The Securities and Exchange Commission announced multiple new proposed regulations this week that would require broker-dealers to notify customers within 30 days of a data breach, immediately inform the government, and expand the type of customer information protected by data privacy regulations.
The three separate proposed rules for market entities are designed to standardize cybersecurity risk disclosure and enhance financial stability, said SEC Chair Gary Gensler. They are now open to public comment for 60 days before facing another round of voting.
Under the proposals, broker-dealers, investment companies, registered investment advisers, and transfer agents would be required to notify customers whose sensitive information was, or is likely to have been, leaked or used without authorization. The notifications would have to be sent no later than 30 days after the companies identify the incident.
The changes come through an expansion of the SEC's 24-year-old Regulation S-P, the rules that govern how financial institutions protect customer information. The current rule requires firms to notify customers about how they use financial information, but it has no customer breach-notification requirement, said Gensler.
“I think we should close this gap... I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves,” Gensler said in a statement.
The proposals would also require companies to provide the Commission with immediate written notice of a cyber incident, followed by a more detailed report within 48 hours.
Other proposed rules announced Wednesday include requiring companies to review and assess, at least annually, the effectiveness of their cybersecurity policies and procedures. The SEC also proposed to expand and update the 2014 Regulation Systems Compliance, asking covered entities, such as securities exchanges and clearing agencies, to take responsibility for managing third-party risk, including risk from cloud service providers.
Commissioner Mark T. Uyeda criticized what he characterized as the SEC’s “spaghetti on a wall” approach to cybersecurity regulations. In a lengthy statement, Uyeda said the agency should have put forth a consolidated set of rules instead of proposing multiple separate regulations. He also noted that one of those rules is substantially similar to previously proposed regulations that have already received significant criticism and comments from the private sector.
“The Commission’s ‘spaghetti on the wall’ approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections,” Uyeda said. “While the proposals acknowledge the possibility of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs. A preferable approach would have been to propose a set of coordinated rules and to consider those costs and benefits both individually and as a package.”
Commissioner Hester Peirce contended that covered firms should have the option to postpone the breach notification process when there is a valid law enforcement or national security reason. In addition, she worried that providing an "immediate" incident report to the SEC would place an extra burden on security teams.
"Within the first 48 hours of discovering a significant cybersecurity incident, filling out a detailed government form may not be the best use of time, but it gets worse — the person who signs faces individual liability if anything she submits is not current, true, or complete," Peirce argued.
While many industry advocates agreed with Peirce and expressed their objections, Jonathan Reiber, former chief strategy officer for cyber policy in the Office of the Secretary of Defense during the Obama administration and vice president of cybersecurity policy and strategy at AttackIQ, called the immediate notice rule, with its 48-hour reporting requirement, "a long overdue" and "immensely positive step."
"The Biden Administration has just said regulations need to be performance-based. The best way to deliver a risk management strategy is through a threat-informed defense that focuses on the adversary and generates data about the effectiveness of organizations' cybersecurity programs," Reiber told SC Media.
To prepare for the rule, he said, organizations should build a reporting template in advance so they can outline the incident information and deliver those facts as quickly as possible, to the best of their knowledge at the time.
Consulting firm PwC said in a blog post that the proposed mandatory SEC cyber disclosure rules will not only help regulators govern the financial sector but also help stakeholders, especially CEOs and boards, better understand how a company manages its cyber risk exposure.
"For many companies, current disclosure provides limited insights into their risk management programs. Companies commonly do not provide information about policies and procedures such as third-party risk management practices, whether they use advisors or other third parties for additional insights on their cybersecurity programs, or on their business continuity and recovery plans," the post read.
"Companies worry that disclosing weakness in cyber risk management may be tantamount to handing a playbook to threat actors. But even for those with a robust cyber risk strategy, governance and processes, the capability and capacity to report may be lagging."