Statement on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
Feb. 9, 2022
I want to begin by offering my thanks to the staff of the Divisions of Investment Management, Examinations, and Economic and Risk Analysis, Nancy Sumption, and the Offices of the Chief Accountant, Information Technology, and General Counsel. Although I am unable to support today’s proposal, I appreciate all of the work and effort staff put into producing it, and I am grateful for the time they took to discuss my concerns and respond to my questions.
Cybercrime is a uniquely challenging threat to our financial system, and I am very much in favor of establishing a mechanism for registered investment advisers and investment companies to inform the Commission when they have suffered a material breach. As the proposing release documents, cybercrime results in billions of dollars in stolen assets, as well as significant legal and reputational liabilities.
A properly designed reporting system could serve as the foundation for the Commission to assist industry in establishing strong, attack-resistant systems. “Public-private partnership” is a treacly and overused term, but cybersecurity could be one of those rare instances in which the term is apt. The Commission, serving as a repository with up-to-date intelligence on trends in financial sector cybercrime, could provide registrants with practical, timely knowledge so vital to keeping one step ahead of the bad guys. For this to happen, however, the Commission would have to be willing to depart from the traditional regulation-examination-enforcement triad. That willingness is not evident in this proposal.
That an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds. Cyber criminals are devilishly clever and often benefit from state support. No investment adviser or investment company wants to have its system hacked, its data stolen and exploited, or its investors’ funds stolen. Most firms are investing substantial resources in defense against breaches. We should stand ready to assist advisers and funds in the fight against cyberattackers. Absent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.
Rules that set forth detailed cybersecurity prescriptions could become an easy hook for an enforcement action, even when a firm has made reasonable efforts to comply with the prescriptions. Central to my opposition to the investment adviser rule proposal is that we have chosen to ground it in Section 206, the Investment Adviser Act’s anti-fraud provision. Just as we regrettably did in 2003 when we established a general compliance rule for registered advisers, we cite Section 206(4) as the authority allowing us to impose cybersecurity policies and procedures. This approach does not make sense.
First, section 206(4) states that it is unlawful for an adviser “to engage in any act, practice, or course of business which is fraudulent, deceptive, or manipulative” and directs the Commission “by rules and regulations [to] define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative.” The rules under this section should be designed to prevent advisers from engaging in acts, practices, and courses of business that are fraudulent, deceptive, or manipulative. Here, however, the fraudulent, deceptive, and manipulative acts, practices, and courses of business that the Commission seeks to prevent with the proposed rule are not ones in which the adviser is the perpetrator, but the victim.
Second, taken literally, if an adviser that does not have good enough policies and procedures, any investment advice it provides to clients is illegal. The proposed rule states:
As a means reasonably designed to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business within the meaning of section 206(4) of the Act (15 U.S.C. 80b6(4)), it is unlawful for any investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3) to provide investment advice to clients unless the adviser adopts and implements written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks . . .
While having good cyberpolicies is important, there is no apparent logical connection between the effectiveness of an adviser’s cyberpolicies and the soundness of its investment advice. Deeming illegal all advice provided during a period in which cyberpolicies were deficient (in the estimation of the Commission sitting in its Monday morning quarterback chair) seems extreme.
Third, and related, based on the language of the proposed rule, not having reasonably designed cybersecurity policies is a fraudulent, deceptive, or manipulative act, practice, or course of business. We included similar language almost 19 years ago to the day when we proposed the compliance rule for registered advisers. In response to concerned commenters, we slightly tweaked the regulatory text to remove explicit reference to “fraudulent, deceptive, or manipulative acts, practices, or courses of business.” This fig leaf was an acknowledgement that a failure to establish policies and procedures does not fit comfortably within the framework of an anti-fraud provision, but the underlying problem remained. Indeed, the adopting release made clear that the changed language, “which responds to commenters’ concerns regarding the optics of the rule, does not change its substance; failure to comply with its terms will result in a violation of section 206(4) of the [Advisers] Act.” I take cold comfort in the fact that the Commission, despite the compliance rule’s uncompromising language, has never treated an adviser’s failure to establish reasonable compliance policies and procedures as a basis for arguing that the adviser’s provision of advice was unlawful. The fact remains that the placement of the compliance rule under the authority of section 206(4) recasts a flawed set of compliance policies and procedures as an existential moment for the adviser. As an historical aside, the diligent reader will note that my name appears first on the list of SEC contacts responsible for drafting the final rules that we issued back in 2003. My primary focus at that time was on the fund rule (which does not have a similar authority problem), not the adviser rule, but as a member of the team I would be remiss if I did not at least acknowledge regret that I did not then raise the concerns that I am expressing today.
Using the Commission’s anti-fraud authority—rather than our general rulemaking authority in section 211 of the Advisers Act, our recordkeeping authority under section 204, or our authority under adviser supervision section 203(e)(6)—does not make sense for a generic compliance rule. It makes even less sense for the cybersecurity rule we are considering today. As I noted earlier, the area of cybersecurity is one that demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal. A cybersecurity rule that is styled as a cudgel will not facilitate such cooperation.
