SEC's New Cyber Rule Plan Needs Changes, Trade Groups Say
The plan, among other things, would strengthen the SEC’s regulatory standards in the safeguards rule by requiring broker-dealers, investment advisors and certain other registrants to have written policies and procedures reasonably designed to detect, respond to and recover from any unauthorized access to or use of their customers’ information.
These firms would also face “a new obligation to notify customers whose information may have been accessed or used improperly, with this new duty standing alongside any other notice requirements that exist under state or federal law,” the North American Securities Administrators Association explained.
NASAA President Andrew Harnett said in his comment letter that the term “cyberattack” should be included as an event that “could give rise to the customer notice obligation.”
David Bellaire, general counsel for the Financial Services Institute in Washington, said in his comment letter that when the SEC adopts the proposals, “the SEC should provide an extended implementation period of two years” — three years for small firms.
Further, Bellaire said that while FSI appreciates “that the BD Proposal has a partial exclusion for certain smaller broker-dealers … the impact of the BD Proposal — and the Reg S-P Proposal — remains outsized for these smaller broker-dealers.”
Smaller investment advisors, Bellaire continued, “do not benefit from any relief based on their size and are also subject to an outsized impact” from the plan.
The proposal would also require, with certain limited exceptions, these covered institutions “to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization” not later than 30 days after the firm becomes aware of an incident. Bellaire said that 30-day notice deadline should be extended to 60 days.