Regulatory Alerts2022-02-09
Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
The Securities and Exchange Commission proposes new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 requiring registered investment advisers and funds to adopt written cybersecurity policies and procedures reasonably designed to address operational and data risks. The proposal mandates that advisers report significant cybersecurity incidents to the Commission via a new Form ADV-C while amending existing disclosure forms to ensure clients and shareholders receive timely information about material cyber risks. Additionally, the Commission introduces enhanced recordkeeping obligations and annual board oversight requirements to strengthen investor protection and standardize how financial intermediaries manage, report, and communicate cyber threats.