Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period

Federal Register, Mar 21, 2023
88 Fed. Reg. 16921 (Mar. 21, 2023)

AGENCY:

Securities and Exchange Commission.

ACTION:

Proposed rule; reopening of comment period.

SUMMARY:

The Securities and Exchange Commission (“Commission”) is reopening the comment period for a release (“Investment Management Cybersecurity Release”) proposing new rules under the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”) that would require registered investment advisers (“advisers”) and investment companies (“funds”) to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the Commission about certain cybersecurity incidents, and maintain related records. Reopening the comment period for the Investment Management Cybersecurity Release will allow interested persons additional time to analyze the issues and prepare their comments in light of other regulatory developments on cybersecurity.

DATES:

The comment period for the proposed rules published in the Federal Register on March 9, 2022, at 87 FR 13524 is reopened. Comments should be received on or before May 22, 2023.

ADDRESSES:

Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( http://www.sec.gov/rules/submitcomments.htm ); or

• Send an email to rule-comments@sec.gov. Please include File Number S7-04-22 on the subject line.

Paper Comments

• Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-04-22. The file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( http://www.sec.gov/rules/proposed.shtml ). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's Public Reference Room. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission's website. To ensure direct electronic receipt of such notifications, sign up through the “Stay Connected” option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT:

Alexis Palascak, Senior Counsel; Christopher Staley, Branch Chief; or Melissa Roverts Harke, Assistant Director, Investment Adviser Regulation Office, Division of Investment Management, (202) 551-6787 or IArules@sec.gov; Y. Rachel Kuo, Senior Counsel; Sara Cortes, Special Senior Counsel; or Brian McLaughlin Johnson, Assistant Director, Investment Company Regulation Office, Division of Investment Management, (202) 551-6792 or IM-Rules@sec.gov; or David Joire, Senior Special Counsel, Chief Counsel's Office, Division of Investment Management, (202) 551-6825 or IMOCC@sec.gov, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-8549.

SUPPLEMENTARY INFORMATION:

I. Background

The Commission has proposed rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act that would require advisers and funds to adopt and implement cybersecurity policies and procedures addressing a number of elements in the Investment Management Cybersecurity Release. The Investment Management Cybersecurity Release also includes amendments to adviser and fund disclosure requirements to provide current and prospective advisory clients and fund shareholders with improved information regarding cybersecurity risks and cybersecurity incidents. In addition, the proposal would require advisers to report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission on a confidential basis. Finally, the proposal would require advisers and funds to maintain certain records related to the proposed cybersecurity risk management rules. The original comment period for the Investment Management Cybersecurity Release ended on April 11, 2022.

See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Rel. No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 2022)].

The Commission is proposing other rules and amendments on cybersecurity issues. In the Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Release (“Regulation S-P Release”), the Commission is proposing rule amendments that would require brokers and dealers, investment companies, and investment advisers registered with the Commission to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The Commission also is proposing to broaden the scope of information covered by amending requirements for safeguarding customer records and information, and for properly disposing of consumer report information. In addition, the proposed amendments would extend the application of the safeguards provisions to transfer agents. The proposed amendments would also include requirements to maintain written records documenting compliance with the proposed amended rules. Finally, the proposed amendments would conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act.

We note that the Commission also proposed rules and amendments regarding an adviser's obligations with respect to outsourcing certain categories of “covered functions,” including cybersecurity. See Outsourcing by Investment Advisers, Investment Advisers Act Rel. No. 6176 (Oct. 26, 2022), [87 FR 68816 (Nov. 16, 2022)]. We encourage commenters to review that proposal to determine whether it might affect comments on the Investment Management Cybersecurity Release.

See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Exchange Act Rel. No. 97141 (Mar. 15, 2023).

In the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents Release (“Cybersecurity Release”), the Commission is proposing a new rule and form and amendments to existing recordkeeping rules to require broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents to address cybersecurity risks through policies and procedures, immediate notification to the Commission of the occurrence of a significant cybersecurity incident and, as applicable, reporting detailed information to the Commission about a significant cybersecurity incident, and public disclosures that would improve transparency with respect to cybersecurity risks and significant cybersecurity incidents. In addition, the Commission is proposing amendments to existing clearing agency exemption orders to require the retention of records that would need to be made under the proposed cybersecurity requirements. Finally, the Commission is proposing amendments to address the potential availability to security-based swap dealers and major security-based swap participants of substituted compliance in connection with those requirements.

See Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Rel. No. 97142 (Mar. 15, 2023).

In the Regulation Systems Compliance and Integrity Release (“Regulation SCI Release,” and together with the Regulation S-P and Cybersecurity Releases, the “Related Proposals”), the Commission is proposing amendments to Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934. The proposed amendments would expand the definition of “SCI entity” to include a broader range of key market participants in the U.S. securities market infrastructure, and update certain provisions of Regulation SCI to take account of developments in the technology landscape of the markets since the adoption of Regulation SCI in 2014. The proposed expansion would add the following entities to the definition of “SCI entity”: registered security-based swap data repositories; registered broker-dealers exceeding an asset or transaction activity threshold; and additional clearing agencies exempted from registration. The proposed updates would amend provisions of Regulation SCI relating to: (i) systems classification and lifecycle management; (ii) third party/vendor management; (iii) cybersecurity; (iv) the SCI review; (v) the role of current SCI industry standards; and (vi) recordkeeping and related matters. Further, the Commission is requesting comment on whether significant-volume ATSs and/or broker-dealers using electronic or automated systems for trading of corporate debt securities or municipal securities should be subject to Regulation SCI. The comment period for each of the Related Proposals ends May 22, 2023.

See Regulation Systems Compliance and Integrity, Exchange Act Rel. No. 97143 (Mar. 15, 2023).

II. Reopening of the Comment Period

The Commission is reopening the comment period for the proposed rules so that commenters may consider whether there would be any effects of the Related Proposals that the Commission should consider in connection with the proposed rules. Therefore, the Commission is reopening the comment period for Release No. 33-11028 “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies” until May 22, 2023.

By the Commission.

Dated: March 15, 2023.

Vanessa A. Countryman,

Secretary.

[FR Doc. 2023-05766 Filed 3-20-23; 8:45 am]

BILLING CODE 8011-01-P