As cyber-attacks and data breaches pose an increasing threat to market participants, the US Securities and Exchange Commission ("SEC") has become increasingly focused on the cyber risks to the public and the market at large. Last week, the SEC proposed three separate proposals designed to increase the cybersecurity readiness of financial institutions: proposed amendments to Regulation S-P, proposed new requirements to address cybersecurity risks for certain market entities, and proposed new requirements to Regulation SCI.1

These proposed amendments and rules reflect a growing concern that as financial institutions become more adept at collecting nonpublic personal information for business purposes, they invite a commensurate risk of that information being targeted by bad actors. The SEC therefore proposes to require these institutions to have established policies and procedures in place that would allow them to react efficiently and quickly to remedy any cyber-attack or data breach and to notify the impacted customers so that individuals can take further steps to protect themselves.

If adopted, these proposals have the potential to change the ways in which financial institutions address cyber-attacks and data breaches and to provide greater protection for customers' nonpublic personal information. This alert summarizes the potential requirements.

1. The proposed amended Regulation S-P now covers cyber-attacks and data breaches.

Currently, Regulation S-P does not address customer notifications after a cybersecurity incident. Under its safeguard rule, the regulation requires that covered institutions 1) provide notice to customers about their privacy policies and practices; 2) describe the conditions under which the financial institution can disclose nonpublic information about its customers; and 3) provide a way for customers to prevent the financial institution from disclosing that information.2 Within the current policies and procedures, the covered institution provides a notice to its customers or consumers that accurately reflects its privacy policies and practices, including the types of customers' nonpublic personal information that are collected and could be disclosed to third parties.3 Furthermore, under its disposal rule, covered institutions that possess consumer information for business purposes must dispose of the information in a manner that protects consumers from unauthorized access or use.4

The proposed amendments to Regulation S-P seek to specifically address incident response and victim notification when a covered institution is the victim of a cyber-attack. The SEC proposes a new requirement that covered institutions' policies and procedures must include an incident response program to detect, respond to, and recover from unauthorized access to and use of customer information.5 Specifically, the incident response program should lay out the procedures to assess the nature and scope of the unauthorized access and the steps to contain and control the damage.6 The SEC's proposed amendment also requires covered institutions to ensure that their service providers have appropriate measures designed to protect against unauthorized access to or use of customer information.7

The proposed revisions to Regulation S-P also require the covered institution to have procedures to notify affected individuals whose sensitive customer information was accessed and used without authorization.8 After becoming aware of the unauthorized access, the covered institution will have 30 days to provide notice to affected customers.9 The SEC's proposed amendments also broaden the existing protections under Regulation S-P by applying the safeguard and disposal rules to 1) nonpublic personal information that a covered institution collects about its own customers and that a covered institution receives from a third-party financial institution and 2) the existing covered institutions and any transfer agent registered with the SEC or another regulatory agency.10

Lastly, the proposed amendments would require covered institutions to maintain written records documenting compliance with Regulation S-P.11

2. New Proposed Rule requires Market Entities to have written policies and procedures to address cybersecurity risks.

The SEC has also proposed a new rule that will require all Market Entities, including broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations and exchanges, and transfer agents, to establish, maintain, and enforce written policies and procedures designed to address cybersecurity risks.12 Market Entities are required to assess and review these policies on an annual basis and must either submit a report or maintain a record of the annual review.13

Within the Market Entities, the SEC has proposed additional, more stringent requirements for a select few financial institutions called Covered Entities, which may be exposed to greater cybersecurity risks because of their influence and size within the financial markets. Within their policies and procedures addressing cybersecurity risks, Covered Entities must specifically include periodic assessments of cybersecurity risks, measures to monitor and prevent unauthorized access to Covered Entities' information (including overseeing the policies and procedures of their service providers), and procedures to detect, contain, and mitigate cybersecurity incidents.14 And when a Covered Entity has a reasonable basis to conclude that a cybersecurity incident has occurred or is occurring, it must immediately notify the SEC of the incident.15

3. Expanding Regulation SCI to cover additional financial institutions.

Regulation SCI was implemented to require Systems Compliance and Integrity (SCI) entities to have comprehensive policies and procedures reasonably designed to ensure that the technology infrastructures supporting securities market functions have the capacity, integrity, resiliency, availability, and security adequate to operate effectively in the market.16 Examples of such policies and procedures are periodic stress testing of the systems, business continuity and disaster recovery planning, and reviewing and testing to identify vulnerabilities.17

The current version of Regulation SCI applies to self-regulatory organizations, such as national securities exchanges, registered clearing agencies, and registered securities associations. The proposed amendment would expand Regulation SCI to also include registered security-based swap data repositories, certain broker-dealers registered with the Commission under Section 15(b), and all clearing agencies exempted from registration.18 Furthermore, the proposed amendment would also require an SCI entity to have policies and procedures regarding oversight of third-party providers and a program to prevent unauthorized access to SCI systems and information.19

Implications.

The proposed amendments and new rule reveal that the SEC is aware of the growing reliance financial institutions place on third parties and service providers. It is perfectly rational to delegate everyday business activities to vendors and contractors, but such reliance may expose financial institutions to more access points and vulnerabilities to cyber-attacks because the third-party service providers could have access to the financial institutions' data. Therefore, under the new proposals, the SEC is placing the onus on financial institutions to ensure that their policies and procedures addressing cybersecurity risks and data breaches cover their third-party service providers. Going forward, financial institutions may need to be even more careful about which service providers they contract with, because a third party's cyber deficiencies could invite SEC scrutiny of the financial institutions themselves.

If adopted, the new proposals represent a sweeping change to the requirements for financial institutions and increase the stakes and potential liability for covered institutions. The stark reality is that every institution covered by the proposed amendments is susceptible to an attack at any time, and any cybersecurity incident may lead to litigation, investigation, and crisis management. If these proposals are adopted, the chance of the SEC using its enforcement powers to identify alleged deficiencies in a cybersecurity program would increase. Thus, in addition to focusing on compliance with the new contours of the proposals, financial institutions should use these amendments as an opportunity to review and refine their procedures for preventing and handling data breaches.

Footnotes

1 Sarah Jarvis, "Divided SEC Advances Trio Of Cybersecurity Rule Proposals," Law360 (Mar 15, 2023) https://www.law360.com/articles/1586347/divided-sec-advances-trio-of-cybersecurity-rule-proposals.
2 Securities Exchange Commission, 65 Fed. Reg. 400334, 40362 (Jun. 29, 2000).
3 Id. at 40366.
4 Securities Exchange Commission, 69 Fed. Reg. 71329, 71322 (Dec. 8, 2004).
5 Sec. Exch. Comm'n, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, at 19 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97141.pdf.
6 Id. at 25, 28.
7 Id. at 34-35.
8 Id. at 20.
9 Id. at 58.
10 Id. at 78, 81.
11 Id. at 93.
12 Sec. Exch. Comm'n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, at 10, 52 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
13 Id. at 56.
14 Id. at 102.
15 Id. at 139-40.
16 Sec. Exch. Comm'n, Regulation Systems Compliance and Integrity, at 17 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97143.pdf.
17 Id.
18 Id. at 28.
19 Id. at 104, 123.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.