Investment Company Notebook
BBD's Industry Insights Video Series Episode 2: New Cybersecurity Rules for Investment Companies
BBD's Industry Insights video series offers our clients and industry friends a brief look into important and timely developments in the investment management industry.
In Episode 2 of the series, Rich Wagner, partner with BBD, LLP, and Rachael Schwartz, counsel with Sullivan & Worcester, discuss cybersecurity developments in the registered funds industry, specifically related to SEC Rule 38a-2.
Rich Wagner 00:02
Welcome to Industry Insights, BBD's video series that offers our clients and industry friends a brief look into important and timely developments in the investment management industry. I'm Rich Wagner, partner with BBD. Today I have the great pleasure of speaking with Rachael Schwartz, Counsel with Sullivan & Worcester. Rachael and I will be speaking about the SEC's proposed rules on cybersecurity, risk management, strategy, governance and incident disclosure by public companies and how this will affect the fund industry. Rachael, can you provide a brief overview of Sullivan & Worcester's work in the investment management industry?
Rachael Schwartz 00:41
Sure, thank you Rich. Sullivan & Worcester's Investment Management Practice covers a wide range of areas. We represent all types of investment management companies, open end funds, closed end funds, ETFs, BDCs. We also represent their independent Board of Trustees and complying with their governance responsibilities.
Rich Wagner 01:08
Great. So let's get started. Can you provide a summary of Rule 38a-2?
Rachael Schwartz 01:15
Sure. So the proposed Rule 38a-2 would require funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks. Going to just call that a cybersecurity program. While there's a certain element that every fund would have to address, they also would have to tailor them for their own specific facts and circumstances. So briefly, a fund would have to periodically assess, categorize, prioritize, and document in writing its specific cybersecurity risks. The assessment would also involve identifying any service provider that has access to any fund information systems or fund information. There would have to be controls in place to minimize user related risks and prevent unauthorized access to information and systems. And the level and type of control that would vary depending on the types of information that are stored on those systems. Funds would have to have ongoing threat assessments. And if a vulnerability or a threat is identified, it would have to be remediated as soon as possible. Funds would have to measure to detect respond to and recover from cybersecurity incidents. And on an annual basis, the effectiveness of the program would have to be reviewed, there'd have to be a written assessment of this review, that would also disclose any control tests performed, any changes made to the program, and any cybersecurity incidents that occurred. The rule does allow for some flexibility as to who is going to implement and oversee the cybersecurity program. So it could be an internal person, such as somebody looks at the adviser or fund officer, or it could be an outside third party service provider, but whoever it is, they must have expertise in cybersecurity. And if it is an outside person, then the fund would have to have some level of oversight to make sure that they are you know, following all the rules of 38a-2. The program also has to lay out a chain of responsibility of who makes all cybersecurity decisions, who administers and implements cybersecurity policies, who is able to escalate any issues at the fund, and who would disclose any incidents to the SEC or investors.
Rich Wagner 03:49
Great, that's a good summary. Is this rule an instance of the regulators catching up with some of the best practices that are already in place with the larger fund groups? We've seen this with some other rules that have been put in place.
Rachael Schwartz 04:05
Well, the SEC has performed cybersecurity sweep exams over the last several years and then published risk alerts saying where they have found that fund companies have been deficient and also showing some best practices that they've seen. So likely this rule or proposed rule does kind of take some of those best practices they've observed. You know, most complexes already have some sort of cybersecurity policies and procedures that they, you know, kind of handle under 38a-1, they make sure that they kind of do a due diligence review of of their service providers to make sure they have appropriate cybersecurity in place. So this could be something that they've already seen done at a lot of places, especially larger complexes.
Rich Wagner 04:56
Great. So how will the new security policies and procedures be administered?
Rachael Schwartz 05:03
I think this is going to depend on the type of complex, you know, a very large complex or one that's affiliated with a larger organization may have access to, you know, internal information technology departments, or they could have chief information security officers and whole departments that have the resources and expertise to implement and oversee these programs. You know, it's, it's the smaller complexes, the smaller shops that don't have a lot of resources that, you know, would most likely have to go out and hire some new third parties that would have the expertise. And then you have things such as you know, series trusts, where it's a trust with, you know, many different advisors involved, but otherwise there's commonality of other service providers. So in those cases, you know, perhaps would be some sort of a hybrid model, where the funds that are in the trust together can work on a program to oversee all those service providers, but there would still have to be an element to handle each of the separate advisors.
Rich Wagner 06:14
Great. So 38a-2 requires each fund to periodically assess, categorize, prioritize, and document in writing the cybersecurity risks associated with its information system, and the information residing therein. How often do the funds have to assess their cybersecurity risks?
Rachael Schwartz 06:37
So under the proposal, they would have to do an assessment at least annually to see how the effectiveness of the program, but there also would have to be a reassessment, whenever there's any change that could affect the funds' cybersecurity risks. So any events that occurred during the year might trigger a need for reassessment, any emerging cybersecurity threats that come out, or if there's any changes in the fund business, new, you know, new programs being used, additions to their online presence, anything that might add new cybersecurity risks that were not previously considered. And you know, that the release for the proposing rule does say, you know, the funds would really probably need to sign up for all kinds of alerts from the private sector, and government resources to be able to stay up to date on these emerging cybersecurity risks.
Rich Wagner 07:34
So what kinds of controls would be used to minimize the user related risks and prevent all unauthorized access?
