For more than a year in the late 2010s, personal information was stolen from hacked emails that representatives of the now-defunct wealth management firm KMS Financial Services sent out to roughly 4,900 clients.
Although the breaches were first discovered in November 2018, the Seattle-based advisory and brokerage hybrid didn't bring them to a halt until December of the following year. Even worse from a federal regulator's perspective, KMS Financial Services didn't have formal, proper policies for preventing and reporting cybersecurity attacks in place until August 2020.
Now a slew of Securities and Exchange Commission regulatory proposals is seeking to keep advisors and brokers more on the ball when it comes to protecting customers' personal information.
The SEC voted unanimously at a virtual meeting on March 15 to advance the rule, giving the public 60 days to comment before it would be put to a formal vote. SEC Chairman Gary Gensler said the SEC's rules designed to protect customer information — known as Regulation S-P — have not been overhauled since their adoption in 2000.
"Investors would benefit from a financial privacy rule more modern than the AOL era," Gensler said. "Though the current rule requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches. I think we should close this gap."
Mike Pappacena, a partner in the cybersecurity and risk division of ACA Group — a governance, risk and compliance advisor in financial service firms — said one of the best ways to prevent damage from a breach is to let clients know their personal data has been compromised. The sooner they are alerted, the faster they can take steps to prevent the information from being misused.
"If there is a cyber incident, it's important to make sure it's disclosed not only to the regulators, but also to all affected parties," Pappacena said.
Many states already have rules requiring advisors and brokers to report security breaches within varying timeframes. The SEC's proposed rule notes that 15 states allow for more than 30 days for reporting breaches, while 32 states have no notification deadlines. The SEC proposal would allow states to adopt stricter deadlines shorter than the maximum of 30 days.
At least one SEC commissioner saw the possibility for confusion arising from so many state regulations falling under an overarching federal rule.
"What is a firm that finds itself pinched between competing state and federal notification rules supposed to do?" Hester Peirce, a Republican appointee, said during the March 15 virtual meeting. "Rather than preempting or deferring to state law, we dance around the problem we are creating and provide no workable strategy for firms to manage the conflict."
The proposal does include an exemption for notifying customers of breaches. Firms that conduct investigations and find that whatever information was pilfered isn't likely to be "used in a manner that would result in substantial harm or inconvenience" don't have to bother with the disclosure requirement.
"Most firms will err on the side of caution and just send the notice every time," Peirce predicted.
Peirce also noted the rule would extend its requirements to any third parties or vendors a firm might work with. Putting the proper procedures in place with those companies will most likely require renegotiating their contracts. The one year advisors and brokers will be given to comply with the new rule should the SEC adopt it, Peirce said, will hardly afford enough time for all that.
In voting to advance the proposed rule despite her misgivings, Peirce joined her fellow commissioners in citing recent increases in cybercrime. The proposal notes the FBI's Internet Crime Complaint Center received 847,376 complaints in 2021. That was up 181% from 2017. Of the complaints from 2021, 51,629 concerned identity theft and 51,829 personal data breaches. Those numbers increased by 193% and 68% from 2017, respectively.
For some industry groups, the concern about the SEC's latest proposal has less to do with its details than with the fact that it's coming alongside a blizzard of other new and planned regulations. Gail Bernstein, general counsel for the Investment Adviser Association — an industry group representing more than 600 advisory firms — said she and her colleagues are still studying the ways the SEC is seeking to modify Regulation S-P.
Of more immediate concern, she said, is "the sheer scale and volume of what's coming out of the SEC."
"Regulators really need to step back and look holistically at the entire regulatory landscape — not only at what they are trying to do, but at what already exists," Bernstein said. "And then they need to think about: How do people fit all this together? What's the cumulative impact of all these things?"
Bernstein noted the SEC's agenda for its March 15 meeting contained
Meanwhile, the SEC has given the public
The Commission is reopening the comment period for the proposed rules so that commenters may consider whether there would be any effects of the related proposals that the Commission should consider. Among other things, the regulation would require advisors to provide confidential reports of data breaches to the SEC within 48 hours and to disclose to clients current cybersecurity risks and past attacks.
The Investment Adviser Association has taken a stance against some of this proposal's provisions. The 48-hour reporting requirement, for instance, does not provide enough time in situations in which advisors are likely to be preoccupied with figuring out how a breach occurred, how to prevent further leaks and how to protect clients.
"It's a pretty complex process making one of these reports to the SEC," Bernstein said. "Lawyers have to look at it. Compliance has to look at it. Business folks have to look at it. And this is all happening at the same time you are trying to put out this fire."
Pappacena noted, though, that the SEC has been pushing for stronger cybersecurity policies for years, even if it hasn't necessarily had former rules requiring them.
"So it's not surprising to see regulators mandate these things," he said. "Largely they're trying to get assurances that firms are taking cybersecurity seriously and doing what they can."
