FIF - Financial Information Forum
  • Home
  • News
  • Press
  • Commenters Request Clarification on SEC-Proposed Cybersecurity Requirements

Commenters Request Clarification on SEC-Proposed Cybersecurity Requirements

June 8, 2023 (Fried Frank News & Insights): 

The Financial Information Forum ("FIF"), Nasdaq, CME and the Investment Company Institute ("ICI") (collectively, the "Associations") recommended changes to the SEC's proposed rules on cybersecurity risk management practices.

Proposed Amendments to Reg S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information")

The SEC proposed to (i) require firms to implement written incident response plans, (ii) provide timely notification to affected individuals following data breaches and (iii) extend the protections of Reg S-P’s safeguards and disposal rules to cover information that a firm receives from another financial institution relating to that institution’s customers. (See previous coverage).

  • FIF. FIF proposed a minimum compliance period of two years instead of 12 months to provide a sufficient implementation period to (i) update service contracts and (ii) comply with data breach notification requirements.
  • Nasdaq. Nasdaq recommended that the SEC (i) expand the reporting exception regarding personal data incidents to "include documented requests from a competent law enforcement agency for the duration requested by such agency" and (ii) increase the implementation timeline to two years to support entities' compliance with the new requirements regarding contracting service providers.

Proposed Expansion of Reg SCI ("Regulation Systems Compliance and Integrity")

The SEC proposed amendments to Reg SCI that would expand the scope of the regulation to cover, among other entities, large broker-dealers, as defined by various measures of size. (See previous coverage.)

  • FIF. FIF recommended that the required data under the proposal to determine whether a broker-dealer has exceeded one or more of the applicable transaction activity thresholds in a given month should be calculated by the SEC or FINRA. FIF stated that this would be more efficient than broker-dealers having to perform the calculations independently, as is currently proposed.
  • Nasdaq. Nasdaq supported the proposal (i) for ensuring "like market participants are subject to the same standards" and that investors receive the same protections regardless of their regulatory classification and (ii) for providing "specific guidance" on entities’ relationships with third parties. However, Nasdaq advised the SEC to clarify its guidance regarding the use of cloud service providers.
  • CME Group. CME emphasized the "significant overlap" across its proposed amendments to Reg SCI and proposed Rule 10 and argued that adopting both rules would be "inefficient and unnecessary to achieve the resiliency and systems integrity the [SEC] seeks." CME urged the SEC to consider the "substantial costs" that would be imposed under the proposal.

Proposed Cybersecurity Risk Management Requirements

The SEC proposed new Rule 10 that would require market entities to (i) create and maintain written policies and procedures to address cybersecurity risks, (ii) annually review these policies, (iii) submit an annual review to the SEC and (iv) immediately inform the SEC of any significant cybersecurity incidents once the market entity concluded that a cybersecurity incident occurred. The proposal would also require covered entities to disclose and document through new Form SCIR (i) steps taken to remedy any significant cyber incidents and (ii) an annual summary of cybersecurity risks and incidents. (See previous coverage.)

  • FIF. FIF said that the proposal lacks steps the SEC is taking to protect the security of the SEC Electronic Data Gathering, Analysis and Retrieval System ("EDGAR"). FIF cited a hacker intrusion in 2016 as the basis for its concern.
  • Nasdaq. Nasdaq argued that the harm that could result because of entities publicly disclosing internal weaknesses, outweighs the SEC's intent to provide information to assess the effectiveness of the entities' cybersecurity preparations. Nasdaq asserted that providing information on internal weaknesses could give bad actors specific intelligence regarding an entity's infrastructure and could cause harm to the entity. Nasdaq recommended that information on entities' cybersecurity preparedness only be disclosed to the SEC.
  • CME Group. CME said the SEC should address (i) duplicative requirements in the proposal that require immediate written electronic notice of significant cyber security incidents and (ii) significant risk of "unintentionally assisting the malicious actors" by requiring entities to publicly disclose their cybersecurity vulnerabilities and incidents.
  • ICI. ICI recommended that the SEC "incorporate any cybersecurity risk management program requirements into Regulation S-P rather than adopting them as stand-alone rules."

Contact

Financial Information Forum

212-422-8568
fifinfo@fif.com
Privacy Policy

Who We Are

The Financial Information Forum (FIF) addresses the implementation issues that impact the financial technology industry across the order lifecycle.

 

What We Do

FIF prepares comment letters and discussion documents based on member input that contribute to changes in implementation time frames and methodology.

