Subject: File No. S7-04-22
From: Mark Follo
Affiliation: Program Manager, Security Governance and Risk, Oscar Health

March 15, 2022

2. Should we scale the proposed requirements based on the size of the adviser or fund?
If so, which of the elements described below should not be required for smaller
advisers or funds? How would we define such smaller advisers or funds? For
example, should we define such advisers and funds based on the thresholds that the
Commission uses for purposes of the Regulatory Flexibility Act? Would using
different thresholds based on assets under management, such as $150 million or $200
million, be appropriate? Would another threshold be more suitable, such as one
based on an adviser's or fund's limited operations, staffing, revenues or management?

Unless founded on a risk model, thresholds are arbitrary and do not reflect the appropriate level of investment in a cybersecurity program. Smaller companies that manage smaller funds of assets may operate systems that are highly critical (e.g., a company managing user financial information or user health information), whereas larger companies managing larger funds of assets may operate systems that are less critical (e.g., a social media company managing user interests or likes). The larger company may be able to invest just as appropriately in cybersecurity as the smaller company, even though it spends less on its cybersecurity program. What should be required is a determination of spend based on assessments detailing the level of cybersecurity risk to the organization.

Should there be additional or more specific requirements for who would implement
an adviser's or fund's cybersecurity program? For example, should we require an
adviser or fund to specify an individual, such as a chief information security officer,
or group of individuals as responsible for implementing the program or parts thereof?
Why or why not? If so, should such an individual or group of individuals be required
to have certain qualifications or experience related to cybersecurity, and if so, what
type of qualifications or experience should be required?

It would be appropriate to require advisers or funds to specify an individual responsible for implementing a security program. However, due to the quickly changing nature and immaturity of cybersecurity as a profession, it would not be appropriate to require certain experience or qualifications related to cybersecurity. As an example, CISSP and CEH were both highly regarded certifications in the security community 10 years ago. Today, though the CISSP has retained credibility as a standard in security management, the CEH certification is looked down upon by the technical security community due to the increased popularity, demand, and relevance of the OSCP certification. In regards to higher education, colleges have been slow to keep up with the ongoing changes in the cybersecurity field and do not serve as a good proxy for sniffing out professional security talent at this time.

What user measures do advisers currently have for using mobile devices or other
ways to access adviser or fund information systems remotely? Should we require
advisers and funds to implement specific measures to secure remote access
technologies?

A challenge with specifically calling out mobile devices is that technology changes quickly, and this term, although it seems accurate now, may not reflect the state of devices used in the future. Measures should be described as applying to remote access technologies in general rather than specifically calling out mobile devices.

13. Should we require that advisers and funds respond to cybersecurity incidents within a specific timeframe? If so, what would be an appropriate timeframe?

No, advisers and funds should not be required to respond to cybersecurity incidents within a specified timeframe. Each incident may require a different response timeframe depending on the nature of the incident. A more accurate requirement would be reporting on cybersecurity incidents within a timeframe, not responding to cybersecurity incidents within a timeframe.