Download:
pdf |
pdfNEW OMB CONTROL NUMBER: 3235-xxxx
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Form ADV-C
A.
JUSTIFICATION
1.
Necessity for the Information Collection
On February 9, 2022, the Commission proposed rules related to cybersecurity risk
management for registered investment advisers, registered investment companies, and business
development companies as well as amendments to certain rules that govern investment adviser
and fund disclosures under the Investment Advisers Act of 1940 and the Investment Company
Act of 1940 (“Investment Company Act”). 1 The proposed rules and amendments are designed to
enhance the cybersecurity hygiene and preparedness of advisers and funds and improve their
resilience against cybersecurity threats and attacks, while also improving the cybersecurityrelated disclosures advisory clients and fund investors receive and enhancing the Commission’s
ability to oversee advisers and funds and assess systemic risks.
The Commission proposed a new Form ADV-C to require an adviser to provide
information regarding a significant cybersecurity incident in a structured format through a series
of check-the-box and fill-in-the-blank questions. Proposed Form ADV-C would require advisers
to report certain information regarding a significant cybersecurity incident in order to allow the
Commission and its staff to understand the nature and extent of the cybersecurity incident and
the adviser’s response to the incident. Collecting information in a structured format would
enhance the Commission’s and its staff’s ability to effectively carry out the risk-based
examination program and other risk assessment and monitoring activities. The structured format
1
15 U.S.C. 80a-1 et seq.; Cybersecurity Risk Governance and Incident Disclosure, Securities Act Release
No. 11028 (Feb. 9, 2022) available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf
(“Cybersecurity Risk Governance and Incident Disclosure Proposal”).
1
�would also assist the Commission and its staff in assessing trends in cybersecurity incidents
across the industry.
Proposed rule 204-6 2 under the Advisers Act requires would require advisers to report on
new Form ADV-C a significant adviser cybersecurity incident or a significant fund cybersecurity
incident. The paperwork burdens associated with proposed rule 204-6 are not included in this
collection of information for Form ADV-C and thus proposed rule 204-6 has a separate
collection of information submission.
2.
Purpose and Use of the Information Collection
The purpose of Form ADV-C is to provide the Commission with information regarding
cybersecurity incidents to allow the Commission to understand the nature and extent of the
cybersecurity incident and the adviser’s response to the incident. It would also assist the
Commission’s ability to effectively carry out its risk-based examination program and other risk
assessment and monitoring activities. This information collection would not only help the
Commission monitor and evaluate the effects of the cybersecurity incident on an adviser and its
clients or a fund and its investors, but also assess the potential systemic risks affecting financial
markets more broadly.
3.
Consideration Given to Information Technology
Form ADV-C would be required to be filed electronically with the Commission through
the Investment Adviser Registration Depository (“IARD”) platform. The IARD platform is an
Internet-based system that investment advisers access through computers in their offices, without
the need for specialized software or hardware. The information advisers submit to the IARD is
2
17 CFR 275.204-6.
2
�stored in a database. Collecting information electronically through the IARD platform is
designed to reduce the regulatory burden upon investment advisers by providing a convenient
portal for quickly transmitting reports and filings.
4.
Duplication
The collection of information is not duplicated elsewhere. While the proposed
amendments to Form ADV requiring advisers to provide clients and prospective clients with
information regarding an adviser’s cybersecurity risks and significant cybersecurity incidents
that have occurred in the past two years require firms to summarize certain topics also required
to be discussed in Form ADV-C, Form ADV-C has a distinct purpose to, as discussed above,
help the Commission monitor and evaluate the effects of the cybersecurity incident on an adviser
and its clients or a fund and its investors and assess the potential systemic risks affecting
financial markets more broadly. The Commission periodically evaluates rule-based reporting and
recordkeeping requirements for duplication, and reevaluates these requirements whenever it
adopts amendments to its rules.
5.
Effect on Small Entities
Advisers, regardless of their size, are subject to the requirements of rule 204-6.
Reporting of significant adviser cybersecurity incidents and significant fund cybersecurity
incidents is essential for advisers of all sizes. Because the protections of the Advisers Act are
intended to apply equally to retail investor clients of both large and small firms, it would be
inconsistent with the purposes of the Advisers Act to specify differences for small entities under
the new requirements. Thus, Form ADV-C does not inappropriately burden small entities. The
Commission believes that it could not adjust the rule to lessen the burden on small entities of
complying with the rule without jeopardizing the interests of investors. The Commission
3
�reviews all rules periodically, as required by the Regulatory Flexibility Act, to identify methods
to minimize recordkeeping or reporting requirements affecting small businesses.
6.
