Download:
pdf |
pdfNEW OMB CONTROL NUMBER: 3235-XXXX
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Rule 206(4)-9
A.
JUSTIFICATION
1.
Necessity for the Information Collection
On February 9, 2022, the Commission proposed rules related to cybersecurity risk
management for registered investment advisers, registered investment companies, and business
development companies as well as amendments to certain rules that govern investment adviser
and fund disclosures under the Investment Advisers Act of 1940 and the Investment Company
Act of 1940 (“Investment Company Act”). 1 The proposed rules and amendments are designed to
enhance the cybersecurity hygiene and preparedness of advisers and funds and improve their
resilience against cybersecurity threats and attacks, while also improving the cybersecurityrelated disclosures advisory clients and fund investors receive and enhancing the Commission’s
ability to oversee advisers and funds and assess systemic risks.
The Commission proposed new rule 206(4)-9 (“rule 206(4)-9”) under the Investment
Advisers Act to require advisers to adopt and implement written policies and procedures
reasonably designed to address cybersecurity risks. Rule 206(4)-9 enumerates certain general
elements that advisers would be required to address in their cybersecurity policies and
procedures including risk assessment, user security and access, information protection, threat and
vulnerability management, and cybersecurity incident response and recovery. Under the rule, an
adviser would also, at least annually: (1) review and assess the design and effectiveness of those
policies and procedures; and (2) prepare a written report that, at a minimum, describes the
1
15 U.S.C. 80a-1 et seq.; Cybersecurity Risk Governance and Incident Disclosure, Securities Act Release
No. 11028 (Feb. 9, 2022) available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf
(“Cybersecurity Risk Governance and Incident Disclosure Proposal”).
1
review, assessment, and any control tests performed, explains their results, documents any
cybersecurity incident that occurred since the date of the last report, and discusses any material
changes to the policies and procedures since the date of the last report. Finally, an adviser would
need to keep records related to the policies and procedures, written reports, annual review, and
any reports provided to the Commission.
2.
Purpose and Use of the Information Collection
The purpose of the information collection requirements in rule 206(4)-9 is to ensure that
advisers maintain comprehensive, written internal compliance programs that promote
cybersecurity hygiene and preparedness. The information collections also assist the
Commission’s examination staff in assessing the adequacy of advisers’ compliance programs.
3.
Consideration Given to Information Technology
Rule 206(4)-9 does not require the reporting of any information or the filing of any
documents with the Commission. Proposed amendments to rule 204-2, however, would require
an adviser maintain: (1) a copy of their cybersecurity policies and procedures formulated
pursuant to proposed rule 206(4)-9 that is in effect, or at any time within the past five years was
in effect; (2) a copy of the adviser’s written report documenting the annual review of its
cybersecurity policies and procedures pursuant to proposed rule 206(4)-9 in the last five years;
(3) a copy of any Form ADV-C filed by the adviser under rule 204-6 in the last 5 years; (4)
records documenting the occurrence of any cybersecurity incident, as defined in rule 206(4)-9(c),
occurring in the last five years, including records related to any response and recovery from such
2
an incident; and (5) records documenting any risk assessment conducted pursuant to the
cybersecurity policies and procedures required by rule 206(4)-9(a)(1) in the last five years. 2
4.
Duplication
Rule 206(4)-9 would impose a requirement that advisers have in place written
compliance policies and procedures on cybersecurity. Advisers also are subject to certain
requirements elsewhere in the federal securities laws that require them to maintain written
policies and procedures, including rule 206(4)-7 under the Investment Advisers Act. The staff
believes, however, that any duplication of recordkeeping requirements is limited, as rule 206(4)9 would require policies and procedures specific to cybersecurity. Moreover, rule 206(4)-9 does
not require advisers to maintain duplicate copies of records covered by these more targeted
requirements, and an adviser’s compliance policies and procedures are not required to be
maintained in a single location. The staff believes, therefore, that any duplication of regulatory
requirements does not impose significant additional costs on advisers. The Commission
periodically evaluates rule-based recordkeeping requirements for duplication and reevaluates
them whenever it proposes a rule or a change in a rule.
5.
Effect on Small Entities
Advisers, regardless of their size, are subject to the requirements of rule 206(4)-9.
Effective cybersecurity risk management is essential for advisers of all sizes. Rule 206(4)-9
affords advisers the flexibility to tailor their cybersecurity risk program to the nature of their
business. Small advisers, which generally have less complex and more limited operations, likely
2
See proposed rule 204-2(a)(17)(i) through (vii).
3
need less extensive cybersecurity risk programs than their larger counterparts. Thus, rule 206(4)9 does not inappropriately burden small entities. The Commission believes that it could not
adjust the rule to lessen the burden on small entities of complying with the rule without
jeopardizing the interests of investors. The Commission reviews all rules periodically, as
required by the Regulatory Flexibility Act, to identify methods to minimize recordkeeping or
reporting requirements affecting small businesses.
6.
Consequences of Not Conducting Collection
Less frequent information collection would be incompatible with the objectives of rule
206(4)-9. The annual reviews required under rule 206(4)-9 are integral to detecting and
correcting any gaps in the program before irrevocable or widespread harm is inflicted upon
investors, and extending the time between reviews increases the likelihood that such harm could
go unchecked.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
Rule 206(4)-9 requires advisers to maintain their internal compliance policies and
procedures and documents related to the annual review of those policies and procedures for at
least five years. Although this period exceeds the three-year guideline for most kinds of records
under 5 CFR 1320.5(d)(2)(iv), the staff believes that this is warranted because the rule
contributes to the effectiveness of the Commission’s examination and inspection program.
