Under the proposed rules, RIAs m


Under the proposed rules, RIAs must report "significant" cybersecurity incidents within forty-eight (48) hours. In a show of continued emphasis on cybersecurity enforcement from U.S. government agencies in the wake of the Biden Administration's Executive Order on Improving the Nation's Cybersecurity (Exec. This will create a very similar director disclosure requirement that mirrors the boards current obligation to disclose, and name, financial . the SEC found that "cybersecurity is among the most critical governance-related issues for investors" and that there "may also be a positive correlation between a registrant's stock price and investments . Specifically, the proposed rules would amend Form 8-K to require disclosure of information about a material cybersecurity incident within four business days of determining the incident is material. Email comments should include File Number S7-09-22 in the subject line. The SEC has proposed new rules that would require registered investment advisers, registered investment companies, and business development companies to: Adopt and implement written cybersecurity policies and procedures meant to address cybersecurity risks. On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three to one vote. The proposed rules are intended to enhance and standardize disclosures for cybersecurity incident reporting, strategy, risk management and governance. [1] The proposal reflects the first SEC rules specifically addressing cybersecurity programs and reporting. On March 9, 2022, the SEC proposed rules that would create a new cybersecurity disclosure regime applicable to public companies. The SEC on Wednesday for the first time proposed a cybersecurity rule for registered investment advisers and investment companies. This is . On March 9, 2022, the SEC issued a proposed rule 1 that would require registrants to provide enhanced disclosures about "cybersecurity incidents and cybersecurity risk management, strategy, and governance." The proposed rule addresses concerns related to the pervasive use of digital technologies, shift to hybrid work environments, rise in the use of cryptoassets, and increase in illicit . If adopted, the new . The SEC proposed new cybersecurity risk management rules, including changes that would require both advisors and funds to create policies and procedures "reasonably designed to address . Cybersecurity Risk Management Policies and Procedures. As GT reported previously , the SEC increased enforcement of cybersecurity compliance . On March 9, 2022, the Securities and Exchange Commission ("SEC") voted three-to-one to propose new and amended rules for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 regarding cybersecurity risk management, strategy, governance, and incident reporting. On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. On February 9, 2022, the Securities and Exchange Commission ("SEC") proposed new rule 38a-2 ("Proposed Rule 38a-2") under the Investment Company Act. Comments Due: June 17, 2022. Advocacy Contact: Send an email to Meagan Singer at meagan.singer@sba.gov or call (202) 921-4843. SEC, EXAMS Risk Alert, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sept. 15, 2020), available at. The Enhancement and Standardization of Climate-Related Disclosures for Investors. "The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and . On March 9, 2022, the U.S. Securities Exchange Commission (the Commission) announced proposed amendments to its rules regarding cybersecurity risk management, strategy . On February 9, 2022, the Commission published a Release for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development . The SEC voted 3-1 on March 9, 2022 to propose rule amendments (Proposed Rules) designed to provide investors with enhanced information to evaluate both a registrant's exposure to cybersecurity risks and incidents and the registrant's ability to manage and mitigate them.The Proposed Rules come on the heels of the SEC's recent proposals 1 concerning cybersecurity risk management for . The comment period closes May 9, 2022. On March 9, 2022, the Securities and Exchange Commission (SEC) proposed rules intended to enhance and standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. Acknowledging the gravity of cybersecurity threats to investment advisers and funds, and by extension their tens of millions of clients and trillions of dollars of assets under management, the Securities and Exchange Commission [on Feb. 9, 2022] proposed rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 pertaining to [] The SEC proposed strengthened cybersecurity requirements for investment advisers and funds1 in a notice of proposed rulemaking (the "Proposed Rule") published in the Federal Register on March 9, 2022 and announced on February 9, 2022.2 The Proposed Rule includes requirements for written cybersecurity policies and procedures to address risk . While the SEC stated that, in some cases . On Wednesday, by 3-1 vote, the SEC approved proposed rules aimed at enhancing and standardizing disclosures made by public companies regarding cybersecurity risk management, strategy, governance and incident reporting, reflecting the third rulemaking project the Commission has proposed in connection with cybersecurity in the past year. The proposed rules come on the heels of the SEC's recent cybersecurity enforcement actions (see GT Alert from Sept. 8, 2021) and proposed cybersecurity rule applicable to registered investment advisers and investment companies (see GT Alert from Feb. 11, 2022). SIFMA and SIFMA AMG provided comments on the proposed new cybersecurity risk management rules and amendments issued by the Securities and Exchange Commission (SEC). June 7, 2022. input on the Securities and Exchange Commission's proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. 03.21.2022. Alert. On February 9, 2022, the Securities and Exchange Commission (SEC) issued a new proposed rule that would overhaul the cybersecurity regulations for registered investment advisers, registered investment companies, and funds. The SEC asserts that the proposed amendments are thus intended to better inform investors about a company's risk management, strategy and governance and to provide timely notification of material cybersecurity incidents. These proposals are intended t o enhance and standardize disclosures around cybersecurity. Public Reporting of Cybersecurity Incidents. The proposed amendments were released by the SEC for public comment on February 9, 2022. The rule proposal may include the requirements below. Proposed new Rule 206 (4)-9 under the Advisers Act and proposed new . Start Preamble Start Printed Page 16590 AGENCY: Securities and Exchange Commission. Private Equity and Hedge Funds. 2022 and Beyond. The proposal builds upon a 2020 proposal and public comments received in response to that proposal. New SEC Cybersecurity Rules Focus on Board Accountability. Submit comments on S7-10-22. The SEC proposed a rule in February that would require registered investment advisers, registered investment companies, and business development companies to adopt and implement written cybersecurity policies and procedures to address cybersecurity risks. Substantially expanding on prior interpretative guidance, the new rules, if adopted, would for the first time specifically mandate current and periodic reporting of material cybersecurity incidents, and would also . ACTION: Proposed rule. On March 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for public companies and foreign private issuers. Companies including Chevron Corp. , Quest Diagnostics Inc. and Ernst & Young LLP are pushing to narrow proposed cybersecurity rules from the Securities and Exchange Commission in the private . The proposed rules define a significant cybersecurity incident as an incident, or group of related incidents, that "significantly disrupts or degrades" a firm's ability to "maintain critical operations," or "leads to the unauthorized access or . 2.

