SEC Open Meeting July 26th, 2023
U.S. Securities and Exchange Commission
Open Meeting
Wednesday, July 26th, 2023
Topline
- All three items were approved by the Commission. Items 1 and 2 were approved by a vote of 3-2, with Chair Gensler, Commissioner Crenshaw, and Commissioner Lizarraga voting yes and Commissioners Peirce and Uyeda opposing. Item 3 was approved unanimously.
ITEM 1: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Commission will consider whether to adopt rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
Staff Discussion
Erik Gerding, Division of Corporation Finance
Gerding recommended that the Commission adopt disclosure rules for registrants to improve cybersecurity. He went on to say that cybersecurity has produced great risks and that it can affect stock prices and cause reputational damage if not properly maintained. Gerding explained that the rules the SEC recommends will help investors understand risks and how companies they are considering investing in are responding to them.
Gerding went on to say current disclosure practices vary in scope and impact, which can be frustrating for investors. He provided an example saying that disclosures are sometimes not in the risk section of a report, which makes them harder to interpret and analyze. Gerding said the Division believes investors would benefit from enhanced, standardized, and regulated disclosure. He concluded by saying the rules under consideration will improve the usefulness and timeliness of cybersecurity risk management.
Nabeel Cheema, Division of Corporation Finance
Cheema began by explaining the rules have two components – risk disclosure and strategy disclosure. Cheema said that registrants would have to disclose information within 4 days of a cybersecurity incident becoming material to ensure investors have a timely picture of what has occurred. Cheema also said the attorney general would be able to trigger a delay if necessary for national security.
Cheema went on to say that firms should also disclose foreign cybersecurity issues, as they may influence a firm’s international operation, and that the Commission should adopt structured data requirements using Inline XBRL to allow participants to conduct large-scale analyses.
Jessica Wachter, Division of Economic and Risk Analysis
Wachter weighed in saying the rules would standardize periodic disclosure. This standardization would enable investors to compare firms more easily.
Commissioner Questions and Comments
Commissioner Hester Peirce
Peirce began by criticizing the fact that the final rule is slimmer in detail than the proposed rule. This would drive companies to spend resources to comply with the rules rather than spending to prevent cybersecurity issues. She also called compliance with the four-day requirement a feat for any firm and that it would be difficult to get approval for a delay within the four days if necessary. She continued saying it would be better to tailor costs to the issue, but it is difficult to do. Peirce highlighted the fact that the compliance timelines are aggressive even for large companies. Companies will be expected to make disclosures based on this year, meaning they must switch gears extremely quickly.
Peirce also pointed out that there is potential for the rule to aid cybercriminals. This is a roadmap that shows which companies to attack and how to attack them because their weaknesses are public. And the attacker knows within four days how well their attack went and how much money they can get. She then asked how a company would complete these disclosures in 4 days. Gerding responded saying that the Division understands that registrants are often in communication with the DOJ and other agencies.
Peirce expressed worry that within a few days of an incident, there is a lot going on at companies internally and that adding to this process may be quite difficult. Gerding explained that the Division believes that a company establishing its controls and procedures should not impede their response to this incident. In most cases, disclosure will not be required in the hours and days following a breach.
Peirce said she worries that the short period will end up with investors getting info that is not accurate. Gerding responded saying the disclosure would be triggered on a determination that an incident is material. Item 105 disclosure would not be required within 4 days. He also said all information might not be available, so the final rules would include instructions on how to acknowledge information gaps.
Peirce then asked whether the nature of the rule isn’t different. She said that Gerding is speaking about a company filing an 8-K on something it hasn’t gotten its arms around. Gerding responded saying that information that is not available at the time would be included in a statement and then they can file an amendment to add such information later.
Peirce then explained that these disclosures become a series of 8-K filings which in turn become a roadmap for the attacker. She pointed out that one other change is that the disclosure includes unauthorized occurrences and asked what Gerding thinks about tracking related events. Gerding responded saying that he believes this should be commonly understood and that the release provides guidance about what it means by related occurrences.
Peirce pushed back noting that cybersecurity incident is too broad to define and asked if that is going to cause companies to have to develop tracking systems. Gerding said he had two points – the relevant definitions would focus on unauthorized occurrences. Second, the unauthorized occurrences that jeopardize the integrity or availability of the information systems are those that would require them to make a material registration. Only material incidents would be required to be disclosed.
Peirce said the Small Business Administration wrote the SEC a letter to publish supplemental analyses because the original lacks information and asked why the SEC doesn’t follow their guidance. Megan Barbero, SEC General Counsel, said that the analysis that was included fully complied with the requirements so there was no need to publish a supplemental one.
Peirce said that this does not consider the unique burdens on small companies and said that the SEC needs to do a better job of protecting small firms. She then asked if the procedures cause companies to think they can’t change them as easily as if they weren’t describing them in such detail in public filing. Gerding responded saying the rules are not intended to impact how and when a firm updates its procedures. He then said the company can update when they feel it is appropriate so long as they provide investors annual information on that topic.
