The Securities and Exchange Commission last week decided to reopen the comment period for a proposed cybersecurity rule that would apply to the policies of registered investment advisers and fund companies. The initial proposal was introduced on February 9, 2022, and its original comment period expired on April 11, 2022.
The reopening decision was based in part on the requirement that covered actors confidentially inform the SEC within 48 hours of detecting a significant cyber incident. Additionally, according to Dan Bresler, a partner at Seward & Kissel, the reopening is also due to two new proposals, on Reg SCI and Reg S-P, which cover related topics and could “impact the industry’s comments on the cybersecurity rule.” He adds that, “It also likely signals that a final rule will be coming in the near term.”
If approved as written, the cybersecurity rule would require broker/dealers, clearing agencies, national securities associations, national securities exchanges and transfer agents to maintain policies which identify and address their cybersecurity risks. They must also review these policies annually in light of possible changes to those risks. They must also inform the SEC of a significant cyber incident within 48 hours of becoming aware of it and make updates to that disclosure if the disclosed facts become materially inaccurate. This disclosure would be completed on a proposed new form, Form SCIR.
The new comment period opened on Tuesday, with the reopening release’s publication in the Federal Register, and continues through May 22.
The Investment Adviser Association said in an emailed statement that it supports reopening the comment period because it needs more time to study the rule’s interactions with others, such as the outsourcing rule.
The day before the SEC’s open hearing, the IAA also hosted a panel at its 2023 Investment Adviser Compliance Conference in which representatives of the SEC discussed the cybersecurity rule with representatives of the investment adviser industry.
Maria Chambers, the chief compliance officer at Klingenstein Fields Advisors, said that the 48-hour reporting and update requirements are misguided. She noted that many of the cybersecurity employees at her firm who are responsible for fixing and mitigating the breach will also be responsible for reporting. This means the reporting requirement essentially becomes a burden and a distraction while an incident is ongoing. It also is not clear what “significant” means in terms of precise events that would require a disclosure to the SEC.
David Joire, a senior special counsel with the SEC’s division of investment management who helped draft the proposal, said the SEC has received many comments which say that the 48-hour requirement is not enough time. He added, however, that many other comments, especially those from investors, said that it is too much, because those investors might be damaged severely in the 48 hours before a significant cyber event was reported.
He also explained that the 48-hour clock starts when a covered actor becomes aware of the cyber event, rather than the moment it takes place.
Joire also elaborated on what “significant” means: In the SEC’s definition, a cyber event is significant if critical operations, such as processing trades, are disrupted. A significant monetary loss or the theft of intellectual property would also qualify.
William Birdthistle, the director for the SEC’s division of investment management, who also spoke at the conference, commented briefly on the proposed rule. He said the importance of the 48-hour element of the proposal lies in the ability of the SEC to prevent “contagion:” If one critical actor is compromised, then that can impede other actors working in the same market segment. Other actors who had critical information compromised by the breach could be vulnerable to attack themselves, so the SEC position is that knowing about such an event quickly could reduce the probability of a contagion effect taking place.
SEC Commissioner Mark Uyeda expressed skepticism of this proposal in his statement at the open hearing. He also questioned the SEC’s ability to prevent contagion, noting that the SEC does not have a “cyber response team” and that the agency could not do much to limit the damage of a major cyber event.
Commissioner Hester Peirce agreed with that sentiment in a statement from last week’s open hearing. She said that a 48-hour notice requirement is a distraction from a crisis.
“Unfortunately, with this proposal, the Commission has apparently decided its role is to be an enforcer demanding that a firm dealing with a cybersecurity attack first and repeatedly attend to the Commission’s voracious hunger for data,” she said. “The Commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers.”