Trade associations raise concerns about SEC’s cybersecurity proposal

Investment Adviser Association, American Securities Association say advisers need more than 48 hours to report breaches to SEC.

Trade associations in the investment advice sector are voicing concerns about the reporting mandates of a proposed SEC cybersecurity rule for registered investment advisers and companies.

The SEC would for the first time require that advisers adopt written policies and procedures that address risks related to cyberattacks. Under the 243-page proposed rule, advisers would have to report incidents within 48 hours to the agency on a confidential form and disclose major cyber breaches over the last two fiscal years on their Form ADV. Advisers also would have to keep books and records related to cybersecurity.

The proposal was released on Feb. 9 for public input with a 60-day deadline. Comment letters were due to the SEC on Monday. Typically, major interest groups don’t file their letters until late on deadline day.

The turnaround time on reporting cyber incidents was beginning to draw criticism on Monday.

The Investment Adviser Association said it is in favor of a cyber rule but intends to tell the agency to give advisers more leeway on telling the SEC and the public about breaches.

“We have significant concerns about the proposed reporting of incidents to the Commission within 48 hours, as well as the details proposed to be included in public disclosures,” the IAA said in a statement Monday in advance of filing its comment letter later in the day.  “While we generally support reporting and disclosure, we are concerned that these requirements, as proposed, would impede advisers’ efforts to respond to cybersecurity incidents as they are occurring, provide a roadmap to threat actors, and impose unnecessary operational and compliance burdens.”

The American Securities Association, which represents regional financial firms, said it also supports a cyber rule but expressed misgivings about the reporting deadline.

“Firms may not have a clear idea of what to report to the SEC (or any other government body) within forty-eight (48) hours and thus, could end up having to file multiple revisions [on the required form] as additional material information comes to light,” ASA CEO Christopher Iacovella wrote in an April 8 comment letter. “Further incidents or discoveries could render a previous report ‘materially inaccurate.’”

The ASA also recommended that the SEC not make advisers disclose cyber attacks on their Form ADVs.

“RIAs should not be required to disclose such information, which is not required of any other regulated entity,” Iacovella wrote.

The IAA will urge the SEC not to impose the cyber rule on smaller advisory firms.

“We recommend that the Commission exclude smaller advisers from the reporting requirement altogether and also that the Commission undertake a more robust and accurate assessment of the costs, burdens, and economic effects that would be placed on advisers of all sizes, including a holistic assessment of the cumulative costs of existing and anticipated regulation on advisers,” the IAA said Monday.

The cybersecurity proposal is one of four SEC proposals with a comment deadline falling this week. The other measures include one on money market fund reform.

SEC Chairman Gary Gensler has been under pressure to allow more time for public input as the agency works through an expansive rulemaking agenda. The SEC seems to have settled on a 60-day comment period for most rules.

The clock starts ticking when the proposals are posted on the SEC website as opposed to when they’re published in the Federal Register. The cybersecurity risk proposal was made available on the SEC website on Feb. 9 but it was published in the Federal Register on March 9.

Last week, 25 financial industry trade associations asked Gensler to allow longer comment periods.

“The Associations request that the Commission in each rulemaking consider what is an appropriate comment period length for that particular proposal relative to its complexity and the Commission’s overall rulemaking agenda,” the groups, including the IAA and the Securities Industry and Financial Markets Association, wrote in an April 5 letter to Gensler. “We do not believe it is prudent to reflexively assign a 30-day or 60-day comment period to all rule proposals.”

The SEC will review the comments on the cybersecurity rule and might revise the proposal based on the input. It would then release a final rule. The timeline for the rulemaking process is uncertain.
