Dear Secretary Countryman,
The Securities Industry and Financial Markets Association (“SIFMA”), Bank Policy Institute (“BPI”), Institute of International Bankers (“IIB”), and American Bankers Association (“ABA”), (collectively, the “associations”) appreciate the opportunity to respond to the Rule 10 Proposal issued by the Securities and Exchange Commission (the “Commission” or “SEC”) on March 15, 2023 (“Rule 10 Proposal” or the “Proposal”). The associations recognize the importance of providing cybersecurity risk management rules for the entities covered by the Proposal (“Market Entities”), including broker-dealers and security-based swap dealers. A well- designed SEC rule could provide further clarity and guidance on strong cybersecurity practices, collaboration with government agencies, and proper cyber breach reporting. However, the associations recommend that the Commission significantly revise the notice of proposed rulemaking in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications for certain of the proposed requirements in the Proposal.
The Commission should reconsider significant aspects of its Rule 10 Proposal to allow the necessary flexibility for Market Entities to respond to unique circumstances that can arise during a cybersecurity incident. The Rule 10 Proposal should also account for the Commission’s other proposals and existing cybersecurity requirements imposed by other financial regulators.
To read the full comment letter, please click here, or click on the download button below.
 Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34–97142, 88 Fed. Reg. 20212 (proposed Apr. 5, 2023) [hereinafter “Rule 10 Proposal”]. SIFMA notes that it requested an extension of the comment response deadline in order for it and other interested parties to have a full opportunity to comment effectively on this and many hundreds of pages of other SEC cybersecurity proposals that are simultaneously pending or were open or re-opened for comment at the same time as this Proposal. See SIFMA Letter to the SEC (Mar. 31, 2023), available at https://www.sec.gov/comments/s7-06-23/s70623-20162935-332874.pdf. The Commission failed to extend the comment deadline or otherwise respond to SIFMA’s letter. The SEC’s rushed proliferation of cybersecurity rulemakings is detrimental to sound policymaking in this crucial area and is not consistent with allowing regulated entities and other interested parties to fully evaluate the proposals and provide comprehensive feedback.