https://www.sec.gov/rules/proposed.shtml (Quoted from this link)
Key rules under discussion by the SEC
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
- Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
First Quarter

33-11038 | Mar. 9, 2022 | Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

File No: S7-09-22
Comments Due: 30 days after publication in the Federal Register or May 9 (which is 60 days after issuance), whichever is later
Submit comments on S7-09-22
See Also: Press Release No. 2022-39; Fact Sheet

The Securities and Exchange Commission proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (“registrants”) that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, the proposal would:

- Require current reporting about material cybersecurity incidents on Form 8-K;
- Require periodic disclosures regarding, among other things:
  - A registrant’s policies and procedures to identify and manage cybersecurity risks;
  - Management’s role in implementing cybersecurity policies and procedures;
  - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents; and
- Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

Incident Disclosure Proposed Amendments

The SEC proposed to:

- Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
- Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
- Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

Risk Management, Strategy, and Governance Disclosure

In addition to incident reporting, the SEC proposed to require enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance. Specifically, the proposal would:

- Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
  - Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
  - Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
- Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise.

33-11028 | Feb. 9, 2022 | Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies

File No: S7-04-22
Other Release Nos: 34-94197; IA-5956; IC-34497
Comments Due: 30 days after publication in the Federal Register or April 11, 2022 (which is 60 days after issuance), whichever is later
Comments received are available for this proposal.
Submit comments on S7-04-22
See Also: Press Release No. 2022-20; Fact Sheet

The Securities and Exchange Commission proposed new cybersecurity risk management rules and amendments to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies against cybersecurity threats and attacks. Specifically, the proposal would:

- Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
- Require advisers to report significant cybersecurity incidents to the Commission on proposed Form ADV-C;
- Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
- Require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records.

Proposed Amendments

Cybersecurity Risk Management Rules

The proposal includes new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act (collectively, the “proposed cybersecurity risk management rules”). The proposed cybersecurity risk management rules would require advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules list certain general elements that advisers and funds would be required to address in their cybersecurity policies and procedures to help address operational and other risks that could harm advisory clients and fund investors or lead to the unauthorized access to or use of adviser or fund information, including the personal information of their clients or investors.

Reporting of Significant Cybersecurity Incidents

The proposal includes a reporting requirement under new rule 204-6 that would require advisers to report significant cybersecurity incidents to the Commission, including on behalf of a fund or private fund client, by submitting a new Form ADV-C. These confidential reports would bolster the efficiency and effectiveness of the Commission’s efforts to protect investors by helping the Commission monitor and evaluate the effects of a cybersecurity incident on an adviser and its clients, as well as assess the potential systemic risks affecting financial markets more broadly.

Disclosure of Cybersecurity Risks and Incidents

Currently, advisers provide disclosures to their prospective and current clients on Form ADV’s narrative brochure, or Part 2A, which is publicly available and one of the primary client-facing disclosure documents used by advisers. Form ADV Part 2A contains information about the investment adviser’s business practices, fees, risks, conflicts of interest, and disciplinary information. The proposal would amend Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients.

Like advisers, funds also would be required to provide prospective and current investors with cybersecurity-related disclosures. Specifically, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in funds’ registration statements, tagged in a structured data language. The proposal includes amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.

Recordkeeping

Rule 204-2, the books and records rule under the Advisers Act, sets forth requirements for maintaining, making, and retaining books and records relating to an adviser’s investment advisory business. The proposal would amend this rule to require advisers to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. Similarly, proposed rule 38a-2 under the Investment Company Act would require that a fund maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule.