Financial

SEC’s breach notification proposal one step closer to a final vote

The proposed rule would give institutions 48 hours to report a cyber incident to the agency.

February 9, 2022

SEC Chairman Gary Gensler speaks at a Senate Banking Committee hearing in September 2021. (Photo by Evelyn Hockstein-Pool/Getty Images)

The Securities and Exchange Commission voted Wednesday 3-1 to approve a recommendation for tighter mandatory cybersecurity requirements for financial institutions. The proposed rule will now open to public comment before a final vote.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” SEC Chairman Gary Gensler said at the agency’s open meeting.

Most critically, the new rule would require confidential reports of any “significant” cybersecurity incidents to the SEC within 48 hours.

The proposal also would require advisers and funds to adopt, at a minimum, cybersecurity protections including a risk assessment; user security and access controls; information protection and monitoring to protect systems from unauthorized use; and an annual written review of cybersecurity risks and policies. The report would require review by a board of directors.

Commissioners said they want more input on how the rule would cover disclosures of cybersecurity risk and incident information to investors. The current proposal does not offer specific suggestions on the timeline or extent of disclosures to investors.

The rule is just one push by Gensler in steering the commission toward taking a stronger hand in addressing cybersecurity risks in the industry. SEC staff is also looking into updating the commission’s “Regulation Systems Compliance and Integrity,” which would include some of the largest broker-dealers, as well as updates to requirements around customer notices.

The agency’s deliberations over potential breach disclosure requirements align with broader efforts from members of Congress to enhance breach notification requirements for critical industries, as well as moves by other agencies including the Federal Communications Commission to tighten incident reporting rules.

Commissioner Hester Peirce, who voted against the recommendation, warned that the new requirements could end up hurting financial institutions that are the victims of cybercrime, rather than helping them.

“Rules that set forth detailed cybersecurity prescriptions could become an easy hook for an enforcement action even when a firm has made reasonable efforts to comply with the prescriptions,” said Peirce, who advocated instead for stronger guidance for advisers and investors.

“The area of cybersecurity is one that demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal,” she said. “A cybersecurity role that is styled as a cudgel will not facilitate such cooperation.”

The proposal period, which is subject to change, will remain open for at least 30 days.