Cybersecurity ‘Keeps Me Up at Night’: SEC’s Crenshaw

SEC Commissioner Caroline Crenshaw said Thursday that the top concerns she sees for advisors and investors include cybersecurity, complex products and the growth of private markets, as well as cryptocurrency as an asset class.

The risks of cybersecurity incidents are “different, greater, more serious, in my view, now than they’ve ever been,” Crenshaw said during a question-and-answer session at the Investment Adviser Association’s compliance conference, held in Washington. “Cyber is something that keeps me up at night, across the board.”

Karen Barr, IAA’s president and CEO, questioned Crenshaw, a Democrat, on the securities regulator’s motivation for proposing rules requiring advisors to adopt written policies and procedures that address cybersecurity risks, as well as to report “significant cybersecurity incidents” to the SEC on a new proposed Form ADV-C.

The proposal is designed to “reiterate the importance of the [cybersecurity] issue” and to ensure that investment advisors know “what is expected of them,” Crenshaw responded.

The plan is also designed to ensure investors “receive timely and meaningful disclosures about cyber incidents,” she said, which can create “really broad disruptions.”

Cybersecurity is an area “we have to be constantly vigilant about,” Crenshaw said. “It’s never an area where we can let our guard down.”

IAA’s members “take cybersecurity very seriously; it’s very important to them,” Barr said. “They already believe that the cybersecurity policies and procedures are required under the compliance program rule.”

IAA intends to submit “extensive” comments on the rule, Barr told Crenshaw. Comments are due to the agency by April 11.

Crenshaw added that the SEC’s goal is “not to be adversarial with any registrant.” Compliant firms that “follow best practices, provide timely disclosure, cooperate with law enforcement as necessary, these are the firms that are unlikely to draw enforcement action really because they are a victim of a cyber attack.”

IAA also joined other trade groups in telling the Commission on Tuesday that it needs to extend the 30-day comment period — expiring on April 11 — on its private fund and Form PF proposals to at least 120 days.

The private fund plan “proposes complex and sweeping changes to the regulation of private funds that will impact a broad range of stakeholders,” IAA and the groups wrote. “Meaningful stakeholder input — through substantial and carefully considered comments — will be crucial to inform the Commission’s deliberations and judgments about whether and how to move forward with these packages of regulatory reforms.”

Crenshaw also pointed to the top challenges she sees for investors:

Complex products. Individuals saving for retirement are “contending with volatile markets and newer risky asset classes,” Crenshaw said. “I think complex products” — including leveraged and inverse exchange-traded products — “can pose a real challenge.”

Growth in the private markets. Private markets can be “lucrative,” but when compared with public markets they are “opaque” and prone to fraud.

Cryptocurrency as an asset class. “It remains a highly speculative and a risky asset class,” she said.