Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, 16921-16922 [2023-05766]
[Federal Register Volume 88, Number 54 (Tuesday, March 21, 2023)]
[Proposed Rules]
[Pages 16921-16922]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05766]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
Federal Register / Vol. 88, No. 54 / Tuesday, March 21, 2023 /
Proposed Rules
[[Page 16921]]
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 230, 232, 239, 270, 274, 275, and 279
[Release Nos. 33-11167; 34-97144; IA-6263; IC-34855; File No. S7-04-22]
RIN 3235-AN08
Cybersecurity Risk Management for Investment Advisers, Registered
Investment Companies, and Business Development Companies; Reopening of
Comment Period
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule; reopening of comment period.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
reopening the comment period for a release (``Investment Management
Cybersecurity Release'') proposing new rules under the Investment
Advisers Act of 1940 (``Advisers Act'') and the Investment Company Act
of 1940 (``Investment Company Act'') that would require registered
investment advisers (``advisers'') and investment companies (``funds'')
to adopt and implement written cybersecurity policies and procedures
reasonably designed to address cybersecurity risks, disclose
information about cybersecurity risks and incidents, report information
confidentially to the Commission about certain cybersecurity incidents,
and maintain related records. Reopening the comment period for the
Investment Management Cybersecurity Release will allow interested
persons additional time to analyze the issues and prepare their
comments in light of other regulatory developments on cybersecurity.
DATES: The comment period for the proposed rules published in the
Federal Register on March 9, 2022, at 87 FR 13524 is reopened. Comments
should be received on or before May 22, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/submitcomments.htm); or
Send an email to rule-comments@sec.gov. Please include
File Number S7-04-22 on the subject line.
Paper Comments
Send paper comments to Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-04-22. The file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549, on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change; the Commission does not edit personal
identifying information from submissions. You should submit only
information that you wish to make available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's website. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Alexis Palascak, Senior Counsel;
Christopher Staley, Branch Chief; or Melissa Roverts Harke, Assistant
Director, Investment Adviser Regulation Office, Division of Investment
Management, (202) 551-6787 or IArules@sec.gov; Y. Rachel Kuo, Senior
Counsel; Sara Cortes, Special Senior Counsel; or Brian McLaughlin
Johnson, Assistant Director, Investment Company Regulation Office,
Division of Investment Management, (202) 551-6792 or IM-Rules@sec.gov;
or David Joire, Senior Special Counsel, Chief Counsel's Office,
Division of Investment Management, (202) 551-6825 or IMOCC@sec.gov,
Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549-8549.
SUPPLEMENTARY INFORMATION:
I. Background
The Commission has proposed rules 206(4)-9 under the Advisers Act
and 38a-2 under the Investment Company Act that would require advisers
and funds to adopt and implement cybersecurity policies and procedures
addressing a number of elements in the Investment Management
Cybersecurity Release.\1\ The Investment Management Cybersecurity
Release also includes amendments to adviser and fund disclosure
requirements to provide current and prospective advisory clients and
fund shareholders with improved information regarding cybersecurity
risks and cybersecurity incidents. In addition, the proposal would
require advisers to report significant cybersecurity incidents
affecting the adviser, or its fund or private fund clients, to the
Commission on a confidential basis. Finally, the proposal would require
advisers and funds to maintain certain records related to the proposed
cybersecurity risk management rules. The original comment period for
the Investment Management Cybersecurity Release ended on April 11,
2022.
---------------------------------------------------------------------------
\1\ See Cybersecurity Risk Management for Investment Advisers,
Registered Investment Companies, and Business Development Companies,
Securities Act Rel. No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9,
2022)].
---------------------------------------------------------------------------
The Commission is proposing other rules and amendments on
cybersecurity issues.\2\ In the Regulation S-P: Privacy of Consumer
Financial Information and Safeguarding Customer Information Release
(``Regulation S-P Release''), the Commission is proposing rule
[[Page 16922]]
amendments that would require brokers and dealers, investment
companies, and investment advisers registered with the Commission to
adopt written policies and procedures for incident response programs to
address unauthorized access to or use of customer information,
including procedures for providing timely notification to individuals
affected by an incident involving sensitive customer information with
details about the incident and information designed to help affected
individuals respond appropriately.\3\ The Commission also is proposing
to broaden the scope of information covered by amending requirements
for safeguarding customer records and information, and for properly
disposing of consumer report information. In addition, the proposed
amendments would extend the application of the safeguards provisions to
transfer agents. The proposed amendments would also include
requirements to maintain written records documenting compliance with
the proposed amended rules. Finally, the proposed amendments would
conform annual privacy notice delivery provisions to the terms of an
exception provided by a statutory amendment to the Gramm-Leach-Bliley
Act.
