SEC releases new cybersecurity-related proposals and reopens comment period for cybersecurity rules
Last week, the U.S. Securities and Exchange Commission (SEC) released three new proposals related to cybersecurity:
- Expansion of Regulation SCI
- Expansion of Regulation S-P
- Proposed new Rule 10 under Securities Exchange Act for broker-dealers and other Market Entities
The proposed new Rule and regulation expansions, discussed in further detail below, demonstrate the SEC’s emphasis and focus on cybersecurity compliance. If adopted, these changes would greatly increase the SEC’s scrutiny of regulated entities with respect to cybersecurity compliance. Further, if adopted, the proposed rule expansions would, for the first time, require regulated entities to notify the SEC of a security breach. This has, in recent years, been an issue of great uncertainty and concern for regulated entities.
In addition to the new rule and regulation expansions, the SEC also reopened the comment period for the proposed cybersecurity rules for registered investment advisers and investment companies. The reopened comment period gives the public additional time to evaluate the proposed rule for registered investment advisers and investment companies in light of the newly proposed Rule 10 for Market Entities and the amendments to Regulation SCI and Regulation S-P. The public now has until May 14th, 2023, to comment on the rule. Comments may be submitted by any of the three methods the SEC lists.
1. Expansion of Regulation SCI
SEC Regulation Systems Compliance and Integrity (Regulation SCI) applies to the automated (and similar) systems of certain entities, known as SCI entities, that support securities market functions (eg, trading, clearance and settlement, market regulation). Regulation SCI currently requires SCI entities to:
- Implement comprehensive policies and procedures reasonably designed to ensure that certain systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability
- Take appropriate corrective action in response to systems issues
- Provide notice to the Commission of systems issues; and
- Conduct annual compliance reviews including business continuity and disaster recovery testing.
The proposed amendments would expand the definition of SCI entities under the rule. Currently, SCI entities include self-regulatory organizations, large ATSs, plan processors, clearing agencies, and SCI competing consolidators. Under the proposed amendments, the rule would be expanded to include registered broker-dealers that exceed certain size or activity thresholds, registered security-based swap data repositories, and clearing agencies exempted from registration.
Further, the proposed amendments would also significantly expand substantive requirements under the Rule and include the following requirements for SCI entities:
- Maintain a written inventory and classification of SCI systems
- Implement a program to manage third-party providers for the systems of SCI entities
- Expand certain cybersecurity compliance programs (eg, business continuity/disaster recovery plans) to address the unavailability of any third-party providers for SCI entities without which there would be a material impact on any critical systems of SCI entities
- Expand policies and procedures to include a program to prevent unauthorized access to the systems of SCI entities
- Increase the frequency of penetration testing from every three years to every year which we view as potentially a very positive development depending on how it is actually applied and enforced
- Expand the definition of “systems intrusion” to include any event that disrupts or significantly degrades the normal operation of an SCI system (for example, a distributed denial-of-service (DDoS) attack), as well as attempted, unsuccessful but significant unauthorized entries into SCI systems
- Require notification without delay of systems intrusion
- Require that personnel assess the risks to covered systems, the design and operating effectiveness of internal controls, and the risks and controls associated with third-party provider management
- Revise the requirements for SCI reviews and reports
- Clarify that following current industry standards operates as a safe harbor by adding the words “safe harbor” to the rule
- List minimum requirements that an SCI entity’s Rule 1001(a) policies and procedures must include
- Disseminate information about an event to an SCI entity’s customers
- Update recordkeeping provisions and Form SCI consistent with the amendments; and
- Implement recordkeeping requirements for entities that no longer qualify as an SCI entity.
2. Expansion of Regulation S-P
The SEC also proposed updates to Regulation S-P, also known as the Safeguards Rule. The current Regulation S-P applies to broker-dealers, investment companies, and registered investment advisers (the Covered Institutions) and requires Covered Institutions to implement written policies and procedures for safeguards to protect customer records and information (including disposal of information) and disclose how they use clients’ financial information. Note however that Regulation S-P does not currently require Covered Institutions to disclose data breaches.
