
IAA Supplemental Letter to SEC on Cybersecurity Survey Results

December 19, 2022


Ms. Vanessa A. Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090

Re: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (SEC Rel. Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22)


Dear Ms. Countryman:

The Investment Adviser Association (IAA)[1] is writing to supplement our previous comments[2] on the Commission’s proposal that would require investment advisers to adopt and implement written cybersecurity policies and procedures with specified elements, report significant adviser cybersecurity incidents to the Commission, disclose significant adviser cybersecurity risks and incidents to clients, and maintain related books and records.[3] We appreciate the constructive discussions that we have had with Commission staff regarding our Prior Letter and the Proposal’s potential implications for investment advisers.

The IAA believes that the Commission has severely underestimated the quantifiable costs of the Proposal.[4] Following our Prior Letter, and in response to questions raised by staff, the IAA surveyed our members to better determine the Proposal’s impact. The Survey consisted of 10 questions requesting input on several issues, including members’ current cybersecurity program costs and cost estimates for implementing the various requirements of the Proposal. We have included the Survey Report as an appendix to this letter.[5]

The IAA received responses from 34 members. These members range from smaller advisers with less than $500 million in regulatory assets under management (RAUM) and/or fewer than 10 employees to very large firms with over $1 trillion RAUM and/or more than 1,000 employees. The Survey Report provides responses by both RAUM and employee count. As noted in our Prior Letter, the IAA has long urged the Commission to consider other factors in addition to RAUM (e.g., number of employees) to make a more realistic assessment of the impact of rules on smaller advisers that by their nature have limited staffing.[6]

Below are some key highlights from the Survey:

  • The Commission’s assumption that firms spend only 0.5% of their revenues on cybersecurity likely significantly underestimates what firms are currently spending. The Survey reflects that:
    • Almost 80% of respondents measured by number of employees and by RAUM currently spend at least 1% of their total revenue on cybersecurity.[7]
    • Approximately 53% of respondents measured by number of employees and by RAUM spent more than $500,000 on cybersecurity-related costs in 2021.[8]
  • The Survey shows that all advisers currently rely heavily on third-party service providers to provide cybersecurity services and we expect that this reflects industry practice.[9] The Commission should acknowledge the need for third-party expertise in this area, and the associated costs, and take this into consideration when finalizing the Proposal, especially as it considers the impact of the Proposal and the incremental and cumulative impacts of all regulatory requirements on smaller advisers.
    • A majority of smaller firms (up to $10 billion RAUM) estimate that they will spend over $50,000 in 2022 for external cybersecurity products and services and 37% estimate that they will spend over $100,000.[10]
    • Mid-sized firms (between $10 billion and $50 billion RAUM) estimate that they will spend over $400,000 in 2022 for external cybersecurity products and services.[11]
    • Larger firms (between $50 billion and $1 trillion RAUM) estimate that they will spend over $2,000,000 in 2022 for external cybersecurity products and services.[12]
    • Two of the three largest firms (more than $1 trillion RAUM) estimate that they will spend over $80,000,000 in 2022 for external cybersecurity products and services.[13]
  • The Survey reflects that the costs associated with implementing the Proposal will likely be much higher than the Commission’s Paperwork Reduction Act (PRA) cost estimates. For example:
    • The Commission estimates that firms will have an annual burden of $16,013 to implement policies and procedures required by the Proposal.[14] The Survey shows that nearly 80% of respondents estimate that the initial costs associated with adopting and implementing the proposed cybersecurity policies and procedures will be at least $20,000 per adviser, with nearly 50% estimating that these initial costs will be $100,000 or more.[15] We are also concerned with the ongoing year-over-year impact as nearly 50% of respondents also estimate annual ongoing costs of more than $100,000.[16] Over a five-year period, this could underestimate the cost by at least $420,000 per adviser.
    • The Commission estimates that firms will have an annual burden of $340 to implement the recordkeeping obligations required by the Proposal.[17] The Survey shows that 44% of respondents estimate that both the initial and ongoing per-adviser costs will be at least $10,000.[18]
    • The Commission estimates that firms will have an annual burden of $3,439 to implement the new requirement to report a significant cybersecurity incident.[19] The Survey shows that over 60% of respondents estimate that both initial and ongoing annual per-adviser costs will be at least $10,000, with 40% estimating that the ongoing annual costs will exceed $20,000.[20] Over a five-year period, this could underestimate the per-adviser cost by at least $32,000.
    • The Commission estimates that firms will have an annual burden of $1,598 to implement the new requirement to disclose information on Form ADV Part 2A regarding an adviser’s cybersecurity risks and significant cybersecurity incidents that have occurred in the past two years and an annual burden of $12,919 to implement the requirement that an adviser deliver interim brochure amendments promptly to existing clients if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident.[21] The Survey shows that 66% of respondents estimate that initial per-adviser costs will be at least $10,000, with 45% estimating that initial costs will be at least $50,000.[22] We are also concerned with the ongoing year-over-year impact as 37% of respondents also estimate annual ongoing per-adviser costs of more than $20,000.[23] Over a five-year period, this could underestimate the per-adviser costs by at least $40,000.
    • Due to the initial and ongoing annual estimated costs reported by respondents to the Survey, the Commission may be underestimating the per-adviser costs to implement the Proposal over a five-year period by over $500,000 per adviser.

