From the Publisher: Yigal M. Rechtman, CPA, is the publisher of the CPA Publisher.
Executive Summary
The proposed cybersecurity rule takes a conservative stance, aiming to minimize perceived compliance costs rather than prioritizing strong security measures. While we support a risk-based approach, the rule should shift from a passive compliance model to one that demands accountability and rigorous security standards. Rather than justifying each requirement through cost-benefit analysis, the rule should treat cybersecurity as an essential regulatory function.
We recommend expanding the set of covered entities, distinguishing incidents from breaches, and aligning the rule's definitions with established risk frameworks such as NIST SP 800-30 (Guide for Conducting Risk Assessments). The proposed audit cost estimates are unrealistically low, and the rule should rely on independent external inspections rather than internal self-assessments to ensure effective compliance.
Detailed Analysis
1. Expanding the Scope of Covered Entities
The rule should explicitly include subcontractors, platform providers, consultants, and any other third party with access to financial recordkeeping systems. A covered entity's security is only as strong as that of the parties it grants access to; a comprehensive regulatory scope ensures that cybersecurity obligations extend beyond primary entities to every party in the chain.
2. Notification Requirements and Incident Classification
The proposed 48-hour notification window is arbitrary and, if it starts at first detection, would generate a high volume of low-value reports about events that never rise to the level of a breach. We suggest adopting a two-tier classification:
- Incident: A potential security event that warrants investigation.
- Breach: A confirmed event resulting in data compromise or harm.
This approach is modeled after HIPAA, which distinguishes a "security incident" from a "breach" and starts its notification clock on the discovery of a breach rather than on the first alert. Starting the clock at breach classification would reduce unnecessary disclosures while maintaining vigilance over significant security breaches.
3. Aligning Cybersecurity Definitions with Industry Standards
The definitions in the proposed rule do not align with established regulations such as HIPAA or state cybersecurity laws, which leaves entities subject to several regimes with inconsistent terms. We recommend referencing NIST SP 800-30 for risk assessments to create consistency across industries and regulatory frameworks.
4. Public Disclosure and Reporting Concerns
While transparency is critical, excessive public disclosure of cybersecurity incidents could expose organizations to further risk. The rule should specify disclosure methods that inform investors and other stakeholders without publishing details an attacker could reuse, such as unremediated vulnerabilities or specifics of the affected systems. The SEC should collaborate with existing agencies, such as the FBI-led National Cyber Investigative Joint Task Force (NCIJTF), rather than becoming an isolated reporting entity.
5. Strengthening Risk Management Policies
We support the proposed five core risk management areas:
- Risk assessment
- User security and access
- Information protection
- Cybersecurity threat and vulnerability management
- Incident response and recovery
However, audits should be performed by independent external parties to avoid the conflict of interest inherent in an entity assessing its own controls. The estimated cost of $1,500-$20,000 per audit is unrealistic for an assessment covering all five areas; we propose an adjusted range of $15,000-$35,000 to ensure high-quality assessments.
6. Addressing Crypto Asset Risks
The proposal acknowledges risks from cryptocurrency and smart contracts but fails to introduce meaningful action. We recommend:
- Enhanced awareness training to mitigate phishing and fraud risks targeting custodial credentials and wallet keys.
- Monitoring of exchange and wallet activity to detect anomalous transactions and attacks on the underlying blockchain.
- Stronger "Know Your Customer" (KYC) measures to prevent fraudulent transactions.
- Hardware-based security measures, such as hardware wallets and hardware authentication keys, against man-in-the-middle (MitM) and credential-theft attacks.
- Offline (air-gapped) backups, with periodic restoration tests, to mitigate ransomware threats.
Instead of merely recognizing threats, the rule should mandate proactive cybersecurity measures for entities handling digital assets.
Conclusion
The SEC must enforce stronger cybersecurity obligations, moving beyond minimum compliance to proactive protection of financial systems. Expanding coverage, refining risk definitions, and prioritizing external audits will significantly enhance security resilience. Additionally, the SEC should work in tandem with established cybersecurity agencies to avoid regulatory redundancy and ensure meaningful oversight.