June 5, 2023

By Electronic Submission
Vanessa Countryman, Secretary
Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090

Re: File No. S7-06-23; RIN 3235-AN
Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents

Dear Secretary Countryman,

The Securities Industry and Financial Markets Association (“SIFMA”), Bank Policy Institute (“BPI”), Institute of International Bankers (“IIB”), and American Bankers Association (“ABA”), (collectively, the “associations”) appreciate the opportunity to respond to the Rule 10 Proposal issued by the Securities and Exchange Commission (the “Commission” or “SEC”) on March 15, 2023 (“Rule 10 Proposal” or the “Proposal”).1 The associations recognize the importance of providing cybersecurity risk management rules for the entities covered by the Proposal (“Market Entities”), including broker-dealers and security-based swap dealers. A welldesigned SEC rule could provide further clarity and guidance on strong cybersecurity practices, collaboration with government agencies, and proper cyber breach reporting. However, the associations recommend that the Commission significantly revise the notice of proposed rulemaking in line with essential cross-government harmonization, greater simplicity and flexibility, appropriate deference to the input of other government agencies, and thoughtful consideration of the burdens, impacts, and justifications for certain of the proposed requirements in the Proposal.

 

1 Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34–97142, 88 Fed. Reg. 20212 (proposed Apr. 5, 2023) [hereinafter “Rule 10 Proposal”]. SIFMA notes that it requested an extension of the comment response deadline in order for it and other interested parties to have a full opportunity to comment effectively on this and many hundreds of pages of other SEC cybersecurity proposals that are simultaneously pending or were open or re-opened for comment at the same time as this Proposal. See SIFMA Letter to the SEC (Mar. 31, 2023), available at https://www.sec.gov/comments/s7-06-23/s70623-20162935-332874.pdf. The Commission failed to extend the comment deadline or otherwise respond to SIFMA’s letter. The SEC’s rushed proliferation of cybersecurity rulemakings is detrimental to sound policymaking in this crucial area and is not consistent with allowing regulated entities and other interested parties to fully evaluate the proposals and provide comprehensive feedback.