Industry trade groups are weighing in on the Securities and Exchange Commission's proposed new cybersecurity rules for broker-dealers, investment advisors and asset managers that require them to notify individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.
The comment period on the SEC's plan, proposed in March, ended Monday.
Stephen Hall, legal director at Better Markets in Washington, which submitted a comment letter, said that the SEC "has rightly proposed a rule that requires market participants to notify affected individuals. Notification can make the difference between identity theft that inflicts major financial losses and a swift response that results in minimal harm."
The SEC's proposed rule, Hall continued, "requires financial firms to notify breach victims so that they can take prompt action to protect themselves from the potential consequences. We urge the SEC to finalize the proposal without weakening any of its elements."
The SEC's plan would update Regulation S-P, which currently requires covered firms to notify customers about how they use their financial information but does not require alerts about data breaches, SEC Chairman Gary Gensler said in March.
Under the proposal, "covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves," Gensler said.
Gensler said in May 2022 that the proposal was coming.
The proposal, if adopted, would update the rule's requirements to address the expanded use of technology and corresponding risks since the commission originally adopted Reg S-P in 2000, the agency said.
