The SEC set its focus on cybersecurity on Wednesday, proposing new rules and expanding the scope of existing rules.
“Cyberattacks and associated data breaches impose significant financial and emotional costs on victims. Once victims’ identities are stolen, or their personal identifiable information is inappropriately revealed and/or sold to the highest criminal bidders, the damage can be irreparable and irreversible,” SEC Commissioner Jaime Lizárraga said in response to the flurry of activity. “This is why we must do everything in our power to enhance cybersecurity practices by market participants and to protect investors’ sensitive personal information. In that spirit, the commission is amending existing rules and proposing new ones that will strengthen financial market resiliency and increase investor confidence.”
Newly proposed cybersecurity requirements
The SEC proposed that “market entities” be required to implement cybersecurity policies and procedures, review the effectiveness of the policies at least once a year, and give the SEC notice of significant cybersecurity incidents.
The SEC’s definition of “market entities” includes broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.
Proposal requiring disclosure of data breaches
The SEC proposed amendments to Regulation S-P that would require broker-dealers, investment companies, registered investment advisers, and transfer agents to make individuals aware of certain types of data breaches.
“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” SEC Chair Gary Gensler said. “I think we should close this gap.”
Proposed expansion of SCI requirements
The SEC proposed to expand which entities are covered by Regulation Systems Compliance and Integrity (SCI) and what is expected of SCI entities.
The amendments would expand the definition of “SCI entities” in the 2014 rule to include registered security-based swap data repositories, all clearing agencies that are exempt from registration, and certain large broker-dealers. The amendments would also expand what SCI entities must include in their policies and procedures, including the maintenance of a written inventory and classification of all SCI systems and a program for life cycle management.
Also on Wednesday, the SEC reopened the comment period for a set of cybersecurity risk management rules that originally were proposed on Feb. 9, 2022.
All of Wednesday’s proposals are open for public comment for 60 days after publication in the Federal Register.
— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at [email protected]