SEC Reopens Comment Period For Proposed Cybersecurity Rule
The Securities and Exchange Commission is reopening the public comment period for its proposed rule on cybersecurity, after it was initially released last year.
The rule was originally proposed in February 2022, with an initial comment period extending into April of last year, and it would pertain to RIAs, as well as registered investment companies and business development companies.
If finalized as written in the proposal, the rule would require advisors and funds to create reasonably designed policies and procedures to protect clients’ information if a breach occurred, and to disclose cyber incidents on amendments to their Form ADVs.
Additionally, firms would be tasked with reporting “significant” cyber incidents to the SEC within 48 hours of uncovering the severity of the breach, a time period that caused some consternation for chief compliance officers and firms in the initial comment period and during this week’s Investment Adviser Association Compliance Conference in Washington, D.C.
“The reopened comment period will allow interested persons additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission could consider,” according to an SEC statement.
The reopening of the public comment period also came on the same day commissioners approved a number of cyber and data privacy-related rules and amendments, including amendments to Regulation S-P that would require RIAs to “provide notice to individuals affected by certain types of data breaches” which might leave them vulnerable to identity theft.
Additionally, the commission approved a proposed rule updating cybersecurity requirements for broker/dealers, as well as other so-called “Market Entities,” including clearing agencies, major security-based swap participants and transfer agents, among others. Under the new rule, b/ds must review their cyber policies and procedures so they’re reasonably designed to offset cyber risks, akin to the proposal pertaining to advisors from last year.
Unlike the advisors’ rule, however, b/ds would have to give the SEC “immediate written electronic notice” when faced with a significant cybersecurity incident, according to a fact sheet released with the rule. SEC Chair Gary Gensler voted for the proposal, along with Commissioners Caroline Crenshaw and Jaime Lizárraga, while Commissioners Hester Peirce and Mark Uyeda opposed it.
“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades,” Gensler said. “Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.”
Gail Bernstein, IAA’s general counsel, said the group appreciated that the commission had heard the worries about the “interrelatedness of its current proposals” and reopened the comment period for the cyber rule affecting advisors and funds.
The number of new proposals coming out of the SEC raised industry concerns at the IAA’s conference this week, with SEC Commissioner Mark Uyeda saying that if all proposed rules would be finalized, their compliance dates couldn’t all “hit at the same time.”
In a subsequent interview, IAA CEO Karen Barr called the SEC’s full list of proposals an “aggressive policy agenda,” and worried about the domino effect on compliance departments.
“The SEC has not focused on how the proposals interrelate and overlap with each other,” she said. “They haven’t focused on how firms are going to implement all of these rules at the same time.”
The SEC had received a lot of feedback on the 48-hour rule for reporting cyber incidents to the commission, according to David Joire, a senior special counsel in the Division of Investment Management, speaking on a panel at the IAA conference.
Maria Chambers, the CCO for Klingenstein Fields Advisors, said she was worried the firm lacked the bandwidth to meet the mandate, as the same people tasked with trying to fix a cyber breach would be the same ones who would create such a report for the commission. It could result in a report to the commission that “at best, might be slim pickings, and could be incorrect.”
The public comment period will extend for 60 days after the release on the reopening is published in the Federal Register, according to the SEC.