BPI, SIFMA, SIFMA AMG, IIB and ABA Respond to the Proposed Amendments to Regulation S-P Issued by the Securities and Exchange Commission

Dear Secretary Countryman,

The Securities Industry and Financial Markets Association (“SIFMA”), SIFMA Asset Management Group (“SIFMA AMG”), Bank Policy Institute (“BPI”), Institute of International Bankers (“IIB”), and American Bankers Association (“ABA”) (collectively, the “associations”) appreciate the opportunity to respond to the proposed amendments to Regulation S-P issued by the Securities and Exchange Commission (the “Commission” or “SEC”) on March 15, 2023 (the “Regulation S-P Proposal” or the “Proposal”).[1] The associations welcome amendments to Regulation S-P to provide further clarity and guidance to its existing rules. Moreover, we appreciate the importance of strong cybersecurity practices for companies and our country, including appropriate notification of cybersecurity incidents to individuals.[2]

The associations recommend that the Commission reconsider, based on the recommendations in this letter, certain aspects of its Regulation S-P Proposal, which at times is too prescriptive and does not provide enough flexibility to covered institutions in responding to the unique circumstances that can arise during an incident. Additionally, the Regulation S-P Proposal could be improved by taking into account the Commission’s other proposals related to cybersecurity, a covered institution’s need to comply with existing data breach notification laws, and the benefit of coordinating with law enforcement, cybersecurity, intelligence, and national security agencies during a security incident.


[1] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities, Release Nos. 34–97141; IA–6262; IC–34854, 88 Fed. Reg. 20616 (proposed Apr. 6, 2023). SIFMA notes that it requested an extension of the comment response deadline in order for it and other interested parties to have a full opportunity to comment effectively on this and many hundreds of pages of other SEC cybersecurity proposals that are simultaneously pending or were open or re-opened for comment at the same time as this Proposal. See SIFMA Letter to the SEC (Mar. 31, 2023), available at https://www.sec.gov/comments/s7-05-23/s70523-20162960-332927.pdf. The Commission failed to extend the comment deadline or otherwise respond to SIFMA’s letter. The SEC’s rushed proliferation of cybersecurity rulemakings is detrimental to sound policymaking in this crucial area and is not fair to regulated entities and other interested parties.

[2] See Cybersecurity Resources, SIFMA, available at https://www.sifma.org/resources/cybersecurity-resources/; SIFMA Statement on Completion of Quantum Dawn VI Cybersecurity Exercise, SIFMA (Nov. 18, 2021), available at https://www.sifma.org/resources/news/sifma-statement-on-completion-of-quantum-dawn-vi-cybersecurity-exercise/; Letter from SIFMA to the SEC (Apr. 11, 2022), available at https://www.sifma.org/wp-content/uploads/2022/04/SIFMA-and-AMG-Comment-Letter-on-SEC-Cybersecurity-Proposals.pdf; Letter from SIFMA to the SEC (May 9, 2022), available at https://www.sifma.org/wp-content/uploads/2022/05/SIFMA-Comment-S7-09-22-May-9-2022.pdf.