SEC withdraws cyber rules for investment companies, advisers
The Securities and Exchange Commission is pulling back cybersecurity regulations for investment companies and investment advisers proposed under the Biden administration.
In a notice last week, the SEC said it was withdrawing pending rules requiring those companies and advisers to develop written policies to address cybersecurity risks and report significant cybersecurity incidents to the commission. It also would have required them to report on the last two fiscal years’ cyber incidents and risks in a publicly available registration form.
It’s part of broader deregulation at the SEC under President Donald Trump, with the commission simultaneously dropping proposed rules on things like artificial intelligence use and outsourcing. It also comes as industry groups are urging the SEC to reel back in a rule that’s the source of even greater animosity for them: one that established regulations requiring swift public disclosure of major cybersecurity incidents.
When the SEC first proposed the now-withdrawn rule in 2022, then-Chairman Gary Gensler touted it as an important safeguard for investment advisers and business development companies.
“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” Gensler said.
In 2023, the commission re-opened the public comment period on the rule, saying that it “will allow interested persons additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission should consider.“
At least two large companies that serve as investment advisers, Fidelity Investments and Prudential, suffered significant data breaches last year. One advocacy group, Better Markets, pointed to those incidents in comments to the SEC last year.
“The need for broker-dealers and investment advisers to adopt cybersecurity programs has only become more apparent since the SEC issued the Proposed Rules,” wrote Benjamin Schiffrin, director of securities policy at Better Markets.
But industry groups contended the rule would have done more harm than good.
“Disclosing detailed information on cyber risks, including past incidents, could help adversaries refine their tactics and techniques to maximize attack impact,” wrote Heather Hogsett, senior vice president for BITS at the Bank Policy Institute. “Moreover, the public disclosure of ongoing incidents outlined in several of the Commission’s proposals would impair the ability of other regulators to leverage confidential incident reports and warn other potential victims. If an incident involves sophisticated nation-state adversaries, this disclosure could also complicate forensics and threat actor attribution, creating additional national security concerns.”
She also said that the rule would add to a growing web of cybersecurity regulations that could divert attention from cyberattacks toward regulatory compliance.
Hogsett cheered the SEC’s new approach in a statement to CyberScoop.
“The Biden Administration’s SEC prioritized quantity over quality when it came to rulemaking, and we appreciate the current SEC’s willingness to take a fresh look at what actually works,” she said. “Requiring cybersecurity experts to spend more time on procedural compliance matters rather than protecting the firm doesn’t make the financial system any safer, it only diverts resources from actual threats.”