On February 9, 2022, the U.S. Securities and Exchange Commission ("SEC") proposed a package of new rules and amendments to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks. The SEC encourages broker-dealers, investment advisers, investment companies, exchanges, and other market participants to refer to the resources on the spotlight page. Last month the SEC proposed new cybersecurity rules which very likely will be finalized before the end of 2022. 14028, May 12, 2021), on February 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940 (Advisers Act) and 38a-2 . Cybersecurity Risk Management Policies and Procedures. The timing of the 8-K would be tied to an issuer's determination that the incident is material, not discovery of the incident itself. Most notably, the rules would impose a rapid reporting requirement when advisers face serious cyberattacks. On February 9, 2022, the Securities and Exchange Commission ("SEC") proposed new rule 38a-2 ("Proposed Rule 38a-2") under the Investment Company Act of 1940, as amended ("1940 Act"), which would require registered investment companies and business development companies ("funds") to adopt and implement written cybersecurity .

On March 9, 2022, the Securities and Exchange Commission ("SEC" or "Commission") held a virtual open meeting where it considered a rule proposal for new cybersecurity disclosure requirements for public companies, primarily consisting of: (i) current reporting of material cybersecurity incidents and (ii . 7 The proposed rule expands on the SEC's 2018 guidance, which, among other things, recommended issuers . SEC.

The proposed rules are the latest in a series of cybersecurity-related rules proposed by the SEC, which include proposed . The proposed rules would increase the prominence of required disclosure of cybersecurity incidents in several corporate filings, including annual and quarterly filings and current reports. Cyber risk is central to business risk, making it a board-level issue. The SEC's proposed rules will amend Item 407 of Regulation S-K relating to corporate governance to now also require disclosure if any member of the registrant's board has cybersecurity expertise. Proposed SEC Cybersecurity Rules. On March 9, 2022, the Securities and Exchange Commission (SEC) proposed amendments to its rules that would require certain cybersecurity-related disclosures by public companies.

