SEC Must Step Up Cybersecurity Rules for B-Ds, RIAs: Commissioner
The Securities and Exchange Commission’s current rules relating to cybersecurity need to be enhanced with a new one specifically addressing reporting of cybersecurity breaches by registered investment advisors and broker-dealers, according to one of its commissioners.
The SEC has some general rules relating to cybersecurity already in place, Commissioner Elad Roisman, a Republican appointee, said in prepared remarks for his speech at the Los Angeles County Bar Association last week. The Safeguards Rule, implemented in 2000, for example, requires broker-dealers to implement policies and procedures to protect client records and ensure confidentiality of customer information as well as protect against unauthorized access, he said. The SEC also adopted a rule in 2013 requiring certain SEC-regulated entities to have policies and procedures aimed at preventing identity theft, according to Roisman.
But the commissioner wants the SEC to go one step further.
“Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach,” Roisman said.
While advisors should have flexibility in tailoring their measures as far as notifications, “there should be some framework for reporting cyber-incidents to clients and to the Commission, to the extent the adviser has identified them to be material,” he said.
Roisman believes the SEC can take a page from the Financial Industry Regulatory Authority, which has rules requiring broker-dealers to alert the self-regulator of certain cybersecurity incidents and encourages member firms to report major cyber events even if they’re outside the scope of the rule.
“I also hope that the industry and fellow registrants will help each other,” he said. “When one entity has a cyber-incident or when one entity fails to act appropriately after a cyber-incident, it raises concerns about an entire industry.”
Roisman also urged firms to act ahead of any further guidance from the SEC, including by identifying the providers and experts to contact in case of a cyber incident and conducting table-top exercises.