Cybersecurity rules can create compliance challenges

It is no secret that cybersecurity threats are evolving far more rapidly than the ability of governments and regulators to counter them. Legislators and regulators in the states understand the urgency of this problem and have made admirable efforts to develop protections for consumers and investors.

Unfortunately, in our industry, a side effect of these individual state efforts to strengthen cybersecurity protections has been to create significant compliance challenges for advisers. What we need now is greater coordination to help these various authorities come together behind a principles-based approach to combating cyberthreats.

As one illustration, all 50 states have laws requiring companies to notify consumers about data breaches, but the definitions of a “breach” and “personal information” vary by state. For firms and advisers — most of which work with clients across multiple states — this creates unnecessary complications in developing protocols to follow in the event of a breach.

We are working with lawmakers and regulators to emphasize a commonsense approach to cybersecurity that harmonizes various protections and guards against cyberthreats, while also maintaining operating efficiency and flexibility.

In general, we believe that:

• National standards are preferable to a patchwork of state-by-state rules;

• Where possible, uniform approaches to cyberthreats should be pursued, while also incorporating enough flexibility to allow firms to develop effective solutions for different business models;

• Cybersecurity standards should not place undue burdens on small businesses; and

• All entities, whether private or public, should be held to a common, consumer-friendly data security standard.

We are also taking practical steps to put these principles into action.

First, we support the draft privacy legislation introduced by Senate Commerce Committee Chairman Roger Wicker, R-Miss., in December. While still in its early stages, this bill would establish national rules for handling personal information online, creating uniform federal standards.

We intend to work with Mr. Wicker and other members of Congress to secure national data breach notification requirements — instead of a patchwork of unique approaches — that ensure prompt and effective notice to consumers if their personal information is compromised.

Secondly, we are working to address our members’ concerns surrounding the confidential client information they are required to provide to Finra for the regulator’s Consolidated Audit Trail initiative.

As currently envisioned, the CAT database will be an enormous repository of highly sensitive information, including personal and financial information on advisers’ clients. We are working with regulators to ensure that this vast trove of information is either properly secured — or simply not collected at all, as proposed in the recent request for exemptive relief filed by the CAT NMS Plan Participants.

We also continue to educate regulators on the challenges our members face each day in complying with rules that bear directly on cybersecurity, such as books and records requirements.

While cybersecurity is a large, evolving challenge involving complex and disparate laws and regulations across the country, we are working to bring a coordinated approach to the key legislation and rules that impact our members most.

[More:​ Commending Finra on its efforts to improve its exam program]

Dale Brown is president and CEO of the Financial Services Institute.

Related Topics: Financial Industry Regulatory Authority