X

MFA Warns SEC Cybersecurity Rule Proposals May Backfire

The Managed Funds Association ("MFA") warned that the SEC's proposed cybersecurity rules may cause the "unintended consequence of diverting advisers' resources during a critical window following discovery of an attack."

As previously covered, the SEC described its proposed cybersecurity rules as (i) addressing concerns relating to advisers and funds' cybersecurity preparedness and to reduce cyber risk, (ii) improving adviser and fund disclosures and (iii) improving the SEC's ability to assess systemic risks resulting from cyber incidents. The rule proposals would require advisers and funds to adopt and implement written policies reasonably designed to address cybersecurity risks, report significant cybersecurity incidents to the SEC on proposed Form ADV-C and create cybersecurity-related books and records.

In its most recent comment letter containing textual suggestions for these proposals, the MFA reiterated support for SEC's efforts to strengthen industry cybersecurity but asserted that:

  • the amount of information required for reporting as stated by the proposals is "overly prescriptive" and burdensome;
  • the SEC’s objective to increase cybersecurity in this area would best be accomplished by narrowing the focus of information covered by the proposed rules to include only adviser information that is likely to cause actual harm in the event of a cybersecurity incident; and
  • the text of the proposed rules should be harmonized with other established regulatory requirements to further clarify when and how quickly an adviser must report cybersecurity incidents, rather than requiring an adviser to file a report within 48 hours after discovery of a cybersecurity incident.

In addition, the MFA stated it would establish a "safe harbor" for investment advisers who adopt a "preapproved, robust cybersecurity framework."

The MFA emphasized that its recommendations supplemented its previous comment letters (see, here and here).

Primary Sources

  1. MFA Comment Letter to SEC: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period; File No. S7-04-22 (6-22-23)
  2. SEC Proposed Rule: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
  3. MFA Comment Letter: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period; File No. S7-04-22 (5-22-23)
  4. MFA Comment Letter: Cybersecurity Risk Management, File number S7-04-22 (4-11-22)

Related Articles

  • SEC Proposes Buy-Side Cybersecurity Rules

    The SEC proposed cybersecurity risk management and reporting requirements that would be applicable to registered investment advisers, registered investment companies and business development companies. The SEC also proposed amendments to certain rules that govern investment adviser and fund disclosures.

Premium Content

Available only to Premium subscribers.

 

Join Premium

US Regulatory Intelligence combines regulatory and enforcement news, analysis, and practical work tools on an easy-to-use digital platform.

Request a Free Trial

Tags

Regulated Activities
Data Protection / Cybersecurity
Regulated Entities
Adviser / CTA / CPO
Body of Law
Securities Law
Jurisdiction
US - Federal
Organization
Trade / Industry Associations
Sub-Author
Managed Funds Association