TSCPA News

SEC Proposals Address Cybersecurity Issues

March 15, 2023

The U.S. Securities and Exchange Commission (SEC) recently proposed new rules and the expansion of the scope of existing rules to address cybersecurity issues.

Cybersecurity Risks to U.S. Securities Markets

The SEC proposed requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents (collectively, “Market Entities”) to address their cybersecurity risks.

The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. The SEC said the proposal — through new notification requirements applicable to all Market Entities and additional reporting requirements applicable to Market Entities other than certain types of small broker-dealers (collectively, “Covered Entities”) — would improve its ability to obtain information about significant cybersecurity incidents affecting these entities. It also said that new public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.

Changes to Regulation S-P

The SEC also proposed amendments to Regulation S-P intended to enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

The new proposal would update the rule’s requirements to address the expanded use of technology and corresponding risks since the SEC originally adopted Regulation S-P in 2000. It would require broker-dealers, investment companies, registered investment advisers and transfer agents (collectively, “covered institutions”) to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The proposed amendments would also require, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide this notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

The proposed amendments would also make a number of additional changes to Regulation S-P, including:

  • Broadening and aligning the scope of the safeguards rule and disposal rule to cover “customer information,” a new defined term. This change would extend the protections of the safeguards and disposal rules both to nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions
  • Extending the safeguards rule, including the proposed enhancements, to transfer agents registered with the SEC or another appropriate regulatory agency and expanding the existing scope of the disposal rule to include transfer agents registered with another appropriate regulatory agency rather than only those registered with the SEC
  • Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.

Expansion and Update of Regulation SCI

Additionally, the SEC proposed amendments to expand and update Regulation Systems Compliance and Integrity (SCI), the set of rules adopted in 2014 to help address technological vulnerabilities in the U.S. securities markets and improve SEC oversight of the core technology of key U.S. securities markets entities (SCI entities).

To reflect technological developments in the markets, the proposed amendments would expand the scope of SCI entities to include registered security-based swap data repositories; all clearing agencies that are exempt from registration; and certain large broker-dealers, in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, U.S. Treasury securities or Agency securities.

The proposed amendments would also strengthen the requirements Regulation SCI imposes on SCI entities, including by requiring that an SCI entity’s policies and procedures include the maintenance of a written inventory and classification of all SCI systems and a program for life cycle management; a program to prevent unauthorized access to such systems and the information they hold; and a program to manage and oversee certain third-party providers of covered systems, including cloud service providers.

The proposed amendments would also expand the types of SCI events experienced by an SCI entity that would trigger immediate notification to the SEC, update the rule’s annual SCI review and business continuity and disaster recovery testing requirements, and update certain of the regulation’s recordkeeping provisions.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.