Commentary, November 02, 2021 at 07:44 AM
What You Need to Know
- The SEC needs to bring more clarity on whether advisors and broker-dealers should notify the agency and investors of a cybersecurity breach, Elad Roisman says.
- The SEC should look to FINRA’s cyber rules.
SEC Commissioner Elad Roisman, a Republican, wants the agency to write a rule clarifying when advisors and broker-dealers must inform investors and the commission about a cybersecurity breach.
In a speech Friday before the Los Angeles Bar Association, Roisman said he appreciates that the agency’s regulatory approach to cybersecurity has largely reflected the fact that the SEC does not “regulate this area in a vacuum.”
The agency, he said, has “been very targeted in imposing affirmative requirements on our registrants related to cybersecurity, only focusing on certain registrants and certain areas that we have identified as posing the highest risk.”
Also, SEC rules — namely, Regulation Systems Compliance and Integrity, or Reg SCI, and Regulation S-P, the Safeguards Rule — “have largely been principles-based, as we have endeavored to provide registrants flexibility to address cybersecurity obligations in the context of their particular business and circumstances.”
However, he continued, “it is time that the commission consider rules that provide registrants — particularly investment advisers and public issuers — with more of an idea of what we expect of them in today’s marketplace.”
Given the increasing and inevitable reliance of advisors on technology, Roisman said, “it is time that the commission bring more clarity to this issue in cases where there may be confusion about whether to notify the commission and investors in the event of a cybersecurity breach.”
Any such obligation, Roisman said, “should be principles-based and allow advisers the flexibility to tailor notification measures to their business and the facts and circumstances of the situation.”
That said, “there should be some framework for reporting cyber-incidents to clients and to the commission, to the extent the adviser has identified them to be material.”
Roisman said the SEC should look to a set of requirements the Financial Industry Regulatory Authority has imposed on broker-dealers to alert FINRA of certain systems-related incidents.
In addition to the rules applicable to broker-dealers, “FINRA has rules regarding supervisory procedures and business continuity planning, which can implicate cybersecurity,” Roisman said.
“FINRA also has a rule requiring a broker-dealer member to promptly report to FINRA if it has, or reasonably should have, concluded that it has violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization.”
FINRA has stated that, under this rule, the broker-dealer self-regulator “expects its members to report only conduct that has widespread or potential widespread impact to the member, its customers or the markets, or conduct that arises from a material failure of the member’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts,” Roisman said.
FINRA has also “encouraged firms to report material cyber events to their regulatory coordinator even if it does not meet the threshold outlined in its rule,” Roisman said.