SEC proposes new cybersecurity requirements for investment advisers

The U.S. Securities and Commission has proposed an extensive cybersecurity risk management rule for registered investment advisers and companies that calls for greater disclosure and additional recordkeeping.

The proposed 243-page rule, announced Wednesday, would require advisers and funds to adopt and implement written policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investments, the agency said in its statement.

It would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients on a new, confidential form.

In addition, it requires advisers and funds to publicly disclose cybersecurity risks and significant incidents that occurred in the last two fiscal years in their brochures and registration statements.

The proposal would also create new recordkeeping requirements for advisers and funds designed to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities.