MFA Testimony to Senate Banking Committee on Data Privacy, Protection and Collection
March 18, 2019
On March 15, MFA submitted written testimony in response to a request by the Senate Banking Committee for feedback from key stakeholders on issues related to the collection, use and protection of sensitive information by financial regulators and private companies. In response to the Committee’s request, MFA President and CEO Richard Baker outlined three recommendations for regulators to improve data security and the treatment of confidential information:
Recommendation #1: As part of the SEC’s strategy to mitigate systemic risk and harm to investors and registrants from cyber theft, we recommend that the SEC institutionalize the practice of tailoring its data requests to that which is necessary to achieve its core mission. The SEC should limit the scope of systemic risk filings to information that could reasonably identify such risks and exam requests to data that is necessary to ensure compliance. To assist the SEC with this request, MFA developed recommendations for revising Form PF to rationalize and simplify reporting.
Recommendation #2: MFA recommends that the SEC incorporate protections within the design of its forms and reporting systems to limit the damage a cyber breach can cause. The SEC should enable investment advisers to file under an alphanumeric identifier, with the mapping from identifier to firm kept separately within the SEC’s systems, and should limit the questions that ask for firm-identifying information. These safeguards would reduce the harm from a breach of the Investment Adviser Registration Depository (through which Form PF and other filings are made), since the filing data alone would not reveal which firm it belongs to. It would be the equivalent of keying a credit file to a unique numerical identifier rather than to the person’s name and social security number.
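The design in Recommendation #2 is a pseudonymization pattern: filings are keyed by a random identifier, and the only link between that identifier and the firm lives in a separate store. The following is an added illustration, not code from MFA or the SEC, and the field names, the denylist of identifying fields, and the sample firm are all constructed for the example. It shows why separation matters: a dump of the filing repository alone contains no firm identity, and a filing that tries to carry identifying fields is rejected at submission.

```python
import json
import secrets

# Fields that must never appear in a filing record; identity lives only in the vault.
# (Constructed denylist for the example, not an SEC field list.)
IDENTIFYING_FIELDS = {"firm_name", "tax_id", "contact_email"}


class IdentityVault:
    """Maps a firm's identity to an opaque filer ID.

    Operated as a separate system from the filing repository, so that a
    breach of either store on its own does not link filings to firms.
    """

    def __init__(self):
        self._by_firm = {}   # "name|tax_id" -> filer_id
        self._by_id = {}     # filer_id -> identity record

    def register(self, firm_name, tax_id):
        """Issue (or return the existing) opaque ID for a firm.

        The ID is random rather than derived from the identity, so it cannot
        be reversed by hashing guessed firm names.
        """
        key = f"{firm_name}|{tax_id}"
        if key not in self._by_firm:
            filer_id = "F" + secrets.token_hex(8).upper()
            self._by_firm[key] = filer_id
            self._by_id[filer_id] = {"firm_name": firm_name, "tax_id": tax_id}
        return self._by_firm[key]

    def resolve(self, filer_id):
        """Look up the firm behind an ID; only the vault can do this."""
        return self._by_id[filer_id]


class FilingRepository:
    """Holds filing contents keyed only by the opaque filer ID."""

    def __init__(self):
        self._filings = {}   # filer_id -> list of filing records

    def submit(self, filer_id, filing):
        """Store a filing, refusing any record that carries identifying fields."""
        leaked = IDENTIFYING_FIELDS & set(filing.keys())
        if leaked:
            raise ValueError(f"filing carries identifying fields: {sorted(leaked)}")
        self._filings.setdefault(filer_id, []).append(filing)

    def dump(self):
        """What an attacker who breached only this repository would obtain."""
        return json.dumps(self._filings, sort_keys=True)


def demo():
    """Run the pattern end to end on a constructed firm and filing."""
    vault = IdentityVault()
    repo = FilingRepository()

    # Constructed sample firm; the registration step happens in the vault only.
    filer_id = vault.register("Example Capital LP", "12-3456789")

    # A filing carries only the identifier and the substantive data.
    repo.submit(filer_id, {"form": "PF", "period": "2018Q4",
                           "gross_assets_usd": 2_500_000_000})

    # A filing that tries to embed the firm's identity is rejected.
    rejected = False
    try:
        repo.submit(filer_id, {"form": "PF", "firm_name": "Example Capital LP"})
    except ValueError:
        rejected = True

    breach = repo.dump()   # simulate a dump of the filing repository alone
    return {
        "filer_id": filer_id,
        "breach_reveals_name": "Example Capital LP" in breach,
        "breach_reveals_tax_id": "12-3456789" in breach,
        "rejected_identifying_filing": rejected,
        "resolved_name": vault.resolve(filer_id)["firm_name"],
        "stable_id": vault.register("Example Capital LP", "12-3456789") == filer_id,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add. The vault becomes the crown jewel and needs the strictest access controls, since whoever reads both stores has everything; and a denylist of field names is only a coarse check, because free-text answers (strategy descriptions, counterparty names) can still identify a firm, so the form design itself has to limit such questions, as the recommendation says.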
Recommendation #3: With respect to exams, MFA recommends that the SEC exam staff implement a process through which it would exhaust less-sensitive means of understanding a firm’s activities before requesting any confidential, commercially valuable intellectual property. The SEC exam staff should ask for such information only when necessary, and should execute those requests through the subpoena process. Further, we recommend that the SEC adopt an information security policy in which the protections and security requirements are heightened or tiered according to the sensitivity of the data collected, regardless of how it is collected (e.g., through Form PF versus through an exam).
In the testimony, MFA also voiced support for legislation introduced during the 115th Congress by Senator David Perdue (GA), the “Protection of Source Code Act,” and companion House legislation introduced by Representatives Sean Duffy (WI), David Scott (GA) and others, which would amend the securities statutes to require the SEC to issue a subpoena before compelling a person to “produce or furnish source code, including algorithmic trading source code or similar intellectual property that forms the basis for design of the source code.”
MFA believes that legislation such as the Protection of Source Code Act and its companion House bill would be an important and constructive step toward ensuring that regulators have a robust process in place for determining whether a request for highly sensitive, confidential information is necessary.