SEC Proposes First-Ever Cybersecurity Rule for Advisors

Published on February 9th, 2022


The Securities and Exchange Commission is proposing new rules that for the first time would establish explicit and detailed cybersecurity compliance requirements for registered investment advisors, including obligations to enact written policies and to report cyber breaches to clients and regulators.


Under the proposed rule, advisors and fund companies would be required to draft cybersecurity policies and procedures that would include an assessment of the firm’s risks, controls to prevent unauthorized access to systems and data, and an incident-response plan detailing the mechanisms in place to detect, mitigate, and respond to a breach.

On the reporting side, firms would be required to notify the SEC about “significant” cyberbreaches in a document it’s calling Form ADV-C, a sort of confidential appendix to the publicly available Form ADV regulatory filings advisors submit.

Those documents would be shielded from public view, but the proposed rule would also require advisors to notify clients about risks related to a cyberincident in a publicly-available section of the Form ADV. This would be a less-detailed version of the disclosures advisors would have to make to the commission on Form ADV-C, SEC staffers say.

The commissioners voted to advance the cybersecurity proposal by a vote of three to one, setting in motion the rulemaking process that will collect comments from the public before the rule is revised or put forward for a final vote.

Cyberrisks have long been an area of concern at the commission as advisors and other market participants are increasingly dependent on technology while at the same time the threats are growing ever-more sophisticated. But to date, the commission has resisted proposing formal cybersecurity rules, relying instead on existing regulations concerning data privacy and identity theft, as well as gentler industry nudges like risk alerts and the annual letters detailing the agency’s examination priorities.

“Today there are no commission rules that explicitly require firms to adopt and implement comprehensive cybersecurity programs,” William Birdthistle, director of the SEC’s Division of Investment Management, said Wednesday, describing the new proposal at a commission meeting.

But commissioners and staffers have grown concerned that that approach has left some firms vulnerable, and that without specific regulations, too many advisors aren’t doing enough to protect themselves and clients against cyberthreats, including updating old policies to keep up with the evolving threat landscape.

“Based on staff examinations, we’re concerned that not all registered funds and advisors have adopted and implemented recently designed cybersecurity programs,” Birdthistle said. “We are also concerned about advisors’ funds’ disclosures to clients and shareholders concerning cybersecurity risks and incidents.”





The dissenting vote came from Commissioner Hester Peirce, the sole Republican on the panel, which has one vacancy waiting to be filled.

Peirce lauded the idea of some form of reporting requirement, but argued that the proposal fails to meet the unique challenge of cybersecurity by setting up a rule that could discourage advisors from sharing information about actual attacks and working with authorities to address the threat. Instead, she contended, the commission is moving forward on cyber with its familiar “triad” of regulation, examinations, and enforcement, issuing a potentially punitive rule for advisors when “guidance might be more helpful” for the firms that are still struggling to implement effective cybersecurity programs.

“The area of cybersecurity is one that demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal,” Peirce said. “A cybersecurity rule that is styled as a cudgel will not facilitate such cooperation.”

Private fund rules. The commission is also advancing a proposal to write new rules for private-fund advisors.

Peirce was also the only dissenting voice against this proposal, which would cover entities like private equity and hedge funds, a private fund market holding an estimated $18 trillion in assets. Birdthistle’s team led the development of that proposal as well. As an academic prior to joining the commission, Birdthistle was highly critical of the fund industry, and aired those objections at this week’s meeting, where he argued that private funds have largely evaded regulatory accountability and continue to keep important material information hidden from investors.

“Despite our examination and enforcement efforts, private-fund investors do not receive sufficient transparency regarding the full cost of investing in private funds, the performance of such private funds, and conflicts of interest,” Birdthistle said.

Under the proposal, fund advisors would be required to issue clients quarterly statements detailing the funds’ fees, expenses, and performance—information Birdthistle argued should be available to all investors without compromising any sensitive or proprietary information about the fund itself.

“Our recommendations today are not requiring advisors to disclose private fund holdings or strategies publicly, but rather are focused on increasing transparency about the funds’ fees and performance to their investors,” he said.

T+1 is coming. The final item the commission advanced—this one with unanimous support—would shorten the standard settlement cycle for most broker-dealer transactions from two days after the trade date to one, and calls for comments on the prospect of moving toward same-day settlement.

The shift from a so-called T+2 settlement cycle to T+1 is aimed at reducing risk and cost in the trading system. It gets into the arcane relationships between brokers and clearing firms—sometimes known as the plumbing of the trading systems.

The SEC’s action on this front comes partially in response to the spike in trading volumes and resultant market volatility during the wave of meme stock trading that saw clearing firms issue margin calls that led some brokers to issue trading restrictions.

“These benefits are most salient in periods of heightened volatility,” said Haoxiang Zhu, the SEC’s director of trading and markets. “In January 2021, a T+1 settlement cycle would have mitigated the immense pressure on certain broker-dealers to fund the margin deposit that was required by the clearinghouse to guarantee their customer transactions.”

Write to advisor.editors@barrons.com
