SEC Proposes Cybersecurity Rule for Funds, Advisers

The SEC has proposed a rule that would require all registered funds and advisers to adopt and implement written cybersecurity policies and procedures. In addition, funds would be required to disclose cybersecurity risks and any significant cybersecurity incidents that occurred in the fund’s last two fiscal years. SEC Chair Gary Gensler stated the proposal would “give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.” In her dissent from the proposal, Commissioner Peirce noted concerns that a successful breach should not lead to the conclusion that a fund “was lax in its efforts to protect client data and funds” and that the Commission should help funds “in the fight against cyberattackers.”

The rule proposal (Rule 38a-2) would require a fund’s board of directors to approve the initial cybersecurity policies and procedures and review an annual written report on cybersecurity incidents and material changes to the fund’s cybersecurity policies and procedures. As with the compliance rule, directors can satisfy their approval obligation by reviewing summaries of the cybersecurity program. The release states that board oversight of cybersecurity “is not a passive activity.” The rule would allow fund boards to tailor their oversight based on the fund’s specific circumstances, including its cybersecurity exposures and any recent threats or cybersecurity incidents.

The comment period will remain open for 60 days after the proposal’s publication on the SEC’s website or 30 days after publication in the Federal Register, whichever period is longer.