Earlier today the Securities and Exchange Commission voted to propose rules related to cybersecurity risk management for registered investment advisers, and registered investment companies and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures.

The SEC Chair Gary Genlser stated that the proposed rules and amendments are designed to enhance cybersecurity preparedness.

The proposed rules would require:

  • The adoption and implementation of written cybersecurity policies and procedures designed to address cybersecurity risks
  • Reporting significant cybersecurity incidents to the Commission using a confidential submission form
  • Publicly disclosing cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in brochures and registration statements

Additionally, new record keeping requirements will define the cybersecurity-related information that will need to be maintained for SEC inspection and enforcement actions.

Why pay attention?

Several enforcement actions and commentary provided by the SEC over the past eight months were hints at these proposed changes. It is expected these rules will pass given the changes in the cybersecurity landscape over the past 8 years, and the fact that the current rules do not address modern day problems.

Firms should ensure their cybersecurity programs are maintained, tested, and continually evolves.

How can we help?

Elteni can help build and test your entire program. We can help with technical testing to ensure your cybersecurity controls are working to protect your environment. We can also assist you with remediation. Reach out to find out more.