The U.S. Securities and Exchange Commission (SEC) appears to have big plans for cybersecurity regulation in 2023.
The SEC's rulemaking agenda, which was recently published by the Office of Management and Budget's Office of Information and Regulatory Affairs, includes finalizing two sets of cybersecurity rules proposed last year and issuing a new notice of proposed rulemaking (NPRM) on cybersecurity risk disclosures and cybersecurity measures. The new NPRM will include requirements for SEC-regulated public companies, broker-dealers, funds, investment advisors, self-regulatory organizations (SROs), and others.
The SEC has been one of the most active federal agencies in the cybersecurity space over the last several years. The Commission proposed new cybersecurity regulations for registered investment advisors (RIAs) and funds in February 2022 (see our blog post here) and new cyber disclosure, governance and risk management rules for public companies in March 2022 (see our blog post here). According to the recently published rulemaking agenda, final action on both of these proposed rules is expected in April 2023 (see here and here). If these rules are finalized:
- RIAs and funds will need to adopt cybersecurity policies and procedures, conduct documented risk assessments, implement access controls, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents. Covered RIAs and funds will be required to report cybersecurity incidents within 36 hours.
- Public companies will be required to include in mandatory disclosures information about the board of directors' oversight of cybersecurity risk, individual board members' cybersecurity expertise, and the role of management in addressing cybersecurity risk, among other aspects of companies' cybersecurity risk management programs. Public companies will be required to report material cybersecurity incidents within four business days.
According to the recently published rulemaking agenda, the SEC also intends to release a new NPRM to "address registrant cybersecurity risk and related disclosures, amendments to Regulation S-P and Regulation SCI, and other enhancements related to the cybersecurity and resiliency of certain Commission registrants." While the description of this NPRM indicates that its subject matter may overlap with the existing proposed rules, it is clear that the new NPRM will tread some new ground, such as amending Regulations S-P and SCI.
Regulation S-P, which was promulgated under section 504 of the Gramm-Leach-Bliley Act (GLBA), contains numerous data privacy and security-related requirements for registered broker-dealers, funds, and investment advisers. Section 30(a) of Regulation S-P, commonly known as the Safeguards Rule, requires registered broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." The SEC may intend to follow the example of the Federal Trade Commission (FTC), which recently amended its own Safeguards Rule for non-bank financial institutions by adding numerous specific cybersecurity requirements, including risk assessments, continuous monitoring, encryption, and multifactor authentication (we discussed the FTC's amendments to its Safeguards Rule in a prior blog post and webinar). The SEC's February 2022 RIA and funds cybersecurity proposal acknowledged that Regulation S-P (which applies to RIAs and funds) also addresses cybersecurity but did not seek to amend that rule.
Regulation Systems Compliance and Integrity, or Regulation SCI, applies to computer systems that support key securities market functions and covers SROs—including stock and options exchanges, registered clearing agencies, the Financial Industry Regulatory Authority (FINRA), and the Municipal Securities Rulemaking Board (MSRB)—and other "SCI Entities," including certain alternative trading systems, disseminators of consolidated market data, and certain exempt clearing agencies.