The SEC's Cybersecurity Rules for Investment Advisers: What You Need to Have in Place

2025 · 9 min read · Cybersecurity · SEC · Compliance

In August 2023, the SEC adopted significant new cybersecurity rules that apply directly to registered investment advisers and registered investment companies. These rules — including Rule 206(4)-9 under the Investment Advisers Act — impose substantive requirements for cybersecurity risk management, governance, and incident reporting that go well beyond the general obligations that existed under prior guidance. Investment advisers that have not yet fully assessed and addressed their compliance obligations under these rules face meaningful regulatory and reputational risk.

This article outlines the key requirements of the SEC's cybersecurity rules for investment advisers and identifies the specific compliance elements your firm must have in place.

Mandatory Written Cybersecurity Policies and Procedures

Rule 206(4)-9 requires registered investment advisers to adopt and implement written cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks. This is a substantive requirement — not simply a directive to "have a policy." The SEC expects that these policies and procedures will be tailored to the adviser's specific operations, risk profile, and the nature of the client data and systems it maintains.

The rule identifies specific areas that the policies and procedures must address:

  • Risk assessment. Policies must address the process for assessing cybersecurity risks to the adviser's information systems, including risks arising from service provider relationships. This assessment should be documented and updated periodically or when material changes occur.
  • User security and access controls. Policies must address controls governing which individuals have access to adviser information systems and data, including requirements for authentication, the principle of least privilege, and procedures for terminating access when individuals leave the firm or change roles.
  • Information protection. Policies must address how the adviser protects adviser information from unauthorized access or use, including encryption standards, data classification, and data retention and disposal procedures.
  • Threat and vulnerability management. Policies must address how the adviser detects, mitigates, and remediates cybersecurity threats and vulnerabilities, including patch management, vulnerability scanning, and penetration testing practices.
  • Incident response and recovery. Policies must include a defined incident response plan that establishes procedures for detecting, responding to, and recovering from cybersecurity incidents. The plan should identify response roles and responsibilities, communication protocols, and procedures for assessing material impact and triggering notification obligations.

Cybersecurity Incident Reporting to the SEC

One of the most operationally significant new requirements is the obligation to report certain cybersecurity incidents to the SEC. Advisers must promptly report — within 48 hours of a reasonable belief — any significant cybersecurity incident affecting the adviser itself or any fund it manages to the SEC through Form ADV-C. A "significant cybersecurity incident" is broadly defined and includes incidents that significantly disrupt or degrade the adviser's ability to maintain critical operations, or that lead to unauthorized access to or use of adviser information, resulting in substantial harm to the adviser or its clients or funds.

"The 48-hour notification window is an aggressive timeline that requires advisers to have incident detection capabilities, pre-established escalation procedures, and pre-drafted notification language ready before an incident occurs — not after."

This reporting obligation requires advisers to:

  • Have technical capabilities in place to detect significant incidents within a timeframe that allows 48-hour reporting
  • Define internal escalation procedures and authority — who can determine that an incident is "significant" and who has authority to file the Form ADV-C notification
  • Maintain draft Form ADV-C language and filing procedures so that the mechanics of notification can be executed quickly under pressure
  • Establish criteria for assessing whether an incident meets the significance threshold, and document that assessment contemporaneously

Annual Review of Cybersecurity Policies and Procedures

Similar to the annual compliance review required under Rule 206(4)-7, the cybersecurity rules require advisers to review and assess whether their cybersecurity policies and procedures remain current and effective at least annually. This review must be documented. It should include an assessment of whether the policies adequately address the adviser's current risk profile, whether any changes in the business, technology environment, or threat landscape require updates, and whether identified gaps or deficiencies have been or are being remediated.

The annual cybersecurity review should not be a superficial exercise. Examiners reviewing cybersecurity compliance will look for evidence that the review was substantive — that it involved actual testing of controls, assessment of incident history, review of vendor security posture, and consideration of current threat intelligence — rather than a simple recirculation of existing policy documents.

Service Provider Oversight and Third-Party Risk

The SEC's cybersecurity rules reflect the agency's recognition that many significant cybersecurity incidents affecting investment advisers originate in their service provider relationships. Investment advisers routinely share client data and grant system access to a variety of third parties — custodians, technology vendors, outsourced CCO providers, cloud service providers, and others. Each of these relationships creates cybersecurity risk that the adviser is responsible for managing.

Your cybersecurity policies and procedures must address how you assess and manage the cybersecurity risks arising from your service provider relationships. This includes:

  • A process for identifying and inventorying service providers that have access to adviser systems or client data
  • Due diligence procedures for evaluating the cybersecurity practices of service providers before engaging them and on a periodic basis thereafter
  • Contractual provisions in service provider agreements that address cybersecurity requirements, incident notification obligations, and your right to audit or obtain security certifications
  • Escalation procedures for when a service provider experiences a cybersecurity incident that may affect your firm or its clients

Disclosure to Clients and Funds

Investment advisers are also required to disclose significant cybersecurity incidents to affected clients and to funds they advise. The disclosure must be provided in writing and must describe the incident, its nature and scope, and the potential or actual impact on the client or fund. Timing requirements vary: for fund clients, disclosure must be made as soon as reasonably practicable after the adviser reasonably believes a significant cybersecurity incident has occurred. For retail separately managed account clients, disclosure is required as soon as reasonably practicable.

Coordinate your client notification procedures with your SEC reporting procedures. The two processes will need to run concurrently in many incident scenarios, and having pre-prepared communication templates for both — along with clear internal authority for when and how to send them — is important for responding effectively under the time pressure that significant incidents create.

Building Implementation Readiness

Many investment advisory firms — particularly smaller and mid-size RIAs — have not yet fully implemented the technical and procedural infrastructure required to comply with these rules. The most common gaps are in incident detection capabilities (most small advisers do not have 24/7 monitoring), documented risk assessment processes, and third-party risk management programs. Addressing these gaps requires deliberate investment in both technical controls and compliance procedures.

Begin with a gap assessment that maps your current practices against each of the rule's requirements. Prioritize the gaps that create the most significant regulatory exposure — particularly around incident detection and reporting — and build a remediation roadmap with concrete deadlines and ownership. The SEC has been examining cybersecurity compliance in investment advisers consistently for several years, and firms that cannot demonstrate substantive compliance with the 2023 rules face increasing examination and enforcement risk as the rules become more fully embedded in examination practice.

Is Your Firm Ready for the SEC's Cybersecurity Rules?

CybSecWatch provides investment advisers with the cybersecurity compliance assessments, policies, and procedures they need to meet their regulatory obligations.