The Survey shows much higher per-adviser costs for IAA members that responded than estimated by the Commission. It also reflects a wide range of estimated per-adviser costs to implement the Proposal, a variation that underscores the IAA’s view that there is no “one-size-fits-all” approach to cybersecurity among investment advisers, and reinforces our recommendation that the Commission continue to allow investment advisers to tailor their cybersecurity program to their business model.[24] The IAA requests that the Commission update its cost-benefit analysis to incorporate this data and that it modify the Proposal to reflect these more significant burdens on advisers.

* * *

We appreciate the Commission’s consideration of our supplemental comments on this important Proposal. Please do not hesitate to contact the undersigned at (202) 293-4222 if we can be of further assistance.

Respectfully Submitted,

Gail C. Bernstein
General Counsel

cc:
The Honorable Gary Gensler, Chair
The Honorable Hester M. Peirce, Commissioner
The Honorable Caroline A. Crenshaw, Commissioner
The Honorable Mark T. Uyeda, Commissioner
The Honorable Jaime Lizárraga, Commissioner
William A. Birdthistle, Director, Division of Investment Management


[1] The IAA is the leading organization dedicated to advancing the interests of investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. The IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.

[2] See Letter from Gail C. Bernstein, General Counsel, Investment Adviser Association, to the Commission re: Cybersecurity Risk Management for Investment Advisers (Apr. 11, 2022), available at https://www.investmentadviser.org/wp-content/uploads/2022/04/IAA-Cybersecurity-Comment-Letter-4.11.22-FINAL.pdf (Prior Letter).

[3] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (Mar. 9, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-03-09/pdf/2022-03145.pdf (Proposal).

[4] As we noted in our Prior Letter, we are concerned with the statement in the Proposal that “[a]s we do not currently have reliable data on the extent to which registrants’ existing policies and procedures follow industry best practices, address cybersecurity risks, their ‘reasonableness,’ or the frequency at which they are reviewed, it is not possible for us to quantify the scale of the benefits arising from the proposed requirements.” Proposal at 13551. Without having an appropriate baseline, it is difficult to accurately measure the additional incremental costs.

[5] See Appendix (Survey Report).

[6] See also, e.g., Letter from Karen Barr to SEC Chair Gary Gensler on the Regulation of Registered Investment Advisers (May 17, 2021), available at https://www.investmentadviser.org/publications/comment-letters/comment-letter-may-17-2021 (“Smaller advisory firms face unique challenges as small businesses. The IAA recommends that the Commission consider the economic impact of regulations on smaller advisory firms more carefully and conduct a more realistic assessment of the cumulative impact of policy and regulatory decisions on these firms’ businesses and their ability to serve the investing public.”).

[7] Survey Report, Q3.

[8] Id.

[9] Id. Q6.

[10] Id. Q5 (Up to $10B RAUM).

[11] Id. Q5 (Between $10B and $50B RAUM).

[12] Id. Q5 (Between $50B and $1T RAUM).

[13] Id. Q5 (Over $1T RAUM).

[14] See Proposal at 13560, Table 1—Rule 206(4)–9 PRA Estimates. The estimated total new annual burden per adviser of proposed Rule 206(4)-9 is $12,541 (internal time costs) plus $3,472 (external cost burden), for a total of $16,013.

[15] Survey Report, Q7.1.

[16] Id. Q7.2.

[17] See Proposal at 13562-63, Table 3—Rule 204–2 PRA Estimates. The estimated total annual burden per adviser of each of the five aspects of proposed Rule 204-2 is $68, for a total of $340. The five aspects are (i) retention of cybersecurity policies and procedures; (ii) retention of written report documenting annual review; (iii) retention of copy of any Form ADV-C filed in last five years; (iv) retention of records documenting a cybersecurity incident; and (v) retention of records documenting an adviser’s cybersecurity risk assessment.

[18] Survey Report Q10.1 and Q10.2.

[19] See Proposal at 13563, Table 4—Rule 204–6 PRA Estimates. The estimates for making a determination of a significant cybersecurity incident are $1,059 (internal time costs) plus $1,488 (external cost burden); the estimates for amending Form ADV-C if any of the information previously filed becomes materially inaccurate are $396 (internal time costs) plus $496 (external cost burden); together these total $3,439.

[20] Survey Report Q9.1 and Q9.2.

[21] See Proposal at 13568, Table 7—Rule 204-3 PRA Estimates. The estimated total new annual burden per adviser is $12,919.04. See also Proposal at 13566, Table 6—Form ADV PRA Estimates. The estimated revised burden/external cost per adviser is $1,598.03.

[22] Survey Report Q8.1.

[23] Id. Q8.2.

[24] See Prior Letter at 6.
