On March 15, 2023, the SEC reopened the comment period on the rules and amendments it proposed on February 9, 2022, related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies and business development companies. The initial comment period ended on April 11, 2022. A previous Vedder Price summary of the proposals is available here. Comments on the proposals are now due by May 22, 2023.
The SEC reopened the comment period in conjunction with the release of proposed new cybersecurity risk management rules for broker-dealers, clearing agencies, transfer agents and other market participants and proposed amendments to Regulation S-P. Proposed amendments to Regulation S-P would, among other things, require “covered institutions”—including funds and registered investment advisers—to develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information. The proposed incident response program procedures would require notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Comments on both the proposed amendments to Regulation S-P and the proposed cybersecurity risk management rules for broker-dealers and other market participants are due by June 5, 2023.
Various SEC materials are available as follows:
- Reopening of Comment Period for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies
- Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers and Transfer Agents