Preparing for the SEC’s Cybersecurity Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies

13 March 2023
View Debevoise In Depth

In February 2022, the SEC proposed its first-ever cybersecurity rules for registered investment advisers (“RIAs”) (including RIAs to private funds) and Funds (which include registered investment companies (“RICs”) and closed-end funds that have elected to be treated as business development companies (“BDCs”) under the Investment Company Act), which we previously discussed here. The SEC has indicated that it plans to issue final rules in April 2023 (along with new cybersecurity rules for public companies, which we previously discussed here).

The proposed cybersecurity rules for RIAs and Funds impose significant new regulatory burdens, including:

  • A new 48-hour cybersecurity incident notification requirement;
  • Detailed cybersecurity policies and procedures requirements, and;
  • Additional disclosure and recordkeeping requirements.

This post focuses on how to prepare for compliance with these new SEC rules, which Debevoise’s Data Strategy and Security and White Collar and Regulatory Defense Practices will discuss in depth in our March 21 webcast on the topic. The webcast will also discuss the intersection between the proposed cybersecurity rules for RIAs and Funds with the SEC’s newly proposed amendments to Reg S-P and the new broker-dealer cybersecurity risk management rule.