Peirce asked why the Division did not do a 2-year compliance period. Gerding said he thinks the dates are reasonable and companies don’t have to make a report unless and until they have an incident.
Peirce finished by saying that firms will want to think about it a lot before they enter a 4-day period when they produce these procedures so there is a lot of work to be done this year in preparation.
Commissioner Caroline Crenshaw
Crenshaw opened by saying existing disclosure practices are varying, establishing the need for comparable and reliable disclosures to investors. She said this rule is an important reminder of how our framework incorporates emerging risks. The SEC ensures adequate disclosure of management expertise. The commission should continue to consider further disclosures.
Commissioner Mark Uyeda
Uyeda began by saying that some people think the 2018 cybersecurity guidance is adequate and today’s rules could have been created to fix cybersecurity issues rather than just report them. He continued saying that disclosure rules should not elevate cybersecurity over other, just as pressing, issues that may have a greater risk on financial performance and stock price. He then pointed out that firms will need forward looking statements about incidents and their likely impacts – which is too broad and needs to be constantly assessed to add amendments.
Uyeda then highlighted that investors today care far more about their overall portfolio than any individual company and asked if he was correct in saying that if any authorized executive branch agency classifies an incident, it would have to insert a statement that the report cannot be provided. Gerding responded saying this would not do anything to modify or restrict the rules on classified information.
Uyeda then asked if the attorney general must find a substantial risk to public safety to classify it. Gerding said that is correct and that the rule does not change rules 0-6 or 0-21.
Uyeda then asked how the current rule works. Gerding responded saying that Uyeda can check with his staff to learn about that, and that the Division is not recommending that the Commission consider any changes to those rules today.
Commissioner Jaime Lizarraga
Lizarraga began by saying that by clarifying what companies must disclose, investors get more security and reliability. Lizarraga then said that the rule is focused on what the likely material impacts of an incident will be, which affect companies’ value and profitability.
Chair Gary Gensler
Chair Gensler opened by explaining that companies would benefit from making these disclosures. He continued saying that the adoption of the rule will enhance firms in the two ways the Commission has discussed: risk management strategy and governance and disclosure of material cybersecurity incidents which is not currently consistent. Gensler placed specific emphasis on only material incidents needing to be reported saying that the rule was guided by the concept of materiality.
Vote
Chairman Gensler called the roll. The item was approved 3-2. Peirce and Uyeda voted no.
ITEM 2: Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers
The Commission is considering recommending that the Commission propose rules related to investment adviser conflicts in the use of predictive data analytics, artificial intelligence, machine learning, and similar technologies in connection with certain investor interactions.
Staff Discussion
William Birdthistle, Division of Investment Management
Birdthistle opened by saying that technology is central to providing goods and services to investors and that there are incentives to make decisions that favor firms’ interest over investor interest. He said that the Divisions think there should be ways to prevent harm and protect investors while continuing to make technological improvements to a business.
Blair Burnett, Division of Investment Management
Burnett began by saying that the SEC should eliminate conflicts of interest using technology that optimizes, predicts, and guides investment related outcomes. He explained there are three parts. The first is to generally require investment advisors or broker dealers to eliminate conflicts of interest that put the firm’s interest ahead of investors. The second is to ensure compliance with proposed rules. The third is written descriptions of covered technology used by a firm and its processes to satisfy each of the rules. There would be an at least annually written review about the implementation and effectiveness.
Jessica Wachter, Division of Economic and Risk Analysis
Wachter said the lack of coincidence of interest combined with new data and tools leaves investors exposed. The rule would protect investors from harm but would have costs from firms which would possibly be passed on to investors.
Commissioner Questions and Comments
Commissioner Hester Peirce
Peirce began by saying the proposal reflects a hostility toward technology and assumes investors are powerless pawns. She went on to explain that broker dealers and investment advisors are already currently subject to obligations to protect investors and that the SEC needs guidance to discuss new technology but not standalone rules. She also said it would harm small firms the most.
Peirce asked if the Commission can really describe this as a technologically neutral rule. Birdthistle responded saying that the Division had discussed a broad range of technologies that could apply. He also said that firms can choose whatever works for their business needs and then make an assessment on how they wish to attest it and strike their own balance.
Peirce explained that people are much more complicated than AI and asked why the Commission must do something for a technology that cannot stand for a person in terms of flexibility and complexity. Birdthistle said the capacity of AI warrants attention.
Peirce pushed back asking if it warrants going over the disclosure approach that the SEC has been using for years. Birdthistle responded saying it remains an important tool and the proposal doesn’t change that; they will remain subject to investigations including disclosure. He continued saying the Divisions thought it warranted regulatory attention beyond simple disclosure.
Peirce said she disagreed. She said the release seems to think investors are incompetent with technology and disclosure doesn’t work for them. That quote suggested that firms will have to comb through thousands of datasets to find a conflicted factor of an algorithm or data set. When a company tries to upgrade technology to be more user friendly, it will be so expensive that it won’t get updated. This will put the FinServ industry behind. Peirce asked if the SEC has other areas in which it will have to change the rules. Birdthistle answered not at the current moment.
