SEC Reopens Comment Period on Cybersecurity Rule

If approved, the rule would require certain actors to notify the SEC of a significant cyber event within 48 hours.



The Securities and Exchange Commission last week decided to reopen the comment period for a proposed cybersecurity rule that would apply to the policies of registered investment advisers and fund companies. The initial proposal was introduced on February 9, 2022, and its original comment period expired on April 11, 2022.

The reopening decision was based in part on the requirement that covered actors confidentially inform the SEC within 48 hours of detecting a significant cyber incident. Additionally, according to Dan Bresler, a partner at Seward & Kissel, the reopening is also due to two new proposals, on Reg SCI and Reg S-P, which cover related topics and could “impact the industry’s comments on the cybersecurity rule.” He adds that, “It also likely signals that a final rule will be coming in the near term.”

If approved as written, the cybersecurity rule would require broker/dealers, clearing agencies, national securities associations, national securities exchanges and transfer agents to maintain policies that identify and address their cybersecurity risks and to review those policies annually in light of possible changes to those risks. They would also have to inform the SEC of a significant cyber incident within 48 hours of becoming aware of it and update that disclosure if the disclosed facts become materially inaccurate. The disclosure would be made on a proposed new form, Form SCIR.

The new comment period opened on Tuesday, with the reopening release’s publication in the Federal Register, and continues through May 22.


The Investment Adviser Association said in an emailed statement that it supports reopening the comment period because it needs more time to study the rule’s interactions with others, such as the outsourcing rule.

The day before the SEC’s open hearing, the IAA also hosted a panel at its 2023 Investment Adviser Compliance Conference in which representatives of the SEC discussed the cybersecurity rule with representatives of the investment adviser industry.

Maria Chambers, the chief compliance officer at Klingenstein Fields Advisors, said that the 48-hour reporting and update requirements are misguided. She noted that many of the cybersecurity employees at her firm who are responsible for fixing and mitigating the breach will also be responsible for reporting. This means the reporting requirement essentially becomes a burden and a distraction while an incident is ongoing. It also is not clear what “significant” means in terms of precise events that would require a disclosure to the SEC.

David Joire, a senior special counsel with the SEC’s division of investment management who helped draft the proposal, said the SEC has received many comments which say that the 48-hour requirement is not enough time. He added, however, that many other comments, especially those from investors, said that it is too much, because those investors might be damaged severely in the 48 hours before a significant cyber event was reported.

He also explained that the 48-hour clock starts when a covered actor becomes aware of the cyber event, rather than the moment it takes place.

Joire also elaborated on what “significant” means: In the SEC’s definition, a cyber event is significant if critical operations, such as processing trades, are disrupted. A significant monetary loss or the theft of intellectual property would also qualify.

William Birdthistle, the director for the SEC’s division of investment management, who also spoke at the conference, commented briefly on the proposed rule. He said the importance of the 48-hour element of the proposal lies in the ability of the SEC to prevent “contagion”: If one critical actor is compromised, then that can impede other actors working in the same market segment. Other actors who had critical information compromised by the breach could be vulnerable to attack themselves, so the SEC position is that knowing about such an event quickly could reduce the probability of a contagion effect taking place.

SEC Commissioner Mark Uyeda expressed skepticism about this proposal in his statement at the open hearing. He also questioned the SEC’s ability to prevent contagion, noting that the SEC does not have a “cyber response team” and that the agency could not do much to limit the damage of a major cyber event.

Commissioner Hester Peirce agreed with that sentiment in a statement from last week’s open hearing. She said that a 48-hour notice requirement is a distraction from a crisis.

“Unfortunately, with this proposal, the Commission has apparently decided its role is to be an enforcer demanding that a firm dealing with a cybersecurity attack first and repeatedly attend to the Commission’s voracious hunger for data,” she said. “The Commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers.”


Despite Backlash, ESG Hiring Remains Elevated

Asset owners, consultants and asset managers are all engaged in an increasingly competitive fight for ESG talent.



A quick look at ESG headlines these days mostly tells a story of backlash. Governors and state attorneys general are making it more difficult for state funds to be invested in funds or with managers using environmental, social and governance criteria.

