
ECI
SEC Cybersecurity Requirements for Asset Managers
Pages
6
Time to read
5 mins
Publication
Language
English

This guide outlines the top four cybersecurity requirements set forth by the SEC for asset managers as part of a new compliance regime. The first requirement emphasizes the need for asset managers to design and implement comprehensive cybersecurity policies and procedures that are tailored to their specific needs. This includes conducting annual cybersecurity assessments and preparing an annual written report. The second requirement mandates the reporting of certain cybersecurity incidents to the SEC within 48 hours, particularly those that impair critical operations or harm investors. The third requirement involves disclosing cybersecurity risks and incidents to investors through Form ADV Part 2A Brochure, including material risks and incidents from the past two fiscal years. Lastly, the fourth requirement establishes a recordkeeping obligation that necessitates the retention of relevant documents for five years, expanding existing rules to encompass all cybersecurity-related documentation. The guide provides legal and IT tips to assist asset managers in meeting these obligations effectively.