Consequences of Not Conducting Collection
Less frequent information collection would be incompatible with the objectives of Form
ADV-C. The collection of information is necessary to ensure that the Commission promptly
receives information regarding significant adviser cybersecurity incidents and significant fund
cybersecurity incidents. The consequences of not collecting this information would be that the
Commission may not have the information needed to protect investors, to monitor and evaluate
the effects of the cybersecurity incident, and to assess any potential systemic risks affecting
financial markets more broadly.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
This collection is not inconsistent with 5 CFR 1320.5(d)(2).
8.
Consultation Outside the Agency
The Commission and the staff of the Division of Investment Management participate in
an ongoing dialogue with representatives of the investment management industry through public
conferences, meetings, and informal exchanges. These various forums provide the Commission
and staff with a means of ascertaining and acting upon paperwork burdens confronting the
industry. In addition, the Commission has requested public comment on Form ADV-C. Before
adopting Form ADV-C, the Commission will receive and evaluate public comments on the
proposed form and its associated collection of information requirements.
9.
Payment or Gift
No payment or gift to respondents was provided.
10.
Confidentiality
4
�Responses to the information collection will be kept confidential to the extent permitted
by law. Form ADV-C elicits non-public information, the public disclosure of which could
adversely affect advisers (and advisory clients) and funds (and their investors). Keeping
information related to a cybersecurity incident confidential may serve to guard against the
premature release of sensitive information, while still allowing the Commission to have early
notice of the cybersecurity incident.
11.
Sensitive Questions
Form ADV-C elicits non-public information about private funds and their trading
strategies, the public disclosure of which could adversely affect the funds and their investors. A
System of Records Notice that covers the collection of information has been published in the
Federal Register at 83 FR 6892 and can also be found at
http://www.sec.gov/about/privacy/secprivacyoffice.htm. Instructions for obtaining the Privacy
Impact Assessment for IARD can be found at
http://www.sec.gov/about/privacy/secprivacyoffice.htm.
12.
Burden of Information Collection
The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 3 and are not derived from a comprehensive or even
representative survey or study of the costs of Commission rules.
The Commission is proposing a new Form ADV-C to require an adviser to provide
information regarding a significant cybersecurity incident in a structured format through a series
of check-the-box and fill-in-the-blank questions. The respondents to this collection of
3
44 U.S.C. 3501 et seq.
5
�information are investment advisers registered or required to be registered with the Commission.
This requirement is mandatory, and all registered investment advisers will be subject to the
requirements of the proposed rule. Responses provided to the Commission would be kept
confidential subject to the provisions of applicable law. This collection of information would
help the Commission’s examination and oversight program efforts in identifying patterns and
trends across registrants regarding such incidents. As of October 31, 2021, there were 14,774
registered advisers that would be subject to this reporting requirement. The table below
summarizes the initial and ongoing annual burden and cost estimates associated with Form
ADV-C’s reporting requirements.
Table 1: Form ADV-C PRA Estimates
Internal
initial
burden
hours
Annual external
cost burden
Internal
annual
burden hours
Wage rate
Internal time costs
PROPOSED FORM ADV-C ESTIMATES
Form ADV-C
3 hours
1.5 hours
1
$396 (blended rate for
assistant general counsel
and compliance
manager)
×
$594
Total new annual burden per
adviser
1.5 hours
Number of advisers
× 14,774
× 14,774
22,161 hours
$8,775,756
Total new aggregate annual
burden
Notes:
$4962
$496
× 14,774
$7,327,904
1. Includes initial burden estimates annualized over a three-year period, plus 0.5 ongoing annual burden hours. The estimate of 1.5 hours is based
on the following calculation: ((3 initial hours /3) + 0.5 additional ongoing burden hours) = 1.5 hours.
2. This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.
The Commission’s estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry
and Financial Markets Association’s Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2020. The estimated
figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation. The Commission’s estimates
of the relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a variety of sources including
general information websites, and adjustments for inflation.
6
�13.
Cost to Respondents
Cost burden is the cost of goods and services purchased to meet the requirements of Form
ADV-C, such as for the services of outside counsel. The cost burden does not include the hour
burden discussed in Item 12 above. Estimates are based on the Commission’s experience.
As summarized in Table 1 above, Commission staff estimates that the annual cost of outside
services associated with Form ADV-C is approximately $496 per adviser and the total annual
external cost burden for Form ADV-C is $7,327,904.
14.
Cost to the Federal Government
There are no costs to the government directly attributable to the rule.
15.
Change in Burden
New collection.
16.
Information Collection Planned for Statistical Purposes
Not applicable.
17.
Approval to Omit OMB Expiration Date
We request authorization to omit the expiration date on the electronic version of the form,
although the OMB control number will be displayed. Including the expiration date on the
electronic version of this form will result in increased costs, because the need to make changes to
the form may not follow the application’s scheduled version release dates.
18.
Submission
Exceptions to Certification Statement for Paperwork Reduction Act
Not applicable.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
7
�
| File Type | application/pdf |
| File Modified | 2022-05-23 |
| File Created | 2022-05-23 |