
Financial Services Industry Urges SEC To Strengthen Cybersecurity Practices

Date 06/06/2023

In comment letters to the Securities and Exchange Commission (SEC) on proposed changes to two cybersecurity-related regulations, the Securities Industry and Financial Markets Association (SIFMA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), and American Bankers Association (ABA) have reiterated their support for strong cybersecurity practices for companies and the country, including appropriate notification of cybersecurity incidents to individuals, and have recognized the importance of providing cybersecurity risk management rules for entities regulated by the SEC.

In order to ensure that SEC rules provide clarity and guidance on strong cybersecurity practices, foster collaboration with government agencies, and encourage proper cyber incident reporting, the associations believe the SEC should revise the proposals in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications of the proposed requirements.

The proposals from the SEC covered Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities, and Rule 10, the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents. Because of its focus on investment advisers, SIFMA’s Asset Management Group (SIFMA AMG) also signed the Regulation S-P letter.

Overall, the associations urge the SEC to harmonize and deconflict the Regulation S-P Proposal with other proposals and requirements. The Commission has not provided guidance in an actionable format on the considerable overlap between the Regulation S-P Proposal and both the Rule 10 Proposal and related proposals. A clear roadmap is necessary to navigate the varying terms and processes of the proposals and the other cybersecurity rules the SEC imposes on the securities industry.

Specific to Reg S-P, the associations suggest the SEC:

  • Clarify the scope of service providers and permit flexibility in service provider contracts.
  • Retain the proposed risk-of-substantial-harm provision to further align the standard with the federal banking agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, so that notification is not presumptively required and is required only if the covered institution affirmatively finds substantial harm or substantial inconvenience.
  • Not impose an unreasonable notification timeframe. The 30-day notification requirement represents an arbitrary and entirely insufficient amount of time for covered institutions to perform investigations and risk assessments, collect and analyze the information necessary to generate customer notices, and provide notices in complex cases.
  • Broaden the national security exception to include a law enforcement and cybersecurity agency exception, which also includes foreign counterparts as appropriate. The SEC should incentivize the industry to include provisions in their incident response plans to seek help from federal government resources early during a cyber-related incident, and the proposal should reflect the directive laid out by the White House in its May 2021 Executive Order on cybersecurity, which identified CISA, the FBI, and the intelligence community more broadly as responsible for investigating cyber incidents.
  • Not require that a covered institution provide notice to customers with whom it does not have a preexisting relationship. A covered institution or transfer agent should provide notice to its own customers or to the institution that provided the sensitive information that was, or is reasonably likely to have been, accessed or used without authorization (subject to the requisite triggering data elements and risk-of-harm threshold). Providing notice to customers with whom a financial institution does not have a preexisting relationship could cause customer confusion and lead customers to mistake such a notification for a phishing attempt.

Specific to Rule 10, the associations recommend that the SEC:

  • Harmonize and reconcile the Rule 10 Proposal with other proposals and requirements, as there is considerable overlap and conflict among the Regulation S-P Proposal, the Rule 10 Proposal, and other proposed and existing cybersecurity rules impacting the securities industry.
  • Allow for flexibility for market entities to tailor their policies and procedures according to their internal cybersecurity risk management framework, rather than be subject to overly complex and granular requirements that could impede the SEC’s intended results of more effective cybersecurity risk management.
  • Limit the data collected through Form SCIR to that which is directly relevant and necessary. The proposed Form SCIR notification and public disclosure requirements may put security at risk and have financial stability implications.
  • Focus on regulations that aim to achieve greater cybersecurity rather than detailed and prescriptive administrative and recordkeeping requirements that may create undue enforcement and litigation risk, without advancing actual security.
  • Allow substituted compliance for cybersecurity risk management policy, procedure, and notice requirements under Rule 3a71-6, and create a new subsection specifically for cybersecurity risk management articulating that the primary factor to be considered in assessing whether to grant substituted compliance to a foreign regulatory system is whether that system achieves regulatory outcomes that are comparable to the regulatory outcomes associated with those requirements in the United States.


The comment letters are available at the following links:

Reg S-P

Rule 10