Associations Weigh In on the SEC's Cybersecurity Proposal
In submitted comments, financial services and alternative investment associations raised multiple concerns about the SEC's proposal on cybersecurity risk management and reporting requirements for investment advisers and funds. (See previous coverage).
Alternative Investment Management Association ("AIMA")
AIMA argued that while cybercrime is a serious threat to the global financial system, there has been little evidence of material cyberattacks targeted directly at funds or their advisers. AIMA also argued that regulations should be proportionate to the risks posed to funds and advisers. Further, AIMA cautioned that funds and advisers have different resources, capabilities and technology uses, and that a "one-size-fits-all" approach will not be efficient or commensurate with the risks that different-sized advisers and funds pose to the wider financial system. AIMA recommended a doubling of the proposed incident notification period from 48 to 96 hours. In addition, AIMA questioned the grounding of the proposal on Section 206 of the Advisers Act (the act's anti-fraud provision), raising concerns that Section 206 will become an easy hook for an enforcement action where an adviser has attempted to comply with an ever-evolving landscape of cyber threats.
Investment Adviser Association ("IAA")
The IAA raised concerns that the proposal may impose unnecessary operational and compliance burdens on advisers and impede their efforts to respond effectively to ongoing cyberattacks. Among other things, the IAA urged the SEC to coordinate with other federal regulators to adopt a uniform, risk-based federal requirement for cybersecurity and data breach incident reporting.
SIFMA
SIFMA criticized the proposal, stating that it is an overreach of the SEC's authority under the Advisers Act's anti-fraud provision and that it focuses more on punishing advisers for perceived deficiencies than on guiding advisers in enhancing their already-implemented cybersecurity programs. Among other things, SIFMA urged the SEC to (i) adopt a short-form initial notification, followed by a more detailed report to be filed after an adviser has had sufficient time to investigate a cyber incident, (ii) dispense with public disclosure of detailed information relating to a cybersecurity incident or cyber risks, and (iii) adopt a principles-based approach to cyber risk management rather than a "one-size-fits-all" system.
Financial Services Institute ("FSI")
FSI supported the proposal, but urged the SEC to (i) focus on making its rules uniform with other cybersecurity requirements that are already in place and (ii) account for the uncertain nature of initial fact-finding in incidents, which would affect an adviser's ability to report to the SEC in a timely and effective manner.