February 21, 2022
I appreciate that cyber security must be a sensitive issue for the SEC, given your own failings in this regard. However, your proposals would impose an undue burden on firms, particularly small firms, for little benefit.
Your proposed new form--you just can't help yourselves, can you?--would impose burdens without benefit. You want these ADV-C to help you "identify patterns and trends." If so, why the urgency in reporting? If a firm is attacked, coordinating with IT providers, notifying clients, setting up alternative means of communication among staff and with clients, and continuing the firm's essential business--its raison d'être--of managing portfolios, are all far more urgent than filing forms with the SEC so that you can "identify patterns".
I would suggest:
1. an AUM threshold for the ADV-C to be required (such as $100 billion)
2. the 48-hour deadline with continual updating be extended until 30 days after the hack has been dealt with
3. any method of communication with the SEC be permitted rather than requiring the IARD.
Again, if an attack is underway, there might be valid reasons not to use IARD (with its user name and password). If an attack were underway, we would avoid all user names and passwords, and would, for example, implement our person-to-person protocol for placing trades rather than use websites.
Your 243-page proposal itself takes time to plough through. There are already so many policies and procedures, committees, memos and files that there is so little time left to do the work that we are actually in business for. Let's not keep adding to these burdens, again, that take us away from helping our clients.
Yes, cyber security issues should be discussed with prospective clients, but I would urge against adding numerous new specific requirements for what must be disclosed. As you know, when the SEC requires some risk to be disclosed, the compliance officers and lawyers set to work to disclose every possible risk in an effort to minimize liability. You have kept adding requirements to what must be in the ADV II to the extent that you admitted the ADV no longer fit its original purpose and required a new form, the ADV III. The ADV II is so full of required disclosures that the majority of investors no longer read it. It may be plain English (other than the lawyer-driven disclosures) and it may disclose everything that anyone could possibly want to know, but it defeats its point if no one reads it.
Lastly, any rules you impose on investment advisors should also apply to the SEC itself.