Download:
pdf |
pdfOMB CONTROL NUMBER: 3235-xxxx
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Rule 38a-1
A.
JUSTIFICATION
1.
Necessity for the Information Collection
On February 9, 2022, the Commission proposed rules related to cybersecurity risk
management for registered investment advisers, as well as for registered investment companies
and business development companies (together, “funds”), and also proposed amendments to
certain rules that govern investment adviser and fund disclosures under the Investment Advisers
Act of 1940 and the Investment Company Act of 1940 (“Investment Company Act”). 1 The
proposed rules and amendments are designed to enhance the cybersecurity hygiene and
preparedness of advisers and funds and improve their resilience against cybersecurity threats and
attacks, while also improving the cybersecurity-related disclosures advisory clients and fund
investors receive and enhancing the Commission’s ability to oversee advisers and funds and
assess systemic risks.
The Commission proposed new rule 38a-2 under the Investment Company Act (“rule
38a-2”) to require funds to adopt and implement written policies and procedures reasonably
designed to address cybersecurity risks. Proposed rule 38a-2 enumerates certain general elements
that advisers and funds would be required to address in their cybersecurity policies and
procedures including risk assessment, user security and access, information protection, threat and
1
15 U.S.C. 80a-1 et seq.; Cybersecurity Risk Governance and Incident Disclosure, Securities Act Release
No. 11028 (Feb. 9, 2022) available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf
(“Cybersecurity Risk Governance and Incident Disclosure Proposal”).
1
�vulnerability management, and cybersecurity incident response and recovery. Under the rule, a
fund would also, at least annually: (1) review and assess the design and effectiveness of those
policies and procedures; and (2) prepare and provide to the fund’s board a written report. It
would also require a fund’s board of directors, including a majority of its independent directors,
initially to approve the fund’s cybersecurity policies and procedures, as well as to review the
annual written report. Finally, a fund would need to keep records related to the policies and
procedures, written reports, annual review, and any reports provided to the Commission.
2.
Purpose and Use of the Information Collection
The purpose of the information collection requirements in proposed rule 38a-2 is to
ensure that funds maintain comprehensive, written internal compliance programs that promote
cybersecurity hygiene and preparedness. The information collections also would assist the
Commission’s examination staff in assessing the adequacy of funds’ compliance programs.
3.
Consideration Given to Information Technology
Proposed rule 38a-2 does not require the reporting of any information or the filing of any
documents with the Commission. Rule 38a-2 would require that a fund maintain: (1) a copy of
its cybersecurity policies and procedures that are in effect, or at any time within the last five
years were in effect; (2) copies of written reports provided to its board; (3) records documenting
the fund’s annual review of its cybersecurity policies and procedures; (4) any report of a
significant fund cybersecurity incident provided to the Commission by its adviser; (5) records
documenting the occurrence of any cybersecurity incident, including any records related to any
response and recovery from such an incident; and (6) records documenting the fund’s
cybersecurity risk assessment. These records would have to be maintained for five years, the first
two years in an easily accessible place. The Electronic Signatures in Global and National
2
�Commerce Act 2 and the conforming amendments to rules under the Investment Company Act
permit funds to maintain records electronically.
4.
Duplication
Proposed rule 38a-2 would impose a requirement that funds have in place written
compliance policies and procedures on cybersecurity. Funds also are subject to certain
requirements elsewhere in the federal securities laws that require them to maintain written
policies and procedures, including rule 38a-1 under the Act. The staff believes, however, that any
duplication of requirements is limited, as rule 38a-2 would require policies and procedures
specific to cybersecurity. Moreover, rule 38a-2 would not require funds to maintain duplicate
copies of records covered by these more targeted requirements, and a firm’s compliance policies
and procedures are not required to be maintained in a single location. The staff believes,
therefore, that any duplication of regulatory requirements would not impose significant
additional costs on funds. The Commission periodically evaluates rule-based recordkeeping
requirements for duplication and reevaluates them whenever it proposes a rule or a change in a
rule.
5.
Effect on Small Entities
Funds, regardless of their size, are subject to the requirements of proposed rule 38a-2.
Effective cybersecurity risk management is essential for firms of all sizes. Rule 38a-2 would
afford funds the flexibility to tailor their cybersecurity risk program to the nature of their
business. Small firms, which generally have less complex and more limited operations, likely
need less extensive cybersecurity risk programs than their larger counterparts. Thus, rule 38a-2
2
P.L. 106-229, 114 Stat. 464 (June 30, 2000).
3
�would not inappropriately burden small entities. The Commission believes that it could not
adjust the rule to lessen the burden on small entities of complying with the rule without
jeopardizing the interests of investors in small funds. The Commission reviews all rules
periodically, as required by the Regulatory Flexibility Act, to identify methods to minimize
recordkeeping or reporting requirements affecting small businesses.
6.
Consequences of Not Conducting Collection
Less frequent information collection would be incompatible with the objectives of
proposed rule 38a-2. The annual reviews that would be required under rule 38a-2 are integral to
detecting and correcting any gaps in the program before irrevocable or widespread harm is
inflicted upon investors, and extending the time between reviews would increase the likelihood
that such harm could go unchecked.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
Proposed rule 38a-2 would require funds and advisers to maintain their internal
compliance policies and procedures and documents related to the annual review of those policies
and procedures for at least five years. Although this period exceeds the three-year guideline for
most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff believes that this is warranted
because the rule would contribute to the effectiveness of the Commission’s examination and
inspection program. Because the period between examinations may be as long as five years, it is
important that the Commission have access to records that cover the entire period between
examinations.
