April 11, 2022
Submitted electronically via SEC.gov
Vanessa Countryman, Secretary
Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: File No. S7-04-22 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
Dear Secretary Countryman:
The Securities Industry and Financial Markets Association (“SIFMA”)1 and SIFMA Asset Management Group (“SIFMA AMG”) appreciate the opportunity to comment on the proposed new cybersecurity risk management rules and amendments issued by the Securities and Exchange Commission (“Commission” or “SEC”). On February 9, 2022, the Commission published a Release for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies containing proposals that, if adopted, would establish a new cybersecurity incident reporting and disclosure regime and require registered investment advisers (“advisers”) and investment companies (“funds”) to implement policies and procedures designed to address cyber risks.2 We appreciate the opportunity to address various issues despite the short comment period for this extensive set of proposed rules and amendments.3
1 SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our members, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).
2 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028, IA-5956, IC-34497, 87 Fed. Reg. 13524 (proposed Feb. 9, 2022) (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, 279).
3 Given the complexity of these proposed rules, the short comment period is not adequate to address all reporting, disclosure, and cyber policy and procedure proposals. See Joint Comment Letter from SIFMA and other associations to the Commission on the “Importance of Appropriate Length of Comment Periods” (April 5, 2022), available at https://www.sifma.org/resources/submissions/importance-of-appropriate-length-of-comment-periods (“The number
of rule proposals, the complexity of the issues being tackled, the potential interconnectedness of the proposals, and lurking possible negative, unintended consequences should be considered when setting a proposal’s comment period. The Associations are concerned that the Commission’s current approach to comment period lengths does not take such an approach and ultimately does not comport with the spirit of the APA and applicable federal guidelines on
rulemaking procedure.”).