Commenters replying to the Securities and Exchange Commission’s three cybersecurity proposals requested additional flexibility and two years to comply with anything the regulator adopts, based on responses submitted through the deadline Monday.

The three proposals, first published in March are known as Reg S-P, Reg SCI and New Rule 10 (sometimes called Reg BD). Many firms also requested that the rules be harmonized with each other.

The Proposals

Reg S-P applies to broker/dealers and registered advisers. It requires covered entities to adopt policies to protect customer records and to notify clients who are affected by data breaches that could put them at risk. Covered entities must inform affected customers “as soon as practicable,” but no longer than 30 days after they become aware of the breach.

The update to Reg SCI expands the scope of entities subject to Regulation Systems Compliance and Integrity and would require SCI entities to maintain security policies and to undergo business-continuity and disaster testing. That testing would require SCI entities to assess how prepared they are to manage the unavailability of a third party to which they outsource.

This proposal would expand the definition of SCI entities to include registered security-based swap data repositories; broker-dealers registered with the SEC under Section 15(b) that exceed a total assets threshold or a transaction activity threshold in NMS stocks, exchange-listed options, U.S Treasury securities, or Agency securities; and all clearing agencies exempted from registration.

The proposal would require SCI entities to notify immediately the SEC of certain significant digital events, such as those that deny access to systems. This disclosure would be confidential.

Michael Pappacena, a cybersecurity partner at the ACA Group, explains that the SEC has been increasing its focus on the role of third parties and outsourcing in the financial industry. He says the SEC wants to see that “if you are trusting third parties with key business functions, that you are performing due diligence” and that core systems can survive if those third parties are affected by a digital attack.

New Rule 10 would require clearing agencies, securities exchanges, transfer agents and other actors to maintain policies designed to address their cybersecurity risks, which must be reviewed and updated annually. This rule would also require immediate confidential notice to the SEC of a cybersecurity incident.

Industry Feedback

The Investment Adviser Association offered qualified support for the proposals. In its letter to the SEC, the IAA stated that it supports requiring advisers to have an incident response program. The association requested that the program be limited to protecting sensitive data, not all data, and that the SEC narrow the requirement to monitor service providers to only those managing sensitive data.

On Reg S-P, the Financial Services Institute and Investment Company Institute both asked that the SEC modify the 30-day notification requirement. The FSI asked that the timeline be extended to 60 days and that the SEC account for state laws which also require notification. The ICI asked the SEC to account for police investigations into the incident, which may require confidentiality, and that the SEC allow at least 24 months to comply with the rule after it is finalized.

Nasdaq noted that law enforcement may even request a delay in disclosure as part of its investigation, so as to not inform perpetrators about what authorities know about a breach. Nasdaq urged the SEC to account for this possibility in its final rule and also requested that the SEC harmonize the disclosure timelines between the rules and between state governments with similar requirements.

Amazon Web Services elaborated on the concern of hasty public disclosure. Its comment explained that mass disclosure to affected customers could signal the existence of vulnerabilities, which could then be further exploited. AWS also noted that speedy disclosure requirements for all three rules would encourage false positives and misinformation, since there would be little time to review disclosures, which would only lead to more confusion.

Pappacena says immediate notification would be difficult to accomplish in practice, because the personnel who are informed enough about the incident to report it accurately would also be those working to correct the problem. The SEC also requires additional updates if anything in the disclosure becomes materially inaccurate, another burden for those trying to put out the fire.

The North American Securities Administrators Association wrote that, given the short window required for disclosure in response to a cybersecurity incident, some firms may be unsure of the extent of the breach and therefore unsure if disclosure is even required. To remedy this, the NASSA recommended that where the language “reasonably likely” appears in reference to determining if compromised data could cause substantial harm, it should be replaced with “reasonably possible” to clarify that if an organization is unsure of the extent, it should still disclose the potential compromise to the SEC or clients as appropriate.