Current reports The proposed rules would add new Item 1.05 to Form 8-K, which would require disclosure within four business days after a company has determined that it has experienced a material cybersecurity incident, not discovery of such of incident. 2022-82; Proposed Rule Rel. Proposed new Rule 206 (4)-9 under the Advisers Act and proposed new . SUMMARY: The Securities and Exchange Commission is proposing new rules under the Investment Advisers Act of 1940 ("Advisers Act") and the Investment Company Act of 1940 . Click for PDF. See Also: Press Release No. No. The Securities and Exchange Commission today proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

The SEC has proposed rules and amendments related to cybersecurity risk management, strategy, governance, and incident reporting for public companies subject to the Securities Exchange Act of 1934 (i.e., registrants). The SEC is proposing a new Rule 206(4)-9, promulgated under the Advisers Act and a new Rule 38a-2, promulgated under the Investment Company Act. As outlined in a joint statement issued by the FBI, CISA, and ODNI on 16 Dec, the US government has become aware of a significant and ongoing cybersecurity campaign. Required elements of cybersecurity risk management program include: Risk Assessment - A written documentation of risk assessment may be required by the proposed rules. Most notably, the rules would impose a 4-day reporting requirement for domestic issuers who have experienced a "material cyberse The proposed rules broadly define a "cybersecurity incident" to cover effectively any intrusion of a company's systems . Here is an overview of key features of the proposed rules. On February 9, 2022, the U.S. Securities and Exchange Commission ("SEC") voted (3-1) 1 to propose new cybersecurity requirements for SEC-registered investment advisers under the Investment Advisers Act of 1940 (the "Advisers Act") and SEC-registered investment companies under the Investment Company Act of 1940 (the "Investment Company Act"). Note that in addition to the proposed rule discussed in this Heads Up, the SEC in February 2022 issued a proposed rule on cybersecurity risk management and incident reporting for registered investment advisers and funds. 33-11042. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign . On March 9, 2022, the Securities and Exchange Commission ("SEC") held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. 1 The Proposing Release ("Proposal") states that the new and amended rules . 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. SEC proposes cybersecurity rules. Disclose certain cybersecurity incidents in their brochure or registration statement. SEC Proposed Rule Release No. March 9, 2022. 2 The proposed rules follow several . The new SEC cybersecurity rule is designed to provide the public with additional transparency on company breaches when they occur, and provide timely notification of cybersecurity incidents. The SEC's new proposals would require investment funds and advisers to have written policies and procedures to address cyberattacks. Other Release No: 34-94867. Order No. The proposed regulation, which the Securities and Exchange . The timing of the 8-K would be tied to an issuer's determination that the incident is material, not discovery of the incident itself. Background and Current Requirement Read the Federal Register notice and submit comments. The proposal provides extensive explanations of the . Less than a month after the U.S. Securities and Exchange Commission (SEC) proposed substantial new cybersecurity requirements for investment advisers and registered investment companies, the commission unveiled a new slate of proposed cybersecurity disclosure rules for public companies. On March 21, 2022, the SEC proposed rules that would require publicly reporting companies to include certain climate-related disclosures in their registration statements and periodic reports. On March 9, 2022, the Securities and Exchange Commission ("SEC") held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. 34-94868. The Securities and Exchange Commission proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies ("registrants") that are subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC is proposing a new rule requirement to report "significant cybersecurity incidents" confidentially to the Commission on proposed Form ADV-C "promptly, but in no event more than 48 . The Proposed Rules would require advisers and registered funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks based on an ongoing analysis of specific elements. Last week, the U.S. Securities and Exchange Commission (SEC) doubled down on its position that enhanced cybersecurity policies, procedures, and disclosures are necessary to combat cybersecurity threats by announcing proposed cybersecurity risk management rules for investment advisers ("RIAs") registered under the Investment Advisers Act of 1940 ("Advisers Act") and registered funds and . The proposed rules would require reporting material cybersecurity incidents, and periodic updates about previously reported cybersecurity incidents. File No: S7-10-22. Proposed Rules Incident Disclosure.