4
�8.
Consultation Outside the Agency
The Commission and the staff of the Division of Investment Management participate in
an ongoing dialogue with representatives of the investment company industry through public
conferences, meetings, and informal exchanges. These various forums provide the Commission
and staff with a means of ascertaining and acting upon paperwork burdens confronting the
industry. In addition, the Commission has requested public comment on proposed rule 38a-2,
including the collection of information requirements resulting from the proposed rule. Before
adopting these amendments, the Commission will receive and evaluate public comments on the
proposed amendments and their associated collection of information requirements.
9.
Payment or Gift
No payment or gift to respondents was provided.
10.
Confidentiality
If information collected pursuant to proposed rule 38a-2 is reviewed by the
Commission’s examination staff, it would be accorded the same level of confidentiality accorded
to other responses provided to the Commission in the context of its examination and oversight
program.
11.
Sensitive Questions
No information of a sensitive nature is required under this collection of information. The
information collection does not collect personally identifiable information (PII). The agency has
determined that a system of records notice (SORN) and privacy impact assessment (PIA) are not
required in connection with the collection of information.
5
�12.
Burden of Information Collection
The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 3 and are not derived from a comprehensive or even
representative survey or study of the costs of Commission rules.
Proposed rule 38a-2 would require a fund to adopt and implement written policies and
procedures reasonably designed to address cybersecurity risks. Each requirement to disclose
information, offer to provide information, or to adopt policies and procedures constitutes a
collection of information requirement under the Paperwork Reduction Act. The respondents to
proposed rule 38a-2 would be registered investment companies and business development
companies. We estimate that 14,749 funds would be subject to these proposed rule
requirements. 4 The collections of information associated with these requirements would be
mandatory, and responses provided to the Commission in the context of its examination and
oversight program concerning rule 38a-2 would be kept confidential subject to the provisions of
applicable law. The table below summarizes the initial and ongoing annual burden and cost
estimates associated with the proposed rule.
Table 1: Burden Estimates for Rule 38a-2
Internal
initial
burden hours
Internal annual
burden hours1
Wage rate2
Internal time
costs
Annual external
cost burden
$10,625
$5,9524
PROPOSED RULE 38A-2 ESTIMATES
$425
Adopting and implementing
policies and procedures
60 hours
25 hours3
(blended rate for
compliance attorney and
assistant general counsel)
3
44 U.S.C. 3501 et seq.
4
As of December 2020, we estimate 14,654 registered investment companies and 95 BDCs (totaling 14,749
funds).
6
�$425
Annual review of policies
and procedures and report
9 hours
6 hours5
(blended rate for
compliance attorney and
assistant general counsel)
$2,550
$9926
$356
$0
$356
Recordkeeping
1 hour
1 hour
(blended rate for
compliance attorney and
senior programmer)
Total new annual burden
per fund
32 hours
$13,531
$6,944
Number of funds
× 14,749
funds7
× 14,749 funds
7,3758
Total new annual aggregate
471,968 hours
$199,568,719
$51,212,000
burden
Notes:
1. Includes initial burden estimates annualized over a 3-year period.
2. The Commission’s estimates of the relevant wage rates are based on the SIFMA Wage Report. The estimated figures are modified by firm
size, employee benefits, overhead, and adjusted to account for the effects of inflation.
3. Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 25 hours is based
on the following calculation: ((60 initial hours /3) + 5 additional ongoing burden hours) = 25 hours.
4. This estimated burden is based on the estimated wage rate of $496/hour, for 12 hours, for outside legal services.
The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
5. Includes initial burden estimates annualized over a three-year period, plus 8 ongoing annual burden hours. The estimate of 6 hours is based on
the following calculation: ((9 initial hours /3) + 3 additional ongoing burden hours) = 6 hours.
6. This estimated burden is based on the estimated wage rate of $496/hour, for 2 hours, for outside legal services.
7. Includes all registered investment companies, plus BDCs.
8. We estimate that 50% of funds will use outside legal services for these collections of information. This estimate takes into account that funds
may elect to use outside legal services (along with in-house counsel), based on factors such as fund budget and the fund’s standard practices for
using outside legal services, as well as personnel availability and expertise.
13.
Cost to Respondents
Cost burden is the cost of goods and services purchased to meet the requirements of
proposed rule 38a-2, such as for the services of outside counsel. The cost burden does not
include the hour burden discussed in Item 12 above. Estimates are based on the Commission’s
experience.
7
�As summarized in Table 1 above, Commission staff estimates that the annual cost of
outside services associated with rule 38a-2 would be approximately $6,944 per fund and the total
annual external cost burden for rule 38a-2 would be $51,212,000. 5
14.
Cost to the Federal Government
Proposed rule 38a-2 would not impose a cost on the federal government. Rule 38a-2
would not require funds to file any documents with the Commission. However, the Commission
staff may records produced pursuant to the rule in order to assist the Commission in carrying out
its examination and oversight program.
15.
Change in Burden
New collection.
16.
Information Collection Planned for Statistical Purposes
The results of any information collection will not be published.
17.
Approval to Omit OMB Expiration Date
The Commission is not seeking approval to omit the expiration date for OMB approval.
18.
Exceptions to Certification Statement for Paperwork Reduction Act
Submission
The Commission is not seeking an exception to the certification statement.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
The collection of information will not employ statistical methods.
5
This estimate is based on the following calculation: 7,375 funds x $6,944 = $51,212,000.
8
�
| File Type | application/pdf |
| File Modified | 2022-03-22 |
| File Created | 2022-03-22 |