Proposed Rule 2023-05766

Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
March 21, 2023
Effective
March 9, 2022

Issuing agencies

Securities and Exchange Commission

Abstract

The Securities and Exchange Commission ("Commission") is reopening the comment period for a release ("Investment Management Cybersecurity Release") proposing new rules under the Investment Advisers Act of 1940 ("Advisers Act") and the Investment Company Act of 1940 ("Investment Company Act") that would require registered investment advisers ("advisers") and investment companies ("funds") to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the Commission about certain cybersecurity incidents, and maintain related records. Reopening the comment period for the Investment Management Cybersecurity Release will allow interested persons additional time to analyze the issues and prepare their comments in light of other regulatory developments on cybersecurity.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 54 (Tuesday, March 21, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 54 (Tuesday, March 21, 2023)]
[Proposed Rules]
[Pages 16921-16922]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-05766]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================





SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 230, 232, 239, 270, 274, 275, and 279

[Release Nos. 33-11167; 34-97144; IA-6263; IC-34855; File No. S7-04-22]
RIN 3235-AN08


Cybersecurity Risk Management for Investment Advisers, Registered 
Investment Companies, and Business Development Companies; Reopening of 
Comment Period

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule; reopening of comment period.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
reopening the comment period for a release (``Investment Management 
Cybersecurity Release'') proposing new rules under the Investment 
Advisers Act of 1940 (``Advisers Act'') and the Investment Company Act 
of 1940 (``Investment Company Act'') that would require registered 
investment advisers (``advisers'') and investment companies (``funds'') 
to adopt and implement written cybersecurity policies and procedures 
reasonably designed to address cybersecurity risks, disclose 
information about cybersecurity risks and incidents, report information 
confidentially to the Commission about certain cybersecurity incidents, 
and maintain related records. Reopening the comment period for the 
Investment Management Cybersecurity Release will allow interested 
persons additional time to analyze the issues and prepare their 
comments in light of other regulatory developments on cybersecurity.

DATES: The comment period for the proposed rules published in the 
Federal Register on March 9, 2022, at 87 FR 13524 is reopened. Comments 
should be received on or before May 22, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

    * Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/submitcomments.htm">http://www.sec.gov/rules/submitcomments.htm</a>); or
    * Send an email to [email protected]. Please include 
File Number S7-04-22 on the subject line.

Paper Comments

    * Send paper comments to Secretary, Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-04-22. The file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method of submission. The Commission will post all 
comments on the Commission's website (<a href="http://www.sec.gov/rules/proposed.shtml">http://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549, on official business days between the hours of 10 
a.m. and 3 p.m. Operating conditions may limit access to the 
Commission's Public Reference Room. All comments received will be 
posted without change; the Commission does not edit personal 
identifying information from submissions. You should submit only 
information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on the Commission's website. To ensure direct 
electronic receipt of such notifications, sign up through the ``Stay 
Connected'' option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Alexis Palascak, Senior Counsel; 
Christopher Staley, Branch Chief; or Melissa Roverts Harke, Assistant 
Director, Investment Adviser Regulation Office, Division of Investment 
Management, (202) 551-6787 or [email protected]; Y. Rachel Kuo, Senior 
Counsel; Sara Cortes, Special Senior Counsel; or Brian McLaughlin 
Johnson, Assistant Director, Investment Company Regulation Office, 
Division of Investment Management, (202) 551-6792 or [email protected]; 
or David Joire, Senior Special Counsel, Chief Counsel's Office, 
Division of Investment Management, (202) 551-6825 or [email protected], 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-8549.

SUPPLEMENTARY INFORMATION:

I. Background

    The Commission has proposed rules 206(4)-9 under the Advisers Act 
and 38a-2 under the Investment Company Act that would require advisers 
and funds to adopt and implement cybersecurity policies and procedures 
addressing a number of elements in the Investment Management 
Cybersecurity Release.\1\ The Investment Management Cybersecurity 
Release also includes amendments to adviser and fund disclosure 
requirements to provide current and prospective advisory clients and 
fund shareholders with improved information regarding cybersecurity 
risks and cybersecurity incidents. In addition, the proposal would 
require advisers to report significant cybersecurity incidents 
affecting the adviser, or its fund or private fund clients, to the 
Commission on a confidential basis. Finally, the proposal would require 
advisers and funds to maintain certain records related to the proposed 
cybersecurity risk management rules. The original comment period for 
the Investment Management Cybersecurity Release ended on April 11, 
2022.
---------------------------------------------------------------------------

    \1\ See Cybersecurity Risk Management for Investment Advisers, 
Registered Investment Companies, and Business Development Companies, 
Securities Act Rel. No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 
2022)].
---------------------------------------------------------------------------

