What You Need to Know about the SEC’s Proposed Cybersecurity Rules

How will the SEC's proposed rules on cybersecurity impact registered investment advisers, registered funds and public companies? Reviews, recordkeeping and reporting will play a large role. Let’s take a closer look.

Proposed Rules Explained

The first rule is detailed in SEC Release 33-11028, filed February 9, 2022. Falling under the Investment Advisers Act of 1940 and the Investment Act of 1940, it would require advisers and funds to implement a cybersecurity program, review its completeness and effectiveness on at least an annual basis, and provide reports about risks and incidents to advisory clients, shareholders and the SEC.

Also proposed are standards for cybersecurity risk assessments, user security and access, information protection, threat and vulnerability management, and incident response and recovery. It would task a fund’s board with oversight of cybersecurity procedures and impose new standards of recordkeeping to facilitate monitoring and reporting.

If this rule is adopted, advisers would need to establish due diligence and oversight procedures for third-party vendors who share or have access to the adviser’s systems or client information.

Comments on the proposal were due April 11, 2022. The SEC is reviewing the comment letters as it considers adopting the proposed rules.

The second rule is covered in SEC Release 33-11038, filed on March 9, 2022. It calls for enhanced and standardized disclosures of cybersecurity incidents by public companies that are subject to the Securities Exchange Act of 1934.

The proposed rule would require periodic disclosure about an issuer’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, as well as its oversight of cybersecurity risk. Additionally, issuers would be required to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the cybersecurity disclosures would need to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).

If this rule is adopted, issuers would need to add disclosure for their selection and oversight of third-party providers.

Comments are due 30 days after the date of publication in the Federal Register or May 9, 2022, whichever is later.

As a third-party service provider, Mediant’s primary objective is to ensure our clients’ compliance with applicable regulations. Our solutions are structured on strict regulatory requirements and stay consistent with the ever-changing landscape.

For additional information, please contact us.