Comment Letter

In the April Commission Statement Relating to Certain Administrative Adjudications and the Second Commission Statement Relating to Certain Administrative Adjudications,  the Securities and Exchange Commission (Commission or SEC) announced that there had been an ongoing internal breach by the SEC’s Division of Enforcement of the databases maintained by the Commission’s Office of the Secretary.  The substance of the Second Statement and its five exhibits were succinctly summarized in a June 5, 2023 Ignites article entitled “SEC Dismisses 42 Cases Compromised by Firewall Breach.” On June 7, 2023, there was another Ignites article that described a ransomware attack of Casepoint, a vendor utilized by the Commission to handle “troves of sensitive documents.” The article indicated that the SEC declined to comment regarding the ransomware attack and Commission information that may have been compromised as a result of the attack.

In light of these Commission Statements and disclosure of the Casepoint attack, the Investment Company Institute is writing to supplement the comments we previously submitted to the Commission on its proposals to: require broker-dealers and transfer agents to have cybersecurity risk management programs; revise Regulation S-P to require breach notices; and to require registered investment companies and investment advisers to have cybersecurity risk management programs.

Read more in the comment letter.