MFA submitted a comment letter to the Securities and Exchange Commission (SEC) in response to its proposed rule on cybersecurity risk management. In the letter, MFA highlights its support for the SEC’s objective of promoting cybersecurity risk management for investment advisers but calls on the SEC to avoid overly prescriptive requirements. MFA emphasizes that the costs associated with certain aspects of the Proposed Rules will impose significant barriers to entry for investment advisers. MFA calls on the Commission to:
- Adopt Principles-Based Rules that Avoid Prescriptive Requirements: MFA believes that the Commission should amend the Proposed Rules to remove prescriptive requirements and instead adopt a principles-based set of rules that allow advisers to appropriately tailor their cybersecurity programs based on the cybersecurity risks that the adviser reasonably determines to be most relevant in light of the nature, size and scope of the adviser’s business operations. In that regard, we appreciate the Commission’s recognition in the release accompanying the Proposed Rules (the “Release”) that there is no one-size-fits-all approach to addressing cybersecurity risks.
- Coordinate the Commission’s Rules and Implementation of the Rules with Existing Rules and Standards: As the Commission and its staff are aware, many advisers already have adopted and implemented robust cybersecurity risk management programs. Many advisers already are subject to existing cybersecurity requirements, including National Futures Association (“NFA”) rules for commodity trading advisors and commodity pool operators and the Federal Trade Commission’s Safeguards Rule for private funds. MFA continues to encourage the Commission to promote coordination and harmonization among existing rules and standards and the Proposed Rules to avoid inconsistencies or unnecessary duplication of requirements for advisers.