SEC Advances Three New Cybersecurity Rule Proposals
On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.
The SEC’s first proposal would amend Regulation S-P. Regulation S-P imposes privacy, data security, and data disposal rules on broker-dealers, investment advisers, and investment companies subject to the SEC’s authority under the Gramm-Leach-Bliley Act. Among other requirements, the SEC’s proposed amendments would (1) require covered institutions to adopt a written incident response program, including procedures to assess the nature and scope of an incident involving unauthorized access to or use of customer information, as well as procedures to contain and control such an incident, (2) incorporate a requirement to notify affected individuals of a data breach, and (3) require covered institutions to maintain written records documenting their compliance with Regulation S-P’s rules.
The SEC also proposed Rule 10, which would require certain entities that perform critical services to support the U.S. securities market – namely, broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”) – to, among other requirements, maintain and regularly update written policies and procedures that address cybersecurity risks and include certain prescribed content, provide immediate written notice to the SEC of significant cybersecurity incidents, and publicly disclose summary descriptions of cybersecurity risks and incidents.
Finally, the SEC proposed amendments to Regulation Systems Compliance and Integrity (“SCI”), which was adopted in 2014 and applies to (1) certain entities (“SCI Entities”) and their automated and similar systems (“SCI Systems”) that directly support one or more of six key security market functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance), and (2) systems that, if breached, would be reasonably likely to pose a security threat to SCI Systems (“Indirect SCI Systems”). The proposed amendments would increase the scope of entities covered by Regulation SCI (to include registered security-based swap data repositories; broker-dealers registered with the SEC under Section 15(b) that exceed certain thresholds in assets or transaction activity; and all clearing agencies exempted from registration) and would expand on the regulation’s requirements, including by specifying content requirements for security policies and procedures mandated under the Rule, requiring notice to the SEC of certain “systems intrusions” without delay, updating the annual SCI compliance review required under the Rule, and requiring SCI Entities to include key third-party providers in their required business continuity and disaster recovery (BC/DR) testing.
The public comment periods for the proposals will remain open for 60 days after publication in the Federal Register. In addition, the SEC has re-opened the comment period for a 2022 proposal that would require investment advisers and funds to adopt written cybersecurity policies, report significant cybersecurity incidents to the SEC, and publicly disclose cybersecurity risks and significant cybersecurity incidents in the last two fiscal years in their brochures and registration statements.