SEC Plans to Update Rules for Brokers, Advisors on Protecting Client Information

The Securities and Exchange Commission has a busy rulemaking agenda, and brokers and advisors can look ahead to new regulations concerning cybersecurity and safeguarding clients’ personal information.

The commission is currently reviewing the comments it received for its cybersecurity proposal, but Chairman Gary Gensler is indicating that the agency is also working on an overhaul of Regulation S-P, the 22-year-old rule stipulating how registrants must protect sensitive client data.

Gensler briefly addressed the topic when he appeared via web conference at the Investment Adviser Association’s conference this week, saying that he believes the rule, which was last amended in 2004, needs to be updated.

Gensler positioned the overhaul of Regulation S-P as a companion initiative to the cybersecurity rule, which is focused on the policies and procedures companies have in place to prevent, detect, and respond to data breaches.

“The other thing that we’re looking at is [protecting] the investor themselves,” Gensler said. “We’ve had that rule—Rule S-P—for 20 years, we’re also looking to update that.”

The rule remains a significant area of focus for regulators. Earlier this month, the SEC announced a $35 million settlement with Morgan Stanley over what the commission described as “extensive failures” to protect client information.

Gensler offered no indication of timing either for a proposal to update Regulation S-P or for finalizing the cybersecurity rule, though he made a forceful case for SEC action in the area.

“In terms of cybersecurity, what we’ve found is this is a growing risk in our economy, and everybody knows that,” he said. “I think cybersecurity is a key risk, and it’s one of the risks that I’m really proud that we’re updating.”

Gensler’s appearance at the IAA conference took the form of an interview with Karen Barr, the group’s president and CEO.

Barr pressed Gensler on one of the more controversial elements of the cybersecurity proposal, which would require advisors and other registrants to notify the commission within 48 hours of detecting a breach, an interval the IAA would like to see lengthened.

“We feel that the window is too short and the ongoing reporting might detract from the response to what’s happening on the ground,” Barr said.

“I can’t prejudge where we’re going to end up,” Gensler responded, noting that commission staffers are still reviewing the voluminous public comments that interested parties filed in response to the rule proposal.

Barr’s group is also pressing the SEC to extend some relief for smaller advisory shops in its cybersecurity rule.

“We do feel that the cyber rule should be calibrated for small businesses,” she told Gensler. “We hope to continue to work with you to exclude small businesses from some of those prescriptive requirements where they don’t make sense or are not possible—for example where smaller businesses don’t have the leverage to get certain contractual provisions from their vendors.”

Advisor Armor