IAA Statement: SEC Proposal on Protection of Client Information

June 5, 2023

---

Contact:
IAA VP of Communications & Marketing Janay Rickwalder.

Attribution to Gail Bernstein, IAA General Counsel

The Investment Adviser Association remains committed to supporting efforts by the SEC to protect investors, market participants, and the broader financial markets against information security threats. We submitted comments to the SEC today expressing support for the proposed amendments to rules governing the protection of clients’ non-public personal information.

The IAA supports requirements for advisers to have a principles-based incident response program that addresses unauthorized access to or use of client PII and notification of a breach to affected clients. We believe advisers should protect the confidentiality of client PII and inform clients of any breaches.

We therefore support the proposal, subject to several recommendations. Our recommendations would further the SEC’s objectives while more effectively protecting investors and streamlining unnecessary operational and compliance burdens on advisers. For example, we’ve asked the SEC to limit the new requirements to sensitive client information, rather than all client information. We’ve also asked the SEC to narrow the scope of the third parties that advisers would need to cover in their incident response plans. And we’ve cautioned the SEC against requiring public disclosures that would provide a roadmap to threat actors.

This proposal, like several of the other open rule proposals, would require advisers to enter into specific contractual terms with service providers. We’re again asking the SEC to recognize how challenging it is for advisers to negotiate these terms with service providers, especially when they have little leverage. This concern relates to advisers of all sizes, but especially smaller advisers.

A growing concern for the IAA relates to the SEC’s expectations around how advisers will be expected to implement the many substantial new requirements likely to get finalized within the same period. The SEC is proposing unreasonably short implementation timelines for each proposal in isolation, but it’s also not considering all these new requirements together. So, we’ve asked that the individual timelines be extended but also that a more realistic overall implementation timeline be established to allow advisers to implement and operationalize changes and prevent industry disruption.

The proposed data privacy amendments are the latest in a series of rulemaking proposals that are unprecedented in their scope and speed. The SEC has not adequately considered how these proposals interrelate or their cumulative effect on investment advisers, especially smaller advisers, despite our many calls for the SEC to do so. The IAA has asked the SEC to reopen comment periods for several other rulemakings, including the Outsourcing, Safeguarding, and Cybersecurity proposals, to consider the interrelationships and conduct a holistic cost-benefit analysis.

The IAA will continue to advocate for all advisers, and in particular for smaller advisers, to ensure that final rules recognize the extent of the burdens being placed on them and consider less burdensome ways to achieve the SEC’s goals.

The IAA is committed to working constructively with the SEC to achieve our shared goal of safeguarding clients’ PII. We will continue to engage with the SEC as it considers this proposal and the feedback it receives.