The SEC Prepares to Regulate – and Regulate – the Finserv Sector

In a bid to tighten its cybersecurity and technology policy, the SEC is prepping a dizzying slew of regulations for financial services firms. We lay out the proposed new rules, the rancor, and the rocky road ahead.

Perspective

The Securities and Exchange Commission is coming for finserv.

After clamping down on public companies with new (and hotly debated) data-breach disclosure rules last year, and rattling chief information security officers (CISOs) with a landmark lawsuit, the SEC is queuing up a slew of cybersecurity regulations for the financial services sector.

The dizzying set of proposals, under construction for almost two years, has brokers, investment advisers, and other industry players royally rankled. (One of the SEC’s own commissioners called one rule a “cudgel.”)

We’ve been tracking these proposals at Focal Point month after month, and each time the SEC seems close to a decision, they introduce a new set of proposals, some echoing (or completely overlapping) previous proposals, leaving eyes crossed and questions (some, at least) unanswered.

What’s clear is that the SEC is not treading lightly. Those new data-breach rules adopted last July require publicly traded companies to disclose any significant or “material” cybersecurity incidents within four days, a controversial measure that sent ripples across U.S. boardrooms.

And the SEC’s response to the devastating SolarWinds attack – a lawsuit against that company and its CISO, Timothy Brown – marks the first time a CISO has been held personally liable for allegedly misleading investors about the company’s security posture and failing to take basic security precautions. CISOs are justifiably stunned, and some are thinking of leaving the industry.

For those in the finserv sector wondering just what compliance will mean for them in coming months, we’ve laid out the major concerns. So buckle up: In a bid to tighten its cybersecurity and technology policy, the SEC is taking us down a bumpy road.

A breakdown of proposed SEC cyber regulations for finserv firms

The SEC has been trying to wrangle the finserv sector for more than two years. It started with…

  • A proposed cybersecurity rule for investment advisers and funds, published in February 2022. It would require written policies to address cybersecurity risks, and the reporting of significant cybersecurity incidents to the Commission within 48 hours. The SEC asked the public to weigh in on the proposal and took comments for several months.

About a year later, in March 2023, the Commission followed this up with a similar proposed rule targeting a group collectively termed “market entities.” These include broker-dealers, clearing agencies, national securities associations, and exchanges.

  • Known as Rule 10, this regulation would require written security policies covering areas including access control, malware protection, and the storage and monitoring of information. Entities would also need periodic reviews to ensure those policies continued to align with evolving cybersecurity risk, along with incident response policies. The rule would also require disclosure of a breach within 48 hours using part one of Form SCIR, and companies would need to inform the public in the same calendar year using part two of the form.

It simultaneously proposed two amendments to other provisions.

  • One amendment concerns Regulation S-P, a rule setting out policies for protecting customer records. The amendment would require broker-dealers, investment companies, registered investment advisers, and transfer agents to notify individuals affected by data breaches.
  • Another amendment relates to Regulation Systems Compliance and Integrity (Reg SCI), a 2015 rule the Commission uses to oversee IT systems in securities markets. This amendment would bring more companies under its scope and introduce more obligations, including broadening the definition of “systems intrusion,” which would create more reporting requirements.

Confusion, complaints, and delay

The proposed rules and extra amendments drew a raft of negative comments from the industry. “We urge this Commission to stop moving forward with ill-conceived ideas that do nothing but empower a professional class of lawyers and consultants whose hourly rates seem to increase every time a new rule is adopted,” snapped Christopher A. Iacovella, CEO of the American Securities Association, in a public comment.

Others noted redundancies.

“Reg SCI already achieves the same cyber resilience outcomes under Proposed Rule 10 for the entities that are or will be subject to Reg SCI,” complained Nashira Spencer, managing director of the Depository Trust & Clearing Corporation, in her response to the proposals.

As if the cascade of complicated and overlapping proposals weren’t enough, the Commission also reopened the public comment period for the investment rule – remember that first proposal for investment advisers and funds from 2022? – in March 2023 so that they could align it with the new proposals, explains Richard Borden. A partner in the Data Strategy, Privacy & Security Group at legal firm Frankfurt Kurnit Klein & Selz, Borden has been closely following the SEC’s regulation of the financial services sector. “[They will] then presumably issue a complete set that covers all of the companies that they regulate.”