The proposed rules, if adopted, would require each public company to: 1) report material cybersecurity . 14028, May 12, 2021), on February 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940 (Advisers Act) and 38a-2 . . This post focuses on the provisions that impact private fund advisers. Proposed rule. The public may also submit comments by email to rule-comment@sec.gov. On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) published an update to its proposed cybersecurity rules for investment advisers, registered investment companies, and business development companies (funds), expanding key aspects of the requirements to all public companies. 3 Like other disclosure required by Form 8-K, an issuer would be required to file the Form 8-K within four business days after a triggering event. Comments received are available for this proposal. On February 9, 2022, the Commission published a Release for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development . Gone are the days when cybersecurity was just an information technology (IT) problem. Financial regulators proposed long-awaited cybersecurity . Specifically, the proposed rules would amend Form 8-K to require disclosure of information about a material cybersecurity incident within four business days of determining the incident is material. If adopted, the proposed rules would apply to reg The SEC's proposed rules would require an issuer to timely disclose material cybersecurity incidents on a Current Report on Form 8-K, including specified information about the nature of the incident. "Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," said SEC Chair Gary Gensler.

The proposed rules would require reporting material cybersecurity incidents, and periodic updates about previously reported cybersecurity incidents. Item 1.05 would require the disclosure of: When the incident was discovered The proposed rules accomplish these objectives through specific, mandated disclosure requirements applicable to all companies in a manner designed to enhance . 3 Specifically, the proposed rule would "require advisers to report certain information regarding a significant cybersecurity incident in order to allow the [SEC] and its staff to understand the nature and extent of the . The US Securities and Exchange Commission has proposed new rules and amendments to mandate disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Form 8-K, Form 10-Q and Form 10-K. As proposed, these new rules and amendments require both current reporting and periodic reporting concerning cybersecurity matters. Office . The SEC would amend Form 8-K to add a new 8-K trigger (proposed Item 1.05) for cybersecurity incidents 2 that are material to the issuer. On Feb. 9, 2022, the SEC released its long-awaited proposed cybersecurity rule, and there's a lot to unpack. The proposal, if adopted, would require mandatory . Proposed rules Cybersecurity incident reporting. "Cyber risk relates to each part of the SEC's three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets," said SEC Chair Gary Gensler. The Proposed Rules would require advisers and registered funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks based on an ongoing analysis of specific elements. On February 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for registered advisers and funds. Although the SEC cybersecurity proposed rule changes have not been made official, companies can and should take steps to prepare for the potential rule . March 11, 2022. The Securities and Exchange Commission today proposed rules to better protect investors and enhance cybersecurity by bringing more Alternative Trading Systems (ATS) that trade Treasuries and other government securities under the regulatory umbrella. If adopted, these rules will incorporate existing SEC staff guidance on cybersecurity policies and procedures, and . The proposed rules respond to investor concerns related to the . The SEC's proposed rules would require an issuer to timely disclose material cybersecurity incidents on a Current Report on Form 8-K, including specified information about the nature of the incident. For the first time, a proposed rule set from the US Securities and Exchange Commission (SEC) will require virtually . The proposed rules only require advisers to report "significant" cybersecurity incidents to the SEC. The Proposed Rules would amend Form 8-K to add an Item 1.05, requiring the disclosure of a material cybersecurity incident within four business days after a registrant determines that a material cybersecurity incident has occurred. The proposed rules define a significant cybersecurity incident as an incident, or group of related incidents, that "significantly disrupts or degrades" a firm's ability to "maintain critical operations," or "leads to the unauthorized access or . Require advisers and funds to adopt and implement written policies and procedures that address cybersecurity risks. Collectively, our associations appreciate the goals of the SEC's proposed rules, which focus on increasing investors' knowledge of publicly traded companies' cybersecurity postures. Although there may be some changes to the specifics, the overall requirement will remain clear: "Adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risk.". Among other information, the new disclosures would require information about greenhouse gas emissions (GHG), climate-related risks that are reasonably likely to have a material impact on a company's . In a show of continued emphasis on cybersecurity enforcement from U.S. government agencies in the wake of the Biden Administration's Executive Order on Improving the Nation's Cybersecurity (Exec.