Financial Services Industry Urges SEC to Strengthen Cybersecurity Practices

Washington, D.C., June 6, 2023—In comment letters to the Securities and Exchange Commission (SEC) on proposed changes to two cybersecurity-related regulations, the Securities Industry and Financial Markets Association (SIFMA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), and American Bankers Association (ABA) reiterated their support for strong cybersecurity practices for companies and for the country, including appropriate notification of cybersecurity incidents to individuals, and recognized the importance of providing cybersecurity risk management rules for entities regulated by the SEC.

In order to ensure that SEC rules provide clarity and guidance on strong cybersecurity practices, foster collaboration with government agencies, and encourage proper cyber incident reporting, the associations believe the SEC should revise the proposals in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications of the proposed requirements.

The proposals from the SEC covered Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities, and Rule 10, the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents.  Because of its focus on investment advisers, SIFMA’s Asset Management Group (SIFMA AMG) also signed the Regulation S-P letter. 

Overall, the associations urge the SEC to harmonize and deconflict the Regulation S‑P Proposal with other proposals and requirements. The Commission has not provided guidance in an actionable format concerning the considerable overlap between the Regulation S-P Proposal and both the Rule 10 Proposal and related proposals. A clear roadmap is necessary to navigate the varying terms and processes of the proposals and the other cybersecurity rules imposed on the securities industry by the SEC.

Specific to Reg S-P, the associations suggest the SEC:

  • Clarify the scope of service providers and permit flexibility in service provider contracts.
  • Retain the proposed risk-of-substantial-harm provision to further align the standard with the federal banking agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice so that notification is not presumptively required, and only required if the covered institution affirmatively finds substantial harm or substantial inconvenience.
  • Not impose an unreasonable notification timeframe. The 30-day notification requirement represents an arbitrary and entirely insufficient amount of time for covered institutions to perform investigation and risk assessments, collect and analyze the information necessary to generate customer notices, and provide notices in complex cases.
  • Broaden the national security exception to include a law enforcement and cybersecurity agency exception, which also includes foreign counterparts as appropriate. The SEC should incentivize the industry to include provisions in their incident response plans to seek help from federal government resources early during a cyber-related incident. The proposal should also reflect the directive laid out by the White House in its May 2021 Executive Order on cybersecurity, which identified CISA, the FBI, and the intelligence community more broadly as being responsible for investigating cyber incidents.
  • Not require that a covered institution provide notice to customers with whom it does not have a preexisting relationship. A covered institution or transfer agent should provide notice to its own customers or to the institution that provided the sensitive information that was, or is reasonably likely to have been, accessed or used without authorization (subject to the requisite triggering data elements and risk-of-harm threshold). Providing notice to customers with whom a financial institution does not have a preexisting relationship could cause customer confusion and lead customers to mistake such a notification for a phishing attempt.

Specific to Rule 10, the associations recommend that the SEC:

  • Harmonize and reconcile the Rule 10 Proposal with other proposals and requirements, as there is considerable overlap and conflict among the Regulation S-P Proposal, the Rule 10 Proposal, and other proposed and existing cybersecurity rules impacting the securities industry.
  • Allow for flexibility for market entities to tailor their policies and procedures according to their internal cybersecurity risk management framework, rather than be subject to overly complex and granular requirements that could impede the SEC’s intended results of more effective cybersecurity risk management.
  • Limit the data collected through Form SCIR to that which is directly relevant and necessary. The proposed Form SCIR notification and public disclosure requirements may put security at risk and have financial stability implications.
  • Focus on regulations that aim to achieve greater cybersecurity rather than detailed and prescriptive administrative and recordkeeping requirements that may create undue enforcement and litigation risk, without advancing actual security.
  • Allow substituted compliance for cybersecurity risk management policy, procedure, and notice requirements under Rule 3a71-6, and create a new subsection specifically for cybersecurity risk management articulating that the primary factor to be considered in assessing whether to grant substituted compliance to a foreign regulatory system is whether that system achieves regulatory outcomes that are comparable to the regulatory outcomes associated with those requirements in the United States.

The comment letters are available at the following links:

Reg S-P

Rule 10

About the Securities Industry and Financial Markets Association:
SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).

Media Contact: Katrina Cavalli, 212-313-1181, kcavalli@sifma.org

About the Bank Policy Institute:
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

Media Contact: Sean Oblack, 202-538-4227, sean.oblack@bpi.com

About the Institute of International Bankers:
The Institute of International Bankers (IIB) represents internationally headquartered financial institutions from over thirty-five countries around the world doing business in the United States. The IIB’s membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions enhance the depth and liquidity of U.S. financial markets and contribute greatly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.

Media Contact: Garrett Hawkins, 646-213-1151, ghawkins@iib.org

About the American Bankers Association:
The American Bankers Association is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2.1 million people, safeguard $18.7 trillion in deposits and extend $12.2 trillion in loans.

Media Contact: Sarah Grano, 202-663-5470, sgrano@aba.com