US SEC Proposes 48-Hour Incident Reporting RequirementCommission Advances Rule With Mandatory Cyber Requirements in 3-1 Vote
The U.S. Securities and Exchange Commission on Wednesday voted 3-1 to advance new, mandatory cybersecurity rules for registered investment advisers, companies and funds. The rules - now open for at least a 30-day public comment period - would require related entities to adopt and implement written cybersecurity policies and would issue a 48-hour incident reporting mandate to the commission via a new confidential form.
"Cyber risk relates to each part of the SEC's three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets," SEC Chair Gary Gensler said in a statement. "The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."
The proposal would also require covered entities to publicly disclose cybersecurity risks and "significant incidents" detected over the past two fiscal years, set forth new record-keeping requirements for advisers and funds and facilitate the SEC's inspection and enforcement capabilities. Its public comment period runs for at least 30 days.
In a fact sheet, the SEC says that both advisers and funds play "an important role" in U.S. financial markets and depend on technology for critical operations. As such, they are part of interconnected systems and networks that face heightened cybersecurity risks.
On what is arguably the rule's most critical component - incident reporting - the commission says it would require entities to report "significant cybersecurity incidents," including on behalf of a fund or private fund client, through a new Form ADV-C.
The SEC commissioners say in their statement: "These confidential reports would bolster the efficiency and effectiveness of the commission's efforts to protect investors by helping [it] monitor and evaluate the effects of a cybersecurity incident on an adviser and its clients, as well as assess the potential systemic risks affecting financial markets more broadly."
The rule would also amend the existing Form ADV Part 2A - which contains information about entities' business practices, fees, risks, conflicts of interests and disciplinary action - to require disclosure of cyber risks and incidents to clients and prospective clients. The amendments call for descriptions of any "significant" incident over the past two fiscal years.
The proposal would also require advisers to maintain certain records related to cyber risk management, and the occurrence-related incidents. It would also require funds to maintain copies of cyber policies and procedures, and other records.
Lone 'No' Vote
Republican SEC Commissioner Hester Peirce was the lone vote against the proposal, citing potential harm to financial institutions that have fallen victim to cybercrimes.
In a statement, Peirce said: "Absent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach."
She continued: "Rules that set forth detailed cybersecurity prescriptions could become an easy hook for an enforcement action, even when a firm has made reasonable efforts to comply with the prescriptions.
"The proposal is intended to give cybersecurity the top billing on funds' and advisers' agendas that it deserves. While I have serious concerns about the shape the rule has taken, I am grateful to the staff for the care they put into the release. [It] does a good job balancing the need to notify the commission and investors of cyber incidents, with legitimate concerns about the timing of such disclosures and perils of overdisclosure, which can provide a road map to future bad actors."
Some security experts say the recent surge in ransomware has hastened a fairly rapid regulatory response.
"This guidance comes at a time when ransomware in particular is of heightened concern. And when it comes to ransoms, perhaps there is no bigger target than financial institutions in terms of perceived potential payouts - not to mention the potential consequences a breach could have in derailing economic activity," says Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance.
"Reporting in particular continues to be a big focus for the Biden administration, and this announcement builds on some of [these] cyber moves and desires," she says.
Still, others urge caution.
Adam Flatley, a member of the U.S. Ransomware Task Force and a former technical lead at the National Security Agency, says: "Such policies must not be treated as a check box on a compliance list, but rather used to drive real change and improvements in the industry.
"Mandatory reporting quickly becomes a double-edged sword if implemented improperly, and it is critical that the government avoids penalizing companies for complying with new reporting rules."
Otherwise, Flatley, currently the director of threat intelligence for the firm Redacted, says companies will be hesitant to report and will compensate by classifying serious incidents beneath the "significant" bar, making the rule less effective.
And Nasser Fattah, an adjunct professor of cybersecurity at New Jersey Institute of Technology, says the industry can "expect more primary regulators [to require] covered entities to report on cybersecurity incidents."
Fattah, who chairs the North America Steering Committee for the third-party risk platform Shared Assessments, says: "The time frame to report an incident and what constitutes a significant/material incident can vary from one regulatory body to another. The same is true at the state level." As such, he adds, the industry can expect to see more disparate versions of mandatory incident reporting.
Banking Rules, Senate Committee
This SEC proposal follows a rule approved by U.S. banking regulators in November 2021 requiring banks to notify their primary regulatory body no later than 36 hours after a "computer-security incident" (see: Regulators: Banks Have 36 Hours to Report Cyber Incidents).
Regulators from the Department of the Treasury's Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corp. implemented the rule, which will go into effect April 1, with full compliance extended to May 1. Notifications will go to appropriate FDIC supervisory offices or FDIC-designated points of contact.
Elsewhere, Senate leaders within the Homeland Security and Governmental Affairs Committee - Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio - have also spearheaded a charge to push mandatory reporting across the finish line for critical infrastructure providers.
Their Strengthening American Cybersecurity Act, introduced this week, bundles three committee-passed cybersecurity measures, including a modernization to FISMA, which has not been touched since 2014. But Peters and Portman's reporting component would require critical infrastructure providers to disclose cyber incidents within 72 hours and ransom payments within 24 hours (see: Security Experts Discuss Log4j Mitigation Before US Senate).
In a Senate hearing on Tuesday on the Log4Shell vulnerability, Peters urged his colleagues to pass the "landmark legislation," saying it will "help our lead cybersecurity agency better understand the scope of attacks, including vulnerabilities like Log4j, to warn others of the threat, prepare for potential impacts, and help affected entities respond and recover."