On February 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for registered advisers and funds. The proposal reflects the first SEC rules specifically addressing cybersecurity programs and reporting.
Most notably, the rules would impose a rapid reporting requirement when advisers face serious cyberattacks. Advisers would have to report any "significant cybersecurity incident" within 48 hours of its discovery by confidentially filing a proposed new Form ADV-C.
The reporting requirement would be triggered if (1) a cyberattack "significantly disrupts or degrades" the ability of an adviser or its private fund clients to "maintain critical operations," or (2) the attack results in unauthorized access to "adviser information" or "fund information" resulting in "substantial harm" to the adviser, its clients, a fund, or investors. The proposed rule offers specific examples of "significant cybersecurity incidents," including a malware attack that shuts down an adviser's "websites or email functions" or a system breach that impedes a fund's ability to "conduct its business" or results in the "theft of fund information."
