Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

A Tale of Two SECs

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 11, 2022. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week ITRC COO James E. Lee was looking through some news items when he came across this headline from the Washington Post: SEC is Hopping on the Cybersecurity Bus. He will freely admit that his first thought was, “Why does the Southeastern Conference care about cybersecurity practices?”

Then it dawned on him the article was about the Securities & Exchange Commission (SEC). He still wondered why the SEC was suddenly interested in cybersecurity practices? So, let’s call today’s episode – A Tale of Two SECs. 

SEC Makes Recommendations on How to Improve Cybersecurity Practices

It’s been nearly a decade since the SEC adopted its Reg SCI or Regulations for Systems Compliance and Integrity. Adopted in 2014, the goal was to strengthen the technology infrastructure of the U.S. securities markets. It was something of a surprise last month when the Chair of the Commission, Gary Gensler, announced that he had asked the SEC staff to make recommendations on improving the financial sector’s cybersecurity practices and incident reporting. 

Chair Gensler revealed his intentions during a speech at Northwestern University. He also cited investor interest as a reason he was seeking to enhance how clients receive notifications of data breaches, as well as how public companies disclose cybersecurity practices and risks. In a nod to the increasing cyber threats from third-party vendors, Gensler also asked staff to look at how to address cyber issues related to service providers. In his speech, the SEC Chair noted that “Cyber incidents, unfortunately, happen a lot. History and any study of human nature tell us they’re going to continue to happen.” 

SEC Proposes Rule Requiring Financial Institutions to Report Cybersecurity Incidents

Back in Washington, the SEC staff wasted no time coming up with a new rule requiring financial institutions to report, on a confidential basis, to the SEC any significant cybersecurity incident. The new rule, approved this week on a 3-1 vote, would require a notice be filed with the Commission within 48 hours of an incident. That would not necessarily trigger a public notice.

The proposal would also require investment advisers and funds to adopt a minimum set of cybersecurity practices, including: 

  • Risk assessments,
  • User security and access controls,
  • Policies, procedures, and practices to prevent unauthorized use of information, and
  • An annual written review of cybersecurity risks and policies that would require review by the board of directors.

These are pretty modest changes and reflect many of the requirements already in place by some state regulators and other federal agencies. However, they are not without their critics. There is concern that the 48-hour notice rule may be too strict since not much is known about most cyberattacks until days, weeks or months after they’re discovered. 

Still, a mandatory reporting requirement is a big step in the right direction. This week’s Commission vote triggers a required 30-day public comment period where anyone can submit their thoughts on the proposed rule changes. The Commission has at least one more chance to change the proposal once the public comment period ends. If there are changes, look for them to focus on the 48-hour notice provision.

Contact the ITRC

If you want to learn more about cybersecurity practices, how to protect your personal information or if you think you have been the victim of an identity crime or compromise, visit our new website www.idtheftcenter.org. From there, you can speak with an expert ITRC advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). 

Be sure to listen to the latest episode of our sister podcast, The Fraudian Slip, where ITRC CEO Eva Velasquez visits with Kelle Slaughter of the Federal Trade Commission about Identity Theft Awareness Week.

Thanks again to Experian for supporting the ITRC and this podcast. We will be back next time with another episode of the Weekly Breach Breakdown.