsible for having a reasonable basis to 
conclude that there has been a significant adviser cybersecurity 
incident or significant fund cybersecurity incident or that one is 
occurring? Should the Commission require a person or role be designated 
to be the one responsible for gathering relevant information about the 
incident and having a reasonable basis to conclude that such an 
incident occurred?
    38. At what point would one conclude that there has been a 
significant adviser cybersecurity incident or significant fund 
cybersecurity incident? Would it be after some reasonable period of 
assessment or some other point?
    39. Are the proposed definitions of significant adviser 
cybersecurity incident and significant fund cybersecurity incident 
appropriate and clear? If not, how could they be made clearer? Should 
the term critical operations be defined for advisers and funds, and if 
so what adviser and fund

[[Page 13538]]

operations should be considered critical? For example, should critical 
operations include the investment, trading, valuation, reporting, and 
risk management of the adviser or fund as well as the operation of the 
adviser or fund in accordance with the Federal securities laws? 
Alternatively, should there be a quantitative threshold at which 
operations must be impaired by a cybersecurity incident before an 
adviser's or fund's obligation to report is triggered (for example, 
maintaining operations at minimally 80% of current levels on any 
function)? If so, what should that threshold be and how should an 
adviser or fund measure its operational capacity to determine whether 
that threshold has been crossed?
    40. Is the proposed ``substantial harm'' threshold under the 
definition of significant adviser and fund cybersecurity incident 
appropriate? Should we also include ``inconvenience'' as a threshold 
with respect to shareholders, clients and investors? In other words, 
should we also require reporting if the unauthorized access or use of 
such information results in substantial harm or inconvenience to a 
shareholder, client, or an investor in a private fund, whose 
information was accessed?
    41. Do commenters believe requiring the report 48 hours after 
having a reasonable basis to conclude that there has been a significant 
adviser cybersecurity incident or significant fund cybersecurity 
incident or that one is occurring is appropriate? If not, is it too 
long or too short? Should we require a specific time frame at all? Do 
commenters believe that ``a reasonable basis'' is a clear standard? If 
not, what other standard should we use?
    42. Should we provide for one or more exceptions to the reporting 
of significant cybersecurity incidents, for example for smaller 
advisers or funds? Are there ways, other than the filing of Form ADV-C, 
we should require advisers to notify the Commission regarding 
significant cybersecurity incidents?
    43. The Commission recently proposed current reporting requirements 
that would require large hedge fund advisers to file a current report 
on Form PF within one business day of the occurrence of a reporting 
event at a qualifying hedge fund that they advise.\69\ The proposed 
reporting events include a significant disruption or degradation of the 
reporting fund's key operations, which could include a significant 
cybersecurity incident. If the amendments to Form PF are adopted, 
should the Commission provide an exception to the Form ADV-C filing 
requirements when an adviser has reported the incident as a current 
report on Form PF? Alternatively, should the Commission provide an 
exception to the Form PF current reporting requirements if the adviser 
filed a Form ADV-C in connection with the reporting event?
---------------------------------------------------------------------------

    \69\ See Amendments to Form PF to Require Current Reporting and 
Amend Reporting Requirements for Large Private Equity Advisers and 
Large Liquidity Fund Advisers, Investment Advisers Act Release No. 
5950 (Jan. 26, 2022).
---------------------------------------------------------------------------

    44. Should advisers be required to provide the Commission with 
ongoing reporting about significant cybersecurity incidents? If so, are 
the proposed requirements to amend Form ADV-C promptly, but in no event 
more than 48 hours, sufficient for such reporting? Is this 
timeframe appropriate? Should we require a shorter or longer timeframe? 
Is the materiality threshold for ongoing reports appropriate? Should we 
require another mechanism be used for ongoing reporting? For example, 
should advisers instead be required to provide periodic reports about 
significant cybersecurity incidents that are ongoing? If so, how often 
should such reports be required (e.g., every 30 days) and what 
information should advisers be required to provide?
2. Form ADV-C
    The Commission is proposing a new Form ADV-C to require an adviser 
to provide information regarding a significant cybersecurity incident 
in a structured format through a series of check-the-box and fill-in-
the-blank questions. We believe that collecting information in a 
structured format would enhance our staff's ability to carry out our 
risk-based examination program and other risk assessment and monitoring 
activities effectively. By enhancing comparability across multiple 
filers, the structured format would also assist our staff in assessing 
trends in cybersecurity incidents across the industry and accordingly 
better protect investors from any patterned cybersecurity threats.
    The proposed rule would require Form ADV-C to be filed 
electronically with the Commission through the Investment Adviser 
Registration Depository (``IARD'') platform. We considered proposing 
other electronic filing platforms, either maintained by the Commission 
or by a third-party contractor. However, we believe that there would 
likely be efficiencies realized if the IARD platform is expanded for 
this purpose, such as the possible interconnectivity of Form ADV 
filings and Form ADV-C filings, and possible ease of filing with one 
password. Moreover, the IARD platform is a familiar filing system for 
advisers.
    Proposed Form ADV-C would require advisers to report certain 
information regarding a significant cybersecurity incident in order to 
allow the Commission and its staff to understand the nature and extent 
of the cybersecurity incident and the adviser's response to the 
incident.
    Items 1 through 5 request the following information about the 
adviser: (1) Investment Advisers Act SEC File Number; (2) full name of 
investment adviser; (3) name under which business is conducted; (4) 
address of principal place of business; and (5) contact information for 
an individual with respect to the significant cybersecurity incident 
being reported: (name, title, address if different from above, phone, 
email address). These items are designed to provide the Commission with 
basic identifying information regarding the adviser. We anticipate that 
the IARD system will pre-populate this information, other than the 
contact information for the individual who should be contacted for 
additional information about the incident being reported.
    Items 6 through 9 would elicit whether the adviser is reporting a 
significant adviser cybersecurity incident or a significant fund 
cybersecurity incident (or both), the approximate date the incident 
occurred, the approximate date the incident was discovered, and whether 
the incident is ongoing. This information would provide the Commission 
with important background information regarding the incident. This 
information would also inform the Commission if the incident presents 
an ongoing threat and assist the Commission in prioritizing its 
outreach to advisers following multiple Form ADV-C filings in the same 
time period.
    Item 10 would require the adviser to disclose whether law 
enforcement or a government agency has been notified about the 
cybersecurity incident. In assessing the risk to the broader financial 
market, it may be important for the Commission to coordinate with other 
governmental authorities. Therefore, this disclosure would inform the 
Commission whether an adviser or fund has already notified local and 
Federal law enforcement authorities, such as the FBI, or a local or 
Federal government agency, such as the Department of Homeland 
Security's Cybersecurity and Infrastructure Security Agency, about an 
incident.
    Items 11 through 15 would require the adviser to provide the 
Commission with substantive information about the

[[Page 13539]]

nature and scope of the incident being reported, including any actions 
and planned actions to recover from the incident; whether any data was 
stolen, altered, or accessed or used for any other unauthorized purpose; 
and whether the significant cybersecurity incident has been disclosed 
to the adviser's clients and/or to investors. When describing the 
nature and scope of the incident being reported, advisers generally 
should describe whether, and if so how, the incident has affected its 
critical operations, including which systems or services have been 
affected, and whether the incident being reported was the result of a 
cybersecurity incident that occurred at a service provider. Further, to 
the extent an adviser reports a significant cybersecurity incident that 
resulted from a cybersecurity incident that occurred at a service 
provider, generally the adviser also should describe the services 
provided to the adviser or funds it advises by the provider that 
experienced the incident and how any degradation in those services has 
affected the adviser's--or its registered and private fund clients'--
operations. This information should provide the Commission with 
sufficient detail regarding the incident to understand its potential 
effects and whether the adviser can continue to provide services to its 
clients and investors. The information would also help the Commission 
determine whether the incident merits further analysis by the 
Commission and its staff and/or whether the Commission and its staff 
should collect additional information from the adviser.
    Item 16 would require the adviser to disclose whether the 
cybersecurity incident is covered under a cybersecurity insurance 
policy. This information would assist the Commission in understanding 
the potential effect that incident could have on an adviser's clients. 
This information would also be helpful in evaluating the adviser's 
response to the incident given that cybersecurity insurance may require 
an adviser to take certain actions during and after a cybersecurity 
incident.
    After realizing a cybersecurity incident has occurred, an adviser 
may need time to determine the scope and effect of the incident to 
provide meaningful responses to these questions. We recognize that the 
adviser may be working diligently to investigate and resolve the 
cybersecurity incident at the time it would be required to report to 
the Commission under the proposed rule. We believe, however, that 
advisers should have sufficient information to respond to the proposed 
questions by the time the filing is due to the Commission. Advisers 
should only share information about what is known at the time of 
filing.
    Section 210(a) of the Advisers Act requires information in Form 
ADV-C to be publicly disclosed, unless we find that public disclosure 
is neither necessary nor appropriate in the public interest or for the 
protection of investors.\70\ Form ADV-C would elicit certain 
information regarding cybersecurity incidents, the public disclosure of 
which, we believe, could adversely affect advisers (and advisory 
clients) and funds (and their investors). For example, public 
disclosure may harm an adviser's or fund's ability to mitigate or 
remediate the cybersecurity incident, especially if the incident is 
ongoing. Keeping information related to a cybersecurity incident 
confidential may serve to guard against the premature release of 
sensitive information, while still allowing the Commission to have 
early notice of the cybersecurity incident.\71\ Accordingly, our 
preliminary view is that Form ADV-C should be confidential given that 
public disclosure is neither necessary nor appropriate in the public 
interest or for the protection of investors.\72\
---------------------------------------------------------------------------

    \70\ Section 210(a) of the Advisers Act states that ``[t]he 
information contained in any . . . report or amendment thereto filed 
with the Commission pursuant to any provision of this title shall be 
made available to the public, unless and except insofar as the 
Commission, by rules and regulations upon its own motion, or by 
order upon application, finds that public disclosure is neither 
necessary nor appropriate in the public interest or for the 
protection of investors.''
    \71\ Further, as discussed in greater detail below, we are 
proposing amendments to Form ADV Part 2A and certain fund 
registration forms that would require advisers and funds to publicly 
disclose significant cybersecurity incidents. Therefore, clients and 
investors would have access to information regarding cybersecurity 
incidents that they may find material, albeit on a different 
timeline. Further, as discussed in more detail below, the disclosure 
requirements we are proposing are designed to provide clients and 
investors with clear and meaningful disclosure regarding 
cybersecurity incidents in a narrative, plain-English format, while 
the information we are proposing to require advisers to disclose on 
Form ADV-C may be less useful to clients and investors, given its more 
granular nature and the fact that it may be incomplete due to the 
expedited timeframe in which it must be reported.
    \72\ Although the Commission does not intend to make Form ADV-C 
filings public, the Commission or Commission staff could issue 
analyses and reports that are based on aggregated, non-identifying 
Form ADV-C data, which would otherwise be nonpublic.
---------------------------------------------------------------------------

    We request comment on all aspects of Form ADV-C, including the 
following items.
    45. Is IARD the appropriate system for investment advisers to file 
Form ADV-C with the Commission? Instead of expanding the IARD system to 
receive Form ADV-C filings, should the Commission utilize some other 
system, such as the Electronic Data Gathering, Analysis, and Retrieval 
System (EDGAR)? If so, please explain. What would be the comparative 
advantages and disadvantages and costs and benefits of utilizing a 
system other than IARD? What other issues, if any, should the 
Commission consider in connection with electronic filing?
    46. Should we include any additional items or eliminate any of the 
items that we have proposed to include in Form ADV-C? For example, 
should advisers be required to disclose any technical information 
(e.g., about specific information systems, particular vulnerabilities 
exploited, or methods of exploitation) about significant cybersecurity 
incidents? Should we modify any of the proposed items? If so, how and 
why?
    47. Should Form ADV-C be confidential, as proposed? Alternatively, 
should we require public disclosure of some or all of the information 
included in Form ADV-C?

C. Disclosure of Cybersecurity Risks and Incidents

    We are also proposing amendments to certain forms used by advisers 
and funds to require the disclosure of cybersecurity risks and 
incidents to their investors and other market participants. In 
particular, we propose amendments to Form ADV Part 2A for advisers and 
Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6 for funds. While many 
advisers and funds already provide disclosure about cybersecurity 
risks, we are updating current reporting and disclosure requirements to 
address cybersecurity risks and incidents more directly. These proposed 
amendments are designed to enhance investor protection by ensuring 
cybersecurity risk or incident-related information is available to 
increase understanding and insight into an adviser's or fund's 
cybersecurity history and risks. These proposed reporting and 
disclosure amendments, together with the proposed cybersecurity risk 
management rules, may also increase accountability of advisers and 
funds on cybersecurity issues. The proposed disclosure changes would 
also give the Commission and staff greater insight into cybersecurity 
risks affecting advisers and funds. This information would enhance the 
Commission's ability to oversee compliance with the proposed 
cybersecurity risk management rules, and to gain understanding about 
the specifics of the

[[Page 13540]]

policies and procedures that funds adopted under the rules.
1. Proposed Amendments to Form ADV Part 2A
    We are proposing amendments to Form ADV Part 2A that are designed 
to provide clients and prospective clients with information regarding 
cybersecurity risks and incidents that could materially affect the 
advisory relationship. We believe the proposed amendments would improve 
the ability of clients and prospective clients to evaluate and 
understand relevant cybersecurity risks and incidents that advisers 
face and their potential effect on the advisers' services.
2. Cybersecurity Risks and Incidents Disclosure
    The proposed amendments would add a new Item 20 entitled 
``Cybersecurity Risks and Incidents'' to Form ADV's narrative brochure, 
or Part 2A. The brochure, which is publicly available and the primary 
client-facing disclosure document, contains information about the 
investment adviser's business practices, fees, risks, conflicts of 
interest, and disciplinary events. We believe the narrative format of 
the brochure would allow advisers to present clear and meaningful 
cybersecurity disclosure to their clients and prospective clients.
    Advisers would be required to, in plain English, describe 
cybersecurity risks that could materially affect the advisory services 
they offer and how they assess, prioritize, and address cybersecurity 
risks created by the nature and scope of their business. A 
cybersecurity risk, regardless of whether it has led to a significant 
cybersecurity incident, would be material to an adviser's advisory 
relationship with its clients if there is a substantial likelihood that 
a reasonable client would consider the information important based on 
the total mix of facts and information.\73\ The facts and circumstances 
relevant to determining materiality in this context may include, among 
other things, the likelihood and extent to which the cybersecurity risk 
or resulting incident: (1) Could disrupt (or has disrupted) the 
adviser's ability to provide services, including the duration of such a 
disruption; (2) could result (or has resulted) in the loss of adviser 
or client data, including the nature and importance of the data and the 
circumstances and duration in which it was compromised; and/or (3) 
could harm (or has harmed) clients (e.g., inability to access 
investments, illiquidity, or exposure of confidential or sensitive 
personal or business information).
---------------------------------------------------------------------------

    \73\ See, e.g., Amendments to Form ADV, Investment Advisers Act 
Release No. 3060 (July 28, 2010) [75 FR 49233 (Aug. 12, 2010)], at 
n.35 (citing SEC v. Steadman, 967 F.2d 636, 643 (D.C. Cir. 1992); 
cf. Basic Inc. v. Levinson, 485 U.S. 224, 231-232 (1988); TSC 
Industries v. Northway, Inc., 426 U.S. 438, 445, 449 (1976)).
---------------------------------------------------------------------------

    The proposed amendments would also require advisers to describe any 
cybersecurity incidents that occurred within the last two fiscal years 
that have significantly disrupted or degraded the adviser's ability to 
maintain critical operations, or that have led to the unauthorized 
access or use of adviser information, resulting in substantial harm to 
the adviser or its clients.\74\ When describing these incidents in 
their brochures, advisers would be required to identify the entity or 
entities affected, when the incidents were discovered and whether they 
are ongoing, whether any data was stolen, altered, or accessed or used 
for any other unauthorized purpose, the effect of the incident on the 
adviser's operations, and whether the adviser, or service provider has 
remediated or is currently remediating the incident. This information 
would allow investors to make more informed decisions when deciding 
whether to engage or stay with an adviser.
---------------------------------------------------------------------------

    \74\ We believe disclosure covering this look-back period would 
provide investors a short history of cybersecurity incidents 
affecting the adviser while not overburdening the adviser with a 
longer disclosure period. Further, this lookback period would foster 
consistency between adviser and fund disclosures regarding 
significant cybersecurity incidents.
---------------------------------------------------------------------------

3. Requirement To Deliver Certain Interim Brochure Amendments to 
Existing Clients
    17 CFR 275.204-3(b) (rule 204-3(b) under the Advisers Act) does not 
require advisers to deliver interim brochure amendments to existing 
clients unless the amendment includes certain disciplinary information 
in response to Item 9 Part 2A or Item 3 of Part 2B.\75\ We are 
proposing an amendment to rule 204-3(b) that would also require an 
adviser to deliver interim brochure amendments to existing clients 
promptly if the adviser adds disclosure of a cybersecurity incident to 
its brochure or materially revises information already disclosed in its 
brochure about such an incident. Given the potential effect that 
significant cybersecurity incidents could have on an adviser's 
clients--such as exposing their personal or other confidential 
information or resulting in losses in their accounts--time is of the 
essence, and we believe that requiring an adviser to promptly deliver 
the brochure amendment would enhance investor protection by enabling 
clients to take protective or remedial measures to the extent 
appropriate. Accordingly, the timing of the brochure amendment delivery 
should take into account the exigent nature of cybersecurity incidents 
which would generally militate toward swift delivery to clients. We 
also believe that requiring advisers to deliver the brochure amendment 
to existing clients following the occurrence of a new significant 
cybersecurity incident would assist investors in determining whether 
their engagement of that particular adviser remains appropriate and 
consistent with their investment objectives.
---------------------------------------------------------------------------

    \75\ Even if an adviser is not required to deliver a brochure to 
an existing client, as a fiduciary the adviser may still be required 
to provide clients with similar information. If an adviser is not 
required to deliver an existing client a brochure, the adviser may 
make any required disclosures to that client by delivery of the 
brochure or through some other means. See Instruction 1 of 
Instructions for Part 2A of Form ADV: Preparing Your Firm Brochure.
---------------------------------------------------------------------------

    We seek comment on the Commission's proposed amendments to Form ADV 
Part 2A:
    48. Will the proposed cybersecurity disclosures in Item 20 of Form 
ADV Part 2A be helpful for clients and investors? Are there additional 
cybersecurity disclosures we should consider adding to Item 20? Should 
we modify or delete any of the proposed cybersecurity disclosures?
    49. Does the definition of significant adviser cybersecurity 
incident allow advisers to inform investors of cybersecurity risks 
arising from the incident while protecting the adviser and its clients 
from threat actors who might use that information for the current or 
future attacks? Does this definition allow for disclosures relevant to 
investors without providing so much information as to be desensitizing? 
Why or why not?
    50. Do the required disclosures provide investors with prompt 
access to important information that they need in connection with the 
decision to engage, or continue to engage, an adviser? Why or why not?
    51. We propose to require advisers to update their cybersecurity 
disclosures in Item 20 promptly to the extent the disclosures become 
materially inaccurate. Do commenters agree that the lack of disclosure 
regarding certain cybersecurity risks and cybersecurity incidents would 
render an adviser's brochure materially inaccurate? Should we only 
require advisers to update their cybersecurity disclosures on an annual 
basis (rather than an ongoing basis, as proposed)?
    52. We propose to require advisers to deliver brochure amendments 
to

[[Page 13541]]

existing clients if the adviser adds disclosure of an event, or 
materially revises information already disclosed about an event, that 
involves a cybersecurity incident in response to proposed Item 20. Is 
this delivery requirement appropriate? Why or why not? Are there other 
delivery or client-notification requirements that we should consider 
for advisers when updates to their cybersecurity disclosures are made?
    53. Should advisers also be specifically required to disclose if 
there has not been a significant cybersecurity incident in their last 
two fiscal years? Would this disclosure assist investors in their 
investment decision-making? Why or why not?
    54. Should the rule include a requirement to disclose whether a 
significant adviser cybersecurity incident is currently affecting the 
adviser? Why or why not? Is the look-back period of two fiscal years 
appropriate? Why or why not?
4. Proposed Amendments To Fund Registration Statements
    Like advisers, funds would also be required to provide prospective 
and current investors with disclosure about significant cybersecurity 
incidents under our proposal. We are proposing amendments to funds' 
registration forms that would require a description of any significant 
fund cybersecurity incident that has occurred in the fund's last two 
fiscal years, and that would require funds to tag the new information 
using a structured data language (specifically, Inline eXtensible 
Business Reporting Language or ``Inline XBRL'').\76\ The proposed 
disclosure amendments would require that a fund disclose to investors 
in its registration statement whether a significant fund cybersecurity 
incident has affected or is currently affecting the fund or its 
service providers.\77\
---------------------------------------------------------------------------

    \76\ We are proposing amendments to Form N-1A, Form N-2, Form N-
3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.
    \77\ The proposed disclosure amendments would also require funds 
to disclose significant fund cybersecurity incidents affecting 
insurance companies (for separate accounts that are management 
investment companies that offer variable annuity contracts 
registered on Form N-3) and depositors (for separate accounts that 
are unit investment trusts that offer variable annuity contracts on 
Form N-4; unit investment trusts that offer variable life insurance 
contracts on Form N-6; and unit investment trusts other than 
separate accounts that are currently issuing securities, including 
unit investment trusts that are issuers of periodic payment plan 
certificates and unit investment trusts of which a management 
investment company is the sponsor or depositor on Form N-8B-2 or 
Form S-6).
---------------------------------------------------------------------------

    Specifically, the proposed amendments would require a description 
of each significant fund cybersecurity incident, including the 
following information to the extent known: the entity or entities 
affected; when the incident was discovered and whether it is ongoing; 
whether any data was stolen, altered, or accessed or used for any other 
unauthorized purpose; the effect of the incident on the fund's 
operations; and whether the fund or service provider has remediated or 
is currently remediating the incident. The requirements for disclosure 
describing the incident would be similar to the information that 
proposed Form ADV-C would require, which we believe would increase 
compliance efficiencies for funds and their advisers.
    The fund would be required to disclose any significant fund 
cybersecurity incident that has occurred during its last two fiscal 
years. We believe disclosure covering this look-back period would 
provide investors a short history of cybersecurity incidents affecting 
the fund while not overburdening the fund with a longer disclosure 
period.\78\ We believe providing a description of a significant fund 
cybersecurity incident would improve the ability of shareholders and 
prospective shareholders to evaluate and understand relevant 
cybersecurity risks and incidents that a fund faces and their potential 
effect on the fund's operations.
---------------------------------------------------------------------------

    \78\ The two-year period is consistent with other items in Form 
N-1A (for example, Item 16(e) (description of the fund's portfolio 
turnover), Item 17(b)(6) through (9) (management of the fund), and 
Item 31 (business and other connections of investment adviser). We 
are proposing a corresponding period for the disclosures in Part 2A 
of Form ADV.
---------------------------------------------------------------------------

    In addition to providing investors with information on significant 
fund cybersecurity incidents, funds should consider cybersecurity risks 
when preparing risk disclosures in fund registration statements under 
the Investment Company Act and the Securities Act. Funds are currently 
required to disclose ``principal risks'' of investing in the fund, and 
if a fund determines that a cybersecurity risk is a principal risk of 
investing in the fund, the fund should reflect this information in its 
prospectus.\79\ For example, a fund that has experienced a number of 
significant fund cybersecurity incidents in a short period of time may 
need to disclose heightened cybersecurity risk as a principal risk of 
investing in the fund. This information would allow investors to make 
more informed decisions when deciding whether to invest in a fund.
---------------------------------------------------------------------------

    \79\ See Form N-1A, Item 4(b)(1) (narrative risk disclosure), 
Item 9(c) (risks), and Item 16(b) (investment strategies and risks); 
Form N-2, Item 8(3) (risk factors); Form N-3, Item 5 (principal 
risks of investing in the contract) and Item 22 (investment 
objectives and risks); Form N-4, Item 5 (principal risks of 
investing in the contract) and Item 20 (non-principal risks of 
investing in the contract); Form N-6, Item 5 (principal risks of 
investing in the contract) and Item 21 (non-principal risks of 
investing in the contract). UITs filing on Form N-8B-2 must disclose 
instead information concerning the operations of the trust (Form N-
8B-2, Items 14-24).
---------------------------------------------------------------------------

    Funds are required to update their prospectuses so that they do not 
contain an untrue statement of a material fact (or omit a material fact 
necessary to make the disclosure not misleading).\80\ To make timely 
disclosures of cybersecurity risks and significant fund cybersecurity 
incidents, a fund would amend its prospectus by filing a supplement 
with the Commission.\81\ In addition, funds should generally include in 
their annual reports to shareholders a discussion of cybersecurity 
risks and significant fund cybersecurity incidents, to the extent that 
these were factors that materially affected performance of the fund 
over the past fiscal year.\82\
---------------------------------------------------------------------------

    \80\ See generally 17 CFR 230.497 [rule 497 under the Securities 
Act]; section 12(a)(2) of the Securities Act (providing a civil 
remedy if a prospectus includes an untrue statement of a material 
fact or omits to state a fact necessary in order to make the 
statements, in the light of the circumstances under which they were 
made, not misleading); 17 CFR 230.408 [rule 408 under the Securities 
Act] (requiring registrants to include, in addition to the 
information expressly required to be included in a registration 
statement, such further material information, if any, as may be 
necessary to make the required statements, in the light of the 
circumstances under which they are made, not misleading).
    \81\ See 17 CFR 230.497 (open-end funds); 17 CFR 230.424 
(closed-end funds).
    \82\ See, e.g., Disclosure of Mutual Fund Performance and 
Portfolio Managers, Investment Company Act Release No. 19382 (Apr. 
6, 1993) [58 FR 21927 (Apr. 26, 1993)], at n.15 (noting that 
management's discussion of fund performance requires funds to 
``explain what happened during the previous fiscal year and why it 
happened'').
---------------------------------------------------------------------------

    We are proposing to require all funds to tag this information about 
significant fund cybersecurity incidents in a structured, machine-
readable data language.\83\ Specifically, we are proposing to require 
funds to tag the disclosures in Inline XBRL in accordance with rule 405 
of Regulation S-T and the EDGAR Filer Manual.\84\

[[Page 13542]]

The proposed requirements would include block text tagging of narrative 
information about significant fund cybersecurity incidents, as well as 
detail tagging of any quantitative values disclosed within the 
narrative disclosures.
---------------------------------------------------------------------------

    \83\ Many funds are already required to tag certain registration 
statement disclosure items using Inline XBRL; however, UITs that 
register on Form N-8B-2 and file post-effective amendments on Form 
S-6 are not currently subject to any tagging requirements. The costs 
of these requirements for funds that are currently subject to 
tagging requirements and those that newly would be required to tag 
certain disclosure items are discussed in the Economic Analysis. See 
section III.D.2 infra.
    \84\ This proposed tagging requirement would be implemented by 
including cross-references to rule 405 of Regulation S-T in each 
fund registration form (and, as applicable, updating references to 
those fund registration forms in rule 11 and rule 405), by revising 
rule 405(b) of Regulation S-T to include the proposed significant 
fund cybersecurity incident disclosures, and by proposing conforming 
amendments to rule 485 and rule 497 under the Securities Act.
    Pursuant to rule 301 of Regulation S-T, the EDGAR Filer Manual 
is incorporated by reference into the Commission's rules. In 
conjunction with the EDGAR Filer Manual, Regulation S-T governs the 
electronic submission of documents filed with the Commission. Rule 
405 of Regulation S-T specifically governs the scope and manner of 
disclosure tagging requirements for operating companies and 
investment companies, including the requirement in rule 405(a)(3) to 
use Inline XBRL as the specific structured data language to use for 
tagging the disclosures.
---------------------------------------------------------------------------

    Many funds are already required to tag certain registration 
statement disclosure items using Inline XBRL.\85\ Requiring Inline XBRL 
tagging of significant fund cybersecurity incidents for all funds would 
benefit investors, other market participants, and the Commission by 
making the disclosures more readily available and easily accessible for 
aggregation, comparison, filtering, and other analysis, as compared to 
requiring an unstructured format such as plain ASCII text or HTML. 
This would enable automated extraction and analysis of granular data on 
significant fund cybersecurity incidents, such as the date the incident 
was discovered, allowing investors and other market participants to 
more efficiently perform large-scale analysis and comparison across 
funds and time periods. An Inline XBRL requirement would facilitate 
other analytical benefits, such as more easily extracting/searching 
disclosures about significant fund cybersecurity incidents, performing 
targeted assessments (rather than having to manually run searches for 
these disclosures through entire documents), and automatically 
comparing these disclosures against prior periods. We believe requiring 
structured data for significant fund cybersecurity incidents for all 
funds would make cybersecurity disclosure more readily available, 
accessible, and comparable for investors, other market participants, 
and the Commission.
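    The following Python example is added for this page and is not part of 
the Commission's release or any filer's code. It illustrates the two 
tagging styles described above (block-text tagging of the narrative 
incident description and detail tagging of a date and a quantity inside 
it) by parsing a constructed Inline XBRL fragment and extracting the 
facts, including the incident discovery date, the way an automated 
consumer of EDGAR filings would. Only the ``ix:`` and ``xbrli:`` 
namespace URIs are real (they come from the Inline XBRL 1.1 and XBRL 2.1 
specifications); the ``cyber:`` concept names, the CIK ``0000000000``, 
the period, the narrative text and the helper names are assumptions made 
for illustration, since the Commission has not adopted a taxonomy for 
these disclosures.

```python
import xml.etree.ElementTree as ET
from datetime import date
from typing import Dict, List, Optional, Tuple

# Namespace URIs from the Inline XBRL 1.1 and XBRL 2.1 specifications.
NS = {
    "ix": "http://www.xbrl.org/2013/inlineXBRL",
    "xbrli": "http://www.xbrl.org/2003/instance",
}
IX = "{%s}" % NS["ix"]
XBRLI = "{%s}" % NS["xbrli"]

# Constructed sample filing fragment (an assumption for illustration).
# The "cyber:" concept names, CIK, period and narrative are hypothetical.
SAMPLE_IXBRL = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ix="http://www.xbrl.org/2013/inlineXBRL"
      xmlns:xbrli="http://www.xbrl.org/2003/instance"
      xmlns:cyber="http://example.com/hypothetical/cyber">
<body>
<ix:header><ix:resources>
  <xbrli:context id="c_fy2021">
    <xbrli:entity><xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2021-01-01</xbrli:startDate><xbrli:endDate>2021-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="u_pure"><xbrli:measure>xbrli:pure</xbrli:measure></xbrli:unit>
</ix:resources></ix:header>
<p><ix:nonNumeric name="cyber:SignificantFundCybersecurityIncidentDescription" contextRef="c_fy2021" escape="true">
The Fund's transfer agent experienced an intrusion that was discovered on
<ix:nonNumeric name="cyber:IncidentDiscoveryDate" contextRef="c_fy2021">2021-11-03</ix:nonNumeric>.
Records for approximately
<ix:nonFraction name="cyber:ShareholderAccountsAffected" contextRef="c_fy2021" unitRef="u_pure" decimals="0">1250</ix:nonFraction>
shareholder accounts were accessed. The incident is not ongoing; remediation by the service provider is complete.
</ix:nonNumeric></p>
</body></html>"""


def load_contexts(root: ET.Element) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each xbrli:context id to its (startDate, endDate) period."""
    contexts = {}
    for ctx in root.iter(XBRLI + "context"):
        period = ctx.find("xbrli:period", NS)
        start = period.findtext("xbrli:startDate", namespaces=NS) if period is not None else None
        end = period.findtext("xbrli:endDate", namespaces=NS) if period is not None else None
        contexts[ctx.get("id")] = (start, end)
    return contexts


def extract_facts(doc: str) -> List[dict]:
    """Return every ix:nonNumeric (block text, dates) and ix:nonFraction
    (detail-tagged numbers) fact with its concept name, period and value."""
    root = ET.fromstring(doc)
    contexts = load_contexts(root)
    facts = []
    for el in root.iter(IX + "nonNumeric"):
        # A block-text fact's value is all text beneath it, nested facts included.
        text = " ".join("".join(el.itertext()).split())
        facts.append({"name": el.get("name"), "context": el.get("contextRef"),
                      "period": contexts.get(el.get("contextRef")), "value": text})
    for el in root.iter(IX + "nonFraction"):
        # Inline XBRL lets a filer express "1250" as "1.25" with scale="3".
        scale = int(el.get("scale", "0"))
        value = float("".join(el.itertext()).strip()) * (10 ** scale)
        facts.append({"name": el.get("name"), "context": el.get("contextRef"),
                      "period": contexts.get(el.get("contextRef")), "value": value})
    return facts


def dangling_context_refs(facts: List[dict]) -> List[str]:
    """Concept names whose contextRef resolves to no declared context; a
    check worth running before trusting any extracted value."""
    return [f["name"] for f in facts if f["period"] is None]


def incident_discovery_dates(facts: List[dict]) -> List[date]:
    """Pull the detail-tagged discovery dates out of the fact list."""
    return [date.fromisoformat(f["value"]) for f in facts
            if f["name"] == "cyber:IncidentDiscoveryDate"]


if __name__ == "__main__":
    facts = extract_facts(SAMPLE_IXBRL)
    for f in facts:
        print(f["name"], f["period"], repr(f["value"])[:60])
    print("discovery dates:", incident_discovery_dates(facts))
    print("dangling contextRefs:", dangling_context_refs(facts))
```

    The outer ``ix:nonNumeric`` carries the whole narrative (the block-text 
tag), while the nested date and count are the detail tags that a consumer 
can filter and compare across funds and periods without reading the 
prose; the same parser would work over a real filing once concept names 
from an adopted taxonomy are substituted for the hypothetical ones.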
---------------------------------------------------------------------------

    \85\ The Commission has adopted rules requiring funds 
registering on Forms N-1A, N-2, N-3, N-4, and N-6 to submit data 
using Inline XBRL. See Interactive Data to Improve Financial 
Reporting, Release No. 33-9002 (Jan. 30, 2009) [74 FR 6776 (Feb. 10, 
2009)] as corrected by Release No. 33-9002A (Apr. 1, 2009) [74 FR 
15666 (Apr. 7, 2009)]; Inline XBRL Filing of Tagged Data, Release 
No. 33-10514 (June 28, 2018) [83 FR 40846 (Aug. 16, 2018)]; Updated 
Disclosure Requirements and Summary Prospectus for Variable Annuity 
and Variable Life Insurance Contracts, Investment Company Act 
Release No. 33814 (Mar. 11, 2020) [85 FR 25964 (May 1, 2020)] 
(``Variable Contract Summary Prospectus Adopting Release''); 
Securities Offering Reform for Closed-End Investment Companies, 
Release No. 33-10771 (Apr. 8, 2020) [85 FR 33290 (June 1, 2020)]; 
Filing Fee Disclosure and Payment Methods Modernization, Release No. 
33-10997 (Oct. 13, 2021) [86 FR 70166 (Dec. 9, 2021)].
---------------------------------------------------------------------------
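
    As an illustration of the automated extraction described above (an 
added example, not part of this release or of any Commission system), 
the following Python script parses constructed Inline XBRL fragments 
for two fictitious funds, resolves each tagged fact to the filer through 
its XBRL context, and then filters across funds by discovery date and by 
whether the incident is ongoing. The element names 
(``fund:CybersecurityIncidentDiscoveryDate'' and the like), the 
``fund'' prefix, and the sample filings are assumptions; the proposal 
does not specify a taxonomy for these disclosures.

```python
# Added example (not from the SEC release): pulling tagged cybersecurity-
# incident facts out of Inline XBRL filings and running the kind of
# cross-fund filtering the release describes. The element names below
# are assumptions; the proposal does not define a taxonomy for them.
import xml.etree.ElementTree as ET
from datetime import date

# Namespaces used by Inline XBRL 1.1 and the XBRL instance schema.
IX = "{http://www.xbrl.org/2013/inlineXBRL}"
XBRLI = "{http://www.xbrl.org/2003/instance}"

# Hypothetical element names (assumption; placeholder "fund" prefix).
DISCOVERY_DATE = "fund:CybersecurityIncidentDiscoveryDate"
ONGOING = "fund:CybersecurityIncidentCurrentlyAffectingFund"
DESCRIPTION = "fund:CybersecurityIncidentDescription"


def make_filing(cik, discovered, ongoing, description):
    """Build a constructed, minimal Inline XBRL prospectus fragment.

    Contexts live in the hidden ix:header; the visible narrative carries
    the tagged facts inline, so a machine reads the same text a human sees.
    """
    return f"""<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ix="http://www.xbrl.org/2013/inlineXBRL"
    xmlns:xbrli="http://www.xbrl.org/2003/instance">
<body>
<div style="display:none"><ix:header><ix:resources>
<xbrli:context id="fy2021">
  <xbrli:entity>
    <xbrli:identifier scheme="http://www.sec.gov/CIK">{cik}</xbrli:identifier>
  </xbrli:entity>
  <xbrli:period><xbrli:instant>2021-12-31</xbrli:instant></xbrli:period>
</xbrli:context>
</ix:resources></ix:header></div>
<p>On <ix:nonNumeric name="{DISCOVERY_DATE}" contextRef="fy2021">{discovered}</ix:nonNumeric>
the Fund discovered <ix:nonNumeric name="{DESCRIPTION}" contextRef="fy2021">{description}</ix:nonNumeric>.
The incident is currently affecting the Fund:
<ix:nonNumeric name="{ONGOING}" contextRef="fy2021">{ongoing}</ix:nonNumeric>.</p>
</body>
</html>"""


def extract_facts(ixbrl_text):
    """Map CIK -> {element name: text value} for every ix:nonNumeric fact.

    Facts are resolved to the filer through their contextRef rather than
    by scraping the narrative, so wording changes do not break extraction.
    """
    root = ET.fromstring(ixbrl_text)
    context_to_cik = {}
    for ctx in root.iter(XBRLI + "context"):
        ident = ctx.find(f"{XBRLI}entity/{XBRLI}identifier")
        context_to_cik[ctx.get("id")] = ident.text.strip()
    facts = {}
    for fact in root.iter(IX + "nonNumeric"):
        cik = context_to_cik[fact.get("contextRef")]
        value = "".join(fact.itertext()).strip()
        facts.setdefault(cik, {})[fact.get("name")] = value
    return facts


def aggregate(filings):
    """Merge the facts from many filings into one table keyed by CIK."""
    table = {}
    for doc in filings:
        for cik, facts in extract_facts(doc).items():
            table.setdefault(cik, {}).update(facts)
    return table


def discovered_on_or_after(table, cutoff_iso):
    """CIKs whose tagged discovery date is on or after the cutoff date."""
    cutoff = date.fromisoformat(cutoff_iso)
    return sorted(
        cik for cik, f in table.items()
        if DISCOVERY_DATE in f and date.fromisoformat(f[DISCOVERY_DATE]) >= cutoff
    )


def currently_affected(table):
    """CIKs that tagged the incident as still affecting the fund."""
    return sorted(cik for cik, f in table.items()
                  if f.get(ONGOING, "").lower() == "true")


# Constructed sample filings for two fictitious funds (not real CIKs).
FILINGS = [
    make_filing("0000012345", "2021-03-02", "false",
                "unauthorized access to a transfer agent portal"),
    make_filing("0000067890", "2021-11-15", "true",
                "a ransomware event disrupting NAV calculation"),
]

if __name__ == "__main__":
    table = aggregate(FILINGS)
    print(discovered_on_or_after(table, "2021-06-01"))  # ['0000067890']
    print(currently_affected(table))                    # ['0000067890']
```

    The same two queries run against untagged HTML would require a text 
search over each entire document and would break whenever a fund 
reworded its disclosure; resolving facts through the XBRL context is 
what makes the cross-fund comparison repeatable.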

    We seek comment on the Commission's proposed amendments to fund 
registration statement disclosure requirements:
    55. Should there be a prospectus disclosure requirement of 
significant fund cybersecurity incidents for all registered funds? If 
some types of funds should be exempt, have different disclosure 
requirements, or not be subject to the proposed structured data 
requirement, which and why?
    56. Will the proposed cybersecurity disclosures be helpful for 
shareholders and potential shareholders? Are there additional 
cybersecurity disclosures we should add? Should we modify or delete any 
of the proposed cybersecurity disclosures?
    57. Does the definition of significant fund cybersecurity incident 
allow funds to inform investors of cybersecurity risks arising from the 
incident while protecting the fund from threat actors who might use 
that information for the current or future attacks? Does this 
definition allow for disclosures relevant to investors without 
providing so much information as to be desensitizing? Why or why not?
    58. Should the rule include a requirement to disclose whether a 
significant fund cybersecurity incident is currently affecting the fund 
as proposed? Why or why not? How often should cybersecurity disclosure 
be updated? Is the lookback period of two fiscal years appropriate? Why 
or why not?
    59. Should the rule include an instruction about significant fund 
cybersecurity incidents that may have occurred in the fund's last two 
fiscal years but were discovered later? Why or why not? Should the 
Commission provide more specific guidance or requirements on when a 
fund should update its disclosure to provide information about a 
significant fund cybersecurity incident? Should the timing or 
information about a significant cybersecurity incident for updated 
disclosure match the prompt reporting requirement for advisers on Form 
ADV-C? Why or why not?
    60. Are there other delivery or shareholder-notification 
requirements that we should consider for funds when updates to their 
cybersecurity disclosures are made? For example, should there be an 
alternate website disclosure regime, similar to how proxy voting 
records may be disclosed, for cybersecurity incidents? Why or why not? 
Or alternatively or additionally, should information about significant 
fund cybersecurity incidents be included in funds' annual reports to 
shareholders, filed on Form N-CSR, or reported on Form N-CEN?
    61. Should funds also be specifically required to disclose if there 
has not been a significant cybersecurity incident in their last two 
fiscal years? Would this disclosure assist investors in their 
investment decision-making? Why or why not?
    62. Should the Commission provide more specific guidance or 
requirements on when and what cybersecurity risk funds should disclose, 
including when cybersecurity risk would be considered a principal risk 
factor? Why or why not?
    63. Should we require all funds to tag significant fund 
cybersecurity incidents in Inline XBRL, as proposed? Why or why not?
    64. Should we require funds to use a different structured data 
language to tag significant fund cybersecurity incident disclosures? If 
so, what structured data language should we require?

III. Economic Analysis

A. Introduction

    The Commission is mindful of the economic effects, including the 
costs and benefits, of the proposed rules and amendments. Section 3(f) 
of the Exchange Act, section 2(c) of the Investment Company Act, and 
section 202(c) of the Advisers Act provide that when engaging in 
rulemaking that requires us to consider or determine whether an action 
is necessary or appropriate in or consistent with the public interest, 
to also consider, in addition to the protection of investors, whether 
the action will promote efficiency, competition, and capital formation. 
Section 23(a)(2) of the Exchange Act also requires us to consider the 
effect that the rules would have on competition, and prohibits us from 
adopting any rule that would impose a burden on competition not 
necessary or appropriate in furtherance of the Exchange Act. The 
analysis below addresses the likely economic effects of the proposed 
amendments, including the anticipated and estimated benefits and costs 
of the amendments and their likely effects on efficiency, competition, 
and capital formation. The Commission also discusses the potential 
economic effects of certain alternatives to the approaches taken in 
this proposal.

[[Page 13543]]

    The proposed rules and amendments would provide a more specific and 
comprehensive framework for advisers and funds to address, report on, 
and disclose cybersecurity-related risks and incidents. They would 
directly affect advisers and funds through changes in their obligations 
related to cybersecurity risks. They would also directly affect 
investment advisers' and funds' current and prospective clients and 
investors. In addition, the proposed rules may affect third-party 
service providers to advisers and funds.
    We anticipate that the main economic benefits of the proposed rules 
and amendments would be to enhance certain advisers' and funds' 
cybersecurity preparedness and thereby reduce related risks to clients 
and investors, to improve clients' and investors' information about 
advisers' and funds' cybersecurity exposures, and to enhance the 
Commission's ability to assess systemic risks and its oversight of 
advisers and funds. We expect the main economic costs of the proposed 
rules and amendments to be compliance costs \86\ borne by investment 
advisers and funds--costs likely to be passed on to their respective 
clients and investors. We do not anticipate that these costs and 
benefits will be material in the aggregate, although they may have 
significant effects on individual advisers, funds, and their respective 
clients and investors.
---------------------------------------------------------------------------

    \86\ Throughout this economic analysis, ``compliance costs'' 
refers to the direct and indirect costs resulting from material 
changes to affected registrants' business practices that may be 
required to comply with the proposed regulations (e.g., conducting 
cybersecurity analysis of deployed systems, replacing outdated 
insecure computer software, hiring staff to implement cybersecurity 
improvements, renegotiating contracts with service providers, 
exposing aspects of secret business practices through mandated 
disclosures). As used here, ``compliance costs'' excludes certain 
administrative costs of the proposed regulations (e.g., filling out 
and filing required forms, conducting legal reviews of mandated 
disclosures) subject to the Paperwork Reduction Act. These 
administrative costs are discussed in detail in the Paperwork 
Reduction Act analysis in section IV.
---------------------------------------------------------------------------

    We expect that the proposed rules and amendments would have a more 
significant effect on smaller advisers and smaller fund families as 
well as their clients and investors. Such differential impacts would 
likely have some effect on competition in the adviser and fund 
management markets, although the direction of this effect is 
ambiguous.\87\ In addition to providing clients and investors with 
additional cybersecurity-related information about advisers and funds, 
we expect the proposed amendments to increase investors' confidence in 
the operational resiliency of advisers and funds and safety of their 
investments held through those firms. In so doing, we expect that the 
proposed amendments would improve economic efficiency and enhance 
capital formation.
---------------------------------------------------------------------------

    \87\ Both costs and benefits would have differential effects. 
See infra section III.E.
---------------------------------------------------------------------------

    Many of the benefits and costs discussed below are difficult to 
quantify. For example, the effectiveness of cybersecurity hygiene 
measures taken as a result of the proposed amendments on the 
probability of a cybersecurity incident and on the expected cost of 
such an incident, including remediation costs, is subject to numerous 
assumptions and unknowns, and is thus impracticable to quantify. Also, 
in some cases, data needed to quantify these economic effects are not 
currently available. For example, the Commission does not have reliable 
data on the incidence of cybersecurity incidents for advisers and 
funds. While we have attempted to quantify economic effects where 
possible, much of the discussion of economic effects is qualitative in 
nature. The Commission seeks comment on all aspects of the economic 
analysis, especially any data or information that would enable a 
quantification of the proposal's economic effects.

B. Broad Economic Considerations

    While advisers and funds have private incentives to maintain some 
level of cybersecurity hygiene, market failures can lead the privately 
optimal level to be inadequate from the perspective of overall economic 
efficiency: Such market failures provide the economic rationale for 
regulatory intervention in advisers' and funds' cybersecurity 
practices. At the core of these market failures is asymmetric 
information about cybersecurity preparations and incidents as well as 
negative externalities to these incidents. Asymmetric information 
contributes to two main inefficiencies: First, because the production 
of cybersecurity defenses must constantly evolve, an adviser's or 
fund's inability to observe cyberattacks on its competitors inhibits 
the efficacy of its own cybersecurity preparations. Second, for a 
client or investor, the inability to observe an adviser's or fund's 
effort in cybersecurity preparation gives rise to a principal-agent 
problem that can contribute to an adviser or fund exerting too little 
effort (i.e., underinvesting or underspending) on cybersecurity 
preparations. Moreover, because there can be substantial negative 
externalities related to cybersecurity incidents, advisers' and funds' 
private incentives to exert effort on cybersecurity preparations are 
likely to be lower than optimal from a societal standpoint.
    In the production of cybersecurity defenses, the main input is 
information. In particular, information about prior attacks and their 
degree of success is immensely valuable in mounting effective 
countermeasures.\88\ However, firms are naturally reluctant to share 
such information freely: Doing so can assist future attackers as well 
as lead to loss of customers, reputational harm, litigation, or 
regulatory scrutiny.\89\ Moreover, because disclosure of such 
information creates a positive information externality \90\--the 
benefits of which accrue to society at large and which cannot be fully 
captured by the firm making the disclosure--an inefficient market 
equilibrium is likely to arise. In this market equilibrium, too little 
information about cybersecurity incidents is disclosed, leading to 
inefficiently low levels of cybersecurity defense production.\91\
---------------------------------------------------------------------------

    \88\ See Peter W. Singer and Allan Friedman, Cybersecurity: What 
Everyone Needs to Know. Oxford University Press 222 (2014).
    \89\ See, e.g., Federal Trade Commission v. Equifax, Inc. 
(2019), available at <a href="https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc">https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc</a>.
    \90\ However, disclosure of this information to parties that do 
not obey the law creates significant negative externalities as it 
can facilitate attacks against those who employ similar business 
methods and IT systems. See infra section III.D.2.b (discussing the 
potential costs of excessive disclosure).
    \91\ This problem has long been recognized by policymakers 
leading to various efforts aimed at encouraging voluntary 
information sharing across firms. See infra section III.C.1.
---------------------------------------------------------------------------

    Asymmetric information also contributes to a principal-agent 
problem. The relationship between an adviser and its client or a fund 
and its investor is one where the principal (the client or fund 
investor) relies on an agent (the investment adviser or fund complex 
and its management) to perform services on the principal's behalf.\92\ 
Because principals and their agents do not have perfectly aligned 
preferences and goals, agents may take actions that increase their 
well-being at the expense of principals, thereby imposing ``agency 
costs'' on the principals.\93\ Although private contracts between 
principals and agents aim to minimize such costs, they are limited in 
their ability to do so; this limitation provides one rationale for 
regulatory intervention.\94\
---------------------------------------------------------------------------

    \92\ See Michael C. Jensen and William H. Meckling, Theory of 
the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 
3 Journal of Financial Economics, 305-360 (1976) (``Jensen and 
Meckling'').
    \93\ Id.
    \94\ Such limitations can arise from unobservability or 
unverifiability of actions, transaction costs associated with 
including numerous contingencies in contracts, or bounded 
rationality in the design of contracts. See e.g. Jean Tirole, 
Cognition and Incomplete Contracts, 99 (1) American Economic Review, 
265-94 (Mar. 2009) (discussing a relatively modern treatment of 
these issues) (``Tirole'').

---------------------------------------------------------------------------

[[Page 13544]]

    In the context of cybersecurity, the principal-agent problem is one 
of underspending in cybersecurity--agents exerting insufficient effort 
toward protecting the personal information, investments, or funds of 
the principals from being stolen or otherwise compromised. For example, 
in a recent survey of financial firms, 58% of the respondents self-
reported ``underspending'' on cybersecurity.\95\ Several factors can 
contribute to this underspending. Agents (i.e., advisers and funds) may 
not be able to credibly signal to their principals (i.e., clients or 
investors) that they are better at addressing cybersecurity risks than 
their peers, reducing their incentives to bear such costs.\96\ At the 
same time, agents who do not bear the full cost of a cybersecurity 
failure (e.g., losses of their customers' information or assets) will 
prefer to avoid bearing costs--such as elaborate cybersecurity 
practices--the benefits of which accrue in large part to principals 
(i.e., clients and investors).
---------------------------------------------------------------------------

    \95\ Institute of International Finance, IIF/McKinsey Cyber 
Resilience Survey (Mar. 2020), available at <a href="https://www.iif.com/Portals/0/Files/content/cyber_resilience_survey_3.20.2020_print.pdf">https://www.iif.com/Portals/0/Files/content/cyber_resilience_survey_3.20.2020_print.pdf</a> 
(``IIF/McKinsey Report''). A total of 27 companies participated in 
the survey, with 23 having a global footprint. Approximately half of 
respondents were European or U.S. Global Systemically Important Banks 
(G-SIBs).
    \96\ See Sanford J. Grossman, The Informational Role of 
Warranties and Private Disclosure about Product Quality, 24 (3) The 
Journal of Law and Economics 461-83 (Dec. 1981); see also Michael 
Spence, Competitive and Optimal Responses to Signals: An Analysis of 
Efficiency and Distribution, 7 (3) Journal of Economic Theory 296-
332 (Mar. 1, 1974); G.A. Akerlof, The Market for ``Lemons'': Quality 
Uncertainty and the Market Mechanism, 84 (3) The Quarterly Journal 
of Economics 488-500 (Aug. 1970).
---------------------------------------------------------------------------

    Agents' reputation motives--the fear of market-imposed loss of 
future profits--should generally work against the tendency for agents 
to underinvest in cybersecurity measures. However, for smaller agents--
who do not enjoy economies of scale or scope, and generally have less 
valuable brands--the cost of implementing robust cybersecurity measures 
will be relatively high, while their reputation motives will be more 
limited. Thus, smaller agents can be expected to be especially prone to 
underinvestment.
    Even in the absence of agency problems, advisers and funds may 
still underinvest in cybersecurity due to negative externalities or 
moral hazard. In the context of cybersecurity, negative externalities 
arise because a disruption to the operation or financial condition of 
one financial entity can have significant negative repercussions on the 
financial system broadly.\97\ For example, a cybersecurity incident at 
a large money market fund that affects its ability to process 
redemptions could disrupt the fund's shareholders' ability to access 
cash needed to satisfy other obligations, potentially leading those 
shareholders to default, which, in turn, could trigger further defaults 
by those shareholders' creditors. Alternatively, a cybersecurity 
incident may adversely affect market confidence and curtail economic 
activity through a confidence channel.\98\ As such costs would not be 
internalized by advisers and funds, advisers and funds would be 
expected to underinvest in measures aimed at avoiding such costs. In 
addition, advisers and funds may also underinvest in their 
cybersecurity measures due to moral hazard from expectations of 
government support.\99\ For example, a large fund may realize that it 
is an attractive target for sophisticated state actors aiming to 
disrupt the U.S. financial system. Protection against such ``advanced 
persistent threats'' \100\ from sophisticated actors is costly.\101\ A 
belief that such an attack would be met with government support could 
lead to moral hazard where the fund underinvests in defenses aimed at 
countering this threat.
---------------------------------------------------------------------------

    \97\ See Anil K. Kashyap and Anne Wetherilt, Some Principles for 
Regulating Cyber Risk, AEA Papers and Proceedings 109, 482-487 (May 
2019).
    \98\ Id.
    \99\ It has long been noted that it is difficult for governments 
to commit credibly to not providing support to entities that are 
seen as critical to the functioning of the financial system, 
resulting in problems of moral hazard. See, e.g., Walter Bagehot, 
Lombard Street, King (1873). Historically, banking entities seen as 
``too big to fail'' or ``too interconnected to fail'' have been the 
principal recipients of such government support. Since the financial 
crisis of 2007-2009, non-bank financial institutions (such as 
investment banks), money market funds, and insurance companies, as 
well as specific markets such as the repurchase market have also 
benefited. See, e.g., Gary B. Gorton, Slapped by the Invisible Hand: 
The Panic of 2007, Oxford University Press (2010). See also Viral V. 
Acharya, Deniz Anginer, and A. Joseph Warburton, The End of Market 
Discipline? Investor Expectations of Implicit Government Guarantees, 
SSRN Scholarly Paper. Rochester, NY: Social Science Research Network 
(May 1, 2016).
    \100\ Advanced persistent threat (APT) refers to sophisticated 
cyberattacks by hostile organizations with the goal of: Gaining 
access to defense, financial and other targeted information from 
governments, corporations and individuals; maintaining a foothold in 
these environments to enable future use and control; and modifying 
data to disrupt performance in their targets. See Michael K. Daly, 
The Advanced Persistent Threat (or Informationized Force 
Operations), Usenix LISA 09 (Nov. 4, 2009), available at <a href="https://www.usenix.org/legacy/events/lisa09/tech/slides/daly.pdf">https://www.usenix.org/legacy/events/lisa09/tech/slides/daly.pdf</a>.
    \101\ See Nikos Virvilis, and Dimitris Gritzalis, The Big Four--
What We Did Wrong in Advanced Persistent Threat Detection? 2013 
International Conference on Availability, Reliability and Security, 
248-54 (2013).
---------------------------------------------------------------------------

    The proposed amendments could mitigate these problems in several 
ways. First, establishing explicit requirements for cybersecurity 
policies and procedures could help ensure that investment advisers and 
funds devote a certain minimum amount of effort toward cybersecurity 
readiness. Second, the proposed disclosure and regulatory reporting 
requirements could help alleviate the information asymmetry problems by 
providing current and prospective investors and clients, third parties 
(e.g., fund rating services), and regulators with more information 
about funds' and advisers' cybersecurity exposure. The publicly 
disclosed information could in turn be used by investors, clients, and 
third parties to screen and monitor funds and investment advisers, 
while the confidential regulatory reports could be used by regulators 
to inform industry and law enforcement about ongoing threats. Finally, 
by reducing uncertainty about the effectiveness of funds' and 
investment advisers' cybersecurity measures, the proposed amendments 
could help level the competitive playing field for funds and advisers 
by simplifying prospective investors' and clients' decision 
making.\102\ By addressing important market imperfections, the proposed 
amendments could mitigate underinvestment in cybersecurity and improve 
the adviser and fund industry's ability to produce effective 
cybersecurity defenses through better information sharing, which could 
in turn lead to improved economic efficiency.
---------------------------------------------------------------------------

    \102\ By analogy, in the absence of rigorous airline safety 
regulation, shopping for airline tickets would be considerably more 
complex as one would need to consider not only each airline's price 
and level of service, but also the adequacy of each airline's 
maintenance regime, the age of its fleet, and the training of its 
pilots.
---------------------------------------------------------------------------

    The effectiveness of the proposed amendments at mitigating the 
aforementioned problems would depend on several factors. It would 
depend on the extent to which the proposed amendments materially affect 
registrants' policies and procedures and disclosures. Insofar as the 
new requirements affect registrants' policies and procedures, the 
effectiveness of the proposed amendments would also depend on the 
extent to which the actions they induce alleviate cybersecurity 
underinvestment. The effectiveness of the proposed amendments would 
also depend on the extent to which the proposed disclosure requirements 
provide useful

[[Page 13545]]

information to investors, clients, third parties, and regulators.\103\
---------------------------------------------------------------------------

    \103\ Similar arguments have been put forward with respect to 
disclosure's utility in predicting adviser fraud. See, e.g., Stephen 
Dimmock and William Gerken, Predicting Fraud by Investment Managers, 
105 (1) Journal of Financial Economics, 153-173 (2012).
---------------------------------------------------------------------------

C. Baseline

    The market risks and practices, regulation, and market structure 
relevant to the affected parties in place today form the baseline for 
our economic analysis. The parties directly affected by the proposed 
amendments are advisers that are registered or required to be 
registered with the Commission and funds. In addition, the proposed 
amendments would indirectly affect current and prospective clients of 
such advisers (including private funds) and investors in such funds as 
well as certain service providers to advisers and funds. Finally, these 
amendments could also affect issuers of financial assets whose access 
to and cost of capital could change because of the proposed amendments' 
effects on the asset management markets.
1. Cybersecurity Risks and Practices
    With the widespread adoption of internet-based products and 
services over the last two decades, all businesses have had to address 
issues of cybersecurity. For financial services firms, the stakes are 
particularly high--it is where the money is. Cybersecurity threat 
intelligence surveys consistently find the financial sector to be one 
of the most attacked industries, if not the most attacked,\104\ and 
remediation costs for such incidents can be substantial.\105\ The 
financial services sector has also been at the forefront of 
digitization and now represents one of the most digitally mature 
sectors of the economy.\106\ Not 
surprisingly, it is also one of the biggest spenders on cybersecurity 
measures: A recent survey found that non-bank financial firms spent an 
average of approximately 0.5% of revenues--or $2,348/employee--on 
cybersecurity.\107\
---------------------------------------------------------------------------

    \104\ See, e.g., IBM, X-Force Threat Intelligence Index 2021 
(2021), available at <a href="https://www.ibm.com/security/data-breach/threat-intelligence">https://www.ibm.com/security/data-breach/threat-intelligence</a>.
    \105\ See, e.g., supra footnote 6 (Cost of Data Breach Report) 
and accompanying text (noting the average cost of a data breach in 
the financial industry in the United States is $5.72 million).
    \106\ See BCG Global, Digital Maturity Is Paying Off (Nov. 6, 
2020), available at <a href="https://www.bcg.com/publications/2018/digital-maturity-is-paying-off">https://www.bcg.com/publications/2018/digital-maturity-is-paying-off</a>.
    \107\ Deloitte LLP, Reshaping the Cybersecurity Landscape, 
Deloitte Insights (accessed Nov. 10, 2021), available at <a href="https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html">https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html</a> 
(``Reshaping the Cybersecurity Landscape'').
---------------------------------------------------------------------------

    The ubiquity and rising costs of cybercrime \108\ along with firms' 
increasingly costly efforts to prevent it \109\ have created a boom in 
the cybersecurity industry \110\ and led to the development of 
numerous technologies, standards, and industry-noted ``best practices'' 
aimed at mitigating cybersecurity threats. Many of these developments-- 
multi-factor authentication, HTTPS, and user-access control--are so 
widely deployed as to be in common parlance. Among practitioners (chief 
technology officers, chief information officers, chief information 
security officers (``CISOs'') and their staffs), best practice frameworks such 
as Carnegie Mellon University's Cyber Resilience Review,\111\ the NIST 
Framework,\112\ and similar offerings from cybersecurity consultants 
and product vendors are now frequently employed to assess and address 
institutional cybersecurity preparedness. Such frameworks cover the 
gamut of cybersecurity, including: IT asset management, controls, 
change management, vulnerability management, incident management, 
continuity of operations, risk management, dependencies on third 
parties, training, and information sharing. In recent years, company 
boards and executive management teams have been paying more attention 
to many of these areas.\113\
---------------------------------------------------------------------------

    \108\ See supra footnote 5 (FBI 2020 Internet Crime Report, 
noting that cybercrime victims lost approximately $4.2 billion in 
2020).
    \109\ See Office of Financial Research, Annual Report to 
Congress (2021), available at <a href="https://www.financialresearch.gov/annual-reports/files/OFR-Annual-Report-2021.pdf">https://www.financialresearch.gov/annual-reports/files/OFR-Annual-Report-2021.pdf</a>.
    \110\ VentureBeat, The Cybersecurity Industry Is Burning--But 
VCs Don't Care (Sept. 2, 2021), available at <a href="https://venturebeat.com/2021/09/02/the-cybersecurity-industry-is-burning-and-vcs-dont-care/">https://venturebeat.com/2021/09/02/the-cybersecurity-industry-is-burning-and-vcs-dont-care/</a> (``VentureBeat'').
    \111\ U.S. Department of Homeland Security Cybersecurity and 
Infrastructure Security Agency, CRR: Method Description and Self-
Assessment User Guide (Apr. 2020), available at <a href="https://www.cisa.gov/sites/default/files/publications/2_CRR%204.0_Self-Assessment_User_Guide_April_2020.pdf">https://www.cisa.gov/sites/default/files/publications/2_CRR%204.0_Self-Assessment_User_Guide_April_2020.pdf</a>.
    \112\ See supra footnote 24.
    \113\ See Reshaping the Cybersecurity Landscape, supra footnote 
107.
---------------------------------------------------------------------------

    While spending on cybersecurity measures in the financial services 
industry is considerable, it may nonetheless be inadequate--even in the 
estimation of financial firms themselves: According to one recent 
survey, 58% of financial firms self-reported ``underspending'' on 
cybersecurity measures.\114\ And while adoption of cybersecurity best 
practices has been accelerating overall, many firms continue to lag in 
their adoption.\115\ While surveys of financial services firms are 
suggestive, the true extent of advisers' and funds' underspending--and 
of failing to adopt industry-accepted cybersecurity ``best 
practices''--is impracticable to quantify.\116\
---------------------------------------------------------------------------

    \114\ See IIF/McKinsey Report, supra footnote 95.
    \115\ See VentureBeat, supra footnote 110.
    \116\ As noted in section III.B, the quality of cybersecurity 
measures is difficult to quantify. Moreover, the cybersecurity 
measures being employed by registrants are not generally observable. 
Consequently, it is not practicable to estimate the adequacy of 
measures currently being employed by registrants.
---------------------------------------------------------------------------

    Similarly, it is impracticable to quantify the adequacy of 
advisers' and funds' information sharing arrangements.\117\ The value 
of such information sharing has long been recognized. In 1998, 
Presidential Decision Directive 63 established industry-based 
information sharing and analysis centers (``ISACs'') to promote the 
disclosure and sharing of cybersecurity information among firms.\118\ 
The FS-ISAC provides financial firms with such a forum.\119\ However, 
observers have questioned the efficacy of these information-sharing 
partnerships,\120\ while the U.S. Government has continued in attempts 
to further such efforts. For example, President Obama's 2015 Executive 
Order, ``Promoting Private Sector Cybersecurity Information Sharing'' 
aimed ``to encourage the voluntary formation of [information sharing 
organizations], to establish mechanisms to continually improve the 
capabilities and functions of these organizations, and to better allow 
these organizations to partner with the Federal Government on a 
voluntary basis.'' \121\ Although the Commission does not have data on 
the extent of advisers' and funds' use of such forums or their 
efficacy, surveys of securities firms conducted by FINRA suggest that 
there is considerable variation in firms' willingness to share 
information about cybersecurity threats voluntarily, with larger firms 
being

[[Page 13546]]

more likely to do so.\122\ Other surveys paint a similar picture; a 
recent survey of financial firms found that while recognition of the 
value of information-sharing arrangements is widespread, a majority of 
firms report hesitance to participate due to regulatory restrictions or 
privacy concerns.\123\
---------------------------------------------------------------------------

    \117\ The Commission does not currently collect data from 
registrants regarding the presence of such arrangements. We are also 
not aware of any third-party data providers that tabulate this 
information.
    \118\ See Presidential Decision Directive/NSC-63, Critical 
Infrastructure Protection (May 22, 1998); Presidential Decision 
Directive 63 on Critical Infrastructure Protection: Sector 
Coordinators, 98 FR 41804 (Aug. 5, 1998) (notice and request for 
expressions of interest). See also National Council of ISACs, 
available at <a href="https://www.nationalisacs.org">https://www.nationalisacs.org</a>.
    \119\ More information about the FS-ISAC is available at <a href="https://www.fsisac.com">https://www.fsisac.com</a>.
    \120\ Denise E. Zheng and James A. Lewis, Cyber Threat 
Information Sharing, Center for Strategic and International Studies 
62 (2015).
    \121\ See Executive Order 13691, Promoting Private Sector 
Cybersecurity Information Sharing (Feb. 13, 2015).
    \122\ FINRA, Report on Cybersecurity Practices (Feb. 2015), 
available at <a href="https://www.finra.org/sites/default/files/2020-07/2015-report-on-cybersecurity-practices.pdf">https://www.finra.org/sites/default/files/2020-07/2015-report-on-cybersecurity-practices.pdf</a>. Survey respondents included 
large investment banks, clearing firms, online brokerages, high-
frequency traders, and independent dealers. Thus, the results should 
be taken as suggestive of practices that may be in place at advisers 
and funds.
    \123\ See Reshaping the Cybersecurity Landscape, supra footnote 
107. Survey respondents consisted of CISOs (or equivalent) of 53 
members of the FS-ISAC. Of the respondents, twenty-four reported 
being in the retail/corporate banking sector, twenty reported being 
in the consumer/financial services (non-banking) sector, and 
seventeen reported being in the insurance sector. Other respondents 
included IT service providers, financial utilities, trade 
associations, and credit unions. Some respondents reported being in 
multiple sectors.
---------------------------------------------------------------------------

2. Regulation
    As discussed in greater detail in section I.B above, although 
existing rules and regulations do not impose explicit cybersecurity 
requirements on advisers and funds, advisers' duties as fiduciaries, as 
well as several existing rules and regulations applicable to advisers 
and funds indirectly implicate cybersecurity. As fiduciaries, advisers 
are required to act in the best interest of their clients at all 
times.\124\ This fiduciary obligation includes taking steps to minimize 
cybersecurity risks that could lead to significant business disruptions 
or a loss or misuse of client data.\125\ Additionally, the Advisers Act 
compliance rule requires advisers to consider their fiduciary and 
regulatory obligations and formulate policies and procedures to address 
them.\126\ While the Advisers Act compliance rule does not enumerate 
specific cybersecurity elements that an adviser must include in its 
compliance program,\127\ the Commission has previously stated that 
advisers should consider factors creating risk exposure for the firm 
and its clients and design policies and procedures that address those 
risks.\128\ As the potential for a cybersecurity incident to create 
significant operational disruptions is well understood at this point, 
we understand that larger advisers with significant IT infrastructures 
are assessing cybersecurity risks when developing their compliance 
policies and procedures.\129\
---------------------------------------------------------------------------

    \124\ See supra footnote 9.
    \125\ See supra section I.B (discussing fiduciary obligations).
    \126\ See supra section I.B (discussing Advisers Act compliance 
rule).
    \127\ According to the rule, an adviser should identify 
conflicts of interest and other compliance factors creating risk 
exposure for the firm and its clients in light of the firm's 
particular operations. See supra footnote 10 and accompanying text.
    \128\ See Compliance Program Release, supra footnote 10, at n.22 
and accompanying text.
    \129\ See, e.g., Chuck Seets, Jamie Smith, and Steve Klemash, 
What Companies Are Disclosing About Cybersecurity Risk and 
Oversight, The Harvard Law School Forum on Corporate Governance 
(blog), (Aug. 25, 2020), available at <a href="https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight/">https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight/</a> (finding that 100 percent of 
Fortune 100 companies list cybersecurity as a risk factor in 2020 
SEC disclosures, and 93 percent referenced efforts to mitigate such 
risks).
---------------------------------------------------------------------------

    One potential risk for an adviser's client stemming from the 
cybersecurity threats faced by the adviser is that a cybersecurity 
incident at the adviser could lead to the client's information \130\ 
being compromised or the loss of the client's assets. Nominally, the 
risk of outright loss should be limited for assets subject to 17 CFR 
275.206(4)-2 (the ``Custody Rule''),\131\ which are--by effect of said 
rule--generally held by ``qualified custodians.'' Qualified custodians 
are typically large financial institutions.\132\ Such financial 
institutions generally enjoy significant economies of scale, have large 
franchise (and reputation) values, and are subject to numerous 
additional regulatory requirements.\133\ For these reasons, 
cybersecurity protections provided by qualified custodians may be well-
developed, and could help mitigate the risk of outright loss of client 
funds and securities in advisers' custody.\134\
---------------------------------------------------------------------------

    \130\ Advisers may possess a wide range of potentially sensitive 
information relating to their clients, including personally 
identifiable information, portfolio composition, transaction 
histories, and confidential correspondence.
    \131\ The Custody Rule applies only to client funds and 
securities. 17 CFR 275.206(4)-2. In practice, staff has observed 
that many advisers treat all assets in the same way.
    \132\ 17 CFR 275.206(4)-2(a) and (d). A qualified custodian can 
be a bank, broker-dealer, futures commission merchant, or certain 
foreign financial institutions. The qualified custodian maintains 
clients' funds and securities in a separate account for each client. 
Alternatively, the adviser's clients' funds and securities can be 
held in an account under the adviser's name as agent or trustee for 
the clients.
    \133\ See, e.g., Interagency Guidelines Establishing Information 
Security Standards, 12 CFR 225 Appendix F; see also Information 
Technology Risk Examination (``InTREx'') Program, FDIC Financial 
Institution Letter FIL-43-2016 (June 30, 2016).
    \134\ See id. The qualified custodian industry is dominated by 
large U.S. banking entities which are subject to various 
regulations, guidance, and examinations relating to cybersecurity.
---------------------------------------------------------------------------

    Although the protection provided by qualified custodians can 
mitigate risk to certain client assets to some extent, it cannot 
replace cybersecurity hygiene at the adviser level. Because an 
adviser's ``custody'' of client assets implies a degree of control over 
those assets, a compromise of the adviser's systems, or of its service 
providers' systems, could lead to unauthorized actions being taken with 
respect to those assets, including assets maintained with qualified 
custodians. 
Moreover, as observed by Commission staff, advisers may fail to realize 
that they have ``custody'' of client funds and securities, and may not 
place these assets with a qualified custodian.\135\ Such problems can 
occur when, for example, an adviser holds login credentials to clients' 
accounts or when the adv

[…truncated; see source link]
Indexed from Federal Register on March 9, 2022.
