June 8, 2023 (Fried Frank News & Insights):
The Financial Information Forum ("FIF"), Nasdaq, CME Group ("CME") and the Investment Company Institute ("ICI") (collectively, the "Associations") recommended changes to the SEC's proposed rules on cybersecurity risk management practices.
Proposed Amendments to Reg S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information")
The SEC proposed to (i) require firms to implement written incident response plans, (ii) provide timely notification to affected individuals following data breaches and (iii) extend the protections of Reg S-P’s safeguards and disposal rules to cover information that a firm receives from another financial institution relating to that institution’s customers. (See previous coverage.)
- FIF. FIF proposed a minimum compliance period of two years instead of 12 months to provide a sufficient implementation period to (i) update service contracts and (ii) comply with data breach notification requirements.
- Nasdaq. Nasdaq recommended that the SEC (i) expand the reporting exception regarding personal data incidents to "include documented requests from a competent law enforcement agency for the duration requested by such agency" and (ii) increase the implementation timeline to two years to support entities' compliance with the new requirements regarding contracting service providers.
Proposed Expansion of Reg SCI ("Regulation Systems Compliance and Integrity")
The SEC proposed amendments to Reg SCI that would expand the scope of the regulation to cover, among other entities, large broker-dealers, as defined by various measures of size. (See previous coverage.)
- FIF. FIF recommended that the SEC or FINRA, rather than each broker-dealer, calculate the transaction activity data used to determine whether a broker-dealer has exceeded one or more of the applicable thresholds in a given month. FIF stated that this would be more efficient than broker-dealers having to perform the calculations independently, as currently proposed.
- Nasdaq. Nasdaq supported the proposal (i) for ensuring "like market participants are subject to the same standards" and that investors receive the same protections regardless of their regulatory classification and (ii) for providing "specific guidance" on entities’ relationships with third parties. However, Nasdaq advised the SEC to clarify its guidance regarding the use of cloud service providers.
- CME Group. CME emphasized the "significant overlap" between the SEC's proposed amendments to Reg SCI and proposed Rule 10 and argued that adopting both would be "inefficient and unnecessary to achieve the resiliency and systems integrity the [SEC] seeks." CME urged the SEC to consider the "substantial costs" that would be imposed under the proposal.
Proposed Cybersecurity Risk Management Requirements
The SEC proposed new Rule 10 that would require market entities to (i) create and maintain written policies and procedures to address cybersecurity risks, (ii) annually review these policies and procedures, (iii) submit an annual review to the SEC and (iv) immediately inform the SEC of any significant cybersecurity incident once the market entity has concluded that such an incident has occurred. The proposal would also require covered entities to disclose and document through new Form SCIR (i) steps taken to remedy any significant cybersecurity incidents and (ii) an annual summary of cybersecurity risks and incidents. (See previous coverage.)
- FIF. FIF said that the proposal does not describe the steps the SEC itself is taking to protect the security of the SEC Electronic Data Gathering, Analysis and Retrieval System ("EDGAR"). FIF cited the 2016 hacker intrusion into EDGAR as the basis for its concern.
- Nasdaq. Nasdaq argued that the harm that could result from entities publicly disclosing internal weaknesses outweighs the SEC's goal of providing information with which to assess the effectiveness of the entities' cybersecurity preparations. Nasdaq asserted that publishing information on internal weaknesses could give bad actors specific intelligence regarding an entity's infrastructure and could cause harm to the entity. Nasdaq recommended that information on entities' cybersecurity preparedness be disclosed only to the SEC.
- CME Group. CME said the SEC should address (i) the duplicative requirements in the proposal for immediate written electronic notice of significant cybersecurity incidents and (ii) the significant risk of "unintentionally assisting the malicious actors" by requiring entities to publicly disclose their cybersecurity vulnerabilities and incidents.
- ICI. ICI recommended that the SEC "incorporate any cybersecurity risk management program requirements into Regulation S-P rather than adopting them as stand-alone rules."