Rule 38a-2 (17 C.F.R 270.38a-2) under the Investment Company Act of 1940

ICR 202203-3235-022

OMB: 3235-0786

Federal Form Document

Forms and Documents

Document Name	Status
Rule 38a-2 (P-Cyber) Supporting Statement.pdf Supporting Statement A	2022-03-22

IC Document Collections

IC ID	Document Title	Status
252326	Rule 38a-2 (17 C.F.R 270.38a-2) under the Investment Company Act of 1940	New

ICR Details

OMB Control No:	ICR Reference No: 202203-3235-022
Status: Received in OIRA	Previous ICR Reference No:
Agency/Subagency: SEC	Agency Tracking No: IM-270-
Title: Rule 38a-2 (17 C.F.R 270.38a-2) under the Investment Company Act of 1940
Type of Information Collection: New collection (Request for a new OMB Control Number)	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 03/24/2022

	Requested	Previously Approved
Expiration Date	36 Months From Approved
Responses	14,749	0
Time Burden (Hours)	471,968	0
Cost Burden (Dollars)	51,212,000	0

Abstract: Proposed rule 38a-2 would require registered investment companies and business development companies to adopt and implement cybersecurity-related compliance policies and procedures, to review those policies and procedures annually, and to maintain certain records.

Authorizing Statute(s): US Code: 15 USC 80a-30(a) Name of Law: Investment Company Act of 1940: Maintenance of Records
US Code: 15 USC 80a-37(a) Name of Law: Investment Company Act of 1940: Powers of Commission

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
3235-AN08	Proposed rulemaking	87 FR 13524	03/09/2022

Federal Register Notices & Comments
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 1

IC Title	Form No.	Form Name
Rule 38a-2 (17 C.F.R 270.38a-2) under the Investment Company Act of 1940

ICR Summary of Burden

	Total Request	Change Due to Agency Discretion
Annual Number of Responses	14,749	14,749
Annual Time Burden (Hours)	471,968	471,968
Annual Cost Burden (Dollars)	51,212,000	51,212,000

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: The estimated annual burden hours associated with proposed rule 38a-2, if adopted, would be 471,968 hours. In addition, the external cost burden associated with rule 38a-2 would be $51,212,000. These annual burden hours and external cost burden are due to the requirements in proposed rule 38a-2 to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks; review at least annually the design and effectiveness of those policies and procedures; prepare and provide to the fund’s board a written report; and keep records related to the policies and procedures, written reports, annual review, and any reports provided to the Commission.

Annual Cost to Federal Government:

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Y. Rachel Kuo 202 551-3589

Common Form ICR: No