SEC Reopens Comment Period for Proposal on Cybersecurity Risk Management for Registered Investment Advisers and Funds

The SEC has reopened the comment period for its proposed rule Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.

The proposal, which the Commission initially issued in February 2022, would require:

• “[A]dvisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.”
• “[A]dvisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.”
• “[A]dvisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.”
• “[A]dvisers and funds to maintain, make, and retain certain cybersecurity-related books and records.”

The reopening of the comment period is intended to give respondents the opportunity to provide additional feedback in view of (1) regulatory developments that have occurred since the proposal’s initial release and (2) other recently issued SEC proposals related to cybersecurity risk management and disclosure.

Comments are due 60 days after the date of the proposed rule’s publication in the Federal Register. For more information, see the press release and fact sheet on the SEC’s Web site.