A cybersecurity policies and procedures rule may not even be necessary to foster the investments in strong cyber-defenses, dialogue, communication, and cooperation we seek from investment advisers and investment companies. We have a number of regulations, including Regulation S-P, which requires advisers, among others, to have “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” These policies and procedures must be reasonably designed to, among other things, “[p]rotect against any anticipated threats or hazards to the security or integrity of customer records and information,” as well as “[p]rotect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Similarly, Regulation S-ID requires advisers to develop and implement an Identity Theft Prevention Program “designed to detect, prevent, and mitigate identity theft” from customer accounts. As the proposing release acknowledges, a number of advisers and funds already “have implemented cybersecurity programs under the existing regulatory framework.” For advisers and funds that have not adopted adequate cyber-policies and procedures, guidance might be more helpful than a rule. Industry has welcomed prior staff cybersecurity observations and guidance. Further guidance could outline the points in the proposing release as areas of potential focus for advisers and funds trying to build strong cybersecurity programs, while allowing the latitude for firms to tailor their policies and procedures to their particular risks.
The proposal before us today is intended to give cybersecurity the top billing on funds’ and advisers’ agendas that it deserves. While I have serious concerns about the shape the rule has taken, I am grateful to the staff for the care they put into the release. Among other things, the release does a good job balancing the need to notify the Commission and investors of cyberincidents with legitimate concerns about the timing of such disclosures and perils of over-disclosure, which can provide a roadmap to future bad actors. I look forward to hearing from commenters as they evaluate the merits of this proposal and assist me in formulating my own position should we reach the adopting stage.
 See, e.g., Ponemon Institute and IBM Security, Cost of Data Breach Report 2021 (July 2021), available at https://www.ibm.com/security/data-breach (noting the average cost of a data breach in the financial industry in the United States is $5.72 million); Federal Bureau of Investigation, 2020 Internet Crime Report (Mar. 17, 2021), at 15, available at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf (noting that cybercrime victims lost approximately $4.2 billion in 2020).
 “Responding to the PRC’s Destabilizing and Irresponsible Behavior in Cyberspace,” July 19, 2021 press statement available at https://www.state.gov/responding-to-the-prcs-destabilizing-and-irresponsible-behavior-in-cyberspace/ (“The PRC’s Ministry of State Security (MSS) has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”).
 15 U.S.C. 80b-6(4).
 Compliance Programs of Investment Companies and Investment Advisers, Investment Company Act Release No. 25924 (Feb.5, 2003) (68 FR 7038 (Feb 11, 2003)).
 See, e.g., Comment letter from Pickard and Djinis, April 18, 2003 (“[R]elying on the Advisers Act’s anti-fraud provision (section 206(4)) to mandate formal compliance programs may have unintended consequences. If deficient procedures alone are deemed to be grounds for a finding of fraud, an adviser could face serious collateral consequences for shortcomings in its compliance program, even where those shortcomings do not result in any substantive misconduct.”) (footnote discussing collateral consequences of a fraud ruling omitted) https://www.sec.gov/rules/proposed/s70303/pickard041803.htm; Comment letter from Charles Schwab & CO., Inc., April 23, 2003 (“It concerns us that a breakdown in supervision (e.g., failing to include a procedure in a compliance manual) would be treated ‘a fraudulent, deceptive or manipulative practice’ under the Proposed Rule. These consequences seem unduly harsh, and are inconsistent with a compliance program designed to achieve compliance both with antifraud and other rules such as record-keeping requirements.”) https://www.sec.gov/rules/proposed/s70303/charlesschwab042303.htm; Comment letter from Financial Engines Advisors LLC, April 18, 2003 (“Conceivably, diligent investment advisers who proactively try to develop new policies and procedures but come up short, might put their firms at greater enforcement risk than other advisers who might overlook, defer or otherwise not bring attention to a particular aspect of their business.”) https://www.sec.gov/rules/proposed/s70303/financial041803.htm; Comment letter from National Society of Compliance Professionals Inc., April 17, 2003 (pointing out that advisers could be subject to an antifraud charge for having an inadequate policy even absent any fraudulent activity) https://www.sec.gov/rules/proposed/s70303/nationals70303-16.pdf; Comment letter from T. Rowe Price Associates, Inc., April 17, 2003 (“Without some other substantive wrongdoing, there is no basis or need to deem as “fraud” the failure to adopt a procedure, the failure to review a procedure or the failure to designate an individual responsible for administering a procedure.”) https://www.sec.gov/rules/proposed/s70303/trowes70303-17.pdf; Comment letter from Debra M. Brown, April 17, 2003 (“Although tighter compliance programs may prevent rogue activity by an employee, less formal compliance programs do not necessarily result in fraud. It is for this reason that we believe that the failure to have adequate policies and procedures should not come under the anti-fraud provisions of the Advisers Act.”) https://www.sec.gov/rules/proposed/s70303/dmbrown041703.htm; Comment letter from The Vanguard Group, April 16, 2003 (“Although we support the Commission's goal to strengthen industry commitment to compliance programs, we believe it is inappropriate to characterize a substandard compliance program as somehow perpetrating a fraud on the firm's clients.”) https://www.sec.gov/rules/proposed/s70303/vanguard041603.htm.
 See Compliance Programs of Investment Companies and Investment Advisers, Investment Advisers Act Release No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)] at n.11.
 17 CFR 248.30.
 17 CFR 248.201.
 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028; IA-5956; IC-34497, at 13, (Feb. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf.
 Office of Compliance Inspections and Examinations (now Division of Examinations), Cybersecurity and Resiliency Observations, SEC (Jan. 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.