SEC Cybersecurity Rules: The Battle Against Cyberpunks

The Biden Administration has recently stressed the importance of cybersecurity through certain requirements on companies that are critical to national interests. (Alan Suderman and Eric Tucker, Associated Press). For example, on March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which aims to combat against a recent breach on U.S. fuel pipeline and to alleviate the concern that Russia’s invasion into Ukraine may increase risk to U.S. infrastructure. (Gibson Dunn). However, this Administration is not alone in its focus on cybersecurity issues. Given the security risks that have arisen from a heavy shift to working from home, these concerns have become more widespread. (Perkins Coie). These feelings likely stem from the evolving technology that allow “cyberpunks” and hackers to breach company infrastructure. Id Following the trend toward more security, the Securities and Exchange Commission (“SEC”) has proposed new cybersecurity rules on a number of different types of investment companies (“Funds”) and investment advisers in an attempt to address and the fight against these types of cyber threats. (Id.; Rachael Schwartz, JD Supra; Federal Registrar).

Using information from its examination program, the SEC recently discovered that many advisers and Funds are not adequately prepared for cybersecurity threats. (Amy Greer and Jennifer Klass, Connect On Tech). As such, on February 9, 2022, the SEC proposed Rule 38a-2 under the Investment Company Act of 1940. (Rachael Schwartz, JD Supra). This Proposed Rule (“PR”) 38a-2 protects investors by requiring the implementation of new cybersecurity policies and the disclosure of breaches that occur within the fund. (Id.; James Chen, Investopedia). Funds that are subject to this rule include “open-end funds, registered closed-end funds, business development companies, and unit investment trusts.” (Federal Registrar). Along with PR 38a-2, the SEC also proposed a similar rule, PR 206(4)-9, under the Investment Advisers Act of 1940, which would apply to registered advisers and their duties related to cybersecurity. (Perkins Coie). In releasing these proposals, the SEC noted that these Funds and advisers are fiduciaries that owe their clients a duty of care and loyalty. (Amy Greer and Jennifer Klass, Connect On Tech). These duties already require the Funds and advisors to minimize the risk of breach to the client’s interests. Id. Thus, the Proposed Rules are the SEC’s explicit requirement to tighten up security in addition to the Fund’s and adviser’s current obligations to their clients. Id.

The rules provide comprehensive direction for Funds and advisers in navigating the new cybersecurity landscape. (Federal Registrar). Under both PR 38a-2 and PR 206(4)-9, Funds and advisers will be required to “adopt, implement, and enforce written policies and procedures” related to cybersecurity, “and to review and evaluate the design and effectiveness of those policies and procedures at least annually.” (Perkins COIE). Under PR 38a-2, Funds will have to select a Cyber Program Administrator to implement and oversee the effectiveness of the new policies and procedures. (Rachael Schwartz, JD Supra). The Cyber Program Administrator must be authorized to make decisions and escalate any security-related information or issues that arise to the relevant senior officers. Id. Additionally, each Fund must include a periodic assessment, categorization, prioritization, and written documentation of the cybersecurity risks in its written policies and procedures. Id.

These rules also require Funds to provide all investors, both current and prospective, with information relating to significant cybersecurity incidents. Id. Significant Cybersecurity Incidents are cybersecurity incidents that significantly disrupt the ability of the firm to maintain operations, or lead to the unauthorized use of fund information, “where the unauthorized access or use of such information results in substantial harm to the fund or to an investor whose information was accessed.” Id. The disclosure must include the entities affected; when the incident was discovered and whether it is ongoing; whether any data was used for an unauthorized purpose; the effect the incident had on the firm; and whether the Fund has remediated the issue. Id. The SEC Release No. 33-11028 noted that Funds should also include cybersecurity incidents and risks in their annual report to shareholders. (Id.; Federal Registrar).  

While these regulations seem to be a good step forward towards a more secure and informative financial and investment industry, the Proposed Rules have their opponents. Commissioner Pierce, the lone republican and the sole opponent to the Proposed Rules on the SEC Board of Commissioners, points to a few specific flaws. (Amy Greer and Jennifer Klass, Connect On Tech; Commissioner Hester M. Pierce, SEC). Commissioner Pierce first argues that the Proposed Rules do not fit within the scope of the Investment Advisor Act of 1940. (Commissioner Hester M. Pierce, SEC). This Act is meant to prevent advisers from engaging in certain illegal acts. Id. However, the illegal acts that the SEC plans to prevent in the Proposed Rules are in situations where the advisor is the victim, rather than the perpetrator. Id. Commissioner Pierce also believes that there is no logical connection under the Proposed Rules because the rules seek to make illegal an adviser’s investment advice if the adviser is not in compliance with the Proposed Rules. Id. This means that if an adviser is not adequately protected under the new cybersecurity rules, any advice that the adviser gives will be illegal. Id. While expressing her concerns, Commissioner Pierce looks forward to hearing from commenters through the public comment period for better resolutions, which period ends on April 11, 2022. (Id.; Federal Registrar).

Despite the potential for flaws in the Proposed Rules enactment and enforcement, the SEC’s move to further regulate the cybersecurity of investment Funds and advisers is a large step in the broad focus area of cybersecurity and likely conforms with the Biden Administration’s objectives regarding security. The Proposed Rules provide investors with the assurance of a contemplated and strong cybersecurity program that is adaptable as new technology for hacking emerges. The Proposed Rules also allow investors to receive information regarding breaches, in the event that the Fund’s security program fails. These two sets of requirements may be enough to sufficiently protect investors. Less stringent requirements could put Funds, advisers, and investors at risk of detrimental consequences stemming from a cybersecurity incident. 

On the other hand, a broader regime of regulations over cybersecurity would likely be an unnecessary and overreaching move by the SEC. Although Commissioner Pierce has stated that there is no logical connection and that the rules are outside the scope of the Investment Advisor Act of 1940, the Proposed Rules will effectively regulate the internal system of Funds and will provide investors with valuable information regarding the Fund’s security. Besides Commissioner Pierce’s concerns and some other questions that may arise through public comment, the Proposed Rules are necessarily continuing the trend towards a safer and more secure financial industry.