ABA, associations urge SEC to modify cybersecurity proposals

The American Bankers Association and three financial sector trade associations submitted two joint letters Monday urging the Securities and Exchange Commission to reconsider proposed rules governing how certain businesses handle cybersecurity incidents.

The SEC is proposing amendments to Regulation S-P that would require brokers and dealers, investment companies and investment advisers registered with the agency to adopt written policies and procedures for incident response programs to address unauthorized access or use of customer information, including procedures for providing timely notification to certain affected individuals. It has also proposed cybersecurity risk management requirements under Rule 10 of the Exchange Act that would require certain registrants to address cybersecurity risks through policies and procedures, notification and reporting to the SEC, public disclosure and record retention.

In their letter on the Regulation S-P amendments, the associations said the SEC should reconsider certain aspects of the proposal to provide enough flexibility for covered institutions to respond to cybersecurity incidents. The letter recommends that the SEC harmonize and deconflict the proposal with other proposals and requirements, clarify the scope of service providers and permit flexibility in service provider contracts, retain the proposed risk-of-substantial-harm provision, adopt a reasonable notification timeframe, broaden the national security exception to include a law enforcement and cybersecurity agency exception, and remove a requirement to notify individuals who are not customers of the covered entity.

In their letter on the Rule 10 proposal, the associations said the SEC needs to harmonize and reconcile the proposal with other proposals and requirements, remove overly complex and granular requirements, consider the impact of public disclosure requirements on the security and financial stability of covered entities, and remove intrusive administrative burdens that also could create enforcement and litigation risks.