ICI Comment Letter on SEC's Cybersecurity Risk Management

The Investment Company Institute appreciates the opportunity to provide its comments on the proposal by the Securities Exchange Commission (the Commission or SEC) to require various SEC-covered entities, including broker-dealers and transfer agents, to adopt and implement written cybersecurity risk programs. As proposed, such programs must include policies and procedures that are reasonably designed to address the covered entity’s cybersecurity risks. The proposal would also impose disclosure, reporting, and recordkeeping requirements on persons subject to the new rules.

We are pleased that the Commission has proposed provisions that would require covered entities to have formal programs designed to address cybersecurity risks. Currently, the only information security requirement applicable to SEC-covered entities is in Section 248.30 of Regulation S-P, which “requires covered entities to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 

Read more in the comment letter.