Members of Congress tried to limit how retirement plans could consider ESG factors when selecting investments. Even in Europe, recent regulatory changes to ESG classifications have prompted allegations of widespread greenwashing. Still, in the U.S. and abroad, asset owners, asset managers and investment consultants are hiring for a wide variety of ESG roles, and sources say they are unlikely to stop any time soon.

“Even though it is politically charged at the moment, investors, customers, employees and other stakeholders aren’t letting up on their demands for transparency and action on material areas of risk and opportunity,” says Miriam Wrobel, senior managing director and global leader of environmental, social and governance and sustainability at FTI Consulting. Her company is both hiring for ESG roles and working with clients on finding talent.

Wrobel says there is “exponential growth and demand” for ESG-related reporting, strategies and business transformation. That is pushing investors, public companies and asset managers to bring on new people who can gather the necessary data and analyze it.


Those needs are expressed in a recent job posting from the San Francisco Employees’ Retirement System, which is looking for an ESG investment officer. The posting suggests that the role will primarily be focused on ESG reporting, data analysis and integration.

The New York City Office of the Comptroller is looking for a similar person: an ESG integration officer to work with both the CIO and the Bureau of Asset Management to find ways of integrating ESG into investment considerations. The New York State Insurance Fund and the United Nations Joint Staff Pension Fund’s office of investment management have similar roles open.

On Tuesday, Franklin Templeton also announced a new sustainability hire who will be working on ESG integration and strategy. James Andrus joins from the California Public Employees’ Retirement System to be vice president of Sustainability Global Markets, a newly created leadership role within the firm’s Global Sustainability Strategy Team.

In his new role, he will work across teams and jurisdictions to set the direction of Franklin Templeton’s sustainable investment team. At CalPERS, Andrus served as the Interim Managing Investment Director for Sustainable Investing and led CalPERS’ sustainable investment strategy.

Andrus will report to Anne Simpson, Franklin Templeton’s Global Head of Sustainability, who had previously been the managing investment director of board governance and sustainability at CalPERS.

But it may not be easy to fill these roles. All of these postings are looking for someone with at least five years of experience in ESG, and the pensions are competing against some of the world’s largest asset managers, including Blackstone, Goldman Sachs, Franklin Resources, State Street and Fidelity. Each of those companies has ESG spots open, as do many consultants, including Alvarez & Marsal, FTI and Wilshire.

“We’re seeing more and more professionals with formal ESG training, so there is a strong pipeline of talent, but there isn’t a sufficient talent pool that has both the formal training and the real-world expertise to execute,” Wrobel says.

Paul Aversano, managing director and global practice leader for global transaction advisory business at Alvarez & Marsal, agrees. He is in the process of expanding the firm’s ESG practice as a result of growing client demand. He says Alvarez & Marsal is getting requests for help with due diligence, transaction advisory and data/reporting. When he looks at clients’ ESG interests, he says it is hard to take the backlash seriously.

“On the transaction side, buyers are willing to pay more for a company with a positive or improving ESG footprint,” Aversano says. “On the talent management side, we’re getting questions about our policies, and so are our clients. New hires don’t want to work somewhere that isn’t at least looking at ESG. If you look at corporates, the ESG disclosure rules and regulations continue to evolve, and companies have to track that—especially if they have a global footprint. Other jurisdictions aren’t going to stop asking for this data.”

He adds that there are material financial risks that can be missed if companies, sponsors and investors are not tracking things like climate risk, which could lead to trapped assets down the line.

“A lot of this is really a data collection exercise,” he says. “You want to have the most information you can about an asset or a company or a transaction, and you need people who can get that data.”

These realities are also popping up for asset managers. Many asset managers have a global footprint, and there is still significant demand for ESG strategies abroad—especially in Europe, the Middle East and Asia. For firms that have operations in all of those areas, avoiding ESG just because of pushback in the U.S. likely is not the most prudent or efficient use of resources, says Tyler Cloherty, managing director at Deloitte’s asset management strategy consultant, Casey Quirk.

“It’s kind of a highest-common-denominator thing,” he says. “You need to be able to maintain credibility everywhere you do business. We’re seeing from some investors that even if they aren’t saying they are specifically interested in ESG, they’re still asking for ESG-type data in their due diligence process. ESG is an area that continues to evolve, but I think it’s hard to argue that we’re going to go back to a time when these considerations weren’t included. Firms will have to keep hiring for that.”
