The Securities and Exchange Commission is reopening the public comment period for its proposed cybersecurity rule after it was first published last year.
The rule was originally proposed in February 2022, with an initial comment period until April last year, and it would relate to RIAs and registered investment companies and business development companies.
If completed as outlined in the proposal, the rule would require advisers and funds to create reasonably designed policies and procedures to protect client data in the event of a breach and to disclose cyber incidents when amending their Form ADV.
Additionally, firms would be mandated to report “material” cyber incidents to the SEC within 48 hours of discovering the seriousness of the breach, a timeframe that drew some dismay from chief compliance officers and firms in the initial comment period and again during the Investment Adviser Association’s compliance conference this week in Washington, D.C.
“The reopened comment period will give interested parties additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any implications of other Commission proposals related to cybersecurity risk management and disclosure, which the Commission may consider,” according to an SEC statement.
The reopening of the public comment period also came on the same day that the commissioners approved a number of cyber and privacy rules and changes, including amendments to Regulation S-P. These would require RIAs to “notify individuals affected by certain types of data breaches,” that is, breaches that could leave those individuals vulnerable to identity theft.
In addition, the Commission approved a proposed rule updating cybersecurity requirements for broker/dealers and other so-called “market entities” including, but not limited to, clearing houses, large security-based swap participants and transfer agents. Under the new rule, b/ds must review their cyber policies and procedures to ensure they are appropriately designed to address cyber risk, similar to last year’s proposal for advisers.
Unlike the adviser rule, however, b/ds would have to provide the SEC with “immediate written electronic notification” when faced with a significant cybersecurity incident, according to a fact sheet published with the rule. SEC Chairman Gary Gensler, along with Commissioners Caroline Crenshaw and Jaime Lizarraga, voted in favor of the proposal, while Commissioners Hester Peirce and Mark Uyeda opposed it.
“The nature, scale, and impact of cybersecurity risks have increased significantly over the past few decades,” Gensler said. “Investors, issuers and market participants alike would benefit by knowing these companies have protections fit for a digital age.”
Gail Bernstein, IAA General Counsel, said the group appreciated the Commission’s concerns over the “interconnectedness of its current proposals” and its reopening of the comment period for the cyber rule, which affects advisers and funds.
The number of new proposals coming out of the SEC sparked industry concerns at this week’s IAA conference. SEC Commissioner Mark Uyeda said that if all the proposed rules were finalized, their compliance dates could all arrive “at the same time.”
In a subsequent interview, Karen Barr, CEO of the IAA, called the SEC’s full list of proposals an “aggressive political agenda” and worried about the knock-on effect on compliance departments.
“The SEC has not focused on how the proposals relate and overlap,” she said. “They haven’t focused on how companies are going to implement all of these rules at once.”
The SEC has received a lot of feedback on the 48-hour rule for reporting cyber incidents to the commission, according to David Joire, senior special counsel in the Division of Investment Management, speaking on a panel at the IAA conference.
Maria Chambers, CCO of Klingenstein Fields Advisors, said she was concerned the firm lacked the bandwidth to fulfill the mandate, since the people tasked with remediating a cyber breach are the same people who would be responsible for preparing such a report for the Commission. This could lead to a report to the Commission that “at best could be a meager pick and could be wrong.”
The public comment period is extended by 60 days after the publication of the reopening in the Federal Register, according to the SEC.