SEC proposes first cybersecurity rule for investment advisers

Under the regulation, advisers would have to adopt and implement policies and procedure to address cyber risks and report incidents to the SEC and on their Form ADV.

The SEC on Wednesday for the first time proposed a cybersecurity rule for registered investment advisers and investment companies.

The proposed regulation, which the Securities and Exchange Commission released for public comment on a 3-1 vote, would require advisers to adopt and implement written policies and procedures that address risks related to cyberattacks.

Under the 243-page proposed rule, advisers would have to report incidents to the agency on a confidential form and disclose major cyber breaches over the last two fiscal years on their Form ADV. It also mandates that advisers keep books and records related to cybersecurity.

The SEC drafted the cybersecurity rule at a time when cyberattacks are increasing in order to protect investors and strengthen market stability, SEC Chairman Gary Gensler said at an SEC open meeting.

“Cybersecurity incidents can lead to significant financial, operational, legal and reputational harm for advisers and funds,” Gensler said. “More importantly, they can lead to investor harm. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

Over the last few years, the Securities and Exchange Commission has issued cybersecurity guidance, made the topic an examination priority and brought enforcement cases that centered on cybersecurity lapses that violated existing customer protection rules.

The proposal distills the SEC’s expectations on cyber preparedness in a stand-alone cyber rule.

SEC Commissioner Hester Peirce opposed releasing the proposal, saying it could create a foundation for enforcement against advisers who are victims of cyberattacks. She criticized an adversarial approach that might limit the ability of regulators and financial firms to work together on combatting cyber threats.

“A cyber rule that is styled as a cudgel will not facilitate such cooperation,” Peirce said during the open meeting. “A cyber policies and procedures rule may not even be necessary to foster the investments, strong cyber defenses, dialogue, communication and cooperation we seek for investment advisers and funds.”

The proposal will be open to public comment for 60 days after it’s posted on the SEC website or 30 days after it’s published in the Federal Register, whichever is longer. After reviewing the feedback, the SEC might revise the proposal before voting on a final rule.