The Securities and Exchange Commission (“SEC”), under Chairman Gary Gensler, continues to propose rules at a rapid pace. Three of the most recent proposed rules would significantly impact investment advisers by:
- Requiring documentation of registered investment adviser compliance reviews;
- Establishing cybersecurity risk management and reporting requirements for investment advisers, investment companies, and business development companies; and
- Updating and accelerating beneficial ownership reporting requirements.
The deadlines for comments on these proposed rules will be the later of 30 days after publication in the Federal Register or April 11, 2022. These abbreviated comment periods are similar to what the SEC has permitted in other recent proposed rules, but are a significant departure from the approaches of prior Chairpersons, which would typically allow interested parties at least 60 days—if not 90 or 120 days—after publication of a proposed rule in the Federal Register to submit comments. These proposed rules are in addition to recently proposed rules for private fund advisers, large private equity advisers, and large liquidity fund providers.
Documentation of Registered Investment Adviser Compliance Reviews
The SEC has proposed an amendment to Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”) to require an investment adviser to document—in writing—the annual review of the adequacy of the adviser’s policies and procedures and the effectiveness of their implementation. Rule 206(4)-7 requires an investment adviser to (1) adopt and implement policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder by the investment adviser or its supervised persons; (2) review the adequacy of the policies and procedures and effectiveness of their implementation no less frequently than annually; and (3) designate a supervised person responsible for administering the policies and procedures. In proposing the rule, the SEC stated that the reports should be produced promptly upon request and asserted that “[a]ttempts to shield from, or unnecessarily delay production of any non-privileged records is inconsistent with prompt production obligations and undermines [the] staff’s ability to conduct examinations.”
Observations: While Advisers Act Rule 204-2 requires an investment adviser to maintain any records documenting its annual review that it may create, Rule 206(4)-7 does not explicitly require documentation. As a result, the SEC’s Division of Examinations has observed over the years some investment advisers were unable to provide evidence that an annual review ever occurred. The proposed rule is intended to fill this perceived gap and “help the staff understand an adviser’s compliance program, determine whether the adviser is complying with the rule, and identify potential weaknesses in the compliance program.” The SEC did not, however, prescribe specific elements that an adviser must include in the written documentation of the annual review. The staff of the Division of Examinations generally reviews annual review reports to determine whether investment advisers have reviewed significant areas of their businesses; identified or reviewed key risk areas; and considered compliance matters and any changes to their businesses or applicable law that occurred during the year, including to identify deficiencies that might support claims that advisers failed to implement policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder.
Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
The SEC has proposed new rules to require registered investment advisers and registered investment companies and business development companies to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks. The discussion below focuses primarily on the proposed rules that would impact investment advisers. The proposed rules include three main components: (1) adoption of cybersecurity risk management policies and procedures; (2) reporting of significant cybersecurity incidents to the SEC; and (3) disclosure of cybersecurity risks and incidents on Form ADV Part 2A.
Adoption of Cybersecurity Risk Management Policies and Procedures
Proposed Rule 206(4)-9 under the Advisers Act would require an investment adviser to adopt and implement written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks, including:
- Periodic risk assessments: periodic written assessments of cybersecurity risks associated with information systems and information residing therein that (a) categorize and prioritize cybersecurity risks; and (b) identify and assess cybersecurity risks associated with the use of service providers that receive, maintain, or process information or that can access information systems.
- User security and access: controls designed to minimize user-related risks and prevent unauthorized access to information systems and information that (a) require standards of behavior for persons accessing systems, such as an acceptable use policy; (b) identify and authenticate individual users, including through multifactor authentication; (c) establish procedures for the timely distribution, replacement, and revocation of passwords or other methods of authentication; (d) restrict access to systems solely to individuals who require it to perform their responsibilities and functions on behalf of the adviser; and (e) secure remote access technologies.
- Information protection: measures designed to monitor systems and protect information from unauthorized access or use based on a periodic assessment that considers (a) the sensitivity level and importance of information to business operations; (b) whether any information is personal information; (c) where and how information is accessed, stored, and transmitted; (d) access controls and malware protection; and (e) the potential effect of a cybersecurity incident on the adviser and its clients.
- Cybersecurity threat and vulnerability management: measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities.
- Cybersecurity incident response and recovery: measures to detect, respond to, and recover from a cybersecurity incident (and written documentation of any cybersecurity incident and response to and recovery therefrom), including to ensure (a) continued operations; (b) protection of systems and information; (c) external and internal cybersecurity incident information sharing and communications; and (d) reporting of significant cybersecurity incidents.
- Oversight of service providers: oversight of service providers that receive, maintain, or process information, or that can access information systems, pursuant to a written contract requiring the service provider to implement and maintain appropriate measures, including the practices described above, that are designed to protect information and information systems.
- Annual review and written report: at least annually, (a) review and assessment of the design and effectiveness of the policies and procedures, including whether they reflect changes in cybersecurity risk over that period; and (b) written report that, at a minimum, (i) describes the review, assessment, and any control tests performed, (ii) explains their results, (iii) documents any cybersecurity incident that occurred since the date of the last report, and (iv) discusses any material changes to the policies and procedures since the date of the last report.
Reporting of Significant Cybersecurity Incidents to the SEC
Proposed Advisers Act Rule 204-6 would require advisers to report on newly proposed Form ADV-C to the SEC any significant adviser cybersecurity incident promptly, but in no event more than 48 hours, after having a reasonable basis to conclude that any such incident has occurred or is occurring. The SEC has proposed to define “significant adviser cybersecurity incident” as
a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized use of such information results in: (1) Substantial harm to the adviser, or (2) Substantial harm to a client, or an investor in a private fund, whose information was accessed.
The SEC views critical operations as including investment, trading, reporting, and risk management functions and operating in accordance with the federal securities laws. Advisers would also be required to amend Form ADV-C promptly, but in no event more than 48 hours after (1) any information previously reported becomes materially inaccurate; (2) any new material information is discovered; or (3) the incident is resolved or any internal investigation is closed.
Disclosure of Cybersecurity Risks and Incidents
The SEC has proposed to add a new Item 20 to Form ADV Part 2A, which would require disclosure regarding cybersecurity risks and incidents.
Item 20. Cybersecurity Risks and Incidents
- Describe the cybersecurity risks that could materially affect the advisory services you offer. Describe how you assess, prioritize, and address cybersecurity risks created by the nature and scope of your business.
- Provide a description of any cybersecurity incident that that [sic] has occurred within the last two fiscal years that has significantly disrupted or degraded your ability to maintain critical operations, or has led to the unauthorized access or use of adviser information, resulting in substantial harm to you or your clients. The description of each incident must include the following information to the extent known: the entity or entities affected; when the incident was discovered and whether it is ongoing; whether any data was stolen, altered or accessed or used for any other unauthorized purpose; the effect of the incident on the adviser’s operations; and whether the adviser, or service provider, has remediated or is currently remediating the incident.
In the SEC’s view, a cybersecurity risk “would be material to an adviser’s advisory relationship with its clients if there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information.” This could include the likelihood and extent to which a cybersecurity risk, or resulting incident, could (1) disrupt the adviser’s ability to provide services (including the duration); (2) result in the loss of adviser or client data (including nature and importance of the data and duration and circumstances of compromise); or (3) harm clients (including through the inability to access investments, illiquidity, or exposure of confidential or sensitive information).
If an adviser amends its brochure to add disclosure of an event or incident, or materially revises information already disclosed about an event or incident in response to Item 20.B, the adviser would need to promptly deliver to each client a statement describing the material facts relating to the change in information about a significant cybersecurity incident (either alone or along with an amended brochure).
Observations: In today’s digital age, the risks of exposing a client’s personal information or having significant business disruptions caused by phishing, malware, ransomware, and other data breaches appear to be ever increasing. As the SEC staff has previously recognized, the vast majority of investment advisers have already adopted policies and procedures to address cybersecurity risks, including because of existing SEC rules and prior SEC and staff guidance. One might have expected the SEC (itself having been subject to significant data breaches over the years) to have recognized the evolving nature of cybersecurity risks and sought to work with the industry to develop a targeted and workable approach that incorporates existing obligations under the federal securities laws, as well as applicable state laws. Instead, the proposed rules include many prescriptive requirements that would pile onto the existing regulatory framework; might not make sense as technologies and cybersecurity risks evolve; and could be subject to interpretation and second-guessing by the SEC and its staff using the various tools the SEC seeks to provide itself to pursue enforcement actions should a cybersecurity incident occur. Assuming the SEC adopts the proposed cybersecurity rules, there are some ways that the approach might be refined to provide advisers with flexibility in responding to the evolving nature of cybersecurity risks.
Adopt Rule Under Other Authority. The SEC has proposed to adopt Rule 206(4)-9 under Section 206(4) of the Advisers Act. The proposed rule would make it unlawful to provide investment advice without adopting reasonably designed cybersecurity policies and procedures as a means to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business. This raises the prospect that an adviser that was subject to a cybersecurity incident might be found to have committed fraud notwithstanding the adviser’s diligence or the reasonableness of the adviser’s policies and procedures. Being subject to a cybersecurity incident should not mean that advice provided during that period was unlawful, as a cybersecurity incident should not reflect on the quality of advice provided. Moreover, an adviser should not be deemed to have engaged in a fraudulent, deceptive, or manipulative act, practice, or course of business as the result of the conduct of a third party outside of the control of the adviser, as is the case with third-party cyber-attacks. If the SEC’s goal is to promote better cybersecurity practices, it could pursue adoption of the rule under its other Advisers Act rulemaking authority, such as Section 211, without the attendant consequences of a Section 206(4) violation.
Issue Guidance Under Rule 206(4)-7. If the SEC wants to rely on its authority under Section 206(4), it could issue guidance under Advisers Act Rule 206(4)-7 to clarify the SEC’s expectations that an adviser’s policies and procedures address cybersecurity risks, including to consider obligations under Regulations S‑P and S‑ID, rather than adopting a new rule. The SEC has already stated its expectation that an adviser’s policies and procedures adopted under Advisers Act Rule 206(4)-7 should, at a minimum, address “[s]afeguards for the privacy protection of client records and information” and “[b]usiness continuity plans.” Regulation S-P already requires an investment adviser to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” In addition, an adviser subject to Regulation S-ID already is required to develop and implement written identity theft prevention programs designed to detect, prevent, and mitigate identity theft for covered accounts. Considering the existing requirements, cybersecurity policies and procedures might be viewed as one aspect of an adviser’s overall policies and procedures under Rule 206(4)-7.
Limit Required Reporting and Disclosures. Many advisers already include disclosure about cybersecurity risks in response to Item 8 of Form ADV Part 2A. Those disclosures are designed to inform clients about the nature and scope of cybersecurity risks and the potential impact on the advisers’ operations. The SEC has proposed to go even further, including to treat cybersecurity risks as equivalent to conflicts of interest and cybersecurity incidents as equivalent to disciplinary information.
Under Item 20.A, advisers would be required to describe how they assess, prioritize, and address cybersecurity risks. This type of disclosure, which has been limited in the instructions to Form ADV Part 2A to disclosure of conflicts of interest, may be of little use to clients (who likely would not be in position to evaluate the information) and presents risk of second-guessing by the SEC and its staff as to the adequacy of the disclosure and potential allegations that the adviser has violated Sections 206(1), 206(2), or 207 of the Advisers Act.
Under Item 20.B, advisers would be required to disclose specified information about significant cybersecurity incidents and notify clients promptly when Item 20.B is updated (similar to the treatment of disciplinary history disclosed under Item 9). It would be helpful if the SEC clarified the concept of a significant cybersecurity incident (e.g., what constitutes a significant disruption or degradation of an adviser’s ability to maintain critical operations, or what results in “substantial harm” to the adviser or its clients).
The required reporting in response to Item 20.B and Form ADV-C might also present challenges for advisers when responding to a cybersecurity incident. As proposed, advisers would be required to deliver updates to Item 20.B promptly, and to file Form ADV-C promptly, but in no event more than 48 hours, after having a reasonable basis to conclude that any such incident has occurred or is occurring and upon certain instances of learning additional information. These reporting timeframes might prove to be challenging for advisers in the midst of responding to a cybersecurity incident, including in relation to reporting requirements under other applicable laws and regulations. It would also help to understand what tangible actions the SEC expects it would take to aid in the response to a cybersecurity incident that would require such rapid reporting.
Provide Latitude Regarding Service Providers. The information protection provisions in the proposed rule would require “oversight” of service providers through a written contract. The concept of oversight is not sufficiently clear. Investment advisers use various types of entities that might be viewed as service providers for purposes of proposed Rule 206(4)‑9, including sub-advisers, trade order management system providers, recordkeepers, custodians, and platform providers. The agreements governing these relationships are often heavily negotiated. Depending on the nature of a service provider’s business, the service provider may not permit separate “oversight” of its cybersecurity policies by a third party. For example, a service provider may be reluctant or unwilling to permit third parties to engage in penetration testing and might prefer to conduct its own penetration testing. Advisers will likely need sufficient flexibility in engaging service providers, particularly as it relates to overseeing the service providers.
Modernization of Beneficial Ownership Reporting
The SEC has proposed what it deemed “comprehensive changes” to Regulation 13D-G and Regulation S-T to, among other things, revise the filing deadlines for Schedules 13D and 13G; “deem” holders of certain cash-settled derivative securities as beneficial owners of the referenced security; and amend provisions related to when two or more persons form a “group.”
Schedules 13D and 13G
Section 13(d) of the Securities Exchange Act of 1934 (“Exchange Act”) requires a person to file a disclosure statement with the SEC within 10 days of acquiring more than 5% of a covered class of a security, or such shorter time as the SEC may establish by rule. Persons who are subject to Section 13(d) are required to file a Schedule 13D with the SEC. Section 13(g) of the Exchange Act is designed to require reporting by persons who accumulate large amounts of stock in a public issuer but who are not required to file a beneficial ownership report under Section 13(d). Persons subject to Section 13(g) are required to file a Schedule 13G with the SEC.
The SEC has proposed to amend the filing deadlines for initial filings and amendments to Schedules 13D and 13G.
- The initial filing deadline for Schedule 13D would be lowered from 10 days to five days after acquiring beneficial ownership of more than 5% or losing eligibility to file on Schedule 13G.
- The initial filing deadline for Schedule 13G for qualified institutional investors (QIIs) and “exempt investors” would be lowered from 45 days after calendar year-end in which beneficial ownership exceeds 5% to five days after month-end in which beneficial ownership exceeds 5%.
- The initial filing deadline for Schedule 13G for passive investors would be lowered from 10 days to five days after acquiring beneficial ownership of more than 5%.
- All filers of Schedule 13G would be required to amend Schedule 13G upon a material change—rather than any change—in the information previously reported on Schedule 13G. The SEC has not proposed amending the triggering event for Schedule 13D amendments (i.e., a material change in the facts set forth in the previous Schedule 13D) or Schedule 13G amendments for QIIs and passive investors (i.e., upon exceeding 10% beneficial ownership or a 5% increase or decrease in beneficial ownership).
- Schedule 13D amendments would need to be filed within one business day—rather than promptly—after the triggering event.
