Close Close
Sign In
Newsletters
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards
Podcast Center Video Center Webcasts Resource Center Events
About ThinkAdvisor Contact Us Advertise With Us Asset & Logo Licensing Sitemap Terms of Service Privacy Policy Copyright © 2024 ALM Global, LLC. All Rights Reserved.
ThinkAdvisor
Cybersecurity, laptop screen with a padlock

Regulation and Compliance > Cybersecurity

SEC's New Cyber Rule Plan Needs Changes, Trade Groups Say

By Melanie Waddell

X
Your article was successfully shared with the contacts you provided.

Industry trade groups are weighing in on the Securities and Exchange Commission’s proposed new cybersecurity rules for broker-dealers, investment advisors and asset managers that require them to notify individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

The comment period on the SEC’s plan, proposed in March, ended Monday.

Stephen Hall, legal director at Better Markets in Washington, which submitted a comment lettersaid that the SEC “has rightly proposed a rule that requires market participants to notify affected individuals. Notification can make the difference between identity theft that inflicts major financial losses and a swift response that results in minimal harm.”

The SEC’s proposed rule, Hall continued, “requires financial firms to notify breach victims so that they can take prompt action to protect themselves from the potential consequences. We urge the SEC to finalize the proposal without weakening any of its elements.”

The SEC’s plan would update Regulation S-P, which currently requires covered firms to notify customers about how they use their financial information but does not require alerts about data breaches, SEC Chairman Gary Gensler said in March.

Under the proposal, “covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves,” Gensler said.

Gensler said in May 2022 that the proposal was coming.

The proposal, if adopted, would update the rule’s requirements to address the expanded use of technology and corresponding risks since the commission originally adopted Reg S-P in 2000, the agency said.

The plan among other things, would strengthen the SEC’s regulatory standards in the safeguards rule by requiring broker-dealers, investment advisors and certain other registrants  to have written policies and procedures reasonably designed to detect, respond to and recover from any unauthorized access or use of their customers’ information.

These firms would also face “a new obligation to notify customers whose information may have been accessed or used improperly, with this new duty standing alongside any other notice requirements that exist under state or federal law,” the North American Securities Administrators Association explained.

NASAA President Andrew Harnett said in his comment letter that the term “cyberattack” should be included as an event that “could give rise to the customer notice obligation.”

David Bellaire, general counsel for the Financial Services Institute in Washington, said in his comment letter that when the SEC adopts the proposals, “the SEC should provide an extended implementation period of two years” — three years for small firms.

Further, Bellaire said that while FSI appreciates “that the BD Proposal has a partial exclusion for certain smaller broker-dealers … the impact of the BD Proposal — and the Reg S-P Proposal — remains outsized for these smaller broker-dealers.”

Smaller investment advisors, Bellaire continued, “do not benefit from any relief based on their size and are also subject to an outsized impact” from the plan.

The provision that would require, with certain limited exceptions, these covered institutions “to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization” not later than 30 days after the firm becomes aware of an incident, should be extended to 60 days, Bellaire said.

Melanie Waddell

@Think_MelanieW

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.