Oct. 27, 2023
Dear Securities and Exchange Commission, I am writing to express my concerns regarding the proposed rule "Safeguarding Advisory Client Assets" and its inadequacy in addressing cybersecurity requirements for custodians of digital assets. While I appreciate the SEC's efforts to enhance investor protections and address gaps in the custody rule, the proposed rule falls short in safeguarding digital assets from the increasing threat of theft and fraud. Digital assets, such as cryptocurrencies, have transformed the financial landscape, providing individuals with new and innovative investment opportunities. However, these assets are particularly vulnerable to cyberattacks, and custodians must be held to higher standards to mitigate risks effectively. Unfortunately, the proposal lacks stringent cybersecurity requirements that are necessary to ensure the protection of digital assets. As we have witnessed numerous high-profile cryptocurrency hacks and scams in recent years, it is paramount that the SEC sets strong cybersecurity standards for custodians to safeguard investor assets. The proposal must mandate robust encryption protocols, regular security assessments, and sophisticated intrusion detection systems to protect against cyber threats. In designing cybersecurity requirements, the SEC should draw upon existing industry best practices and established standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. By aligning with recognized frameworks, the SEC can ensure that custodians of digital assets implement adequate controls to prevent unauthorized access, data breaches, and unauthorized transactions. Additionally, the proposal should emphasize the importance of employing multi-factor authentication for accessing digital wallets and implementing mechanisms for proper key management. These measures are critical in preventing unauthorized individuals from gaining access to investor funds. Moreover, the proposed rule should address the need for comprehensive incident response plans to react swiftly in the event of a security breach. By mandating well-defined breach notification requirements, custodians can promptly inform affected investors and take appropriate remedial actions. Furthermore, the proposal should require ongoing reporting of cybersecurity incidents to the SEC, enabling regulatory oversight and providing crucial data for identifying emerging threats in the digital asset space. It is essential for the SEC to have a comprehensive understanding of cybersecurity incidents to adapt regulations effectively and stay ahead of evolving cyber risks. To strengthen the proposed rule's effectiveness in addressing cybersecurity concerns, the SEC should collaborate with relevant stakeholders, such as cybersecurity experts, industry associations, and technology providers. This collaborative approach would lead to informed policymaking that accounts for the unique challenges and opportunities presented by digital assets. In conclusion, the proposed rule "Safeguarding Advisory Client Assets" must encompass robust cybersecurity requirements for custodians of digital assets. By adopting best practices and recognized frameworks, strengthening access controls, emphasizing incident response protocols, and promoting collaboration, the SEC can bolster investor confidence in the digital asset market. Thank you for considering my comments. I urge the SEC to prioritize the implementation of stringent cybersecurity measures to protect investor assets in the ever-evolving landscape of digital assets. Sincerely, Sunny Ali