Posted by Ray Gandy on Mar 16, 2022 5:53:10 PM

In a move to protect fund information, the Securities and Exchange Commission (SEC) recently proposed cybersecurity rules for registered fund advisors and investment companies. The updates to the Investment Advisers Act of 1940 would require a minimum set of cyber risk management protocols for registered funds, along with additional disclosure requirements for funds that experience an information security incident.

The proposal could also affect the cybersecurity protocols in place at private equity and venture capital firms. The following is what your firm needs to know about the proposed requirements.

Risk Assessments

Sound cybersecurity management often starts with the same question: how does the organization know if its information security approach addresses cybersecurity risks? The short answer is a current risk assessment.

A risk assessment process is baked into the proposed cybersecurity requirements for fund advisors. Specifically, registered fund advisors will need to demonstrate that they periodically assess, categorize, prioritize, and document the risks facing their information systems. They will also need to know the information being handled by service providers and the cybersecurity risks posed by those service providers.

To demonstrate a risk assessment has been conducted, fund advisors will need a written report of the risk assessment. The SEC recommends that this risk assessment be documented at least annually unless a more frequent interval is appropriate based on changes to business practices.

Policies & Procedures

The guidance provided for a registered fund advisor’s written cybersecurity policies is purposefully broad. In its proposed rules, the SEC acknowledged that fund advisors need room to tailor an approach that makes the most sense for their unique risk profile, business practices and organizational structure. The proposal does not, for example, prohibit the use of third-party resources to help design and implement appropriate cybersecurity strategies.

It does spell out certain characteristics that the registered advisor’s cybersecurity policies and procedures would need to have.

Reporting of Major Cybersecurity Incidents

Under the proposed rules, registered fund advisors would be required to report significant cybersecurity incidents to the SEC via a proposed Form ADV-C no later than 48 hours after the information security incident has been confirmed. The form would include information about the nature of the incident and the scope of the attack, and it would be updated if subsequent investigation uncovered new information.

Disclosure Requirements

Registered fund advisors would also be required to disclose information about the fund’s cybersecurity risks and incidents. By providing more structure and requirements to cybersecurity related disclosures, the SEC aims to increase transparency around information security risk and accountability.

What Comes Next

The SEC is accepting comments on the proposed rule change. For more information about how your fund could prepare for additional cybersecurity reporting requirements, contact a member of our team.


Ray Gandy is a Director and Leader of the IT Risk & Assurance Practice at CBIZ & MHM New England. He can be reached at rgandy@cbiz.com or 617.761.0722.

© Copyright 2022 CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting, or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
