With an eye toward improving data management and cyber-security oversight, the Securities and Exchange Commission this week approved an interim rule that modifies the submission deadlines for registered investment companies filing non-public monthly reports using the specially created Form N-PORT.

Form N-PORT is a relatively new form for reporting both public and non-public fund portfolio holdings to the Commission in a structured data format. As a result of the changes, rather than filing non-public monthly reports with the Commission within 30 days after the end of each month, funds will be required to maintain the relevant information in their records and file three monthly reports no later than 60 days after the end of each fiscal quarter.

The non-public monthly reports on Form N-PORT for the first and second months of the fiscal quarter will remain non-public; the monthly report for the third month will become publicly available upon filing. The Commission stresses that the amount and timing of the information on Form N-PORT that will be made available to the public will not change.

“As part of its approach to data management and cyber-security, the Commission periodically assesses whether alternatives exist that would allow it to fulfill its mission while reducing the sensitivity of the data that it collects,” a statement accompanying the changes says. “The Commission has determined that allowing funds to report this monthly data at quarter end —while not changing the amount or substance of the data—will allow the Commission to fulfill its mission while reducing its cyber-risk profile.

"This revised approach to the receipt of new, non-public monthly Form N-PORT data enables the Commission to receive and analyze this new data while meaningfully reducing the sensitivity of that data at the time it is transmitted to the Commission," Chairman Jay Clayton said.

The newly announced changes are connected to ongoing assessments designed to strengthen the SEC’s cyber-security risk profile, with an initial focus on the Commission’s EDGAR system as well as the non-public information collected and held by the Commission.

The collection, storage, analysis, availability, and protection of data have become fundamental to the protection of investors, the orderly function and performance of our capital markets, market participants, and the Commission,” the interim rule says. “In that regard, maintaining effective cyber-security practices requires an ongoing evaluation of the data an organization obtains and protects. The Commission periodically assesses, as part of its cyber-security efforts, whether alternatives exist that would allow it to fulfill its mission while reducing the sensitivity of data we collect.”

For example, in 2018, after concluding that the Commission would be able to achieve its regulatory objectives without taking in certain sensitive personally identifiable information, the Commission eliminated the requirement for filers of certain forms to provide us with their social security numbers, foreign identity numbers, or date or place of birth.

“We have also reduced the market sensitivity of the non-public data we collect by obtaining it on a delayed basis, when appropriate,” the interim rule adds.

Filing Form N-PORT through the EDGAR system will begin in April 2019 for larger fund groups and in April 2020 for smaller fund groups.