SEC Proposes New Guidance on Cybersecurity Risks, Customer Protection
To address cybersecurity risks to U.S. securities markets and protect customer information, the Securities and Exchange Commission on March 15 advanced a package of new requirements for broker-dealers, registered investment advisers and other industry stakeholders.

Under the cybersecurity proposal approved by a divided 3-2 vote, market entities[1]—other than certain types of small broker-dealers—would be required to implement policies and procedures to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their policies and procedures, including whether they reflect changes in cybersecurity risk over the period covered by the review.

Market entities would also need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon concluding that such an incident has occurred or is occurring. According to the SEC, the proposed notification requirement would improve its ability to obtain information about significant cybersecurity incidents affecting these entities and would improve transparency about cybersecurity risks.

The required policies and procedures would need to specifically include:

  • periodic assessments of cybersecurity risks associated with the covered entity’s information systems and written documentation of the risk assessments;
  • controls designed to minimize user-related risks and prevent unauthorized access;
  • measures to monitor and protect the covered entity’s information systems, as well as oversee service providers that have access to the information systems;
  • measures to detect and mitigate any cybersecurity threats and vulnerabilities with respect to the entity’s information systems; and
  • measures to respond to and recover from a cybersecurity incident.

The proposal also would require covered entities to publicly disclose, on a proposed new Form SCIR, summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.

“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades,” SEC Chair Gary Gensler said in a statement. “Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

Public comments on the proposal will remain open until 60 days after publication in the Federal Register.

SEC Reopens Comments for RIA and Funds’ Cybersecurity Rules

Meanwhile, the SEC also reopened the comment period on proposed rules related to cybersecurity risk management and related disclosures for RIAs, registered investment companies, and business development companies that were proposed by the Commission in February 2022. The initial comment period ended on April 11, 2022, but the proposal has not been finalized.

The SEC notes that the reopened comment period will allow interested persons additional time to address whether there would be any effects from the other proposals related to cybersecurity risk management and disclosure that the Commission should consider.

The comment period will remain open until 60 days after publication of the reopening release in the Federal Register.

Proposed Changes to Reg S-P

In a unanimous vote, the SEC also proposed amendments to Regulation S-P to enhance the protection of customer information by, among other things, requiring BDs, RIAs, investment companies and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

The so-called “safeguards rule” currently requires these stakeholders to adopt written policies and procedures for the protection of customer records and information. Regulation S-P also requires the proper disposal of consumer report information (“disposal rule”).

The Commission’s proposal would update the requirements by addressing the expanded use of technology and corresponding risks since Regulation S-P was originally adopted in 2000. Under the proposal, these covered institutions would be required to adopt written policies and procedures for an incident response program to address unauthorized access to, or use of, customer information.

The proposed amendments would also require—with certain limited exceptions—covered institutions to provide notice to individuals whose customer information was likely to have been accessed or used without authorization. The proposal would require this notice to be provided as soon as practicable, but no later than 30 days after the covered institution becomes aware that an incident has occurred.

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” SEC Chair Gensler further stated. “I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.”

Like the other proposals, a public comment period will remain open until 60 days after publication in the Federal Register.

Finally, the SEC also proposed amendments to expand and update Regulation Systems Compliance and Integrity (SCI), the set of rules adopted in 2014 to “help address technological vulnerabilities in the U.S. securities markets and improve Commission oversight of the core technology of key U.S. securities markets entities (SCI entities).” Among other things, the proposed amendments would expand the scope of SCI entities and the types of SCI events experienced by an SCI entity that would trigger immediate notification to the Commission.

For additional information:

Proposed Cybersecurity Risk Management Rule for BDs, Other Participants

Fact Sheet on Proposed New Rule 10

Reopening of Comment Period for Cybersecurity Risk Management

Fact Sheet on Cybersecurity Risk Management Proposal

Proposed Changes to Regulation S-P

Fact Sheet on Proposed Changes to Regulation S-P

Proposed Expansion of Regulation SCI


[1] Market entities are defined as broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.