SEC Reopens the Comment Period for Proposed Cybersecurity Risk Management Rules


The Investment Adviser Association (IAA), a trade group for RIAs, welcomed the extension but raised concerns about how the SEC's pending proposals interact with one another. On the same day, the commission also proposed new cybersecurity rules for broker-dealers.

Comment period reopened for Cybersecurity Risk Management

The Securities and Exchange Commission has reopened the public comment period on its proposed cybersecurity risk management rule, which was first published last year.

The rule was first proposed in February 2022, with the original comment period closing in April 2022. It would apply to registered investment advisers (RIAs), registered investment companies, and business development companies (BDCs).
If adopted in its current form, the rule would require advisers and funds to disclose cybersecurity incidents in amendments to their Form ADV and to adopt and implement policies and procedures adequate to protect client information in the event of a breach.

During the first comment period, and again this week at the Investment Adviser Association Compliance Conference in Washington, D.C., chief compliance officers and firms voiced concern about the requirement to report "significant" cybersecurity incidents to the SEC within 48 hours of concluding that such an incident had occurred.

According to an SEC statement, the reopened comment period gives interested parties more time to "evaluate the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission could consider."

On the same day the comment period was reopened, the commissioners voted to propose several cybersecurity and data privacy rules and amendments. These included amendments to Regulation S-P that would require RIAs to "provide notice to individuals affected by certain types of data breaches" that could expose them to identity theft.

The commission also proposed a rule strengthening cybersecurity requirements for broker-dealers and other so-called "market entities," such as clearing agencies, major security-based swap participants, and transfer agents. Like last year's proposal for advisers, the proposed rule would require broker-dealers to review their cybersecurity policies and procedures to ensure they are reasonably designed to address cyber risks.

A fact sheet accompanying the proposal noted that, unlike the advisers' rule, broker-dealers would have to give the SEC "prompt written electronic notice" of a significant cybersecurity incident. SEC Chair Gary Gensler and commissioners Caroline Crenshaw and Jaime Lizárraga voted in favor of the proposal; commissioners Hester Peirce and Mark Uyeda voted against it.

Gensler said, "The nature, size, and impact of cybersecurity risks have changed dramatically over the past few decades." Investors, issuers, and market participants would all be better off if they knew that businesses "have… safeguards appropriate for the digital age."

After hearing concerns about the "interrelatedness of its existing proposals," the SEC reopened the comment period for the cyber rule affecting advisers and funds, a move welcomed by IAA general counsel Gail Bernstein.

Speaking at the IAA conference this week, SEC Commissioner Uyeda said the proposed rules could not all "hit at the same time" if they were finalized, a prospect that has alarmed the industry.

In a subsequent interview, IAA CEO Karen Barr expressed concern about the knock-on effect on compliance departments and described the SEC's full slate of proposals as an "aggressive policy agenda."

She said the SEC had not paid enough attention to how the various proposals overlap, and had not thought through how firms would implement so many new regulations at once.

David Joire, senior special counsel in the SEC's Division of Investment Management, said on a panel at the IAA conference that the commission had received many comments on the 48-hour requirement for reporting cyber incidents.

Maria Chambers, Chief Compliance Officer at Klingenstein Fields Advisors, said her firm may lack the resources to meet the obligation, because the same staff who would be remediating a breach would also have to prepare the report for the commission. A report based on what those staff know at that point "may at best be scant pickings and may be wrong."
