SEC Regulations Emphasize Cybersecurity and Incident Reporting
The SEC’s Impactful New Rules on Cybersecurity and Incident Reporting for Private Investment Advisers and Funds
The Securities and Exchange Commission (SEC) is set to implement new and proposed rules on cybersecurity and cyber-incident reporting that will have a significant impact on private investment advisers and funds. These rules aim to enhance cybersecurity practices and incident reporting within the financial industry, ultimately leading to a shift in market standards and increased enforcement.
The proposed adviser cybersecurity rule, expected to be finalized in April 2024, will impose cybersecurity obligations on investment advisers, registered investment companies, and business development companies. Additionally, the already promulgated corporate cybersecurity rule for public companies will increase scrutiny and comparison of companies’ cybersecurity programs by investors, insurers, and the public.
The 2024 Cybersecurity Benchmarking Survey conducted by ACA Group and the National Society of Compliance Professionals revealed concerns among compliance professionals regarding enforcement of, and compliance with, the new SEC cybersecurity rules. With cybersecurity risks on the rise due to increasing reliance on electronic systems and third-party service providers, the costs of cyber incidents are also increasing, impacting companies and investors alike.
The SEC’s approach to these rules emphasizes the need for greater focus on cyber resilience and board-level attention to cybersecurity. Similar initiatives are being seen worldwide, such as the UK’s draft code of practice on cyber security governance, which emphasizes the importance of detailed and robust cyber incident response plans.
In the US, the new SEC requirements will also impact insurance coverage, as public disclosures of cybersecurity policies and procedures will enable insurance companies to assess companies and advisers more effectively. This will influence the scope and cost of cyber insurance for in-scope entities.
To ensure compliance with the proposed rule, private fund advisers will need to integrate effective cyber risk management regimes into their business planning, involving coordination across various functions. Data collection and AI technology may play a crucial role in identifying and reporting cyber incidents accurately.
Overall, the focus on cybersecurity compliance is growing, and regulators are placing a greater emphasis on ensuring that entities are prepared to address and mitigate cyber risks effectively. The financial industry will need to adapt to these new rules and standards to protect itself and its investors from the increasing threats posed by cyber incidents.