The SEC announced rule changes for some financial companies that will require more customer disclosures when security incidents impact their personal information as well as mandate incident response programs. The new rule, however, is unlikely to change anything for enterprise financial companies as they were either already required to make such disclosures or already had incident response programs in place.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC chair Gary Gensler in a statement. “These amendments will help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
The new rules are amendments to Regulation S-P and only apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
The disclosure standard has nothing to do with whether the security incident was material or not. It “would provide notices to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable, but not later than 30 days, after becoming aware that the incident occurred or is reasonably likely to have occurred,” the SEC said.
Mark Rasch, an attorney specializing in cybersecurity issues who used to head the US Justice Department’s high-tech crimes group, told CSO that the new rule instructs companies “to secure that which they have been securing for decades. But the SEC is saying ‘Now you really have to do it.’ This is the toddler bedtime rule: ‘Now this time, I really mean that you have to go to bed.’”
Rasch, who also does legal work for threat intel firm Unit221B, said that the new rule requires an incident response program, but it doesn’t in any way specify what such a program needs to look like. It does require that such programs be reasonably calculated to be effective, he said. “How do we know when it’s ineffective? We only know that when it doesn’t work” and a security problem happens.
He suggests CISOs continue to do what they have historically always done: examine the NIST guidelines to develop an appropriate incident response program.
New rules raise questions
Rasch also expressed concerns that the new rule focuses on personal information and not the many other types of sensitive financial data, such as evidence of insider trading. “By focusing narrowly on personal information, many companies will take their eyes off the ball and focus only on PII. And that’s a mistake,” Rasch said.
He also complained that the new rule limits disclosure requirements to the financial institutions themselves and not to their many third parties. “This is a significant oversight given that third-party service providers often play a crucial role in data management and can be a weak link in the security chain. Without mandatory protections at the third-party level, overall system security might be compromised.”
One SEC Commissioner, Hester Peirce, voted for the new rule but expressed concern that it might generate notification fatigue, which could lead to people eventually ignoring all security notifications. “My greatest concern about the rule is that its breadth could undermine the value of the customer notifications by making them so commonplace that people ignore them. At some point, the notifications will stop having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they will err on the side of sending a notice, even if one might not be necessary,” Peirce said in a statement. “How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?”
Peirce also said that the new rule may only aggravate today’s two-tier breach disclosure rules, with different states mandating different rules than various federal agencies. “The industry still will contend with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work,” Peirce said.
Brian Levine, an attorney who is the Ernst & Young managing director for cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They need to be reducing the underlying breaches and not worry about whether their customers are getting desensitized to them,” Levine told CSO. “Notification fatigue is a very real thing, but the solution is to have fewer breaches, not fewer notifications.”
The SEC’s documentation lays out why the regulations are being changed. The problem, it says, is that a myriad of other federal and industry requirements cover the same or similar ground.
“Currently, Regulation S-P’s protections under the safeguards rule and disposal rule apply to different, and at times overlapping, sets of information. Specifically, as required under the GLBA, the safeguards rule requires broker-dealers, investment companies, and registered investment advisers, but not transfer agents, to maintain written policies and procedures to protect customer records and information, which is not defined in the GLBA or in Regulation S-P,” the SEC filing stated.
“Currently, the safeguards rule addresses protecting customer information against unauthorized access or use, but it does not include a requirement to notify affected individuals in the event of a data breach. In assessing firm and industry compliance with these requirements, Commission staff typically focus on information security controls, including whether firms have taken appropriate measures to safeguard customer accounts and to respond to data breaches.”