The Securities and Exchange Commission needs to provide more clarity and guidance about recent amendments to its data breach standards for investment companies and advisers, and it should consider making further changes to ease the compliance burden on covered institutions, the American Bankers Association and seven associations said today in a joint letter to the SEC.
The SEC last year adopted amendments to Regulation S-P to require brokers and dealers, investment companies and investment advisers registered with the agency to adopt written policies and procedures for cyber incidents, including data breaches. In their joint letter, the associations noted they had previously asked the commission to reconsider certain aspects of the proposal, as they were too prescriptive and did not provide enough flexibility for institutions dealing with the unique circumstances of a cybersecurity incident.
The associations listed several revisions they had proposed when the amendments were originally considered. They include eliminating the 72-hour notification requirement for service providers and harmonizing it with existing standards, allowing for investigation and a reasonable notification period, and not requiring covered institutions to provide notice to customers with whom they do not have preexisting relationships. They also recommended delaying the effective date of the amendments by a year to give covered institutions adequate time to prepare for the new requirements.
“(W)e encourage the commission to consider our proposed changes as a means to avoid too many overly prescriptive, duplicative and burdensome requirements on covered institutions,” the associations said. “These changes would better promote harmonization between the various SEC-proposed rules — and with rules of other federal agencies — simplify requirements within the proposals, and design proposals that protect against cyberthreats without creating enforcement and litigation traps.”