Subject: s7-02-23: WebForm Comments from Anonymous
From: Anonymous
Affiliation: SEC

Mar. 15, 2023

 Secretary Countryman:

I am an SEC employee. I believe that outsourcing the functions of the Office of Ethics Counsel to an automated third-party compliance system is not a good idea. I am concerned about hacks and the disclosure of my personal financial information outside of the SEC. The SEC needs to take this seriously or it risks reputational harm. If employees are distracted by the stress that comes from a hack of their financial information, how will they be able to effectively protect investors?

On March 15, 2023, the Commission issued three proposals that purport to fortify financial regulation by increasing cybersecurity standards on regulated entities:
(1) Regulation S-P proposal: The proposal requires broker-dealers, investment companies, registered investment advisers, and transfer agents to notify individuals affected by certain types of data breaches that may put them at risk of harm.
(2) The second proposal enhances the cybersecurity requirements of broker-dealers, the MSRB, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents by adding requirements about policies and procedures and incident reporting.
(3) Regulation SCI proposal: The final proposal expands the scope of Reg SCI to continue to ensure capacity, integrity, resiliency, availability, and security of the tech infrastructure of the U.S. securities markets.

The Commission seems interested in cybersecurity in those proposals. Why does the instant proposal not address that same concern when it comes to its own staff's financial information? The Commission should take the cybersecurity of its own workforce seriously. Will it impose similar standards as above on whichever third party it attempts to contract out to? How will it enforce against this outsourced third party if the duty is breached? Employees should have the right to opt out of this program and submit the way they do currently via PTCS.

Cybercriminals have targeted the SEC before. There can be serious reputational, psychological, and financial costs associated with these breaches. Will the SEC protect its employees? Oftentimes government contracts go to the lowest bidder, who is not well-suited to perform the function. I urge you not to adopt third-party outsourcing of the function that the Office of Ethics Counsel currently performs. Thank you.