I want to begin by offering my thanks to the staff of the Divisions of Investment Management, Examinations, and Economic and Risk Analysis, Nancy Sumption, and the Offices of the Chief Accountant, Information Technology, and General Counsel.  Although I am unable to support today’s proposal, I appreciate all of the work and effort staff put into producing it, and I am grateful for the time they took to discuss my concerns and respond to my questions.

Cybercrime is a uniquely challenging threat to our financial system, and I am very much in favor of establishing a mechanism for registered investment advisers and investment companies to inform the Commission when they have suffered a material breach.  As the proposing release documents, cybercrime results in billions of dollars in stolen assets, as well as significant legal and reputational liabilities.[1] 

A properly designed reporting system could serve as the foundation for the Commission to assist industry in establishing strong, attack-resistant systems.  “Public-private partnership” is a treacly and overused term, but cybersecurity could be one of those rare instances in which the term is apt.  The Commission, serving as a repository with up-to-date intelligence on trends in financial sector cybercrime, could provide registrants with practical, timely knowledge so vital to keeping one step ahead of the bad guys.  For this to happen, however, the Commission would have to be willing to depart from the traditional regulation-examination-enforcement triad.  That willingness is not evident in this proposal.

That an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds.  Cyber criminals are devilishly clever and often benefit from state support.[2]  No investment adviser or investment company wants to have its system hacked, its data stolen and exploited, or its investors’ funds stolen.  Most firms are investing substantial resources in defense against breaches.  We should stand ready to assist advisers and funds in the fight against cyberattackers.  Absent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach. 

Rules that set forth detailed cybersecurity prescriptions could become an easy hook for an enforcement action, even when a firm has made reasonable efforts to comply with the prescriptions.  Central to my opposition to the investment adviser rule proposal is that we have chosen to ground it in Section 206, the Investment Adviser Act’s anti-fraud provision.  Just as we regrettably did in 2003 when we established a general compliance rule for registered advisers, we cite Section 206(4) as the authority allowing us to impose cybersecurity policies and procedures.  This approach does not make sense.

First, section 206(4) states that it is unlawful for an adviser “to engage in any act, practice, or course of business which is fraudulent, deceptive, or manipulative” and directs the Commission “by rules and regulations [to] define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative.”[3]  The rules under this section should be designed to prevent advisers from engaging in acts, practices, and courses of business that are fraudulent, deceptive, or manipulative.  Here, however, the fraudulent, deceptive, and manipulative acts, practices, and courses of business that the Commission seeks to prevent with the proposed rule are not ones in which the adviser is the perpetrator, but the victim. 

Second, taken literally, if an adviser that does not have good enough policies and procedures, any investment advice it provides to clients is illegal.  The proposed rule states:

As a means reasonably designed to prevent fraudulent, deceptive, or manipulative acts, practices, or courses of business within the meaning of section 206(4) of the Act (15 U.S.C. 80b6(4)), it is unlawful for any investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3) to provide investment advice to clients unless the adviser adopts and implements written policies and procedures that are reasonably designed to address the adviser’s cybersecurity risks . . .

While having good cyberpolicies is important, there is no apparent logical connection between the effectiveness of an adviser’s cyberpolicies and the soundness of its investment advice.  Deeming illegal all advice provided during a period in which cyberpolicies were deficient (in the estimation of the Commission sitting in its Monday morning quarterback chair) seems extreme. 

Third, and related, based on the language of the proposed rule, not having reasonably designed cybersecurity policies is a fraudulent, deceptive, or manipulative act, practice, or course of business.  We included similar language almost 19 years ago to the day when we proposed the compliance rule for registered advisers.[4]  In response to concerned commenters,[5] we slightly tweaked the regulatory text to remove explicit reference to “fraudulent, deceptive, or manipulative acts, practices, or courses of business.”[6]  This fig leaf was an acknowledgement that a failure to establish policies and procedures does not fit comfortably within the framework of an anti-fraud provision, but the underlying problem remained.  Indeed, the adopting release made clear that the changed language, “which responds to commenters’ concerns regarding the optics of the rule, does not change its substance; failure to comply with its terms will result in a violation of section 206(4) of the [Advisers] Act.”[7]  I take cold comfort in the fact that the Commission, despite the compliance rule’s uncompromising language, has never treated an adviser’s failure to establish reasonable compliance policies and procedures as a basis for arguing that the adviser’s provision of advice was unlawful.  The fact remains that the placement of the compliance rule under the authority of section 206(4) recasts a flawed set of compliance policies and procedures as an existential moment for the adviser.  As an historical aside, the diligent reader will note that my name appears first on the list of SEC contacts responsible for drafting the final rules that we issued back in 2003.  My primary focus at that time was on the fund rule (which does not have a similar authority problem), not the adviser rule, but as a member of the team I would be remiss if I did not at least acknowledge regret that I did not then raise the concerns that I am expressing today.

Using the Commission’s anti-fraud authority—rather than our general rulemaking authority in section 211 of the Advisers Act, our recordkeeping authority under section 204, or our authority under adviser supervision section 203(e)(6)—does not make sense for a generic compliance rule.  It makes even less sense for the cybersecurity rule we are considering today.  As I noted earlier, the area of cybersecurity is one that demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal.  A cybersecurity rule that is styled as a cudgel will not facilitate such cooperation.

A cybersecurity policies and procedures rule may not even be necessary to foster the investments in strong cyber-defenses, dialogue, communication, and cooperation we seek from investment advisers and investment companies.  We have a number of regulations, including Regulation S-P, which requires advisers, among others, to have “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”[8]  These policies and procedures must be reasonably designed to, among other things, “[p]rotect against any anticipated threats or hazards to the security or integrity of customer records and information,” as well as “[p]rotect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”[9]  Similarly, Regulation S-ID requires advisers to develop and implement an Identity Theft Prevention Program “designed to detect, prevent, and mitigate identity theft” from customer accounts.[10]  As the proposing release acknowledges, a number of advisers and funds already “have implemented cybersecurity programs under the existing regulatory framework.”[11]  For advisers and funds that have not adopted adequate cyber-policies and procedures, guidance might be more helpful than a rule.  Industry has welcomed prior staff cybersecurity observations and guidance.[12]  Further guidance could outline the points in the proposing release as areas of potential focus for advisers and funds trying to build strong cybersecurity programs, while allowing the latitude for firms to tailor their policies and procedures to their particular risks.

The proposal before us today is intended to give cybersecurity the top billing on funds’ and advisers’ agendas that it deserves.  While I have serious concerns about the shape the rule has taken, I am grateful to the staff for the care they put into the release.  Among other things, the release does a good job balancing the need to notify the Commission and investors of cyberincidents with legitimate concerns about the timing of such disclosures and perils of over-disclosure, which can provide a roadmap to future bad actors.  I look forward to hearing from commenters as they evaluate the merits of this proposal and assist me in formulating my own position should we reach the adopting stage.