BPI’s BITS Comments on the Proposed Rulemaking Issued by the Securities and Exchange Commission Regarding Cybersecurity Risk Management and Incident Reporting

Ladies and Gentlemen:

The Bank Policy Institute (“BPI”)[1], through its technology policy division known as BITS[2], appreciates the opportunity to comment on the proposed rulemaking issued by the Securities and Exchange Commission (“SEC” or “Commission”) regarding cybersecurity risk management and incident reporting for investment advisers, registered investment companies, and business development companies. Last year, when the Commission first proposed this rule, BPI/BITS submitted a comment letter addressing several of the Commission’s questions. We therefore write to re-submit those same comments, but also to offer perspective on the importance of regulatory harmonization and consideration of other agencies’ cybersecurity objectives following several new cyber-related proposals published by the Commission during the past year.

The Commission appropriately recognizes the importance of sound cybersecurity programs and well-developed risk management policies. Since 2022, the Commission has proposed five separate rules designed to enhance consumer protection and inform investors of a company’s cybersecurity risk and incident response practices.[3] We recognize the value this information may have for prospective investors, but it is equally important that these proposals are well-coordinated and do not create unnecessary compliance challenges. It is also critical that the Commission consider the adverse impact these proposals could have on broader efforts across the public and private sectors to improve cyber threat detection and mitigation, disrupt malicious attacks, and hold bad actors accountable. We encourage the Commission to take a holistic approach that acknowledges the existing regulatory landscape and the impact public disclosure may have on our collective ability to improve security and resilience.


[1] The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans and are an engine for financial innovation and economic growth.

[2] BITS – Business, Innovation, Technology, and Security – is BPI’s technology policy division that provides an executive level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the nation’s financial sector.

[3] Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure, 87 Fed. Reg. 16590 (proposed Mar. 9, 2022); Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, 88 Fed. Reg. 16921 (proposed Mar. 21, 2023); Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, 88 Fed. Reg. 20212 (proposed Apr. 5, 2023); Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 88 Fed. Reg. 20616 (proposed Apr. 6, 2023); Regulation Systems Compliance and Integrity, 88 Fed. Reg. 23146 (proposed Apr. 14, 2023).