    The Commission is proposing other rules and amendments on 
cybersecurity issues.\2\ In the Regulation S-P: Privacy of Consumer 
Financial Information and Safeguarding Customer Information Release 
(``Regulation S-P Release''), the Commission is proposing rule
amendments that would require brokers and dealers, investment 
companies, and investment advisers registered with the Commission to 
adopt written policies and procedures for incident response programs to 
address unauthorized access to or use of customer information, 
including procedures for providing timely notification to individuals 
affected by an incident involving sensitive customer information with 
details about the incident and information designed to help affected 
individuals respond appropriately.\3\ The Commission also is proposing 
to broaden the scope of information covered by amending requirements 
for safeguarding customer records and information, and for properly 
disposing of consumer report information. In addition, the proposed 
amendments would extend the application of the safeguards provisions to 
transfer agents. The proposed amendments would also include 
requirements to maintain written records documenting compliance with 
the proposed amended rules. Finally, the proposed amendments would 
conform annual privacy notice delivery provisions to the terms of an 
exception provided by a statutory amendment to the Gramm-Leach-Bliley 
Act.
---------------------------------------------------------------------------

    \2\ We note that the Commission also proposed rules and 
amendments regarding an adviser's obligations with respect to 
outsourcing certain categories of ``covered functions,'' including 
cybersecurity. See Outsourcing by Investment Advisers, Investment 
Advisers Act Rel. No. 6176 (Oct. 26, 2022), [87 FR 68816 (Nov. 16, 
2022)]. We encourage commenters to review that proposal to determine 
whether it might affect comments on the Investment Management 
Cybersecurity Release.
    \3\ See Regulation S-P: Privacy of Consumer Financial 
Information and Safeguarding Customer Information, Exchange Act Rel. 
No. 97141 (Mar. 15, 2023).
---------------------------------------------------------------------------

    In the Cybersecurity Risk Management Rule for Broker-Dealers, 
Clearing Agencies, Major Security-Based Swap Participants, the 
Municipal Securities Rulemaking Board, National Securities 
Associations, National Securities Exchanges, Security-Based Swap Data 
Repositories, Security-Based Swap Dealers, and Transfer Agents Release 
(``Cybersecurity Release''), the Commission is proposing a new rule and 
form and amendments to existing recordkeeping rules to require broker-
dealers, clearing agencies, major security-based swap participants, the 
Municipal Securities Rulemaking Board, national securities 
associations, national securities exchanges, security-based swap data 
repositories, security-based swap dealers, and transfer agents to 
address cybersecurity risks through policies and procedures, immediate 
notification to the Commission of the occurrence of a significant 
cybersecurity incident and, as applicable, reporting detailed 
information to the Commission about a significant cybersecurity 
incident, and public disclosures that would improve transparency with 
respect to cybersecurity risks and significant cybersecurity 
incidents.\4\ In addition, the Commission is proposing amendments to 
existing clearing agency exemption orders to require the retention of 
records that would need to be made under the proposed cybersecurity 
requirements. Finally, the Commission is proposing amendments to 
address the potential availability to security-based swap dealers and 
major security-based swap participants of substituted compliance in 
connection with those requirements.
---------------------------------------------------------------------------

    \4\ See Cybersecurity Risk Management Rule for Broker-Dealers, 
Clearing Agencies, Major Security-Based Swap Participants, the 
Municipal Securities Rulemaking Board, National Securities 
Associations, National Securities Exchanges, Security-Based Swap 
Data Repositories, Security-Based Swap Dealers, and Transfer Agents, 
Exchange Act Rel. No. 97142 (Mar. 15, 2023).
---------------------------------------------------------------------------

    In the Regulation Systems Compliance and Integrity Release 
(``Regulation SCI Release,'' and together with the Regulation S-P and 
Cybersecurity Releases, the ``Related Proposals''), the Commission is 
proposing amendments to Regulation Systems Compliance and Integrity 
(``Regulation SCI'') under the Securities Exchange Act of 1934.\5\ The 
proposed amendments would expand the definition of ``SCI entity'' to 
include a broader range of key market participants in the U.S. 
securities market infrastructure, and update certain provisions of 
Regulation SCI to take account of developments in the technology 
landscape of the markets since the adoption of Regulation SCI in 2014. 
The proposed expansion would add the following entities to the 
definition of ``SCI entity'': registered security-based swap data 
repositories; registered broker-dealers exceeding an asset or 
transaction activity threshold; and additional clearing agencies 
exempted from registration. The proposed updates would amend provisions 
of Regulation SCI relating to: (i) systems classification and lifecycle 
management; (ii) third party/vendor management; (iii) cybersecurity; 
(iv) the SCI review; (v) the role of current SCI industry standards; 
and (vi) recordkeeping and related matters. Further, the Commission is 
requesting comment on whether significant-volume ATSs and/or broker-
dealers using electronic or automated systems for trading of corporate 
debt securities or municipal securities should be subject to Regulation 
SCI. The comment period for each of the Related Proposals ends May 22, 
2023.
---------------------------------------------------------------------------

    \5\ See Regulation Systems Compliance and Integrity, Exchange 
Act Rel. No. 97143 (Mar. 15, 2023).
---------------------------------------------------------------------------

II. Reopening of the Comment Period

    The Commission is reopening the comment period for the proposed 
rules so that commenters may consider whether there would be any 
effects of the Related Proposals that the Commission should consider in 
connection with the proposed rules. Therefore, the Commission is 
reopening the comment period for Release No. 33-11028 ``Cybersecurity 
Risk Management for Investment Advisers, Registered Investment 
Companies, and Business Development Companies'' until May 22, 2023.

    By the Commission.

    Dated: March 15, 2023.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-05766 Filed 3-20-23; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>
Indexed from Federal Register on March 21, 2023.
