SEC’s Crenshaw assures advisers agency doesn’t seek to punish cyberattack victims

SEC Commissioner Caroline Crenshaw tried to reassure investment advisers Thursday that the agency wants to work with them to strengthen cybersecurity protections rather than pile on with enforcement after an cyberattack.

Last month, the Securities and Exchange Commission proposed the first cybersecurity rule for registered investment advisers and investment companies. Under the 243-page proposal, advisers would have to develop written policies and procedures that address cyber risks, report attacks to the agency and disclose major cyberbreaches on their Form ADVs as well as keep related books and records.

But at an Investment Adviser Association compliance conference, concern was raised about enforcement actions after hacks in which advisers are punished for cybersecurity lapses.  

In a Q&A with Crenshaw, IAA Chief Executive Karen Barr said advisers see themselves as victims of hacks. She asked how the agency will strike a balance between collaborating with the adviser community and being adversarial.

“Our goal certainly is not to be adversarial with any registrant, plain and simple,” said Crenshaw, who spoke via a video connection to the conference, which was held in-person at a hotel in Washington.

Advisory firms that follow best practices, provide timely disclosure and cooperate with law enforcement are unlikely to draw an enforcement action just because they were a victim of a cyberattack, Crenshaw said. She noted that the investigations that result in enforcement are the ones that have a high profile, while investigations that close without action aren’t publicized.

“Our goal is not to not to punish the victim,” said Crenshaw, one of three Democratic commissioners on what is at the moment a four-person panel. “And registrants can certainly help their cause by taking steps really before a problem happens to minimize potential harm, to have a plan for how to respond and really make sure they are abiding by all the regulations.”

Barr liked Crenshaw’s answer. “We appreciate that,” she said.

Later in the session, Crenshaw said complex investment products, such as leveraged and inverse exchange traded products, pose one of the biggest investor protection threats.

“Any products that don’t have an intuitive payoff structure are something that I’m certainly thinking about,” Crenshaw said.


The SEC’s new director of the Division of Investment Management, William Birdthistle, made his first public appearance to open the IAA conference, which drew about 400 attendees. Birdthistle addressed the audience via video from Chicago, where he was a professor of law at the University of Chicago before joining the SEC.

Technological developments have created a time that is defined by fracture and chaos, Birdthistle said. He sees an important SEC role as protecting investors in financial markets where technology has disrupted the status quo.  

In his first six weeks in office, the SEC has proposed rules – such as the cybersecurity proposal and a proposal to curtail certain practices of private fund advisers – that take “steps to ensure coherence and order,” Birdthistle said.

“If adopted, I believe that the proposals would close gaps in information and enhance investor protections in light of industry developments,” he added.

Birdthistle said he wants to bring order to the “new frontier” of crypto assets and online investing.

“The expanding opportunities to invest in securities directly using digital platforms, such as robo-advisers, online brokerages, and mobile investment apps and portals, also present challenges,” he said. “I look forward to considering recommendations in light of the comments we have received in this area.”

His remarks made it clear that Birdthistle is a fervent academician. He made more references to economic historians than to SEC rules, using their theories to put into context the challenges today’s markets pose for investor protection.

“My ultimate goal as division director is to work toward a cohesive society with an order in which innovation and investment can flourish,” Birdthistle said. “I can’t think of a more worthy calling.”

Finra should retain remote supervision, says SIFMA’s Bentsen

The post SEC’s Crenshaw assures advisers agency doesn’t seek to punish cyberattack victims appeared first on InvestmentNews.

Andrew is half-human, half-gamer. He’s also a science fiction author writing for BleeBot.

Andrew Vincent
Andrew is half-human, half-gamer. He's also a science fiction author writing for BleeBot.
%d bloggers like this: