If adopted, these proposed rules would (i) enhance protection of customer information under Regulation S-P, (ii) add new requirements addressing cybersecurity risk to the U.S. securities markets, and (iii) expand the types of entities covered by Regulation SCI.
On March 15, 2023, the U.S. Securities and Exchange Commission ("SEC") voted to propose three cybersecurity measures for certain entities. While some of these rulemaking proposals were met with mixed feedback from commissioners, if implemented, each would require firms to update their cybersecurity measures.
Proposal 1: Changes to Regulation S-P
The SEC's proposed amendments to Regulation S-P would enhance protection of customer information. Among other features, these changes would require firms to notify individuals affected by certain data breaches within 30 days. This proposal would also extend safeguards and disposal rules to cover customer nonpublic personal information. Under the Regulation S-P updates, broker-dealers, investment companies, registered investment advisers, and transfer agents would also have to adopt written policies and procedures addressing unauthorized access or use of customer information.
Proposal 2: Cybersecurity Risk Management Rule
This cybersecurity risk management rule, if adopted, would require all "Market Entities" to implement cybersecurity risk policies and procedures. Under this rule, "Market Entities" would include: broker-dealers, clearing agencies, major security-based swap participants, national securities associations and exchanges, security-based swap dealers, security-based swap data repositories, transfer agents, and the Municipal Securities Rulemaking Board. Immediate written electronic notice to the SEC of significant cybersecurity incidents would also be required under this rule. Finally, this new SEC measure would mandate annual review and assessment of the effectiveness of cybersecurity policies and procedures.
Proposal 3: Updates to Regulation SCI
Under the SEC's proposed updates to Regulation SCI (Systems Compliance and Integrity), the scope of this regulation would expand to registered security-based swap data repositories, all clearing agencies that are exempt from registration, and certain large broker-dealers. Additionally, these updates would expand the types of SCI events that trigger immediate SEC notification. Other features of these updates include requiring annual compliance reviews, mandating business continuity reviews, implementing disaster recovery testing, and updating the regulation's recordkeeping provisions.
The SEC will accept comments on each proposal for 60 days following publication in the Federal Register. Further, as a result of these new proposals, the SEC has reopened the comment period for its previously proposed rules for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. Those proposed rules had previously been published on March 9, 2022, and their comment period had closed on May 9, 2022.
The SEC continues its trend of promulgating new rulemaking on cybersecurity controls and disclosures. Companies should continue to monitor proposed rules and ensure that their controls and disclosure practices are compliant before these rules go into effect.