New Rules on the Horizon to Beef Up Cybersecurity – But What Are They and How Will They Affect Companies?


After the United States Securities and Exchange Commission (SEC) voted in favour of proposals seeking to implement new measures tackling the growing issue of cybersecurity risk management, there is a strong possibility that new rules will be introduced governing the management, reporting and disclosure of cybersecurity risks.

Why Is the Regulator Introducing These Changes?

The SEC appears to recognise the vital part played by funds and registered advisers. It has also identified that, to keep their businesses running efficiently, such advisers and funds rely heavily on technological solutions, systems and networks. Because of this reliance there is a very real possibility of a cybersecurity incident, so the risks need to be identified and managed effectively. Parties looking to perpetrate these cyber-attacks are gaining access to ever more sophisticated methods.

What Are These New Rules and What Impact Will They Have?

The new proposals promulgated by the SEC on 9 February 2022 broadly affect cybersecurity and board oversight. The new measures are likely to bring in new reporting and notification requirements. If a registered adviser reasonably concludes that a significant cybersecurity incident is in progress or has occurred, the new standards will oblige it to notify the Regulator and submit a report forty-eight hours after such an event is suspected of having occurred. To report such incidents, advisers will be required to complete the new Form ADV-C.

Tougher disclosure requirements are also likely to be introduced under the rules, putting the onus on funds and registered advisers to complete and submit, in real time, details of any incidents which have taken place or are currently suspected of occurring.

What Action Should Lawyers Be Taking?

From a risk management perspective, the new rules will require stakeholders in funds and registered advisers to take steps to mitigate against cybersecurity risks. They will be obliged to introduce and keep updated Standard Operating Procedures and policies preventing information from being disclosed without authorisation. On a strategic level, lawyers need to be advising affected companies of the need to:

  • Conduct risk assessments to manage threats and vulnerabilities;
  • Regularly assess:
    • the relevant systems themselves;
    • the information contained in and stored on such systems; and
    • the measures mitigating the risk of those systems being accessed.
  • Introduce an incident response and recovery plan.
  • Annually review the above and require written reports.

Meredith Ponce from Lockton commented that lawyers should be advising clients to take a three-pronged approach. They should be communicating with clients, raising their awareness of the likely changes being introduced and advising on how they may affect the organisation. They should also be encouraging management to comply with the new rules as they are likely to be legally required to record how the rules have been complied with.

Focussing on the cyber security insurance perspective, clients should be advised to check their insurance policy certificates and schedules to see whether they are covered for cybersecurity risks. Clients who want to obtain, renew and maintain adequate insurance provision should not overlook this aspect. They need to follow their insurance policy clauses to gain an insight into what they need to disclose and how to report incidents and breaches. Clients and their lawyers need to hold regular collaboration meetings with their insurance companies to ensure they are covered, prepared and protected against the cyber-security risks which may affect them. Communication is key.

Anyone interested needs to watch this space as more rules are likely following a speech on Cybersecurity and Securities Laws given by Gary Gensler on 24th January 2022.

Written by Adam Green


