WASHINGTON, D.C. — Today, the American Securities Association (ASA) sent a comment letter to the U.S. Securities and Exchange Commission (SEC) regarding new mandates related to cybersecurity policies and procedures for broker-dealers and other entities.
“Cybersecurity is a top priority for financial institutions, who dedicate significant resources to protect the sensitive personal information of investors and the integrity of the financial system,” said President and CEO of the American Securities Association Chris Iacovella. “The biggest cyberthreat facing American investors today is not the lack of standardization regarding broker-dealer customer notification policies or insufficient public disclosure regarding major cyber events, it is the vast collection and storage of American investors’ financial and personal information in an unsecure, centralized database in Washington that will become ‘the target’ for cybercriminals and hackers from Russia and China who wish to inflict economic harm on the United States.”
On the Consolidated Audit Trail (CAT) specifically, the letter notes that “While it may have been unintentional, the Risk Management Proposal aptly described the biggest threats emanating from the CAT and made a persuasive case for prohibiting the collection of retail investor PII.” The letter also warned, “The SEC CAT policy is dangerous and must be changed before it causes the financial and personal information of millions of Americans to be compromised.”
“Additionally, the SEC has not even considered the interaction of the Risk Management Proposal and Reg S-P Proposal with its own rules,” Iacovella said. “We urge this Commission to stop moving forward with ill-conceived ideas that do nothing but empower a professional class of lawyers and consultants whose hourly rates seem to increase every time a new rule is adopted.”
The Association cites extensive comments by SEC Chairman Gary Gensler, as well as Commissioner Peirce, on the growing threat of cyber-criminal activity within financial systems. In the letter to the SEC, ASA outlined numerous concerns associated with the proposal:
General Concerns: ASA believes the SEC’s proposals are not supported by evidence that brokers are fundamentally failing in their obligations to safeguard investor information and notify government authorities. Additionally, the proposals fail to address or even consider the biggest cyberthreat facing investors today: The collection and storage of the personally identifiable information (PII) of every American that trades a share of stock on a U.S. exchange by the consolidated audit trail (CAT), which is a centralized database housed in Washington and accessible by thousands of individuals.
Impact of Voluminous Notifications: ASA believes the definition of a “significant cybersecurity incident” is extremely broad. The application of reporting requirements for incidents that involve a single customer, counterparty, member, registrant, or anyone that interacts with a broker is unnecessary and could lead to a high volume of incident reports filed with the SEC and public disclosures by brokers – even if those incidents did not implicate or threaten a broker’s customer base or ability to carry out its core functions.
Failure to Consider Current Regulations: ASA believes that, since many broker-dealers are also public reporting companies under the Exchange Act, it is imperative that the SEC not overburden brokers with immaterial reporting requirements and, more importantly, that it not harm, confuse, or mislead investors by imposing reporting rules that conflict with one another.
In January, ASA sent a letter to the SEC strongly opposing an attempt by self-regulatory organizations (SROs) to disclaim liability when the CAT database is breached. Following a massive cyber breach at federal agencies, including the Treasury and Commerce Departments, ASA once again called on the SEC to end the CAT’s collection of retail investor personal and financial data. ASA also sent a comment letter to the SEC highlighting how collecting this unprecedented amount of data will cause extraordinary harm to American investors while achieving minimal regulatory benefits.
In May 2020, ASA launched MyDataMyVote.com, a nationwide grassroots movement mobilizing all Americans to help stop the collection of retail investor data.
###