Is 48 Hours Too Short For Reporting Cybersecurity Breaches?
The 48-hour time frame for reporting cybersecurity incidents required by the Securities and Exchange Commission’s proposed cybersecurity rule would put “a lot of strain” on firms’ resources, according to the chief compliance officer at one New York-based advisory firm.
Maria Chambers, the CCO at Klingenstein Fields Advisors, detailed her worries during a discussion at the Investment Adviser Association’s Compliance Conference in Washington, D.C.
The panel centered on discussion of the SEC’s cybersecurity rule proposal released in February 2022, and occurred as commissioners prepare to vote on several cyber-related rules and amendments this Wednesday.
If finalized as is, the cybersecurity rule would require advisors and funds to create “reasonably designed” policies to offset the risk of a breach, and amends rules on Form ADVs, requiring advisors to disclose cyber risks and incidents.
The SEC also asked firms to report “significant” cyber incidents to the commission within two days. But at Chambers’ firm, the same people working on resolving the issues would also be the ones required to produce such a report. Trying to juggle both could result in a document that “at best, might be slim pickings, and could be incorrect,” Chambers said.
The SEC received a lot of feedback on the 48-hour mandate, according to David Joire, a senior special counsel in the commission’s Division of Investment Management. Many agreed with Chambers that the window was too short, while others said there should be immediate SEC notification because there could be a market impact.
Some asked for 72 hours, and issuers requested four business days, but even with those longer time periods, Chambers worried they’d be hard-pressed to meet the SEC’s requirements.
“We have a firm with 40 individuals. Everyone already is, I’m sure, at capacity,” she said. “It would require us to spend, and not even be comfortable with the output in such a short period of time.”
According to Joire, the SEC defined a “significant” incident as one in which an advisor’s critical operations were “significantly disrupted or degraded” so that it was unable to provide services (for example, if an advisor was unable to make trades or contact clients), or in which there was “substantial harm” to the advisor, its clients or investors in private funds.
In response, firms should consider adopting a tiered strategy to discern when an event rises to the reportable level, according to Jacob Prudhomme, an advisor with KPMG US. If a breach hits a critical process and a critical system for the firm, it’s a no-brainer to report, but one without the other may require investigating further to see if it warrants reporting.
Prudhomme said firms may initially believe no critical systems or processes were affected, but after investigating find that some were; in that case, the 48-hour clock starts from the point of that determination, not from when the breach first occurred.
Prudhomme found one of the most worrisome problems to be who writes the report: all parts of the firm need to be involved to ensure risk management is actually being done and there is no “failure of imagination” about what could happen.
“The lawyers don’t want the business to write it, the business doesn’t want the lawyers to write it, and no one wants tech to write it,” he said.
The rule also requires advisors to set up agreements with third-party vendors to gauge the vendors’ own cybersecurity protocols. Prudhomme argued this gave firms leverage in negotiations, but Chambers recalled that when readying for the marketing rule, some vendors refused similar requests because they were not under the commission’s jurisdiction.
“Maybe collectively we will have an impact and get vendors to support us, but it’s a fight right now,” she said.
Marc Mehrespand, a branch chief with the Investment Management Division, was cagey on details about Wednesday’s open meeting, but according to the meeting’s agenda, commissioners will vote on three proposals.
These include amendments updating Regulation S-P to require brokers and advisors to adopt policies addressing unauthorized access to or use of customer information (including alerting affected customers), as well as amendments expanding Regulation SCI and a new cyber-related rule and amendments under the Exchange Act that would affect broker/dealers.
Even though the rule remains in its proposal stage, Prudhomme said he’d already seen some interest from firms looking to prepare, due in large part to the growing need for more cybersecurity.
“It’s kind of like clean water,” he said. “It’s hard to argue against.”