SEC Proposes New Rule on Safeguarding Client Assets

 

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s highlight the Securities and Exchange Commission’s (“SEC” or “Commission”) new proposal regarding Safeguarding Advisory Client Assets. On February 15, the Commission issued a new Proposed Rule related to that topic. This marks the first time the Commission has addressed crypto assets in the context of notice and comment rulemaking as opposed to enforcement actions.

The Proposed Rule runs 434 pages. It generally addresses the development of safeguards related to custodial services for crypto assets.  In doing so, it specifically invokes “robust cybersecurity standards,” and proposes the following standard of care in relation to crypto security for crypto custodians:

And the exercise of due care may require, in many cases, that crypto assets be stored in a cold wallet, but depending on the facts and circumstances, such as when a client seeks to buy and sell crypto assets very frequently, due care may mean the use of hot wallets in combination with robust policies and procedures. Other facts and circumstances may require a hybrid of the two. Further, because crypto assets and distributed ledger technology are still evolving, we expect the methods used to safeguard crypto assets will likewise evolve, which may lead to reevaluation of best practices in the future.

Proposed Rule, pp. 85-86.

Additionally, the Proposed Rule requires crypto custodians to provide their clients with broad indemnification, including indemnification of their clients “against the risk of loss in the event of the qualified custodian’s own negligence, recklessness, or willful misconduct.” Such sweeping indemnities – particularly with the custodian indemnifying its clients against its own negligence – are atypical. In fact, many custodial agreements in other contexts include clauses in which it is “the other way around:” the client agrees to indemnify the custodian. (For that matter, a first party indemnifying its counterparty from consequences of the first party’s acts is unusual enough generally as to require, in many states, that the obligation be made expressly. In Texas, this is known as the “express negligence rule.”) We suspect there will be strong push-back from organizations currently offering or interested in offering crypto custody services.

In a statement (linked below), crypto-savvy Commissioner Hester Peirce noted her dissatisfaction with the indemnification provision, along with the Proposed Rule in its entirety, stating: “the Commission is once more proposing to dictate contract provisions involving entities the Commission does not regulate.”

Links to the Proposed Rule, its Press Release, Fact Sheet and the Commissioners’ statements follow:

Proposed Rule: https://www.sec.gov/rules/proposed/2023/ia-6240.pdf

Press Release: https://www.sec.gov/news/press-release/2023-30

Fact Sheet: https://www.sec.gov/files/ia-6240-fact-sheet.pdf

Commissioners’ Statements:

  • SEC Chair Gary Gensler:

https://www.sec.gov/news/statement/gensler-statement-custody-021523

  • Commissioner Caroline A. Crenshaw (Supporting):

https://www.sec.gov/news/statement/crenshaw-statement-custody-021523

  • Commissioner Jaime Lizarraga (Supporting):

https://www.sec.gov/news/statement/lizarraga-statement-custody-021523

  • Commissioner Mark T. Uyeda (Supporting, though disagreeing with “a number of provisions”):

https://www.sec.gov/news/statement/uyeda-statement-custody-021523

  • Commissioner Hester Peirce (Not Supporting):

https://www.sec.gov/news/statement/peirce-statement-custody-021523

We look forward to the comment period and expect that substantial revisions will follow.  In the meantime, industry participants should remain aware that the SEC (reasonably) views cybersecurity controls as a critical piece of responsible custodial services, and appears to be ready to allow clients to hold custodians responsible for any negligence in rendering their services.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 
