Ms. Vanessa A. Countryman
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (SEC Rel. Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22)
Dear Ms. Countryman:
The Investment Adviser Association (IAA) is writing to supplement our previous comments on the Commission’s proposal that would require investment advisers to adopt and implement written cybersecurity policies and procedures with specified elements, report significant adviser cybersecurity incidents to the Commission, disclose significant adviser cybersecurity risks and incidents to clients, and maintain related books and records. We appreciate the constructive discussions that we have had with Commission staff regarding our Prior Letter and the Proposal’s potential implications for investment advisers.
The IAA believes that the Commission has severely underestimated the quantifiable costs of the Proposal. Following our Prior Letter, and in response to questions raised by staff, the IAA surveyed our members to better determine the Proposal’s impact. The Survey consisted of 10 questions requesting input on several issues, including members’ current cybersecurity program costs and cost estimates for implementing the various requirements of the Proposal. We have included the Survey Report as an appendix to this letter.
The IAA received responses from 34 members. These members range from smaller advisers with less than $500 million in regulatory assets under management (RAUM) and/or fewer than 10 employees to very large firms with over $1 trillion RAUM and/or more than 1,000 employees. The Survey Report provides responses by both RAUM and employee count. As noted in our Prior Letter, the IAA has long urged the Commission to consider other factors in addition to RAUM (e.g., number of employees) to make a more realistic assessment of the impact of rules on smaller advisers that by their nature have limited staffing.
Below are some key highlights from the Survey:
- The Commission’s assumption that firms spend only 0.5% of their revenues on cybersecurity likely significantly underestimates what firms are currently spending. The Survey reflects that:
- The Survey shows that all advisers currently rely heavily on third-party service providers to provide cybersecurity services and we expect that this reflects industry practice. The Commission should acknowledge the need for third-party expertise in this area, and the associated costs, and take this into consideration when finalizing the Proposal, especially as it considers the impact of the Proposal and the incremental and cumulative impacts of all regulatory requirements on smaller advisers.
- A majority of smaller firms (up to $10 billion RAUM) estimate that they will spend over $50,000 in 2022 for external cybersecurity products and services and 37% estimate that they will spend over $100,000.
- Mid-sized firms (between $10 billion and $50 billion RAUM) estimate that they will spend over $400,000 in 2022 for external cybersecurity products and services.
- Larger firms (between $50 billion and $1 trillion RAUM) estimate that they will spend over $2,000,000 in 2022 for external cybersecurity products and services.
- Two of the three largest firms (more than $1 trillion RAUM) estimate that they will spend over $80,000,000 in 2022 for external cybersecurity products and services.
- The Survey reflects that the costs associated with implementing the Proposal will likely be much higher than the Commission’s Paperwork Reduction Act (PRA) cost estimates. For example:
- The Commission estimates that firms will have an annual burden of $16,013 to implement policies and procedures required by the Proposal. The Survey shows that nearly 80% of respondents estimate that the initial costs associated with adopting and implementing the proposed cybersecurity policies and procedures will be at least $20,000 per adviser, with nearly 50% estimating that these initial costs will be $100,000 or more. We are also concerned with the ongoing year-over-year impact as nearly 50% of respondents also estimate annual ongoing costs of more than $100,000. Over a five-year period, this could underestimate the cost by at least $420,000 per adviser.
- The Commission estimates that firms will have an annual burden of $340 to implement the recordkeeping obligations required by the Proposal. The Survey shows that 44% of respondents estimate that both the initial and ongoing per-adviser costs will be at least $10,000.
- The Commission estimates that firms will have an annual burden of $3,439 to implement the new requirement to report a significant cybersecurity incident. The Survey shows that over 60% of respondents estimate that both initial and ongoing annual per-adviser costs will be at least $10,000, with 40% estimating that the ongoing annual costs will exceed $20,000. Over a five-year period, this could underestimate the per-adviser cost by at least $32,000.
- The Commission estimates that firms will have an annual burden of $1,598 to implement the new requirement to disclose information on Form ADV Part 2A regarding an adviser’s cybersecurity risks and significant cybersecurity incidents that have occurred in the past two years and an annual burden of $12,919 to implement the requirement that an adviser deliver interim brochure amendments promptly to existing clients if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident. The Survey shows that 66% of respondents estimate that initial per-adviser costs will be at least $10,000, with 45% estimating that initial costs will be at least $50,000. We are also concerned with the ongoing year-over-year impact as 37% of respondents also estimate annual ongoing per-adviser costs of more than $20,000. Over a five-year period, this could underestimate the per-adviser costs by at least $40,000.
- Due to the initial and ongoing annual estimated costs reported by respondents to the Survey, the Commission may be underestimating the per-adviser costs to implement the Proposal over a five-year period by over $500,000 per adviser.
The Survey shows much higher per-adviser costs for IAA members that responded than estimated by the Commission. It also reflects a wide range of estimated per-adviser costs to implement the Proposal, a variation that underscores the IAA’s view that there is no “one-size-fits-all” approach to cybersecurity among investment advisers, and reinforces our recommendation that the Commission continue to allow investment advisers to tailor their cybersecurity program to their business model. The IAA requests that the Commission update its cost-benefit analysis to incorporate this data and that it modify the Proposal to reflect these more significant burdens on advisers.
* * *
We appreciate the Commission’s consideration of our supplemental comments on this important Proposal. Please do not hesitate to contact the undersigned at (202) 293-4222 if we can be of further assistance.
Gail C. Bernstein
The Honorable Gary Gensler, Chair
The Honorable Hester M. Peirce, Commissioner
The Honorable Caroline A. Crenshaw, Commissioner
The Honorable Mark T. Uyeda, Commissioner
The Honorable Jaime Lizárraga, Commissioner
William A. Birdthistle, Director, Division of Investment Management