The SEC’s Proposed New Cybersecurity Rules

The proposed rules address cybersecurity practices at investment advisers and investment companies, including mutual funds, exchange-traded funds, and business development companies. The proposed rules are not novel, in that they incorporate features already embodied in other regulatory frameworks, according to a legal alert from Eversheds Sutherland (US). However, they are detailed and extensive, and they would require “significant effort, expense and expertise.”

Among the proposed requirements is for significant cybersecurity incidents to be reported to the SEC within 48 hours. There would be a confidentiality option (and even a new form – Form ADV-C – for sending it in.)  Also required would be extensive record-keeping, and with it, the writers note, new opportunities for liability based on misstatements and omissions.

“No matter the final form these rules take,” say the writers, “companies would be well advised to review the Proposal and consider the steps they would need to take, both from a technical perspective as well as from a legal compliance perspective …”