December 3, 2023



Financial industry groups are asking for more time to digest three sweeping cybersecurity rules proposed by Wall Street regulators, and they may push for changes.

Organizations such as the Financial Services Institute, the Investment Adviser Association and the Investment Company Institute, which together represent broad swaths of the financial services industry, said in recent letters to the SEC that they support the general intent behind the regulator's cybersecurity proposals, which in some cases would overhaul rules dating back more than two decades. But they also want adjustments.

Above all, they want more time to work through the proposed rules, which run to more than 1,200 pages.

“The SEC has not provided an adequate explanation as to how these proposals relate to or operate with each other, and the expected collective impact if multiple proposals are adopted, leaving interested entities to conduct this work on their own,” wrote Melissa McGregor, deputy general counsel and corporate secretary of the Securities Industry and Financial Markets Association, in a letter filed March 31. “As a result, SIFMA is asking the Commission to extend the public comment period to at least 120 days after publication in the Federal Register.”

SIFMA is a trade association and lobbying group representing broker-dealers, investment banks and asset managers.

Industry groups also say firms will need more time to comply than the SEC wants to allow. As proposed, the new rules would give investment advisers and broker-dealers one year from adoption to get their houses in order.

“The IAA believes the proposed 12-month compliance transition period is unreasonably short,” said Gail Bernstein, general counsel of the Investment Adviser Association, which represents advisers with fiduciary duties to their clients. “We have asked for it to be extended and for the SEC to consider other concurrent, overlapping rule proposals to give advisers a more reasonable time to implement changes and prevent industry disruption.”

Cybercrime growth
Cyberattacks have been on the rise over the last few years. The FBI’s Internet Crime Complaint Center received 847,376 complaints in 2021, a 181% increase from 2017. Of the 2021 complaints, 51,629 involved identity theft and 51,829 involved personal data breaches, increases of 193% and 68%, respectively, from 2017.

The first of the SEC’s proposals would give firms no more than 30 days to notify customers of data breaches that could cause them significant harm or inconvenience. Thirty-two US states currently set no specific deadline for breach notification, while 15 states allow more than 30 days.

The Financial Services Institute, which represents independent advisers and broker-dealers, said the fact that some states already allow longer reporting periods will lead to confusion. It argued that the federal government should set a reasonable number of days as a floor and let states adopt stricter requirements if they wish.

“A 60-day deadline would accomplish the same goal and provide firms with more flexibility,” wrote David Bellaire, executive vice president and general counsel of the Financial Services Institute.

Third-party service providers
The breach-reporting requirement would extend to any third-party vendors that advisers and broker-dealers contract with for cybersecurity and other services. Contracts with those vendors would have to be renegotiated.

“A longer period would provide registrants with fair and sufficient time to most responsibly implement new breach and data security requirements, including time to amend their existing contracts with service providers, including breach-notification-related terms in existing contracts,” wrote Tamara Salmon, senior associate counsel at the Investment Company Institute, in a comment letter submitted May 23.

The same rule would also require firms to maintain written policies and procedures designed to protect customer data. The SEC’s existing rules protecting that information, formally Regulation S-P, have not been revised since their adoption in 2000.

“Investors will benefit from financial privacy rules that are more modern than in the AOL era,” SEC Chairman Gary Gensler said at a March 17 virtual meeting where the SEC first discussed the proposal. “While current rules require regulated firms to notify customers of how their financial information is being used, these firms are not required to notify customers of breaches. I think we should close that gap.”

Rules for broker-dealers
The second rule, for which comments are due Monday, would apply to broker-dealers and similar firms. It would require them to adopt written policies designed to prevent hacking and to review those policies annually. Firms would have to notify federal regulators immediately of cyberattacks and follow up with detailed reports within 48 hours.

Broker-dealers would also have to file a report on their annual cybersecurity review and any vulnerabilities found. Some of that information would end up in the SEC’s public database, prompting commenters to ask whether it could reveal details that fraudsters would find useful.

“We object to this disclosure because it will not serve any public purpose and, in fact, it will be a roadmap for bad actors,” wrote Susan Olson, general counsel of the Investment Company Institute, in a letter dated May 23. “We are not aware of any other financial institution, commercial enterprise or government agency that is currently required to publicly disclose its significant cybersecurity incidents.”

Consolidation?
The broker-dealer proposal is supplemented by one specific to investment advisers. That rule would give advisers the same 48 hours to file confidential reports of data breaches with the SEC, and would require them to disclose current cybersecurity risks and past incidents to clients.

The Investment Company Institute urged regulators to consolidate these proposals.

“We believe the overall approach … is superior to the SEC’s proposed approach of employing various rules to impose substantially similar requirements under various securities laws,” ICI’s Salmon wrote. “In addition to the logic of consolidating the relevant provisions into one regulation, another advantage of the holistic approach we recommend is that the requirements will apply uniformly.”

Likewise, Andrew Hartnett, president of the North American Securities Administrators Association, urged the SEC in a letter dated May 22 to develop a system that lets broker-dealers and advisers use the same forms and processes to report data breaches. NASAA represents state and provincial securities regulators in the United States, Canada and Mexico.

“We recognize that implementing this change may require delays in the new cybersecurity reporting regime and may require an entirely new round of public notification and comment by the Commission,” Hartnett wrote. “But we believe the upside outweighs the downside, so it’s a change worth the wait.”

The SEC has signaled some flexibility on the timetable for the adviser-specific proposal. It was first proposed in February 2022, with comments originally due in April of that year.

But the regulator later extended the deadline by another 60 days, with comments on the adviser proposal then due May 23.

“The SEC benefits from active public participation and will review all comments submitted during the public comment period,” an SEC spokesman said. “Generally, we respond to comments received as part of the final rulemaking rather than in advance.”