On March 15, the SEC released three new proposed rules to address cybersecurity risks in the U.S. securities markets. The new proposals – which align with the Biden administration’s national cybersecurity strategy – have been designed to mitigate evolving threats to the integrity and security of the financial services sector.
Among other things, the SEC's proposed cybersecurity rules introduce requirements for public disclosure of cyber incidents, written policies to address risks, and breach notifications to customers – increasing the pressure on participants in the securities markets to enhance their cybersecurity posture and adopt measures to better defend client information.
Overview of the new SEC proposed cybersecurity rules:
New SEC Rule 10: Policy documentation & cyber incident disclosures
Under the SEC’s new Rule 10, covered entities would need to develop, maintain, and at least annually evaluate the validity of written policies and procedures to address cybersecurity risks. These policies should include the entity’s controls to mitigate unauthorized access to information, as well as measures to detect threats and recover from a cybersecurity incident.
Further, Rule 10 also introduces a new proposed Form SCIR for disclosures of cybersecurity incidents and risks. Using Part I of the form, covered entities will have to report details about a security incident and remediation measures to the SEC. Similarly, these entities must provide a summary of their cybersecurity risks and describe any major cyber incidents they experienced in the current or previous calendar year in Part II of the proposed form. Along with submitting this form to the Commission, the entity would also have to publish it on its website.
The proposed requirements would apply to broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).
SEC Enhancements to Regulation S-P: Customer data protection
With a focus on improving the protection of customer data, the SEC has proposed amendments to the existing Regulation S-P. Among other things, the amended regulation would require covered institutions to notify customers whose sensitive data was compromised in a security breach within 30 days of the incident. Covered institutions must also implement and maintain an incident response program to guide the remediation of unauthorized access to customer information.
Under this rule, covered institutions include broker-dealers, investment companies, registered investment advisers, and transfer agents.
Proposed Regulation SCI Expansion: Ensure security of market technology
These new SEC rules account for developments in technology and trading. The SEC has proposed to expand ‘SCI entities’ to include registered security-based swap data repositories, all clearing agencies that are exempt from registration, and certain large broker-dealers – in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, US Treasury securities, or Agency securities.
These amendments also require that SCI entities maintain a program to manage third-party providers, including cloud service providers.
What should businesses do to prepare for the new SEC cybersecurity rules?
Although the new SEC proposals have not been implemented yet, businesses in the securities market should take stock of their current cybersecurity policies and procedures to stay ahead of the curve. The Biden administration is placing more responsibility on companies to protect their customer data and asking for greater transparency on cybersecurity risks and breaches.
So, it’s best for all businesses to start identifying and mitigating gaps in their cybersecurity posture. Cyber assessments such as IT audits and penetration testing can help enhance resilience and ready businesses for compliance with increasing regulations and scrutiny.
Is your business ready for the new SEC cybersecurity regulations?
Our Information Security team can provide your business with expert risk assessments, policy implementation, and advisory to prepare for the new SEC cybersecurity regulations. Check out our cybersecurity services or contact us to get started!