Statement on Cybersecurity Reforms in the Investment Management Industry
Feb. 9, 2022
Today, the Commission is considering a set of comprehensive reforms to improve cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies. I am pleased to support this proposal because, if adopted, it would improve advisers’ and funds’ cybersecurity risk management and incident reporting.
The SEC plays a key role as the regulator of the capital markets with regard to SEC registrants, including the entities in today’s release. Cyber risk relates to each part of our three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets.
Cyber incidents, unfortunately, happen a lot. Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of our registrants.
Cybersecurity incidents can lead to significant financial, operational, legal, and reputational harm for advisers and funds. More importantly, they can lead to investor harm. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.
Registered investment advisers, investment companies, and business development companies currently have to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations. Today’s release builds upon those requirements. It would strengthen financial sector registrants’ cybersecurity hygiene and incident reporting requirements in four key ways:
- It would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks and incidents;
- It would require related recordkeeping obligations for advisers and funds;
- It would require confidential reporting to the Commission by investment advisers if the adviser (or a fund they advise) is subject to certain cybersecurity incidents; and
- It would require disclosure by advisers on brochures and registered funds on registration statements regarding certain cybersecurity incidents.
I think such reforms could help reduce the risk for these registrants posed by significant cybersecurity incidents. I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.
I’ve also asked staff to make recommendations for the Commission’s consideration with respect to broker-dealers, Regulation Systems Compliance and Integrity, and to make recommendations around intermediaries’ requirements with respect to customer notices (Regulation S-P) and third-party service providers.
I am pleased to support today’s proposal and, subject to Commission approval, look forward to the public’s feedback. I’d like to thank the members of the SEC staff who worked on this rule, including:
- William Birdthistle, Sarah ten Siethoff, Melissa Gainor, Brian Johnson, David Joire, Amanda Wagner, Christopher Staley, Juliet Han, Rachel Kuo, and Thomas Strumpf in the Division of Investment Management;
- Jessica Wachter, Oliver Richard, Alexander Schiller, Charles Woodworth, Maciej Szefler, and Parhaum Hamidi in the Division of Economic and Risk Analysis;
- Meridith Mitchell, Malou Huth, Nancy Sumption, Natalie Shioji, Cathy Ahn, and Alice Wang in the Office of the General Counsel;
- Keith Cassidy, Jennifer McCarthy, Akrivi Mazarakis, Alexis Hall, Dan DeWaal, Christopher Mulligan, and Joseph Murphy in the Division of Examinations;
- Corey Schuster in the Division of Enforcement;
- Luna Bloom and Ian Greber-Raines in the Division of Corporation Finance;
- Ted Shelkey in the Office of Information Technology; and
- Omid Harraf and Shehzad Niazi in the Office of the Chief Accountant.