Issue in Brief: The Securities and Exchange Commission issued a proposed suite of new cybersecurity rules for market participants and entities in mid-March 2023. If adopted, the new requirements would impose significant new costs and enforcement risks for much of the securities markets.

Key Takeaways: This flurry of rulemaking activity targets the securities market infrastructure as opposed to the disclosure rules for public companies. The rules focus on heightened cybersecurity requirements for covered entities, including:

  • the adoption of policies and procedures to address cybersecurity risk;
  • written incident response programs;
  • "immediate" written notice to the Commission of "significant" cybersecurity incidents;
  • public disclosure;
  • new types of SEC filings; and
  • extension of Reg SCI to large broker-dealers and other types of firms.

Proposed Rule 10 under the Securities Exchange Act of 1934 ("Rule 10")

Proposed Rule 10 would require Market Entities (e.g., broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents) to establish, maintain, and enforce written policies and procedures designed to address the entity's cybersecurity risks. It would also provide for more particularized requirements applicable only to a subset of entities within Market Entities (referred to as Covered Entities), including, for example, clearing agencies and security-based swap participants.

Proposed Rule 10 would establish the minimum elements that an entity would need to include in its policies and procedures. In particular, the entity's policies and procedures would need to address: (1) cybersecurity risk assessment; (2) user security and access; (3) information protection; (4) cybersecurity threat and vulnerability management; and (5) cybersecurity incident response and recovery.

In addition, proposed Rule 10 would require the entity, at least annually, to: (1) review and assess the design and effectiveness of the cybersecurity policies and procedures; and (2) prepare a written report that provides:

  • the review, the assessment, and any control tests performed;
  • an explanation of the results;
  • documentation of any cybersecurity incident that occurred since the date of the last report; and
  • a discussion of any material changes to the policies and procedures since the date of the last report.

Moreover, proposed Rule 10 would require entities to:

  • provide the Commission "immediate" written notice in the event of a significant cybersecurity incident, which is—generally—an incident that (1) "disrupts or degrades" the ability to "maintain critical operations" or (2) leads to unauthorized access or use of information that could result in substantial harm;
  • submit Part I of the proposed Form SCIR with information about such cybersecurity incidents and the entity's efforts to respond to and recover from the incident; and
  • publicly disclose (with the Commission and on the entity's website) a summary description of the entity's cybersecurity risks and incidents experienced over the previous calendar year.

Finally, proposed Rule 10 would include corresponding amendments to existing Rules 17a-4, 17ad-7, and 18a-6 establishing recordkeeping requirements for the written policies and procedures, annual reports, proposed Form SCIR, and other records required by proposed Rule 10. Orders exempting certain clearing agencies from registering with the Commission would also be amended to establish similar recordkeeping requirements.

According to the Commission, these requirements are designed to position Market Entities to be better prepared to protect themselves against cybersecurity risks, to mitigate cybersecurity threats and vulnerabilities, and to recover from cybersecurity incidents. They are also designed to help ensure that entities focus their efforts and resources on the cybersecurity risks associated with their operations and business practices.

Proposed Amendments to Regulation Systems Compliance and Integrity ("Reg SCI")

Reg SCI currently imposes requirements relating to system operations and compliance, including programs designed to ensure that certain systems maintain operational capability, promote the maintenance of fair and orderly markets, and comply with the Exchange Act and the entity's own policies. The proposed amendment would expand the scope of entities covered by Reg SCI to include:

  • registered security-based swap data repositories;
  • broker-dealers registered with the Commission under Section 15(b) that exceed a certain threshold for total assets or activity; and
  • all clearing agencies exempted from registration.

Entities covered under Reg SCI would have additional requirements to develop and implement more comprehensive cybersecurity governance programs, including programs to:

  • perform inventory, classification, and lifecycle management for SCI-covered systems (i.e., assets operated by or on behalf of an SCI entity that directly or indirectly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance);
  • manage and oversee third parties that provide functionality, support, or service for SCI systems (e.g., cloud service providers);
  • develop and implement business continuity and data recovery plans that address the potential unavailability of a third-party provider that could result in a material impact on critical SCI systems; and
  • implement safeguards to prevent unauthorized access to SCI systems.

The amendments would also: (1) expand the definition of system intrusion—which currently covers any unauthorized entry into SCI systems or indirect SCI systems of an SCI entity—to include events such as denial-of-service attacks; (2) require notification to the Commission "without undue delay" in the event of a system intrusion; (3) require that objective personnel perform cybersecurity risk assessments on SCI systems; and (4) require covered entities to perform annual testing.

Proposed Amendments to Regulation S-P

The proposed amendments to Regulation S-P (which contains the "Safeguards Rule"; "Reg S-P") would set a federal minimum standard for the customer protections afforded by institutions covered by the regulation (e.g., broker-dealers, investment companies, and registered investment advisers). The proposed amendments would require these covered institutions to adopt an incident response program as part of their written policies and procedures.

Most notably, the amendments would also require these covered institutions to provide notice to individuals whose information was—or is reasonably likely to have been—compromised. Subject to certain exceptions, covered institutions would have to provide the notice "as soon as practicable, but not later than 30 days after" they become aware of the unauthorized access.

The proposed changes would also add "customer information" as a new defined term used across Reg S-P. As defined, the term would cover both nonpublic personal information that a covered institution collects about its own customers and such information it receives from a third-party financial institution about that institution's customers, so the amended rules would apply to both categories.

Additional updates would include: (1) recordkeeping requirements to document compliance with the safeguards rule and the disposal rule; (2) conforming the annual privacy notice delivery provisions and exceptions to the 2015 Fixing America's Surface Transportation Act; (3) extending the safeguards rule to transfer agents registered with the Commission or another appropriate regulatory agency; and (4) extending the disposal rule to transfer agents registered with another appropriate regulatory agency.

Reopened Comment Period for Proposed Rules for Registered Investment Advisers and Funds

Finally, the Commission reopened the comment period on the proposed rules for Registered Investment Advisers and Funds initially released on February 9, 2022. These proposed rules and amendments take a similar focus on the adoption of policies and procedures designed to address cybersecurity risks, incident reporting, cyber risk disclosure, and recordkeeping requirements. These are separate from the proposed public company disclosure rules released in March of 2022.

Should the rules go into effect in a form substantially similar to their proposed one, filers can expect to see changes in the policies and procedures of national exchanges, as well as of other market entities.

The Commission's Request for Comments

The Commission requested comments on a variety of points in the proposed rules. For proposed Rule 10, the Commission is seeking comment on the scope of several pivotal definitions, such as "Covered Entity" and "significant cybersecurity incident." For Reg SCI, the Commission is requesting comments on, among other topics, the relationship between Reg SCI (in its current and proposed amended forms), proposed Rule 10, and Reg S-P (in its current and proposed amended forms). The Commission is also asking for comments on the timing requirements for notification in the proposed amendments to Reg S-P. Comments on the proposed rules for Registered Investment Advisers and Funds are due by May 22, 2023. Comments on each of the new proposed rules will be due 60 days after that proposed rule is published in the Federal Register.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.