SEC's cybersecurity proposals draw protests of too much, too fast


Financial industry groups are asking for more time to digest and potentially adhere to three proposed sweeping cybersecurity rules from Wall Street's regulator.

Organizations like the Financial Services Institute, the Investment Adviser Association and the Investment Company Institute — all of which represent broad swaths of the financial services industry — said in recent letters sent to the Securities and Exchange Commission that they support the general intentions behind the federal regulator's cybersecurity proposals, which in some cases would overhaul rules that date back more than two decades. But they also would like to see tweaks.

Above all, they'd like a little more time to study the proposed rules, which together fill more than 1,200 pages.

"The SEC has not provided a sufficient explanation as to how the proposals relate to, or would operate with, each other and the anticipated collective effects if more than one Proposal is adopted, which leaves interested entities to conduct that work themselves," wrote Melissa MacGregor, the deputy general counsel and corporate secretary of the Securities Industry and Financial Markets Association in a letter submitted on March 31. "SIFMA therefore requests that the Commission extend the public comment period to at least 120 days after publication in the Federal Register."

SIFMA is a trade association and lobbying group representing broker-dealers, investment banks and asset managers.

Industry groups also said that firms will need more time than the SEC wants to allot for coming into compliance. As proposed, the new rules would give financial advisors and broker-dealers a year after adoption to get their houses in order.

"The IAA believes the proposed 12-month compliance transition period is unreasonably short," said Gail Bernstein, the general counsel of the Investment Adviser Association, which represents advisors with fiduciary duties to their clients. "We have asked that it be extended and take into account other concurrent overlapping rule proposals to allow a more reasonable time for advisers to implement and operationalize changes and prevent industry disruption."


Cybercrime grows
Cyber attacks have been on the rise in recent years. The FBI's Internet Crime Complaint Center received 847,376 complaints of attacks in 2021. That was up 181% from 2017. Of the complaints from 2021, 51,629 concerned identity theft and 51,829 personal data breaches. Those numbers increased by 193% and 68% from 2017, respectively.

Of the SEC's two proposals, the first would give firms no more than 30 days to inform their clients of data breaches that are likely to cause substantial harm or inconvenience. Thirty-two U.S. states now have no reporting requirements for breaches, while 15 states allow for more than 30 days.

The Financial Services Institute, which represents independent advisors and broker-dealers, said the fact that some states already have longer reporting periods will lead to confusion. The federal government should set a fair number of days as the minimum and then let states adopt their own stricter requirements if they wish.

"A 60-day deadline would accomplish the same goals and provide more workability for firms," wrote David Bellaire, the executive vice president and general counsel of the Financial Services Institute.

Third-party vendors
The requirement to report data breaches would extend to any third-party vendors that advisory firms and broker-dealers might contract for cybersecurity and other services. Contracts with those companies will have to be renegotiated.

"A longer period will provide registrants fair and sufficient time to most responsibly implement new breach and data security requirements, including time to revise their existing contracts with service providers, including the provisions in existing contracts relating to breach notices," wrote Tamara Salmon, a senior associate counsel at the Investment Company Institute, in comments submitted on May 23.


The same rule would also require firms to have written policies outlining their cybersecurity policies and procedures meant to protect customer data. The SEC's rules designed to safeguard that information — known formally as Regulation S-P — have not been revised since their adoption in 2000.

"Investors would benefit from a financial privacy rule more modern than the AOL era," SEC Chairman Gary Gensler said at the March 17 virtual meeting where the SEC first discussed the proposal. "Though the current rule requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches. I think we should close this gap."

Scrum over public data
The second rule for which comments were due on Monday would apply to broker-dealers and similar firms. It would require brokerages and their ilk to adopt written policies designed to prevent hacks and to review those policies once every year. Firms would be required to provide reports on cyber attacks immediately to federal regulators and follow up with detailed accounts within 48 hours.

Broker-dealers would also have to submit reports on their annual cybersecurity reviews and vulnerabilities that they've unearthed. Some of the resulting information would end up on public SEC databases, prompting commenters to wonder if that might be giving away data fraudsters might find useful.

"We oppose this disclosure because it would not serve any public purpose and, in fact, it would be a road map for bad actors," wrote Susan Olson, the general counsel of the Investment Company Institute, in a letter dated May 23. "We are not aware of any other financial institution, commercial business, or government agency that is currently required to provide public disclosure of their significant cybersecurity incidents."

Consolidation?
The proposal for broker-dealers is complemented by one specific to advisors. This rule would give these professionals the same 48 hours to provide confidential reports of data breaches to the SEC and to disclose to clients current cybersecurity risks and past attacks.


The Investment Company Institute beseeched regulators to consolidate some of these proposals.

"We believe the holistic approach … is preferable to the SEC's proposed approach of adopting a variety of rules under the various securities laws to impose substantially similar requirements," wrote Salmon of the Investment Company Institute. "Aside from the logic of combining related provisions in one regulation, another advantage of our recommended holistic approach is that the requirements will apply uniformly."

Along the same lines, Andrew Hartnett, the president of the North American Securities Administrators Association, urged the SEC in a letter dated May 22 to develop a system that would allow both broker-dealers and advisors to use the same sorts of forms and processes to report data breaches. NASAA represents state and provincial regulators in the U.S., Canada and Mexico.

"We recognize that implementing this change could necessitate a delay in the new cybersecurity reporting regime, potentially requiring the Commission to undertake an entirely new round of public notice and comment," Hartnett wrote. "But we believe the benefits of doing this would outweigh the downsides, making this a change well worth waiting for."

The SEC has already shown willingness to budge on timelines with the proposal specific to investment advisors. It was first proposed in February 2022 and comments on it were initially due in April that same year.

But the regulator decided to extend the deadline by another 60 days. Comments on the advisor proposal were due on May 23.

"The SEC benefits from robust engagement from the public and will review all comments submitted during the open comment period," an SEC spokesperson said. "Generally, we respond to comments received as part of the final rulemaking and not beforehand."
