https://www.sec.gov/rules/proposed.shtml (Quoted from this link)
Key Rules in discussion by SEC
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
- Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
|33-11038||Mar. 9, 2022||Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure|
File No: S7-09-22
Comments Due: 30 days after publication in the Federal Register or May 9 (which is 60 days after issuance), whichever is later
Submit comments on S7-09-22See Also: Press Release No. 2022-39; Fact Sheet
The Securities and Exchange Commission proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (“registrants”) that are subject to the reporting requirements of the Securities Exchange Act of 1934.
Specifically, the proposal would:
● Require current reporting about material cybersecurity incidents on Form 8-K;
● Require periodic disclosures regarding, among other things:
– A registrant’s policies and procedures to identify and manage cybersecurity risks;
– Management’s role in implementing cybersecurity policies and procedures;
– Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
– Updates about previously reported material cybersecurity incidents; and
● Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
Incident Disclosure Proposed Amendments The SEC proposed to:
● Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
● Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
● Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.
Risk Management, Strategy, and Governance Disclosure
In addition to incident reporting, the SEC proposed to require enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance. Specifically, the proposal would:
● Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
– Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
– Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
● Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise.
|33-11028||Feb. 9, 2022||Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies|
File No: S7-04-22
Other Release Nos: 34-94197; IA-5956; IC-34497
Comments Due: 30 days after publication in the Federal Register or April 11, 2022 (which is 60 days after issuance), whichever is later
Comments received are available for this proposal.Submit comments on S7-04-22See Also: Press Release No. 2022-20; Fact Sheet
The Securities and Exchange Commission proposed new cybersecurity risk management rules and amendments to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies against cybersecurity threats and attacks.
Specifically, the proposal would:
● Require advisers and funds to adopt and implement written policies and procedures
that are reasonably designed to address cybersecurity risks;
● Require advisers to report significant cybersecurity incidents to the Commission on
proposed Form ADV-C;
● Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
● Require advisers and funds to maintain, make, and retain certain cybersecurity-related
books and records.
Cybersecurity Risk Management Rules
The proposal includes new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act (collectively, the “proposed cybersecurity risk management rules”). The proposed cybersecurity risk management rules would require advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules list certain general elements that advisers and funds would be required to address in their cybersecurity policies and procedures to
help address operational and other risks that could harm advisory clients and fund
investors or lead to the unauthorized access to or use of adviser or fund information,
including the personal information of their clients or investors.
Reporting of Significant Cybersecurity Incidents
The proposal includes a reporting requirement under new rule 204-6 that would require
advisers to report significant cybersecurity incidents to the Commission, including on
behalf of a fund or private fund client, by submitting a new Form ADV-C. These confidential reports would bolster the efficiency and effectiveness of the Commission’s efforts to protect investors by helping the Commission monitor and evaluate the effects of a cybersecurity incident on an adviser and its clients, as well as assess the potential systemic risks affecting financial markets more broadly.
Disclosure of Cybersecurity Risks and Incidents
Currently, advisers provide disclosures to their prospective and current clients on Form
ADV’s narrative brochure, or Part 2A, which is publicly available and one of the primary
client-facing disclosure documents used by advisers. Form ADV Part 2A contains
information about the investment adviser’s business practices, fees, risks, conflicts of
interest, and disciplinary information. The proposal would amend Form ADV Part 2A to
require disclosure of cybersecurity risks and incidents to an adviser’s clients and
Like advisers, funds also would be required to provide prospective and current investors
with cybersecurity-related disclosures. Specifically, the proposed amendments would
require a description of any significant fund cybersecurity incidents that have occurred in
the last two fiscal years in funds’ registration statements, tagged in a structured data
language. The proposal includes amendments to Form N-1A, Form N-2, Form N-3, Form
N-4, Form N-6, Form N-8B-2, and Form S-6
Rule 204-2, the books and records rule under the Advisers Act, sets forth requirements for
maintaining, making, and retaining books and records relating to an adviser’s investment
advisory business. The proposal would amend this rule to require advisers to maintain
certain records related to the proposed cybersecurity risk management rules and the
occurrence of cybersecurity incidents.
Similarly, proposed rule 38a-2 under the Investment Company Act would require that a
fund maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule.