SEC Proposes New Cybersecurity Rules for Securities Markets

New SEC Rule 10: Policy documentation & cyber incident disclosures

Under the SEC’s new Rule 10, covered entities would need to develop, maintain, and at least annually evaluate the validity of written policies and procedures to address cybersecurity risks. These policies should include the entity’s controls to mitigate unauthorized access to information, as well as measures to detect threats and recover from a cybersecurity incident.

Further, Rule 10 also introduces a new proposed Form SCIR for disclosures of cybersecurity incidents and risks. Using Part I of the form, covered entities will have to report details about a security incident and remediation measures to the SEC. Similarly, these entities must provide a summary of their cybersecurity risks and describe any major cyber incidents they experienced in the current or previous calendar year in Part II of the proposed form. Along with submitting this form to the Commission, the entity would also have to publish it on its website.

The proposed requirements would apply to broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).

SEC Enhancements to Regulation S-P: Customer data protection

With a focus on improving the protection of customer data, the SEC has proposed amendments to the existing regulation S-P. Among other things, the new regulations would require covered insitutions to provide notice to customers whose sensitive data was compromised in a security breach within 30 days of the incident. Covered institutions must also implement and maintain an incident response program to guide the remediation of unauthorized access to customer information.

Under this rule, covered institutions include broker-dealers, investment companies, registered investment advisers, and transfer agents.

Proposed Regulation SCI Expansion: Ensure security of market technology

These new SEC rules account for developments in technology and trading. The SEC has proposed to expand ‘SCI entities’ to include registered security-based swap data repositories, all clearing agencies that are exempt from registration, and certain large broker-dealers – in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, US Treasury securities, or Agency securities.

These amendments also require that SCI entities maintain a program to manage third-party providers, including cloud service providers.

What should businesses do to prepare for the new SEC cybersecurity rules?

Although the new SEC proposals have not been implemented yet, businesses in the securities market should take stock of their current cybersecurity policies and procedures to stay ahead of the curve. The Biden administration is placing more responsibility on companies to protect their customer data and asking for greater transparency on cybersecurity risks and breaches.

So, it’s best for all businesses to start identifying and mitigating gaps in their cybersecurity posture. Cyber assessments such as IT audits and penetration testing can help enhance resilience and ready businesses for compliance with increasing regulations and scrutiny.