SEC’s breach notification proposal one step closer to a final vote

The proposed rule would give institutions 48 hours to report a cyber incident to the agency.
Gary Gensler
SEC Chairman Gary Gensler speaks at a Senate Banking Committee hearing in September 2021. (Photo by Evelyn Hockstein-Pool/Getty Images)

The Securities and Exchange Commission voted Wednesday 3-1 to approve a recommendation for tighter mandatory cybersecurity requirements for financial institutions. The proposed rule will now open to public comment before a final vote.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,”  SEC Chairman Gary Gensler said at the agency’s open meeting.

Most critically, the new rule would require confidential reports of any “significant” cybersecurity incidents to the SEC within 48 hours.

The proposal also would require advisers and funds to adopt, at a minimum, cybersecurity protections including a risk assessment; user security and access controls; information protection and monitoring to protect systems from unauthorized use; and an annual written review of cybersecurity risks and policies. The report would require review by a board of directors.


Commissioners said they want more input on how the rule would cover disclosures of cybersecurity risk and incident information to investors. The current proposal does not offer specific suggestions on the timeline or extent of disclosures to investors.

The rule is just one push by Gensler in steering the commission toward taking a stronger hand in addressing cybersecurity risks in the industry. SEC staff is also looking into updating the commission’s “Regulation Systems Compliance and Integrity,” which would include some of the largest broker-dealers, as well as updates to requirements around customer notices.

The agency’s deliberations over potential breach disclosure requirements align with broader efforts from members of Congress to enhance breach notification requirements for critical industries, as well as moves by other agencies including the Federal Communications Commission to tighten incident reporting rules.

Commissioner Hester Peirce, who voted against the recommendation, warned that the new requirements could end up hurting financial institutions that are the victims of cybercrime, rather than helping them.


“Rules that set forth detailed cybersecurity prescriptions could become an easy hook for an enforcement action even when a firm has made reasonable efforts to comply with the prescriptions,” said Peirce, who advocated instead for stronger guidance for advisers and investors.

“The area of cybersecurity is one that demands transparent cooperation between regulators and financial firms toward the achievement of a shared goal,” she said. “A cybersecurity role that is styled as a cudgel will not facilitate such cooperation.”

The proposal period, which is subject to change, will remain open for at least 30 days.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts