Download:
pdf |
pdfNEW OMB CONTROL NUMBER: 3235-XXXX
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Rule 204-6
A.
JUSTIFICATION
1.
Necessity for the Information Collection
On February 9, 2022, the Commission proposed rules related to cybersecurity risk
management for registered investment advisers, registered investment companies, and business
development companies as well as amendments to certain rules that govern investment adviser
and fund disclosures under the Investment Advisers Act of 1940 and the Investment Company
Act of 1940 (“Investment Company Act”). 1 The proposed rules and amendments are designed to
enhance the cybersecurity hygiene and preparedness of advisers and funds and improve their
resilience against cybersecurity threats and attacks, while also improving the cybersecurityrelated disclosures advisory clients and fund investors receive and enhancing the Commission’s
ability to oversee advisers and funds and assess systemic risks.
The Commission proposed new rule 204-6 (“rule 204-6”) under the Investment Advisers
Act to require advisers to report on new Form ADV-C a significant adviser cybersecurity
incident or a significant fund cybersecurity incident. Rule 204-6 would define a significant
adviser cybersecurity incident as a cybersecurity incident, or a group of related incidents, that
significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the
adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser
information, where the unauthorized access or use of such information results in: (1) substantial
harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose
1
15 U.S.C. 80a-1 et seq.; Cybersecurity Risk Governance and Incident Disclosure, Securities Act Release
No. 11028 (Feb. 9, 2022) available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf
(“Cybersecurity Risk Governance and Incident Disclosure Proposal”).
1
information was accessed. 2 Proposed rule 204-6 would also require advisers to amend promptly
any previously filed Form ADV-C in the event information reported on the form becomes
materially inaccurate; if new material information about a previously reported incident is
discovered; and after resolving a previously reported incident or closing an internal investigation
pertaining to pertaining to a previously disclosed incident.
The paperwork burdens associated with proposed Form ADV-C are not included in this
collection of information for rule 204-6 and thus proposed Form ADV-C has a separate
collection of information submission.
2.
Purpose and Use of the Information Collection
The purpose of the information collection requirements in rule 204-6 is to help the
Commission in its effort to protect investors in connection with cybersecurity incidents by
providing prompt notice of these incidents to the Commission. This information collection
would allow the Commission and its staff to understand the nature and extent of a particular
cybersecurity incident and the firm’s response to the incident.
This information collection would not only help the Commission monitor and evaluate
the effects of the cybersecurity incident on an adviser and its clients or a fund and its investors,
but also assess the potential systemic risks affecting financial markets more broadly. This
collection of information would also help the Commission’s examination and oversight program
efforts in identifying patterns and trends across registrants regarding such incidents.
2
See proposed rule 204-6(b).
2
3.
Consideration Given to Information Technology
Rule 204-6 requires the electronic filing of Form ADV-C with the Commission through
the Investment Adviser Registration Depository (“IARD”) platform. The IARD platform is an
Internet-based system that investment advisers access through computers in their offices, without
the need for specialized software or hardware. The information advisers submit to the IARD is
stored in a database. Collecting information electronically through the IARD platform is
designed to reduce the regulatory burden upon investment advisers by providing a convenient
portal for quickly transmitting reports and filings.
4.
Duplication
The collection of information requirements of rule 204-6 are not duplicated elsewhere.
While the proposed amendments to Form ADV requiring advisers to provide clients and
prospective clients with information regarding an adviser’s cybersecurity risks and significant
cybersecurity incidents that have occurred in the past two years may require firms to summarize
certain topics also subject to collection of information under rule 204-6, rule 204-6 has a distinct
purpose to help the Commission monitor and evaluate the effects of the cybersecurity incident on
an adviser and its clients or a fund and its investors and assess the potential systemic risks
affecting financial markets more broadly. The Commission periodically evaluates rule-based
reporting and recordkeeping requirements for duplication, and reevaluates these requirements
whenever it adopts amendments to its rules.
3
5.
Effect on Small Entities
Advisers, regardless of their size, are subject to the requirements of rule 204-6.
Reporting of significant adviser cybersecurity incidents and significant fund cybersecurity
incidents is essential for advisers of all sizes. Because the protections of the Advisers Act are
intended to apply equally to retail investor clients of both large and small firms, it would be
inconsistent with the purposes of the Advisers Act to specify differences for small entities under
the new requirements. Thus, rule 204-6 does not inappropriately burden small entities. The
Commission believes that it could not adjust the rule to lessen the burden on small entities of
complying with the rule without jeopardizing the interests of investors. The Commission
reviews all rules periodically, as required by the Regulatory Flexibility Act, to identify methods
to minimize recordkeeping or reporting requirements affecting small businesses.
6.
Consequences of Not Conducting Collection
Less frequent information collection would be incompatible with the objectives of rule
204-6. The collection of information is necessary to ensure that the Commission promptly
receives information regarding significant adviser cybersecurity incidents and significant fund
cybersecurity incidents. The consequences of not collecting this information would be that the
Commission may not have the information needed to protect investors, to monitor and evaluate
the effects of the cybersecurity incident, and to assess any potential systemic risks affecting
financial markets more broadly.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
This collection is not inconsistent with 5 CFR 1320.5(d)(2).
4
8.
Consultation Outside the Agency
The Commission and the staff of the Division of Investment Management participate in
an ongoing dialogue with representatives of the investment management industry through public
conferences, meetings, and informal exchanges. These various forums provide the Commission
and staff with a means of ascertaining and acting upon paperwork burdens confronting the
industry. In addition, the Commission has requested public comment on rule 204-6, including the
collection of information requirements resulting from the proposed rule. Before adopting the
rule, the Commission will receive and evaluate public comments on the proposed rule and its
associated collection of information requirements.
9.
Payment or Gift
No payment or gift to respondents was provided.
10.
Confidentiality
Responses to the information collection will be kept confidential to the extent permitted
by law. Rule 204-6 would require disclosure of non-public information, the public disclosure of
which could adversely affect advisers (and advisory clients) and funds (and their investors).
Keeping information related to a cybersecurity incident confidential may serve to guard against
the premature release of sensitive information, while still allowing the Commission to have early
notice of the cybersecurity incident.
5
11.
Sensitive Questions
Rule 204-6 elicits non-public information about private funds and their trading strategies,
the public disclosure of which could adversely affect the funds and their investors. A System of
Records Notice that covers the collection of information has been published in the Federal
Register at 83 FR 6892 and can also be found at
http://www.sec.gov/about/privacy/secprivacyoffice.htm. Instructions for obtaining the Privacy
Impact Assessment for IARD can be found at
http://www.sec.gov/about/privacy/secprivacyoffice.htm.
12.
Burden of Information Collection
The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 3 and are not derived from a comprehensive or even
representative survey or study of the costs of Commission rules.
Rule 204-6 would require investment advisers to report on new Form ADV-C a
significant adviser cybersecurity incident or a significant fund cybersecurity incident. The
respondents to this collection of information are investment advisers registered or required to be
registered with the Commission. This requirement is mandatory, and all registered investment
advisers will be subject to the requirements of the proposed rule. Responses provided to the
Commission would be kept confidential subject to the provisions of applicable law. This
collection of information would help the Commission’s examination and oversight program
efforts in identifying patterns and trends across registrants regarding such incidents. As of
3
44 U.S.C. 3501 et seq.
6
October 31, 2021, there were 14,774 registered advisers that would be subject to this reporting
requirement. The table below summarizes the initial and ongoing annual burden and cost
estimates associated with the proposed rule’s reporting requirement.
Table 1: Burden Estimates for Rule 204-6
Internal
initial
burden
hours
Annual external
cost burden
Internal
annual
burden hours
Wage rate
Internal time costs
PROPOSED ESTIMATES
Making a determination of
significant cybersecurity
incident
Amending Form ADV-C as
required (e.g., if any of the
information previously filed on
Form ADV-C becomes
materially inaccurate)
3 hours
3 hours
1
1 hour
1 hour
×
$353 (blended rate for
assistant general counsel,
compliance manager and
systems analyst)
$1,059
x
$396 (blended rate for
assistant general counsel
and compliance
manager)
$396
Total new annual burden per
adviser
4 hours
$1,455
Number of advisers
× 14,774
× 14,774
$1,4882
$4963
$1,984
× 14,774
Total new aggregate annual
$29,311,616
59,096 hours
$21,496,170
burden
Notes:
1. Includes initial burden estimates annualized over a three-year period, plus 2 ongoing annual burden hours. The estimate of 6 hours is based on
the following calculation: ((3 initial hours /3) + 2 additional ongoing burden hours) = 3 hours.
2. This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation. The Commission’s estimates of the relevant wage rates
are based on salary information for the securities industry compiled by Securities Industry and Financial Markets Association’s Office Salaries in
the Securities Industry 2013, as modified by Commission staff for 2020. The estimated figures are modified by firm size, employee benefits,
overhead, and adjusted to account for the effects of inflation.
3. This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.
13.
Cost to Respondents
Cost burden is the cost of goods and services purchased to meet the requirements of rule 2046, such as for the services of outside counsel. The cost burden does not include the hour burden
discussed in Item 12 above. Estimates are based on the Commission’s experience.
7
As summarized in Table 1 above, Commission staff estimates that the annual cost of outside
services associated with rule 204-6 is approximately $1,984 per adviser and the total annual
external cost burden for rule 204-6 is $29,311,616.
14.
Cost to the Federal Government
There are no costs to the government directly attributable to the rule.
15.
Change in Burden
New collection.
16.
Information Collection Planned for Statistical Purposes
Not applicable.
17.
Approval to Omit OMB Expiration Date
The Commission is not seeking approval to omit the expiration date for OMB approval.
18.
Exceptions to Certification Statement for Paperwork Reduction Act
Submission
Not applicable.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
8
File Type | application/pdf |
File Modified | 2022-05-23 |
File Created | 2022-05-23 |