SEC rule for finance firms boosts disclosure requirements


He suggests CISOs continue to do what they have always done: examine the NIST guidelines and use them to build an appropriate incident response program.

New rules raise questions

Rasch also expressed concerns that the new rule focuses on personal information and not the many other types of sensitive financial data, such as evidence of insider trading. “By focusing narrowly on personal information, many companies will take their eyes off the ball and focus only on PII. And that’s a mistake,” Rasch said. 

He also complained that the new rule limits disclosure requirements to the financial institutions themselves and does not extend them to their many third parties. “This is a significant oversight given that third-party service providers often play a crucial role in data management and can be a weak link in the security chain. Without mandatory protections at the third-party level, overall system security might be compromised.”

One SEC Commissioner, Hester Peirce, voted for the new rule but expressed concern that it might generate notification fatigue, which could lead people to eventually ignore all security notifications. “My greatest concern about the rule is that its breadth could undermine the value of the customer notifications by making them so commonplace that people ignore them. At some point, the notifications will stop having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they will err on the side of sending a notice, even if one might not be necessary,” Peirce said in a statement. “How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?”

Peirce also said that the new rule may only aggravate today’s two-tier breach disclosure regime, in which individual states mandate rules that differ from those of the various federal agencies. “The industry still will contend with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work,” Peirce said.

Brian Levine, an attorney and Ernst & Young managing director for cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They need to be reducing the underlying breaches and not worry about whether their customers are getting desensitized to them,” Levine told CSO. “Notification fatigue is a very real thing, but the solution is to have fewer breaches, not fewer notifications.”