Because the period between examinations may be as long as five years, it is important that the
Commission have access to records that cover the entire period between examinations.
4
8.
Consultation Outside the Agency
The Commission and the staff of the Division of Investment Management participate in
an ongoing dialogue with representatives of the investment management industry through public
conferences, meetings, and informal exchanges. These various forums provide the Commission
and staff with a means of ascertaining and acting upon paperwork burdens confronting the
industry. In addition, the Commission has requested public comment on rule 206(4)-9, including
the collection of information requirements resulting from the proposed rule. Before adopting
these amendments, the Commission will receive and evaluate public comments on the proposed
amendments and their associated collection of information requirements.
9.
Payment or Gift
No payment or gift to respondents was provided.
10.
Confidentiality
If information collected pursuant to rule 206(4)-9 is reviewed by the Commission’s
examination staff, it will be accorded the same level of confidentiality accorded to other
responses provided to the Commission in the context of its examination and oversight program.
11.
Sensitive Questions
No information of a sensitive nature is required under this collection of information. The
information collection does not collect personally identifiable information (PII). The agency has
determined that a system of records notice (SORN) and privacy impact assessment (PIA) are not
required in connection with the collection of information.
5
12.
Burden of Information Collection
The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 3 and are not derived from a comprehensive or even
representative survey or study of the costs of Commission rules.
Proposed rule 206(4)-9 would require an adviser to adopt and implement written policies
and procedures reasonably designed to address cybersecurity risks. Each requirement to disclose
information, offer to provide information, or to adopt policies and procedures constitutes a
collection of information requirement under the Paperwork Reduction Act. The respondents to
these collection of information requirements would be investment advisers that are registered or
required to be registered with the Commission. As of October 31, 2021, there were 14,774
investment advisers registered with the Commission. These requirements are mandatory, and all
registered investment advisers would be subject to the requirements of the proposed rule.
Responses provided to the Commission in the context of its examination and oversight program
concerning proposed rule 206(4)-9 would be kept confidential subject to the provisions of
applicable law. The table below summarizes the initial and ongoing annual burden and cost
estimates associated with the proposed rule.
3
44 U.S.C. 3501 et seq.
6
Table 1: Burden Estimates for Rule 206(4)-9
Internal
initial
burden
hours
Internal
annual burden
hours1
Wage rate2
Internal time costs
Annual external
cost burden
PROPOSED RULE 206(4)-9 ESTIMATES
Adopting and implementing
policies and procedures3
Annual review of policies and
procedures and report of
review
50 hours
21.67 hours4
$396
$8,581.32
(blended rate for
compliance attorney and
assistant general
counsel)
0 hours
10 hours6
$396
$1,4885
$3,960
(blended rate for
compliance attorney and
assistant general
counsel)
$1,9847
Total new annual burden per
adviser
31.67 hours
$12,541.32
Number of advisers
× 14,774
× 14,774
$3,472
× 14,774
Total new annual aggregate
320,152.58
$51,295,328
$185,285,462
burden
hours
Notes:
1. Includes initial burden estimates annualized over a 3-year period.
2. The Commission’s estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities
Industry and Financial Markets Association’s Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2020 (
“SIFMA Wage Report”). The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of
inflation.
3. Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 25 hours is based
on the following calculation: ((60 initial hours /3) + 5 additional ongoing burden hours) = 25 hours.
4. This estimated burden is based on the estimated wage rate of $496/hour, for 12 hours, for outside legal services.
The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
5. Includes initial burden estimates annualized over a three-year period, plus 8 ongoing annual burden hours. The estimate of 6 hours is based on
the following calculation: ((9 initial hours /3) + 3 additional ongoing burden hours) = 6 hours.
6. This estimated burden is based on the estimated wage rate of $496/hour, for 2 hours, for outside legal services. See supra footnote 4
(regarding wage rates with respect to external cost estimates).
7. Includes all registered investment companies, plus BDCs.
13.
Cost to Respondents
Cost burden is the cost of goods and services purchased to meet the requirements of rule
206(4)-9, such as for the services of outside counsel. The cost burden does not include the hour
burden discussed in Item 12 above. Estimates are based on the Commission’s experience.
As summarized in Table 1 above, Commission staff estimates that the annual cost of outside
services associated with rule 206(4)-9 is approximately $3,472 per adviser and the total annual
external cost burden for rule 206(4)-9 is $51,295,328.
7
14.
Cost to the Federal Government
Rule 206(4)-9 does not impose a cost on the federal government. Rule 206(4)-9 does not
require advisers to file any documents with the Commission. However, the Commission staff
may records produced pursuant to the rule in order to assist the Commission in carrying out its
examination and oversight program.
15.
Change in Burden
New collection.
16.
Information Collection Planned for Statistical Purposes
The results of any information collection will not be published.
17.
Approval to Omit OMB Expiration Date
The Commission is not seeking approval to omit the expiration date for OMB approval.
18.
Submission
Exceptions to Certification Statement for Paperwork Reduction Act
The Commission is not seeking an exception to the certification statement.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
The collection of information will not employ statistical methods.
8
File Type | application/pdf |
File Modified | 2022-05-23 |
File Created | 2022-05-23 |