ADISA Submits Comments to the SEC Regarding Proposed Rulemaking on Cybersecurity
ADISA submitted comments to the SEC on its proposed rulemaking titled “Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies, and Business Development Companies.” ADISA believes that the proposed rule as written likely would undermine the SEC’s objective to address “the effectiveness of disclosures to advisory clients and fund shareholders concerning cybersecurity risks and incidents,” and recommends the following:
- The SEC should focus on mitigation and management of any cybersecurity breach in the first 48 hours to minimize harm to investors.
- The first 48 hours following a cyber-attack are critical, and firms should be focused on mitigating any intrusion, understanding the scope of the attack, protecting and recovering data, and locking out intruders.
- Focusing resources on reporting during the first 48 hours impedes firms’ response times and hampers mitigation of an event, negatively impacting investors.
- The SEC should create response times appropriate for the circumstances.
Most firms appropriately utilize third-party service providers for various operational and administrative functions, including technology and data storage. A cybersecurity breach may involve more than one firm, or may be focused on a single vendor rather than on the reporting firm, adding complexity to any investigation.
- Alternatively, the SEC should implement a two-part notification and reporting regime.
ADISA supports the overall goal of advisers having cybersecurity incident response and recovery policies and procedures, but it is imperative that any policies are flexible, provide meaningful information to investors and other stakeholders, and yet not so detailed as to unwittingly provide a roadmap for further, future attacks by bad actors. Thus, ADISA proposes an alternative Two-Part Notification and Reporting Regime that ensures timely but also accurate information.
- The SEC should coordinate efforts with the Cybersecurity & Infrastructure Security Agency (CISA).
The SEC should coordinate with other federal regulators to adopt a holistic, uniform federal requirement for reporting cybersecurity and data breach incidents.
- The SEC should avoid requiring disclosure of breach details in brochures.
ADISA is concerned by the proposed disclosure requirement forcing firms to publish information about cyber incidents in their brochures. Specifically, we are worried this could cause firms to be viewed as particularly vulnerable to attack and breach, and may unduly create the impression that smaller firms are even more vulnerable.
- The SEC should not prescribe specific controls such as multi-factor authentication.
As noted by other groups, an SEC requirement for specific protocols such as multi-factor authentication is not prudent because technology often becomes outdated well in advance of rule updates, quickly rendering agency actions moot and, worse, hampering firms and investors alike with antiquated practices and protections. ADISA suggests that the SEC promulgate a set of best practices and procedures that firms can choose to adopt based on their specific circumstances.
The letter, which was drafted by ADISA’s Legislative & Regulatory Committee (co-chaired by John Grady, ABR Dynamic Funds, and Catherine Bowman, The Bowman Law Firm), was signed by ADISA’s President Michael Underhill, Capital Innovations.