The US Securities and Exchange Commission recently proposed a comprehensive framework of cybersecurity-related rules and amendments for investment advisers and investment companies. Although advisers and funds may have already implemented many of the requirements, some, such as incident reporting, are likely to prove burdensome and make the landscape surrounding cybersecurity risk management and compliance even more complex.
With respect to investment companies, the scope of the requirements is somewhat unclear—as are what findings a board must make to approve a fund’s cybersecurity program and on whom the board may rely in doing so.