MFA Provides Recommendations on the Protection of Confidential Registrant Information

On Tuesday, MFA submitted a letter to SEC Chairman Clayton providing recommendations on the protection of confidential registrant information.  We again raised concerns to the SEC that a data security breach could create significant market volatility, destabilize markets, harm investors, and result in the misappropriation of confidential proprietary information.  In our letter, we urged the SEC to rethink the data it collects from advisers; how it collects and protects such data; and the disposal of such data when the Commission is through using it.

MFA made the following four recommendations for the SEC to mitigate systemic risk and harm to investors and registrants from cyber theft:

Recommendation #1: The Commission should narrow the scope of systemic risk filings to information that could identify such risks and of exam requests to data that is necessary to achieve the SEC’s core mission.

Recommendation #2: The Commission should incorporate protections within the design of its forms and reporting systems to mitigate cyber breaches.  The Commission should enable investment advisers to use an alphanumeric identifier for filings, to be kept separately within the SEC systems, and limit questions for firm identifying information.

Recommendation #3: With respect to exams, the SEC exam staff should exhaust other less sensitive means of understanding a firm’s activities before requesting for any confidential, commercially-valuable intellectual property.  The SEC exam staff should only ask for such information if absolutely necessary and through the subpoena process.  Further, the Commission should have an information security policy in which the protections and security requirements are heightened or tiered depending upon the level of sensitivity of the data collected, regardless of how it is collected (e.g., through Form PF versus through an exam).

Recommendation #4: To further mitigate the risks from a future cyber breach, the SEC should return or destroy sensitive, confidential registrant data once the SEC is through using it.