Financial services industry groups urge SEC to strengthen cybersecurity practices

The Securities Industry and Financial Markets Association (SIFMA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), and American Bankers Association (ABA) (collectively, the “associations”) have written to the US Securities and Exchange Commission (SEC) comment letters to reiterate their support of strong cybersecurity practices for businesses.

Specifically, the associations said that the SEC should revise its current, proposed changes to Regulation S-P and Rule 10 to provide clarity and guidance on strong cybersecurity practices, foster collaboration with government agencies, and encourage proper cyber incident reporting. Those rules are the SEC’s rules relating to the privacy and safeguarding of consumer financial information (Reg S-P) and the cybersecurity risk management rule for broker-dealers, clearing agencies, national securities exchanges, and other participants (Rule 10).

Main concerns

The associations said their concerns center around ensuring appropriate notification of cybersecurity incidents to individuals and that entities regulated by the SEC have strong cybersecurity risk management.

They said the SEC must “harmonize and deconflict the Regulation S‑P Proposal with other proposals and requirements.”

“The Commission has not provided guidance in an actionable format concerning the considerable overlap between the Regulation S-P Proposal with both the Rule 10 Proposal and related proposals. A clear roadmap is necessary to navigate the varying terms and processes of the proposals and other cybersecurity rules imposed on the securities industry by the SEC,” the associations said.

Reg S-P suggestions

The associations suggest the following changes or clarifications regarding Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities.

Clarify the scope of service providers and permit flexibility in service provider contracts.

Retain the proposed risk-of-substantial-harm provision to further align the standard with the federal banking agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice so that notification is not presumptively required, and only required if the covered institution affirmatively finds substantial harm or substantial inconvenience.

Do not impose an unreasonable notification timeframe – the proposed 30-day notification requirement represents an arbitrary and entirely insufficient amount of time for covered institutions to perform investigation and risk assessments.

Broaden the national security exception to include a law enforcement and cybersecurity agency exception, which also includes foreign counterparts as appropriate. The SEC should incentivize the industry to include provisions in their incident response plans to seek help from federal government resources early during a cyber-related incident and the proposal should reflect the directive laid out by the White House in its May 2021 Executive Order related to cybersecurity which identified CISA, the FBI, and the intelligence community more broadly as being responsible for investigating cyber incidents.

Not require that a covered institution provide notice to customers with whom it does not have a preexisting relationship.

Rule 10 suggestions

Here are the associations’ suggestions with regard to Rule 10, the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents:

Harmonize and reconcile the Rule 10 proposal with other proposals and requirements, as there are considerable overlap and conflicts among the Regulation S-P Proposal, the Rule 10 Proposal, and other proposed and existing cybersecurity rules impacting the securities industry.

Allow for flexibility for market entities to tailor their policies and procedures according to their internal cybersecurity risk management framework, rather than be subject to overly complex and granular requirements that could impede the SEC’s intended results of more effective cybersecurity risk management.

Limit the data collected to that which is directly relevant and necessary. The proposal’s notification and public disclosure requirements may put security at risk and have financial stability implications.

Focus on regulations that aim to achieve greater cybersecurity rather than detailed and prescriptive administrative and recordkeeping requirements that may create undue enforcement and litigation risk, without advancing actual security.

Create a new subsection specifically for cybersecurity risk management, saying the primary factor to be considered in assessing whether to grant substituted compliance to a foreign regulatory system is whether that system achieves regulatory outcomes that are comparable to the regulatory outcomes associated with US requirements.

National cyber risk rules, guidance

The SEC has been eager this year to craft new rules to protect the wider securities ecosystem and apply them to most market participants.

On March 15, the SEC rolled out three new or amended rule proposals with that goal in mind.

The agency proposed changes to Reg S-P with the stated goal of enhancing the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to notify individuals who have been affected by a data breach that may put them at risk of identity theft or other harm.

That day, the SEC also unveiled its new requirements that encompass Rule 10 – a rule covering many market participants and designed to set standards for those market entities’ cybersecurity practices. It includes requirements relating to policies, procedures, audits, regulatory reporting and public disclosures expected of covered entities.

And it proposed amendments to expand and update Regulation Systems Compliance and Integrity (Reg SCI), a set of rules adopted in 2014 to help address technological vulnerabilities in the US securities markets and improve the SEC’s oversight of the core technology of key US securities markets entities.

“A clear roadmap is necessary to navigate the varying terms and processes of the proposals and other cybersecurity rules imposed on the securities industry by the SEC.”
The associations

The proposed changes focus on entities’ policies and procedures, including the maintenance of a written inventory of all SCI systems and a program for life cycle management; a program to prevent the unauthorized access to such systems; and a program to oversee certain third-party providers, including cloud service providers, of covered systems.

For its part, the Biden Administration has spent the last two years announcing a variety of national cybersecurity initiatives, including the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity); National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems); and M-22-09 (Moving the US Government Toward Zero-Trust Cybersecurity Principles).

Lingering concerns

Although many regulated entities and industry associations support the goals of these new rules and strategies, many of them have been concerned about conflicting obligations between them, plus some lack of clarity in the roles and responsibilities of all of the possible participants, including third parties, law enforcement and foreign entities.

And they continually ask for flexibility in crafting policies, procedures, and internal controls that suit their businesses’ risk profiles – in other words, less prescriptive mandates.