Thank you, Chair Gensler. The Commission routinely explains the need for new disclosure mandates by insisting that investors really want the information. In this case, I agree. Investors want to know if their personal information has been compromised and want it to be protected, and thus I support this proposal. However, my support is far from unreserved, and my willingness to vote for a final rule will depend largely on our response to problems identified by commenters.
Before I address this rule specifically, let me make one comment that applies to all the rules before us today. The proposed expansion of Regulation SP is one of three cybersecurity and systems-protection proposals we are considering today. Regulation SP overlaps and intersects with each of the others, as well as with other existing and proposed regulations – e.g., the cybersecurity rule for investment advisers, investment companies, and business development companies, and the recently proposed investment adviser outsourcing rule. The release does not try to hide these facts, and actually goes into considerable detail about the redundancies, but then it simply declares them appropriate given the different purposes, that they are “largely consistent,” and probably not “unreasonably costly.” Admittedly, rationalizing these overlapping requirements would be hard. To paraphrase John Kennedy when addressing another difficult challenge, the Commission should choose to harmonize and synthesize these rules not because it is easy, but because it is hard, because the goal will serve to organize and measure the best of our energies and skills, because the challenge is one that we are willing to accept, one we are unwilling to postpone.
Assuming those inspiring words did not convince my colleagues to postpone this rulemaking until we undertake a moonshot harmonization project, let me highlight some other concerns specific to the rule:
- While I support customer notification, the rule should include a law enforcement exception permitting covered institutions to delay alerting customers about an unauthorized incursion when there is a valid law enforcement or national security need for doing so. We are making the small concession of allowing the Attorney General to obtain a delay of up to 30 days, if he can cite a substantial risk to national security in writing.
- Many states have customer notification provisions, some of which conflict with ours. What is a firm that finds itself pinched between competing state and federal notification rules supposed to do? Rather than preempting or deferring to state law, we dance around the problem we are creating and provide no workable strategy for firms to manage the conflict.
- Firms experiencing a cyberincident will be juggling multiple notification requirements, including potentially reporting to more than one place at the Commission. We could think big and create a dynamic form that enables the appropriate information to reach the right parts of the Commission without requiring multiple filings for the same triggering event.
- The rule’s reach is broader than it might appear at first glance. Here are several examples:
- For instance, the breadth of information considered to be “customer information” includes “all consumer information that a covered institution maintains or otherwise possesses for a business purpose . . . regardless of whether such information pertains to individuals with whom the covered institution has a customer relationship, or pertains to the customers of other financial institutions.” Everyone is a customer of yours for purposes of the rule because everyon is some firm’s customer.
- The notification requirement would apply to “sensitive customer information,” which would encompass “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” The limits of this term are unclear.
- The amendments would extend the safeguards rule to all transfer agents, regardless of whether they are registered with us, which requires a strained understanding of the term “customer.”
- While notifying customers of unauthorized access to their information is a good thing, the proposal may result in too much of a good thing. Covered institutions would be obliged to notify individuals “whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.” While covered institutions could forgo notification if they determine after an investigation that the sensitive customer information “has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience,” most firms will err on the side of caution and just send the notice every time. We explicitly reject the path chosen by the federal banking agencies who sought “to give institutions greater discretion in determining whether to send notices, avoid alarming customers with too many notices and not to require institutions to prove a negative.”
- Firms would have to enter into written contracts with service providers to obligate them to take “appropriate measures . . . designed to protect against unauthorized access to or use of customer information.” The proposal defines “service provider” broadly, to include “any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” As the release acknowledges, this would-be universe of service providers could include “email providers, customer relationship management systems, cloud applications, and other technology vendors.” How much will it cost to renegotiate all of those contracts? Will it even be possible to do so? What happens to a covered institution whose service provider chooses not to play ball?
- The need to rewrite many contracts brings me to the last concern I will raise. The proposed compliance period is one year. I cannot understand how this is reasonable, given the work that firms will need to do to come into compliance with the rule’s requirements, much less, if this rule is adopted with the other two rules we are considering today, the requirements of any overlapping rules.
Despite my reservations, my respect for the work that has gone into this proposal is considerable. I particularly appreciate the time that the hardworking teams in IM and DERA found to answer my many questions and discuss my concerns. Thanks also go to Trading and Markets, which also was responsible for the rest of today’s agenda. As always, I look forward to hearing from commenters as I consider how to proceed should this rulemaking reach the final stage.
 See Proposal at pp. 61-2. (“The covered institution may delay such a notice for an initial period specified by the Attorney General of the United States, but not for longer than 15 days. The notice may be delayed an additional 15 days if the Attorney General of the United States determines that the notice continues to pose a substantial risk to national security. This would allow a combined delay period of up to 30 days, upon the expiration of which the covered institution must provide notice immediately.”).
 Proposal at 248.30(a).
 Proposal at 248.30(e)(9)(i).
 Proposal at 248.30(b)(4)(i).
 See Proposal at note 100.
 Proposal at 248.30(b)(5)(i).
 Proposal at 248.30(e)(10).