Trade Associations Urge SEC to Modify Cybersecurity Requirements
SIFMA, the Bank Policy Institute, the Institute of International Bankers and the American Bankers Association (together, the "Associations") urged the SEC to revise its proposed cybersecurity-related regulations, emphasizing the need for clear guidance that is consistent across government agencies and for collaboration with the securities industry.
In their joint comment letter, the Associations offered recommendations on proposed changes to Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information") and on new SEC Rule 10 ("Cybersecurity Risk Management Rule for various entities"). The Associations stated that "a clear roadmap is necessary to navigate the varying terms and processes of the proposals and other cybersecurity rules imposed on the securities industry by the SEC." The Associations' recommendations include:
Regulation S-P
- Clarifying the scope of service providers and allowing flexibility on contracting with them;
- Retaining the proposed "risk-of-substantial-harm" provision, aligning it with federal banking agencies' guidance to avoid "presumptive notification";
- Avoiding imposing an "unreasonable notification timeframe," as the 30-day requirement may be insufficient for thorough investigation and risk assessments;
- Expanding the national security exception to include law enforcement and cybersecurity agencies, along with foreign counterparts, to encourage early engagement with government resources; and
- Excluding any obligation to notify customers with whom the firm has no preexisting relationship, since such individuals may be confused by an unexpected notice or mistake it for a phishing attempt.
Rule 10
- Harmonizing and reconciling Rule 10 with other cybersecurity proposals and requirements, considering the existing overlaps and conflicts;
- Allowing market entities to tailor policies and procedures according to their internal cybersecurity risk management framework;
- Limiting the data collected through Form SCIR to directly relevant and necessary information to mitigate security risks;
- Prioritizing regulations focused on achieving greater cybersecurity rather than burdensome administrative and recordkeeping requirements; and
- Enabling substituted compliance for cybersecurity risk management policies and procedures, considering the comparability of regulatory outcomes with foreign regulatory systems.