Rachael Schwartz 07:43
So you know, they talk about the fact that pretty much everything would have to be customized so that the only people that have access to systems are the people that need to have access. So for example, you know, a portfolio manager would need access to trading systems to be able to actually enter in trades, whereas compliance personnel would maybe only need access to review and approve trades, but you wouldn't want them to be able to enter in trades. So there would have to be a lot of controls for that, such as maybe user credentials, digital rights management, and multifactor authentication. If your employees are working remotely, there have to be additional controls that you might want to put in place. And then separately at the investor level, there have to be controls, to make sure that you don't have unauthorized logins to client accounts. They'd be controls to kind of trigger if there's too many login attempts that fail that that would trigger you looking into it, or if there was an unusual client request. And that might need to be customized based on whether you think your clients are coming in from say, a cell phone or computer. And although, you know, these shareholder logins usually are going to be at the TA level or at their broker, you know, at their brokerage account, the fund would have to make sure it kind of has agreements with the TA. So that is able to assess their cybersecurity risks in order to meet the responsibilities under 38a-2. So, you know, this could get a little complicated of having to get all this oversight over all these people that are much farther away from the fund than than the advisor itself.
Rich Wagner 09:30
So it seems like a lot of the the procedures are things we're used to, like multifactor identity, authorization, you know, password length, etc. So, I guess maybe we've already been doing some of those things in practice.
Rachael Schwartz 09:48
I think so. Yes, probably a lot of it is being done.
Rich Wagner 09:52
So how would the- How would this affect the funds' relationship with their service providers?
Rachael Schwartz 09:59
So, you know, again, I think, you know, sort of a general oversight of all service providers has already been done under the 38a-1 programs. And so, you know, compliance goes and does these due diligence visits and cybersecurity is something they look at. But now, you know, there might be having to get a bit more in depth, specifically, on, you know, many more aspects of their cybersecurity programs. And this might be something where this new cybersecurity expert who is in charge of the program would perhaps go along with the CCO to these due diligence visits, or would maybe have to do you know, additional reviews. You know, it's just hard to know. And, you know, how much access would the service providers give to these people to let them know about their inner workings? That's also, you know, a question.
Rich Wagner 10:56
So the proposal requires funds to adopt measures to detect, respond and recover from cybersecurity incidents. What do you think some of these measures will look like?
Rachael Schwartz 11:08
Sure, um, you know, I think, you know, again, this is something that funds already do a lot of, but, you know, for example, if they don't back up their data on a continuous basis, that would be something they would need to start doing. You have to have this, you know, detailed response plan, listing out the specific personnel that are going to respond in the event of a cybersecurity incident, and an escalation plan. That might be something, you know, funds don't have already. You know, one specific event that is discussed in the proposal is that, you know, funds obviously rely on service providers to help calculate their NAV, their net asset value, every day. And so, you know, they need to assess what kind of cybersecurity risks are involved with that. And if something happened at that service provider, so that the NAV couldn't be calculated, you know, what are they going to do. They need to have policies and procedures with alternative ways they could calculate that NAV in such an instance. But, you know, again, I think this is something you know, a lot of people, you know, over the years have sort of developed, it might just be more detail than they have already, but there are a lot of these questions do come up already, in board meetings and discussions.
Rich Wagner 12:30
So in the proposal, I also read that you have to disclose any cybersecurity instances, how would that work?
Rachael Schwartz 12:38
Sure. Well, you know, generally, you would have to have disclosure in your registration statement, if there was any significant cybersecurity risk affecting the fund or its service providers in the last two years. Unclear whether or not, you know, the specific event actually affected the fund at the service provider level or just an incident at the service provider. But they also know that these disclosures have to be timely. And so that could start requiring there to be stickers to the registration statement every single time, you know, there's an event, which obviously would get a lot more press and other things that these are coming out. So that's an interesting development. We'll see if that's something that, you know, stays in the proposal.
Rich Wagner 13:29
So what would be required of the board under this proposal?
Rachael Schwartz 13:34
Well, the board would have to initially approve the cybersecurity program. You know, kind of like with, you know, 38a-1 and the liquidity risk program, they can rely on summaries provided by others to evaluate the program. You know, but this is one area where boards are a bit concerned with the proposal on that now they're thinking, you know, do they need to have cybersecurity experts on the board? Because how can they really evaluate if this program is reasonably designed, when they don't have cybersecurity expertise? Annually, they would have to review the report, make sure that, you know, they're thoroughly covering their oversight responsibilities. And they also need to question you know, does the fund feel like it has enough resources to cover you know, everything under the cybersecurity rule, or do they feel like they need more resources?
Rich Wagner 14:33
Would any amendments to fund disclosures be required?
Rachael Schwartz 14:38
Um, yeah, again, I think there would be you know, if you're aware of a cybersecurity incident, you would disclose that, you know, I think at this point, most funds do have general cybersecurity risks kind of already in the registration statement. To the extent somebody doesn't have that, I think they probably would start adding that in, but those are probably the main events. And then of course, if you actually have a cybersecurity event, you would have to, you know, disclose that at some point to the SEC and then possibly to investors also, depending on the materiality of the incident.
Rich Wagner 15:21
It would be interesting if a service provider had a cybersecurity event and how that would ripple through many different funds and fund prospectuses.
Rachael Schwartz 15:31
Exactly, exactly, because some of those service providers, you know, probably service half the industry or more.
Rich Wagner 15:38
Well, Rachael, thanks very much for your time today and for your helpful insight.
Rachael Schwartz 15:44