Peirce said that the rule would even cover investor interactions and asked if this is a backdoor way to defer the interactions. Anand Das from the Division of Trading and Markets said this rule builds off existing legal standards and that it is designed to approach specific risks and address risks.
Peirce pointed out that the definition of conflict of interest is unique to this proposal and asked why. Das responded saying this rule is designed to address a specific risk associated with different technologies and that there is potential overlap between this rule and certain aspects of the conflicts obligation.
Peirce then asked Wachter if the proposed rules could create economies of scale, making it more difficult for smaller firms to compete. Wachter explained that the burden relates to the complexity of the technology. She also said the Division does not expect them to be substantial if it is not complex. They may be eased by the existence of third-party providers who could keep this down.
Peirce then asked what using simple covered technology looks like and what it has to do once the rule is adopted. Wachter responded that there are multiple steps. It is possible that if they are using the technology in a way that does not consider the interest of the firm, this whole process could be relatively short.
Finally, Peirce said the process should take more than 25 hours, especially if firms have multiple technologies and asked what the compliance period would be. Birdthistle answered saying the Division plans to address it as part of the adoption process and will accept comments saying he would prefer an open discussion on compliance periods.
Commissioner Caroline Crenshaw
Crenshaw began by saying that there has been increased investor accessibility in markets in recent years with so much more online. She continued saying conflicts of interest could cause risky investments which could be transmitted too rapidly to a wide segment of investors and that she supported the proposal.
Commissioner Mark Uyeda
Uyeda began by saying that AI can enhance investing and reduce costs, but it has potential adverse effects. He said the proposal was too broad and that the release acknowledges that spreadsheets and calculators count as technology, which goes too far. Virtually any investor interaction is covered. He went on to say that this subjects almost every single interaction under the rule and may cause firms to avoid innovation.
Commissioner Jaime Lizarraga
Lizarraga said that investors increasingly rely on technology to produce trades, and a robust body of law that protects them is vital and that the current framework needs to be modernized.
Chair Gary Gensler
Chair Gensler said if a firm is using an optimization function that takes the interest of the firm and the investor into consideration, it could lead to a conflict of interest which could manifest at scale across the investor base. Gensler continued saying it’s simple math and that advisors and broker dealers have obligations and investors deserve to be protected.
Vote
Chairman Gensler called the roll. The item was approved 3-2. Peirce and Uyeda voted no.
ITEM 3: Exemption for Certain Investment Advisers Operating Through the Internet
The Division is considering recommending that the Commission propose amendments to the exemption for internet advisers from the prohibition against registration under the Investment Advisers Act of 1940.
Staff Discussion
William Birdthistle, Division of Investment Management
Birdthistle opened by saying that the rule allows certain internet investment advisors to register with the commission despite not meeting other requirements. It would also permit certain advisors who provide advice to register with the commission. These advisors possess no physical or local presence in one state so they would register in multiple states and concluded by saying that advisory activities warrant commission oversight.
Blair Burnett, Division of Investment Management
Burnett said the rule would modernize the rules and conditions for the first time since the 2002 adoption of the rule and enhance investor protection and commission oversight.
Jessica Wachter, Division of Economic and Risk Analysis
Wachter explained that the rule provides exemption for interactive advice websites for investors that don’t only work in one state. This could help avoid investors using the type of advisor that they did not intend.
Commissioner Questions and Comments
Commissioner Hester Peirce
Peirce said that the rule is intended to provide a narrow path for otherwise ineligible investment advisors. She also said it would eliminate advisors from having non-internet clients and must always be operational serving at least one client.
Peirce then said that the term digital investor advisory services could include algorithm-based systems and asked what effect this would have on small advisors. Birdthistle said this relates to registration and concerns itself with allocation of regulatory responsibility between states and commissions.
Peirce asked what happens if an advisor had a cyberattack and their website is unexpectedly taken down. Birdthistle said it would not create a problem for them.
Commissioner Caroline Crenshaw
Crenshaw said that the current rules are not enough and make it too complicated for advisors with investors in different states. She finished by saying that not having an interactive website has made it hard for advisors to meet the requirements for the exemption and it has become broadly misused.
Commissioner Mark Uyeda
Uyeda said that 40% of advisors that currently rely on the exemption may not be eligible. He also said that this drop raises questions as to whether this is needed at all, or another test may be appropriate. Uyeda did confirm he intended to support, before asking how the proposal addresses those who rely on the exemptions who do not have a website. Birdthistle responded saying that having a website is critical to the exemption.
Commissioner Jaime Lizarraga
Lizarraga said that many firms have misused the SEC registration process in the past.
Chair Gary Gensler
Chair Gensler said the current rules need to be modernized to protect investors in a digital age. He also said the website needs to be the sole source of advising.
Vote
Chairman Gensler called the roll. The item was approved unanimously.