February 7, 2022

Submitted electronically via Regulations.gov

Federal Trade Commission
Office of the Secretary
600 Pennsylvania Avenue NW
Suite CC-5610 (Annex B)
Washington, DC 20580

Re: Safeguards Rule, 16 C.F.R. part 314, Project No. P145407

Dear Secretary Tabor:

The Securities Industry and Financial Markets Association (“SIFMA”)1 and the BanknPolicy Institute (“BPI”)2 (collectively, the “Associations”) appreciate the opportunity to comment on the supplemental notice of proposed rulemaking issued by the Federal Trade Commission (“FTC” or “Commission”) about further amending the Standards for Safeguarding Customer Information, 16 C.F.R. part 314 (the “Safeguards Rule”).3

More than two decades ago, drafters of the Gramm-Leach-Bliley Act (“GLBA”), enacted in 1999, sought to establish new privacy and security standards for the protection of personal information processed by financial institutions. Rather than impose prescriptive technological controls, GLBA delegates to financial regulators the authority to create standards that evolve with technological changes. In 2002, the Commission first promulgated its version of the Safeguards Rule, and recently amended it to require specific security controls and accountability measures expressly modeled on the New York Department of Financial Services (“NYDFS”) cybersecurity rule.

In October 2021, the Commission proposed an additional amendment to the updated Safeguards Rule that would require institutions within its jurisdiction that experience a security event, in which the misuse of customer information has occurred or is reasonably likely, to provide notice of the event to the Commission no later than 30 days after discovery of the event if it affected or reasonably may have affected at least 1,000 consumers (“Proposed Amendment”). 4 The Commission seeks such report to “ensure the Commission is aware of security events that could suggest a financial institution’s security program does not comply with the Rule’s requirements, thus facilitating Commission enforcement of the Rule.”5 The Commission would then “input the information it receives from affected financial institutions into a database that it will update periodically and make available to the public” 6 in order to “assist consumers by providing information as to the security of their personal information in the hands of various financial institutions.”7

While we share the Commission’s concerns about the unique threat that current cyber risks pose for financial institutions, we write today to offer what we intend to be constructive comments on the Proposed Amendment, which, as currently drafted, could create operational and compliance challenges for some of our members without necessarily achieving the stated intent of the Proposed Amendment in an effective manner. We value the opportunity to provide input on the reporting requirement and address the issues highlighted by the Commission in its Proposed Amendment.

1 SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our members, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).

2 The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

3 SIFMA and BPI would like to thank Edward McNicholas and Briana Fasone of Ropes & Gray for their counsel and assistance in drafting this letter.

4 Standards for Safeguarding Customer Information, 86 Fed. Reg. 70062 (proposed Dec. 9, 2021) (to be codified at 16 C.F.R. 314).

5 86 Fed. Reg. at 70064.

6 Id.

7 Id. at 70066.