Many commenters were concerned about the short time periods: firms would have just 48 hours, sometimes less, to disclose a cyberattack, and reports would need to be updated throughout an attack. The Investment Advisors Association called this “onerous and unnecessary,” noting it would flood the SEC with data it couldn’t process. Amazon Web Services warned that “Providing information before an incident has been assessed may lead to confusion and misunderstanding.”

SEC commissioners were also unhappy with the Rule 10 proposal, which was introduced in a 3-2 vote. One dissenter, Commissioner Hester M. Peirce, warned that the rule was a “cudgel” with which to threaten market entities rather than assist them. She worried about the legal liability for misstatements or omissions on Form SCIR part one, which companies would be filling out during a panicked period when accurate information might not yet be available.

“This rule is easier to understand as a tool to enhance our year-end enforcement statistics than a serious proposal to make the securities markets more secure,” she said.

Do the SEC’s cyber regulations shift risk to the weakest point?

The SCI enhancements also have worrying implications for securities entities using cloud service providers. The proposed rule explicitly dismisses the shared responsibility principle. This is a well-established concept in cloud computing engagements that divides responsibilities for security and systems resilience between cloud service provider and user. Instead, the SCI-covered organization bears the brunt of these responsibilities under the proposal. It also suggests that an organization use multiple cloud service providers in unison for extra resilience where deemed necessary.

“That’s incredibly difficult to do from a technical perspective and would be extremely expensive,” says Borden. He adds that the extra complexity might cause operational problems that could make systems less reliable, not more.

Borden is concerned the proposed rules place the risk management burden on financial institutions that might not have the power to address it. For example, the extra requirements could force affected organizations not to use cloud services at all and instead resort to less-secure on-premises systems.

“I worry that they’re going to drive some inappropriate behavior, or some behaviors that are potentially more damaging,” he adds.

These regulatory expansions also risk overlapping with yet more rules. In October 2023, the Commission proposed oversight requirements on services outsourced by investment advisers. Advisers would need to look at a service provider’s competence and resources, and assess any risks that they represent, while periodically monitoring the provider’s performance and reassessing the contract, keeping records of the whole process.

The proposed requirements also contain multiple additional measures involving cloud service providers, including creating agreements to retain the adviser as a client for a minimum period of time, and ensuring availability.

The SEC’s cyber regulations put AI under the microscope

No self-respecting regulator would miss a chance to govern the risk of AI, so in October 2023 the Commission released a proposed rule concerning the use of technologies such as AI and predictive analytics. It stems from concerns that advisers might use these technologies to further their own interests at the expense of investors, and it applies even to robo-adviser services.

The problem is that it also applies to everything else, warned Commissioner Mark T. Uyeda, in a statement denying support for the proposal.

“Under the rule text, even non-electronic calculators like an abacus might be legally subject to its scope,” he warned.

Uyeda also criticized “the pattern of recent Commission proposals in which somewhat outlandish components were included, which drew the attention and focus of commenters.”

One such critic was Jennifer W. Han, executive vice president of the Managed Funds Association. Her comment on the proposal included an impact analysis of the proposed rule that the MFA commissioned from economic consulting firm NERA. It warned that the rule would introduce “substantial compliance costs that may force firms to close or consolidate.”

A lack of joined-up thinking

An overriding concern about many of the SEC’s regulations isn’t just their own overlapping nature but also their lack of harmony with other governmental reporting rules.

Harley L. Geiger, counsel advising on cybersecurity law and policy at legal firm Venable LLP, notes a September 2023 report from the Department of Homeland Security’s Office of Strategy, Policy, and Plans looking at harmonization of cyber incident reporting to the federal government. Its assessment of 52 in-effect or proposed cyber incident reporting requirements found potentially duplicative requirements.

This lack of joined-up reporting policy might leave organizations – especially those governed by multiple regulators – facing a slew of different reporting triggers and timelines, Geiger says. “This is a sub-optimal regulatory landscape. We think that it is important for organizations to be prepared to manage this patchwork but also to have greater harmonization in federal cyber incident reporting policy.”

Please stand by

There is no word from the SEC (which did not respond to our query) about if or when the proposed rules might become final.

Borden first expected some deliverable from the Commission soon after the initial investment adviser rule. “Then when they did that whole set of things last year, I thought, ‘OK, we’re going to have something in 90 days’,” he concludes. “Well, it’s been 14 months.”

Danny Bradbury

Danny Bradbury is a journalist, editor, and filmmaker who writes about the intersection of technology and business. He has won the prestigious BT Information Security Journalism Award, including for Best Cybercrime Feature.
