The proposed rules would require Registered Investment Advisers (“Advisers”) and Business Development Companies (“Funds”) to implement policies and procedures designed specifically to address cyber risks. Under this rule change, Advisers would also be required to maintain records around their risk mitigation efforts and to report significant cybersecurity incidents to the SEC, using a confidential form. Perhaps the most visible change in the eyes of the investing public would be the requirement that Funds provide current and prospective investors with a description of any such incidents that have occurred in the preceding two fiscal years.
It appears from this proposal that the SEC is working to move beyond seeking transparency around cyber risk from regulated entities, in an effort to become de facto enforcers of security standards. The SEC’s proposal contains over twenty pages detailing the elements of the policies and procedures these entities would be required to implement, including risk assessment, user security and access, information protection, threat and vulnerability management, and incident response and recovery. Although there is a period for public comment, regulated entities would do well to begin reviewing these elements now, because even with some amendments, the SEC can be expected to enact the substance of these proposed rules.
The proposed rules have potential implications for cyber liability insurance, as most policies contain coverage for regulatory proceedings. However, as an investment advisory errors and omissions (“E&O”) policy may also offer regulatory coverage, it is important to consider how these two coverages might interplay in the event of an inquiry by the SEC.
First, Gensler proposed that investors who acquire at least a 5% stake in a company must disclose this position within five days. He also recommended that amendments to such filings be provided within one business day, as they have a material impact on the company’s share price. Lastly, Gensler proposed shortening alternative filings for investors with no intention of exerting control over a company to five days. The proposed changes are intended to prevent some market participants, such as activist investors, from having certain advantages in the trading environment that tend to create an imbalance with other shareholders. The proposal also expands regulations concerning derivative securities and their reporting obligations, amongst other changes.
While technological advances have made shorter deadlines more feasible, the proposal drew dissent from SEC Commissioner Hester Peirce. Peirce noted that the purpose of longer deadlines was to balance the shareholders’ needs to learn about a potential change in company control against investors’ needs to keep their strategies private. The ability to comment on the proposal will remain open through April 2022 and a vote on a final version is expected to take place later this year.

| Director/Officer | Role | Company |
| --- | --- | --- |
| Charles Strongo | CEO, CFO | Global Wholehealth Partners Corp. |
| James Velissaris | Chief Investment Officer | Infinity Q Capital Management |

| Amount | Director/Officer | Role | Company |
| --- | --- | --- | --- |
| $1,392,000.00 | Martin Shkreli | CEO | Retrophin, Inc. |