SEC Issues Proposal on Cybersecurity Risk Management for Registered Investment Advisers and Funds

The SEC has issued a proposed rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. The proposed rule would require:

• “[A]dvisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.”
• “[A]dvisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.”
• “[A]dvisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.”
• “[A]dvisers and funds to maintain, make, and retain certain cybersecurity-related books and records.”

For more information, see the press release and fact sheet, as well as statements by SEC Chair Gary Gensler and Commissioners Allison H. Lee, Hester M. Peirce, and Caroline A. Crenshaw, on the SEC’s Web site.