Working Groups

FIF forms topic-oriented working groups to address implementation issues associated with new initiatives.
More here

© 2024 Financial Information Forum

Press enter to search
Impressum

Wir bieten unseren Kunden mit nützlichen Informationen und Ratschläge, die sie benötigen, fundierte Entscheidungen zu treffen, ihre Ziele zu erreichen. Ob es sich um die Verwaltung von Kundeninvestitionen oder einen umfassenden Plan für sie zu schaffen und ihre Familie sind unsere zertifizierten Planern gewidmet mit einem außergewöhnlichen Service zu bieten.

Deshalb, im Laufe der Jahre konnten wir einen Ruf als einer der besten unabhängigen Beratern zu bauen. Wir verstehen die Bedeutung der Kunden auf dem richtigen Weg zum Erfolg bringen, und wir sind bereit, mit ihnen der Planung in allen Bereichen zu arbeiten.

Terms and Conditions

  1. Introduction

These Website Standard Terms and Conditions written on this webpage shall manage your use of this website. These Terms will be applied fully and affect to your use of this Website. By using this Website, you agreed to accept all terms and conditions written in here. You must not use this Website if you disagree with any of these Website Standard Terms and Conditions.

Minors or people below 18 years old are not allowed to use this Website.

  1. Intellectual Property Rights

Other than the content you own, under these Terms, Buckle LLC and/or its licensors own all the intellectual property rights and materials contained in this Website.

You are granted limited license only for purposes of viewing the material contained on this Website.

  1. Restrictions

You are specifically restricted from all of the following

  • publishing any Website material in any other media;
  • selling, sublicensing and/or otherwise commercializing any Website material;
  • publicly performing and/or showing any Website material;
  • using this Website in any way that is or may be damaging to this Website;
  • using this Website in any way that impacts user access to this Website;
  • using this Website contrary to applicable laws and regulations, or in any way may cause harm to the Website, or to any person or business entity;
  • engaging in any data mining, data harvesting, data extracting or any other similar activity in relation to this Website;
  • using this Website to engage in any advertising or marketing.

Certain areas of this Website are restricted from being access by you and Buckle LLC may further restrict access by you to any areas of this Website, at any time, in absolute discretion. Any user ID and password you may have for this Website are confidential and you must maintain confidentiality as well.

  1. Your Content

In these Website Standard Terms and Conditions, “Your Content” shall mean any audio, video text, images or other material you choose to display on this Website. By displaying Your Content, you grant Buckle LLC a non-exclusive, worldwide irrevocable, sub licensable license to use, reproduce, adapt, publish, translate and distribute it in any and all media.

Your Content must be your own and must not be invading any third-party’s rights. Buckle LLC reserves the right to remove any of Your Content from this Website at any time without notice.

  1. No warranties

This Website is provided “as is,” with all faults, and Buckle LLC express no representations or warranties, of any kind related to this Website or the materials contained on this Website. Also, nothing contained on this Website shall be interpreted as advising you.

  1. Limitation of liability

In no event shall Buckle LLC, nor any of its officers, directors and employees, shall be held liable for anything arising out of or in any way connected with your use of this website whether such liability is under contract. Buckle LLC, including its officers, directors and employees shall not be held liable for any indirect, consequential or special liability arising out of or in any way related to your use of this Website.

  1. Indemnification

You hereby indemnify to the fullest extent Buckle LLC from and against any and/or all liabilities, costs, demands, causes of action, damages and expenses arising in any way related to your breach of any of the provisions of these Terms.

  1. Severability

If any provision of these Terms is found to be invalid under any applicable law, such provisions shall be deleted without affecting the remaining provisions herein.

  1. Variation of Terms

Buckle LLC is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.

  1. Assignment

The Buckle LLC is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.

  1. Entire Agreement

These Terms constitute the entire agreement between Buckle LLC and you in relation to your use of this Website, and supersede all prior agreements and understandings.

  1. Governing Law & Jurisdiction

These Terms will be governed by and interpreted in accordance with the laws of the State of New York, and you submit to the non-exclusive jurisdiction of the state and federal courts located in New York for the resolution of any disputes.

Press enter to search

Interested in joining us?

Download membership kit

Key Reasons to Join

  1. Stay informed on Current Regulatory and Market Initiatives
  2. Drive Industry Issues to Successful Resolution
  3. Impact the implementation timing and methodology of new rules
  4. Apply FIF Insight Within Your Firm