Oct. 30, 2023
Dear SEC, I am writing to provide comments on the proposed cybersecurity rules for registered investment advisers. I appreciate the SEC’s goals of strengthening protections for retail investors. However, I have concerns that certain requirements may be in conflict with the nature of digital assets and prove overly difficult to implement for advisers dealing with cryptocurrency and decentralized finance protocols. Specifically, the 48-hour breach reporting mandate could compromise the anonymity of digital asset holders. Unlike breaches of traditional accounts, wallet hacks and stolen crypto may be impossible to trace back to underlying client owners. Forcing advisers to provide details in these cases would both violate investor privacy and potentially expose firms to liability for breaching anonymity they cannot actually circumvent. Additionally, prescriptive cybersecurity policies and auditing mandated by the proposal seem extremely challenging to execute given the breadth of new platforms, apps, and protocols across the fragmented digital asset ecosystem. Assessing vulnerabilities and implementing uniform controls is not feasible in such a rapidly evolving landscape. Rather than a blanket approach, I suggest the SEC take a more principles-based stance focused on accountability over specifics. Require advisers to demonstrate thoughtful cyber risk management tailored to their particular client assets and services. But avoid overly rigid technical standards, recognizing that what constitutes “reasonable care” differs fundamentally between centralized and decentralized systems. I urge the SEC to collaborate with industry and technical experts to ensure rules account for the unique attributes of digital assets. Thank you for considering this feedback. I hope we can find approaches that balance innovation and expanding access with appropriate investor protections.