Financial industry groups weigh in on SEC cybersecurity proposals

A group of financial industry organizations weighed in on two proposals related to cybersecurity put forth by the Securities and Exchange Commission (SEC).


One of the SEC proposals in question is Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities. The other is Rule 10, the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents.

Overall, the associations contend that the SEC should revise the proposals in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications of the proposed requirements.

The associations that signed the comment letters include the Securities Industry and Financial Markets Association (SIFMA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), and American Bankers Association (ABA).

On the first proposal, Regulation S-P, the associations made several suggestions. Among them, they said the SEC should clarify the scope of service providers and permit flexibility in service provider contracts. In addition, they recommend broadening the national security exception into a law enforcement and cybersecurity agency exception, one that also covers foreign counterparts as appropriate. Further, they say the SEC should incentivize the industry to include provisions in their incident response plans to seek help from federal government resources early during a cyber-related incident. They add that the proposal should reflect the directive laid out by the White House in its May 2021 Executive Order related to cybersecurity.

Regarding Rule 10, the associations recommend that the SEC harmonize and reconcile it with other proposals and requirements. They say that there are considerable overlaps and conflicts among the Regulation S-P Proposal, the Rule 10 Proposal, and other proposed and existing cybersecurity rules impacting the securities industry. Additionally, they say the rule should allow for flexibility for market entities to tailor their policies and procedures according to their internal cybersecurity risk management framework, rather than be subject to complex and granular requirements that could impede the SEC’s intended results.

They also recommend limiting the data collected through Form SCIR to that which is directly relevant and necessary, as the proposed Form SCIR notification and public disclosure requirements may put security at risk and have financial stability implications.