SEC cyber rules risk creating web of confusion and costs

The regulator’s proposals would require breach notifications, public disclosures and annual cyber assessments.


  • The US Securities and Exchange Commission has proposed a new set of cyber risk management rules for the entities it regulates.
  • The timing is appropriate, given the recent attack on trading services provider Ion Group.
  • But critics say there is a risk of duplication with other regulatory agencies that have already imposed cyber risk rules, especially prudential regulators.
  • Some also question how far the SEC can influence the relationship between financial firms it regulates and the third-party providers it does not.

The cyber attack on trading services provider Ion Group has pushed these incidents to the top of everyone’s agenda. But an intervention by the US Securities and Exchange Commission on the subject of cyber security may be a case of right time, wrong rules, say financial institutions.

Complicating the matter is that—in what has become something of a repeated pattern for SEC chair Gary Gensler—the agency intends to create and amend multiple rules at the same time. Add to this complex set of plans the fact that other regulators have already introduced reporting requirements for cyber incidents, and the result could be both costly and potentially involve duplicate obligations.

Nathaniel Lalone, partner at law firm Katten Muchin Rosenman, says many of the firms covered by the proposals will now find themselves “caught in the cross-current” of several overlapping SEC proposed rules that address operational resilience issues.

“Hopefully the rule set, once adopted, operates as a coherent, integrated whole, otherwise the implementation burden for firms will be significant,” says Lalone.

Brian Neuhaus, regional chief technology officer for the Americas at cyber threat detection firm Vectra, thinks that while the rule is an improvement to the regulatory landscape, it will impose a “significant” cost of compliance on smaller firms, which may struggle to implement the necessary controls and procedures. He also questions whether the SEC has sufficient resources to effectively monitor and enforce compliance with the rules.


On March 15, the SEC proposed a new cyber security risk management rule (rule 10) for a range of regulated firms, together with amendments to Regulation Systems Compliance and Integrity (Reg SCI) and to Reg S-P, which covers the protection of customer data. At the same time, in light of the new proposals, the SEC reopened the comment period for the draft cyber security risk management rule for investment advisers, originally proposed in March 2022.

Those caught by the new rule 10 include broker-dealers, alternative trading systems, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.

“The proposed amendments by the SEC to codify their cyber security and risk management requirements is certainly an improvement to their previous guidance, which wasn’t as prescriptive and clear in defining specific requirements,” says Christian Scott, chief information security officer at cyber risk consultancy Gotham Security.

However, Caitlin Potratz Metcalf, a senior US associate at law firm Linklaters, says while the SEC is taking steps in the right direction, in practice the various proposals would need further clarification, without which they may prove “inconsistent, cumbersome and costly for businesses to implement”.

Tighter definition

Under the new rule 10, covered entities would need to publicly disclose on their website summary descriptions of their cyber security risks and the significant cyber incidents they experienced during the current or previous calendar year.

This echoes last year’s proposal for investment advisers to disclose more information about cyber attacks, which was criticised by market participants as a boon for hackers. Cyber security experts said the disclosures may expose compromised firms to further attacks when they are most vulnerable. At that time, the SEC noted that reports submitted through Edgar are confidential. However, in 2016, Edgar itself was infiltrated by hackers, who stole corporate earnings reports and traded ahead of their release.


In terms of when an incident would trigger public disclosure, rule 10 defines a cyber security incident as an unauthorised occurrence on information systems that “jeopardizes” confidentiality, integrity, or availability of systems or information.

Vectra’s Neuhaus thinks covered entities previously used “loopholes in the legal narrative to maintain confidentiality of threats in order not to make disclosures. The new language—using words such as ‘jeopardize’—forces companies to take a more transparent path”.

SEC chair Gary Gensler said when the proposals were unveiled that the requirements will enable investors to hold market entities accountable.

Too many cooks

However, critics say the proposals are duplicative, burdensome and may not achieve much. Speaking at the open meeting proposing the rules, Republican SEC commissioner Mark Uyeda raised concerns about the Commission’s “kitchen sink approach to cyber security”. Uyeda said this approach could result in banks having to manage potentially duplicate policies and procedures and multiple notifications to the SEC and customers, as well as facing different state and federal standards for triggering a data breach notification.

Uyeda ultimately supported the proposal of amendments to Reg S-P, but not the new rule 10 or the Reg SCI amendments.

An existing 36-hour federal reporting rule is imposed by the Federal Deposit Insurance Corporation, Federal Reserve and Office of the Comptroller of the Currency when financial institutions experience a “notification event”. The New York State Department of Financial Services has a longer 72-hour requirement. The European Union imposes a 72-hour rule through its General Data Protection Regulation.

As a result, some US banks think cyber hygiene is already well monitored in the industry. A risk manager at a US bank says most financial institutions effectively assess their own cyber security policies and those of third parties, although he adds some organisations are still maturing such programmes.

The head of operational risk at a second US bank says large and complex financial institutions have been gearing up for several years, as they are all regulated by the three prudential agencies as well as the SEC.


“Firms are either making continuous improvements or being required to upgrade their defences to stay in sync with their peers,” says the op risk head. “Bank frameworks take into consideration organic and external vulnerabilities through various programs including third party risk management practices to ensure complete and comprehensive coverage.”

Under the SEC’s rule 10, market entities would need to give the SEC immediate written electronic notice of a significant cyber incident, by filing a new form called SCIR (short for Significant Cybersecurity Incidents and Risks) through the Edgar system. SCIR would “elicit information about the significant cybersecurity incident and the covered entity’s efforts to respond to and recover from the incident”.

The draft SEC rule states that all market entities need to notify the Commission immediately “upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring”. Further, they would need to report information about the incident to the SEC no later than 48 hours after the event through Form SCIR.

Linklaters’ Potratz Metcalf calls that timeline “quite aggressive”. She adds: “This is against a backdrop where there are already 50 different state data breach notification laws, state and federal regulations governing breach reporting for financial institutions, a growing number of state privacy laws, and an inability to pass any US federal comprehensive data privacy law”.

Hogan Lovells partner Scott Loughlin, a privacy and cyber security lawyer, says immediate notice of a significant cyber event would be a difficult standard to meet. Identifying an attack requires an analysis based on collecting the relevant facts, and that takes time.

Loughlin adds that the “reasonable basis” language in the rule is designed to bring in more flexibility for regulated firms. But it also makes the requirement less clear-cut, potentially resulting in the SEC “second-guessing after the fact”, which would in turn create compliance uncertainty.

Just out of reach?

The issue of cyber attacks on third parties has risen to the top of the risk agenda following the shutdown of Ion, which triggered days of disruption to the settlement and reporting of derivatives trades in February, drawing regulator scrutiny.

The proposed amendments by the SEC will impose more specific requirements that third-party service providers and vendors must be evaluated as part of a firm’s cyber security risk management strategy.

“Given the increase of supply-chain attacks, it certainly makes sense from both a regulatory standpoint and practicality standpoint to understand the security posture of any vendor a firm may have that’s processing important company data or providing important outsourced functions,” says Gotham’s Scott.

However, the proposed SEC rules leave “much to be worked out in the details”, says Potratz Metcalf. In particular, she identifies questions around how service providers should be defined, whether other applicable regulations already set similar requirements, and the nature of due diligence that regulated firms will have to carry out on service providers.

She notes that the amendments to Reg S-P consider third-party cyber risk management at a rather high level. Firms must contractually require service providers processing their customers’ personal information to take “appropriate measures” to secure the data from unauthorised access.

“This may not go far enough to hold those entities or their service providers accountable, particularly where an organisation’s cybersecurity is only as strong as its weakest link,” she says.

In practice, Katten’s Lalone notes that US regulators are constrained by the lack of statutory authority to directly oversee outsourced service providers. In that context, by “beefing up policies and procedures and requiring greater transparency around cybersecurity incidents”, the SEC’s latest proposal “probably pushes the rulemaking envelope as far as it can go”.

Annual assessments

Under the SEC rule 10, market entities would also be required to annually assess the effectiveness of their cyber security policies. Michael Ruck, partner at law firm K&L Gates, says the proposal places an obligation on covered entities to ensure they have considered their cyber security risks and put in place adequate policies and procedures to address them, “rather than leaving such matters as open to them to consider”.

Stephen Harvey, president and chief executive of cyber risk analytics company BitSight Technologies, says the proposed rule contains “essential steps for any organisation to take in the 21st century”. He adds the rule would require firms to assess service provider cyber security practices, as well as focus on “timely patching of hardware and software vulnerabilities”.


However, Jack Jones, co-founder of consultancy RiskLens, points to a “missing element” in existing risk frameworks: accurate and meaningful cyber risk measurement. He warns that the SEC proposals as currently drafted may not change this.

“Organisations aren’t able to do a decent job of this, because the vast majority of [cyber] risk measurement is qualitative, which can’t be balanced against other, economically measured, imperatives,” says Jones.

The public comment period will remain open until 60 days after the date of publication in the Federal Register. Given the complexity of the proposal, Potratz Metcalf wouldn’t be surprised if the rulemaking process “drags on”.
