On February 9, 2022, the SEC proposed new rules that require investment advisers registered with or required to register with the SEC to adopt policies and procedures reasonably designed to address the cybersecurity risks they face as well as to conduct periodic assessments and annual reviews of their cybersecurity programs. The proposed rules would also require advisers to make and update public disclosures on Form ADV regarding cybersecurity risks and significant cybersecurity incidents and to make additional confidential disclosures to the SEC regarding cybersecurity incidents experienced by the firm or any funds they manage within 48 hours of a cybersecurity incident.
The rule proposal, if adopted, will invariably require advisers to devote significantly more time and resources to cybersecurity risk management.