- Schedule 13G amendments would need to be filed within five business days after the month in which a triggering event occurred (rather than 45 days after calendar year end). QIIs would need to file an amended Schedule 13G five days after the triggering event (rather than 10 days after month end) and passive investors would need to file an amended Schedule 13G one business day—rather than promptly—after the triggering event.
The filing cut-off time for Schedules 13D and 13G would be extended from 5:30 p.m. Eastern time to 10:00 p.m. Eastern time.
Holders of Cash-Settled Derivative Securities
The SEC has proposed to amend Exchange Act Rule 13d-3 to deem the holder of a cash-settled derivative security, as defined in Exchange Act Rule 16a-1(c), other than a security-based swap, to be a beneficial owner of the referenced covered class if such person holds the derivative security “with the purpose or effect of changing or influencing the control of the issuer of such class of equity securities, or in connection with or as a participant in any transaction having such purposes or effect.” This would reverse its decades-old position that holding derivatives that entitled the holder to nothing more than economic exposure to a covered class was insufficient to constitute beneficial ownership. The SEC also proposed provisions regarding how to calculate the number of securities that a person is deemed to beneficially own.
Acquisition of Beneficial Ownership
The SEC has also proposed to amend Exchange Act Rule 13d-5 to remove the reference to an “agreement” between two or more persons, and instead the rule would state that two or more persons who “act as” a group under Section 13(d)(3) of the Exchange Act will be deemed to have acquired beneficial ownership of all equity securities owned by the group’s members as of the date of the group’s formation. In the SEC’s view, whether a group exists does not depend solely on the presence of an express agreement. Rather, depending on the facts and circumstances, concerted actions by two or more persons for the purpose of acquiring, holding, or disposing of securities are sufficient to form a group.
Disclosure of Schedule 13D Filings. Proposed Rule 13d-5(b)(1)(ii) would also provide that a person who discloses to another person information about an upcoming Schedule 13D filing that the person is required to make acts as a group with that person to the extent the information was shared with the purpose of causing the person to acquire equity securities of the same class for which the Schedule 13D will be filed.
Post-Formation Acquisitions of Beneficial Ownership. The SEC has proposed to provide that a group will be deemed to have acquired beneficial ownership if any member of the group becomes the beneficial owner of additional equity securities in the same class beneficially owned by the group after the date of the group’s formation.
Transfers Between Group Members. The SEC has proposed to carve out from Rules 13d‑5(b)(1)(iii) and 13d-5(b)(2)(ii) intra-group transfers of equity securities of a covered class, providing that a regulated group will not be deemed to have become the beneficial owner of additional equity securities in the same class if a group member becomes the beneficial owner of additional equity securities in the same class through a sale by or transfer from another group member.
Exemptions from Group Status. In recognition that the proposed amendments to Rule 13d-5 might raise concerns about whether communications and other activities between investors would constitute the formation of a group, the SEC proposed two exemptions from Sections 13(d)(3) and 13(g)(3) of the Exchange Act.
- Two or more persons will not be deemed to have formed a group solely because of their concerted actions with respect to such issuer’s equity securities, provided that:
  - Communications among or between the persons are not undertaken with the purpose or effect of changing or influencing control of the issuer, and are not made in connection with or as a participant in any transaction having such purpose or effect; and
  - The persons are not directly or indirectly obligated to take such concerted actions.
- Two or more persons will not be deemed to have formed a group if they, in the ordinary course of their business, enter into a bona fide purchase and sale agreement setting forth the terms of a derivative security, provided that they did not enter into the agreement with the purpose or effect of changing or influencing control of the issuer, or in connection with or as a participant in any transaction having such purpose or effect.
