Memo #34261

ICI Supplemental Letter on SEC's Cybersecurity Risk Management Proposal for Funds and Advisers

August 18, 2022

TO: ICI Members
Investment Company Directors
Chief Compliance Officer Committee
SEC Rules Committee

SUBJECTS: Compliance
Cybersecurity

RE: ICI Supplemental Letter on SEC's Cybersecurity Risk Management Proposal for Funds and Advisers

On July 28, ICI filed a letter supplementing our April comment letter[1] on the Securities and Exchange Commission's proposed cybersecurity risk management rules for funds and advisers (attached). We urged the Commission to revise proposed subsection (a)(3)(ii) of the proposed rule.[2] This subsection would require funds to execute a written contract with each service provider that has access to a fund's information or information systems ("information-handling service providers") in which the service provider agrees to implement appropriate measures, including the practices described in paragraphs (a)(1), (a)(2), (a)(3)(i), (a)(4), and (a)(5) of proposed Rule 38a-2 (the "SPC subsection" or "subsection").

In the letter, we explained that the SPC subsection risks severely compromising the ability of funds to continue to conduct business with critical service providers. Many information-handling service providers will be unwilling or unable to enter into a written contract with the required provisions. We also observed that this element of the rule is unnecessary. If a fund breaches its obligations to maintain the security of its information under Rule 38a-2, the Commission can proceed against the fund, irrespective of the language in the fund's contract with a service provider. We urged the Commission to revise the written contract requirement to avoid adversely impacting funds' cybersecurity risk management programs by impeding arrangements with critical service providers. We provided recommendations for revising the subsection in a way that both addresses our concerns and supports the Commission's objectives to assure funds have robust and comprehensive cybersecurity programs.

Susan Olson
General Counsel

endnotes

[1] Letter to Vanessa A. Countryman, Secretary, US Securities and Exchange Commission from Susan M. Olson, General Counsel, Investment Company Institute (April 11, 2022), available at https://www.sec.gov/comments/s7-04-22/s70422-20123076-279408.pdf

[2] The cybersecurity program rule proposal for investment advisers (Rule 204-6) includes the same problematic requirement for investment advisers and their information-handling service providers. We stated that our comments should be read as also applying to the same requirement in that proposed rule.
