(ISC)² Supports Members with Thoughtful Response to SEC Proposed Rule on Cybersecurity Reporting

May 25, 2022

On March 9, 2022, the SEC released new proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.

The proposed rules would require advisers and funds to adopt and implement policies and procedures that are designed to address cybersecurity risks. Advisers and funds would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures; and prepare a report describing the review, explaining the results, documenting any incident that has occurred since the last report, and discussing any material changes to the policies and procedures since the last report.

The proposed amendments would require current reporting of material cybersecurity incidents by adding a new item to Form 8-K, which is already in use. This added item would require companies to disclose material cybersecurity incidents within four business days of an incident being determined to be material.

Required disclosure would include:

  • When the incident was discovered and whether it is ongoing.
  • A brief description of the nature and scope of the incident.
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

The proposed rules would also require disclosure about the cybersecurity expertise of members of the board, if any. The proposed rules do not define “cybersecurity expertise” but provide several factors to consider, such as prior work experience or certifications in cybersecurity. (ISC)² addresses each of these in our response.

These new proposed rules would have a significant impact on affected entities. If approved, many advisers and funds would be required to develop intricate and comprehensive cybersecurity programs in a short time frame, and such programs may not address the specific issues each individual organization faces.

(ISC)² compiled our response to the SEC request for comment with our members in mind, taking into consideration the importance of certifications for those director roles.

Effectively managing cyber risks and responsible breach disclosure should be a top priority for organizations, and (ISC)² is confident our response conveys that importance while balancing the difficult position organizations are in as they navigate the challenges of a cybersecurity incident.

To learn more, view the entire (ISC)² response to the SEC request for comment.