SEC Cyber Rule for Advisors vs. the Public Disclosure Rule

How the April 2024 SEC Cyber Rule differs from the Public Disclosure Rule, and what it means for you as an Alternative Asset Manager.  

What you need to know – How the SEC Cyber Rule differs from the Public Disclosure Rule.

To help you prepare for the new cyber rule, let’s answer three essential questions regarding this new SEC Cyber Rule and how it is different from the existing Public Disclosure Rules: 

  1. What are SEC Rule 206(4)-9, Rule 38a-2, and Amendments of 204-2, and who are they for?

The new SEC cyber rule primarily aims to require Registered Advisers and Alternative Asset Managers to “adopt and implement written policies and procedures reasonably designed to address cybersecurity risks.”  

Other key aspects of the rule include: 

  • Enhancing cybersecurity disclosures from Advisers and Managers. 
  • Requiring Advisers and Managers to maintain, create, and retain cybersecurity books and rules. 
  • Requiring Advisers and Managers to report significant cybersecurity incidents to the SEC. 

Read: SEC Factsheet on Cybersecurity Risk Management under the Investment Advisers Act

Download: SEC Cyber Rule Preparation Checklist

  2. What is the Public Disclosure Rule?

Compared to the new cyber rule for Registered Advisers and Alternative Asset Managers, the Public Company Cybersecurity Disclosures rule (aka the “Public Disclosure Rule”) is a broader piece of legislation focused on the disclosure of cybersecurity incidents by public companies across all industries.

As part of the Public Disclosure Rule, all registered public companies must disclose the nature, scope, and timing of a cybersecurity incident, as well as the material impact of the incident. Public companies are also required to report cyber incidents within their 10-K reports.

Read: SEC Factsheet on Public Company Cybersecurity Disclosures; Final Rules 

  3. What are the similarities and differences between these two SEC rules?

While both rules require detailed disclosures of cybersecurity incidents, the new SEC rule is designed specifically to address cybersecurity threats relevant to Registered Advisers and Alternative Asset Managers.

Compared to the new cyber rule, the Public Company Cybersecurity Disclosures rule focuses more heavily on enhancing and standardizing cybersecurity disclosures for risk management, strategy, governance, and material cybersecurity incidents for public companies.  

Additionally, the Public Disclosure Rule covers a broader spectrum of registrants, while the new cyber rule focuses specifically on requiring cybersecurity disclosure adoption from Advisors and Managers.  

Why this is important – The time to prepare for the SEC Cyber Rule final action date is now.

The final action date for the SEC Cyber Rule for registered advisors and funds is scheduled for sometime in April 2024.

To minimize the work required for the new SEC Cybersecurity Rule, a proactive approach is critical. Firms that have completed a Drawbridge Cyber Risk Assessment also have access to Drawbridge Analytics that maps the fundamental controls to SEC cyber requirements. Quickly and easily get a comprehensive list of remediations that will help you meet SEC cyber requirements.   

Request a 30-minute demo of Drawbridge Analytics today.  
