Memo #35322

ICI Files Comment Letters on SEC Cyber Program Proposals



May 23, 2023

TO: ICI Members
    Chief Compliance Officer Committee
    Chief Information Security Officer Committee
    Closed-End Investment Company Committee
    Compliance Advisory Committee
    Investment Advisers Committee
    SEC Rules Committee
    Small Funds Committee
    Technology Committee
    Unit Investment Trust Committee

SUBJECTS: Compliance
    Cybersecurity
    Disclosure
    Privacy

RE: ICI Files Comment Letters on SEC Cyber Program Proposals


As we previously informed you, in March 2023, the SEC published for comment proposed rules that would require various registrants, including broker-dealers and transfer agents among others, to adopt and implement written cybersecurity risk programs.[1]  The Commission's proposal was, with two exceptions relating to disclosure, identical to the proposal the SEC published last year that would require registered investment companies and investment advisers to adopt and implement such programs.[2]  The same day the SEC published its proposal, it also re-opened the comment period on last year's proposal. The ICI has filed a comment letter on the current proposal as well as in response to the re-opening of the comment period on last year's proposal.  Our comment letters are briefly summarized below.

Comments on the Proposed Rules for Broker-Dealers and Investment Advisers

Due to the similarity between the SEC's 2022 and 2023 Releases, the comments in the Institute's comment letter on the 2023 Release are substantively identical to those in the comment letter we filed on the 2022 Release. In particular, the Institute's comment letter on the 2023 proposal:

  • Supports adoption of the elements that would be required to be included in covered entities' cybersecurity policies and procedures;
  • Opposes applying the rule to service providers that are not subject to the Commission's regulatory authority;
  • Recommends narrowing the scope of service providers covered by the rules to exclude those that present little risk to a covered entity and those whose cybersecurity practices are already subject to government oversight;
  • Urges that the definitions for "cybersecurity threat" and "significant cybersecurity incident" be revised to target those threats and incidents impacting a covered entity's ability to maintain critical operations or protect information;
  • Opposes the proposed public disclosure of cybersecurity incidents;
  • Opposes the adoption of Form SCIR or any electronic or paper form to notify the Commission of significant cybersecurity incidents;
  • Opposes using EDGAR as the portal for filing information with the Commission about significant cybersecurity incidents;
  • Recommends the Commission avoid multiple reporting to federal agencies of the same significant cybersecurity incident;
  • Urges a 24-36 month compliance period to better facilitate and ensure an effective and orderly implementation; and
  • Due to the complexity of the issues raised by the proposal, urges that the Commission be prepared and willing to provide necessary guidance to covered entities once the rules are adopted.

As noted above, the disclosure requirements in the 2023 proposal deviate from those in the 2022 proposal. The 2022 proposal would require registered investment companies and investment advisers to provide public disclosure of significant cybersecurity incidents in prospectuses and Forms ADV. It would also require registrants to notify the SEC of such incidents via a new Form ADV-C that would be filed with the IARD. By contrast, the 2023 proposal would require public disclosure of these incidents on a registrant's website and the notice provided to the SEC would be via a new Form SCIR that would be filed with the EDGAR system.

As with our comment letter on the 2022 proposal, the Institute's comment letter on the 2023 proposal opposes any public disclosure of cyber events and discusses the harm that could result from such disclosure. It also points out that there is no evidence that investors are interested in this information. With respect to providing notice to the SEC, the Institute's letter on the 2023 proposal strongly opposes both the notice the SEC would require and the use of EDGAR for filing such notices. In support of our opposition, the Institute's letter discusses the 2017 EDGAR breach and cites nine years of audit findings indicating that the SEC's information security controls are "not effective." Because of this, we express our concern with the SEC requiring filings with very sensitive and confidential information until such time as the SEC's information security controls are found to be effective.

The Institute's current letter also discusses our concerns with the SEC engaging in "regulation by enforcement" and recommends that, in any adopting release, the SEC refrain from including any statements that might result in regulation by enforcement when inspecting for compliance with any adopted rules.

Comments on the Re-Opening of the Comment Period of the 2022 Release

The Institute has also filed a comment letter in response to the re-opening of the comment period for the 2022 proposal. Our comments in this letter reaffirm the comments we made last year when we commented on the proposal. In addition, however, the current letter supplements our comments by discussing our concerns with the use of EDGAR for filing any information related to cybersecurity events. 


Tamara K. Salmon
Associate General Counsel

Notes

[1] See ICI Memo No. 35215, available here: https://www.ici.org/memo35215, summarizing Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, SEC Release No. 34-97142 (March 15, 2023) (the "2023 proposal").

[2] See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Release No. 33-11028 (February 9, 2022) (the "2022 proposal" or "last year's proposal").
