Unveiling Industry Perspectives on the SEC’s Proposed Cyber Rule 206(4)-9

In February of 2022, the SEC released its proposal for Rule 206(4)-9 (the Rule), which establishes cybersecurity risk management expectations for investment advisers and companies. Its intent is to safeguard market stability and investor interests. The rule has undergone a twice extended comment period, with around 95 public comments submitted. With this feedback — totaling around 900 pages — we have a unique opportunity to understand the industry’s reaction to this proposal.

This paper will provide an overview of the seven major cybersecurity requirements within the Rule and offer context for what commenters believe to be the most challenging aspects of each requirement. The comments submitted by firms are also signposts as to where the SEC could make modifications to the proposed Rule. However, regardless of if the SEC modifies the Rule, or maintains its current form, covered firms will have much to prepare for before the Rule is scheduled to receive its final vote this fall.