Observations: As QIIs, SEC-registered investment advisers often submit a report on Schedule 13G. If the proposed rules are adopted, investment advisers (and their parent holding companies and affiliates submitting joint filings) will likely need to reconsider their approaches to monitoring beneficial ownership in securities and filing Schedule 13G. For example, advisers may need to update systems to monitor beneficial ownership monthly and file Schedule 13G five days after month-end in which beneficial ownership exceeds 5% and five days after an event that triggers an amendment to Schedule 13G. The proposed rules may also impact reporting requirements under Section 16 of the Exchange Act, which applies to beneficial owners of more than 10% of a class of equity security registered under Section 12. Deeming the holder of a cash-settled derivative security to be a beneficial owner of the referenced covered class may also present a significant change to how some firms track and report beneficial ownership. Whether the person holds the derivative security “with the purpose or effect of changing or influencing the control of the issuer of such class of equity securities, or in connection with or as a participant in any transaction having such purposes or effect,” also appears to be subject to second-guessing by the SEC. The changes to deem a holder of cash-settled derivative securities to be a beneficial owner and expand the concept of when a group is formed for purposes of Section 13(d) and (g) will also apply for purposes of Section 16.
John V. Ayanian anchors the broker-dealer and investment adviser regulatory counseling practice, advising clients on broker-dealer and securities markets regulation. He counsels U.S. and foreign financial institutions and markets on all aspects of their U.S. securities trading, markets, and clearing activities under SEC and FINRA rules. He also advises broker-dealers on regulatory matters involving merger and acquisition transactions.
Brian J. Baltz counsels financial institution clients with a focus on issues that cut across their broker-dealer, investment adviser, and bank fiduciary business models. This includes advising clients on business and regulatory issues at the intersection of the differing federal and state regulatory schemes that impact their business models, including the U.S. federal and state securities laws, OCC rules governing bank fiduciaries, and laws governing retirement account fiduciaries under ERISA and Section 4975 of the Internal Revenue Code.
McGuireWoods is a national leader in securities enforcement defense. The firm’s securities enforcement and litigation group and its broker-dealer and investment adviser counseling practice work hand-in-hand to assist clients on the full spectrum of regulatory, business and compliance issues. The securities enforcement and litigation group is part of an experienced and respected Government Investigations and White Collar Litigation Department that has been twice recognized as a Law360 White Collar Practice Group of the Year. We are comprised of former senior SEC and FINRA enforcement attorneys and litigators, as well as high-level federal prosecutors, and are experienced at managing every stage of complex regulatory investigations.
1. Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews, Investment Advisers Act Release No. 5955 (Feb. 9, 2022).
2. Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Investment Advisers Act Release No. 5956 (Feb. 9, 2022).
3. Modernization of Beneficial Ownership Reporting, Securities Act Release No. 11030 (Feb. 10, 2022).
4. Amendments to Form PF to Require Current Reporting and Amend Reporting Requirements for Large Private Equity Advisers and Large Liquidity Fund Advisers, Investment Advisers Act Release No. 5950 (Jan. 26, 2022).
5. OCIE Observations: Investment Adviser Compliance Programs, Office of Compliance Inspections and Examinations (Nov. 19, 2020).
6. National Exam Program Risk Alert: Observations from Cybersecurity Examinations, Office of Compliance Inspections and Examinations (Aug. 7, 2017).
7. Section 206(4) of the Advisers Act allows the SEC to define and prescribe means reasonably designed to prevent acts, practices, or courses of business that are fraudulent, deceptive, or manipulative.
8. Compliance Programs of Investment Companies and Investment Advisers, Investment Advisers Act Release No. 2204, 68 Fed. Reg. 74714, 74716 (Dec. 24, 2003).
9. Section 207 makes it unlawful for any person willfully to make any untrue statement of a material fact in any registration application or report filed with the SEC under Sections 203 or 204, or willfully to omit to state in any such application or report any material fact which is required to be stated therein.
12. The SEC refers to passive investors as those beneficial owners of more than 5% but less than 20% of a covered class who can certify under Item 10 of Schedule 13G that the subject securities were not acquired or held for the purpose or effect of changing or influencing the control of the issuer of such securities and were not acquired in connection with or as a participant in any transaction having such purpose or effect.