Industry groups ask SEC to extend timeline for cyberbreach notifications

The Investment Adviser Association and SIFMA say a proposed 30-day requirement is too short. But Better Markets says it should be shortened to 14 days.

Financial industry groups want the SEC to give financial advisors more time to notify investors about data breaches and more flexibility in developing cybersecurity policies.

The trade associations responded to two Securities and Exchange Commission proposals released in March. One would modify Regulation S-P, a measure that requires brokers, investment advisors and other entities to protect customer information. The other would create a new rule requiring brokers to establish policies to address cybersecurity risks and respond to cyberattacks.

Under the Reg S-P proposal, brokers and advisors would have to develop policies and procedures to respond to unauthorized access to customer information and notify customers of an incident within 30 days.

The Investment Adviser Association told the SEC that the time frame was too short.

“We recommend a 45-day rather than a 30-day notification requirement to provide a more reasonable amount of time for advisers to perform investigation and risk assessments, collect the information necessary to include in clients notices and provide notices in complex cases,” IAA general counsel Gail Bernstein and associate general counsel William Nelson wrote in a comment letter Monday.

Several financial industry associations urged the SEC not to set a notification deadline for firms that experience a cyberbreach.

“The commission should eliminate the 30-day notification requirement, which represents an arbitrary and entirely insufficient amount of time for covered institutions to perform investigation and assessments, collect and analyze the information necessary to generate customer notices and provide notices in complex cases,” the Securities Industry and Financial Markets Association wrote in a joint comment letter Monday, along with the Bank Policy Institute, the Institute of International Bankers and American Bankers Association.

But another group, Better Markets Inc., an organization that promotes financial reform, encouraged the SEC to require a quicker turnaround in telling customers about cyberbreaches.

“As the commission finalizes the proposal, it should resist pressure to dilute its provisions,” Stephen Hall, Better Markets legal director and securities specialist, wrote in a comment letter Monday. “[I]t should shorten the period for customer notification to 14 days to ensure timely notification.”

The joint industry letter on the broker cybersecurity proposal asked the SEC to give brokers latitude in developing policies.

“The proposed requirements should allow flexibility for market entities to tailor their policies and procedures according to their internal cybersecurity risk management framework,” SIFMA and the other groups wrote.

But Better Markets cautioned the SEC against going too far in giving brokers credit for policies they currently have in place.

“In particular, the commission should reject any argument that compliance with already existing cybersecurity frameworks should serve as a safe harbor for compliance with the proposal,” Hall wrote in a comment letter Monday on the broker cybersecurity proposal.

Public comments on the proposals were due Monday. The joint letter from the industry groups and the IAA letter both urged the SEC to harmonize various cybersecurity proposals. In addition to the Reg S-P and broker proposals, the SEC also has issued a cybersecurity proposal for investment advisors.