---------------------------------------------------------------------------
\2\ We note that the Commission also proposed rules and
amendments regarding an adviser's obligations with respect to
outsourcing certain categories of ``covered functions,'' including
cybersecurity. See Outsourcing by Investment Advisers, Investment
Advisers Act Rel. No. 6176 (Oct. 26, 2022), [87 FR 68816 (Nov. 16,
2022)]. We encourage commenters to review that proposal to determine
whether it might affect comments on the Investment Management
Cybersecurity Release.
\3\ See Regulation S-P: Privacy of Consumer Financial
Information and Safeguarding Customer Information, Exchange Act Rel.
No. 97141 (Mar. 15, 2023).
---------------------------------------------------------------------------
In the Cybersecurity Risk Management Rule for Broker-Dealers,
Clearing Agencies, Major Security-Based Swap Participants, the
Municipal Securities Rulemaking Board, National Securities
Associations, National Securities Exchanges, Security-Based Swap Data
Repositories, Security-Based Swap Dealers, and Transfer Agents Release
(``Cybersecurity Release''), the Commission is proposing a new rule and
form and amendments to existing recordkeeping rules to require broker-
dealers, clearing agencies, major security-based swap participants, the
Municipal Securities Rulemaking Board, national securities
associations, national securities exchanges, security-based swap data
repositories, security-based swap dealers, and transfer agents to
address cybersecurity risks through policies and procedures, immediate
notification to the Commission of the occurrence of a significant
cybersecurity incident and, as applicable, reporting detailed
information to the Commission about a significant cybersecurity
incident, and public disclosures that would improve transparency with
respect to cybersecurity risks and significant cybersecurity
incidents.\4\ In addition, the Commission is proposing amendments to
existing clearing agency exemption orders to require the retention of
records that would need to be made under the proposed cybersecurity
requirements. Finally, the Commission is proposing amendments to
address the potential availability to security-based swap dealers and
major security-based swap participants of substituted compliance in
connection with those requirements.
---------------------------------------------------------------------------
\4\ See Cybersecurity Risk Management Rule for Broker-Dealers,
Clearing Agencies, Major Security-Based Swap Participants, the
Municipal Securities Rulemaking Board, National Securities
Associations, National Securities Exchanges, Security-Based Swap
Data Repositories, Security-Based Swap Dealers, and Transfer Agents,
Exchange Act Rel. No. 97142 (Mar. 15, 2023).
---------------------------------------------------------------------------
In the Regulation Systems Compliance and Integrity Release
(``Regulation SCI Release,'' and together with the Regulation S-P and
Cybersecurity Releases, the ``Related Proposals''), the Commission is
proposing amendments to Regulation Systems Compliance and Integrity
(``Regulation SCI'') under the Securities Exchange Act of 1934.\5\ The
proposed amendments would expand the definition of ``SCI entity'' to
include a broader range of key market participants in the U.S.
securities market infrastructure, and update certain provisions of
Regulation SCI to take account of developments in the technology
landscape of the markets since the adoption of Regulation SCI in 2014.
The proposed expansion would add the following entities to the
definition of ``SCI entity'': registered security-based swap data
repositories; registered broker-dealers exceeding an asset or
transaction activity threshold; and additional clearing agencies
exempted from registration. The proposed updates would amend provisions
of Regulation SCI relating to: (i) systems classification and lifecycle
management; (ii) third party/vendor management; (iii) cybersecurity;
(iv) the SCI review; (v) the role of current SCI industry standards;
and (vi) recordkeeping and related matters. Further, the Commission is
requesting comment on whether significant-volume ATSs and/or broker-
dealers using electronic or automated systems for trading of corporate
debt securities or municipal securities should be subject to Regulation
SCI. The comment period for each of the Related Proposals ends May 22,
2023.
---------------------------------------------------------------------------
\5\ See Regulation Systems Compliance and Integrity, Exchange
Act Rel. No. 97143 (Mar. 15, 2023).
---------------------------------------------------------------------------
II. Reopening of the Comment Period
The Commission is reopening the comment period for the proposed
rules so that commenters may consider whether there would be any
effects of the Related Proposals that the Commission should consider in
connection with the proposed rules. Therefore, the Commission is
reopening the comment period for Release No. 33-11028 ``Cybersecurity
Risk Management for Investment Advisers, Registered Investment
Companies, and Business Development Companies'' until May 22, 2023.
By the Commission.
Dated: March 15, 2023.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-05766 Filed 3-20-23; 8:45 am]
BILLING CODE 8011-01-P