New Proposed SEC Cybersecurity Rules Include 48-hour Breach Reporting Requirement

Following increased enforcement in 2021, the SEC released its new proposed cybersecurity rules on February 9, 2022 (reference). The rules are the latest effort by federal agencies to tighten compliance around assessing and addressing cybersecurity risk, and to require regulatory breach reporting within a specified period.

Let’s take a deep dive into what it includes.

Key Points: 

  • Applies to: registered investment advisers (RIAs), registered investment companies (RICs), and business development companies (BDCs, also known as funds). Note: the rule was not issued to publicly traded companies.
  • Includes:
    1. Requirement to have cybersecurity policies and procedures
    2. Cybersecurity incident disclosures
    3. Required reporting of cybersecurity incidents
    4. Recordkeeping requirements for cybersecurity incidents
  • Requirements:
    1. Notification to the Commission within 48 hours of discovering a significant cybersecurity incident.
    2. Extensive policies and procedures intended to address and respond to cybersecurity threats, including:
      • A written information security plan, which must include:
        • An assessment of risks associated with certain service providers, oversight of such providers, and appropriate written contracts with such providers.
        • User security and access.
        • Information protection.
        • Cybersecurity threat and vulnerability management.
        • Cybersecurity incident response and recovery.
      • An incident response plan.
    3. Increased disclosures and recordkeeping around cybersecurity practices, risks, and incidents.

In this latest effort, the Commission recognizes that there is no “one size fits all” approach. By targeting RIAs, RICs, and BDCs, the rules tailor regulation and compliance to these particular types of companies. Another change of note is the level of detail specified for the written security plan: although a written security plan has been required by several previous compliance rules, none has specified its contents to this degree.

We hope you found this breakdown of the new cyber rules helpful. If you have questions related to your business, please reach out to PK Tech and we can explain further. Get in touch with us here.