The SEC proposed a new rule ("Rule 10") that would require market entities to implement procedures designed to address cybersecurity risk, and a related form ("Form SCIR") for disclosing information about cyber incidents and risks. The new requirements would apply to broker-dealers, the MSRB and FINRA, clearing agencies, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.
Proposed Rule
Under Proposed Rule 10, market entities would be required to (i) create and maintain written policies and procedures to address cybersecurity risks, (ii) annually review these policies, (iii) submit an annual review to the SEC and (iv) immediately inform the SEC of any significant cybersecurity incident once the market entity has concluded that such an incident occurred.
The SEC said that the new regulation would require a firm to establish and maintain policies that include:
- regular written assessments of cybersecurity risks to the firm's information systems;
- internal controls designed to (i) reduce user-related risks and (ii) prevent unauthorized access to information systems;
- protections against unauthorized access to internal information systems, including oversight of outside service providers;
- measures to detect and mitigate cybersecurity threats to, and vulnerabilities of, its internal information system; and
- written documentation of cybersecurity incidents and steps taken to recover from the incident.
The SEC said that proposed Form SCIR consists of the following two parts:
- Part I provides for a firm to report steps taken by the market entity to address and resolve the incident; and
- Part II requires an annual summary of the firm’s cybersecurity risks and significant related incidents.
The SEC said that firms would also have to post on their website the summary filed in Part II of proposed Form SCIR.
Commissioner Statements
SEC Chair Gary Gensler emphasized that the proposal is the first rulemaking to explicitly address the cybersecurity practices of entities covered under the proposal.
Commissioner Caroline A. Crenshaw stated that with the increase in frequency and sophistication of cyberattacks, the proposal will enhance cybersecurity risk management to protect both the markets and investors.
Commissioner Jaime Lizárraga said the proposal would ensure that market entities will take “reasonable steps” to protect their information systems from security risks.
Chair Mark T. Uyeda dissented, likening the proposal to an SEC proposal in 2022 to implement cybersecurity risk management and reporting requirements (see previous coverage). He questioned why the current proposal failed to react to comments to the February 2022 proposal. Further, he noted the overlap in other proposals simultaneously being considered by the SEC, which would amend Regulation S-P and Regulation SCI. He said that the SEC’s “spaghetti on the wall” approach to submitting proposals with “potentially inconsistent regimes” can lead to confusion and conflict, and even weaken cybersecurity protections.
Commissioner Hester M. Peirce also criticized the rule proposal, calling it a “tool to enhance our year-end enforcement statistics [rather] than a serious proposal to make the securities market more secure.” She added that the proposal demonstrates the SEC’s priority to create even more “legal peril” for firms that experience cybersecurity incidents rather than allowing them to take steps to mitigate immediate threats posed by cybersecurity risks to the firm and customers.