The SEC’s proposed expansion to Regulation S-P would require Covered Institutions to implement an incident response program to address unauthorized access to, or use of, customer information, and would require Covered Institutions to notify affected individuals in the event of a data breach. Additionally, the proposed expansion of Regulation S-P would broaden the scope of information covered by the requirements.
Specifically, the proposed amendments to Regulation S-P include the following:
- Incident response program: Covered Institutions would be required to have an incident response program designed to detect, respond to, and recover from unauthorized access to/use of customer information. Also, Covered Institutions would be required to have written policies and procedures in place to assess the scope of incidents and control future incidents.
- Customer notification requirement: Covered Institutions would be required to notify individuals whose information was, or is reasonably likely to have been, accessed without authorization, no later than 30 days after the institution becomes aware that customer information was accessed, or is reasonably likely to have been accessed, without authorization.
- Expanding scope of customer information disposal: The disposal requirement would be expanded to apply to all “customer information,” which would include any record containing nonpublic personal information, in any form, about a customer of a financial institution. The current disposal rule applies to consumer report information regardless of whether the individuals concerned are customers of the institution. The amendment would extend the requirement to nonpublic personal information that a Covered Institution collects about its own customers as well as information it receives about customers of other financial institutions.
- Transfer agents: The proposed expansion of Regulation S-P would also extend incident response and safeguarding and disposal rules to transfer agents registered with the Commission or another regulatory agency.
- Recordkeeping: Under the proposed expansion, Covered Institutions would be required to make and maintain written records documenting their compliance with the safeguards and disposal rules.
3. New Rule 10 under Securities Exchange Act for broker-dealers and other Market Entities
The SEC also proposed a new Rule 10 under the Securities Exchange Act of 1934 which would impose additional cybersecurity requirements on Market Entities and require them to take additional steps to address their cybersecurity risks. Market Entities would be defined to include broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. Note that some of the requirements under Rule 10 would apply only to a subset of Market Entities referred to as “Covered Entities.”
While the requirements under proposed Rule 10 are new, they closely track the SEC’s previously proposed Advisers Act Rule 206(4)-9 and further the SEC’s continued focus on cybersecurity risk.
The material requirements of the proposed rule include the following:
- All Market Entities would be required to establish, maintain, and enforce written policies and procedures reasonably designed to address their cybersecurity risks. Market Entities would also be required to review and assess these policies and procedures annually and ensure that they reflect changes in cybersecurity risk. Covered Entities would be required to prepare a report of the review, with other Market Entities preparing a record of it.
- Covered Entities would be required to address the following elements in their policies and procedures: (i) periodic risk assessments; (ii) controls to minimize user-related risks and prevent unauthorized access to information systems; (iii) monitoring of information systems and oversight of service providers whose work involves the entity’s information systems; (iv) measures to detect, mitigate and remediate threats and vulnerabilities; and (v) measures to detect, respond to, and recover from a cybersecurity incident, including written documentation of the incident, response and recovery.
- Covered Entities would be required to provide notice to the SEC of a significant cybersecurity incident. The requirement would be triggered whenever circumstances gave an entity a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Covered Entities would also be required to file Part I of the proposed Form SCIR (under proposed 17 CFR 242.10) to report information about the cybersecurity incident and the Covered Entity’s response to and recovery from it. Note that this filing would have to be made promptly, and no later than 48 hours after the entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. The filing would be made on a confidential basis and would have to be updated if the information in it became materially inaccurate or new material information were discovered, upon resolution of the incident, and upon completion of any internal investigation of the incident by the Covered Entity.
- A “significant cybersecurity incident” is defined as an incident that significantly disrupts or degrades the ability of the entity to maintain critical operations; or leads to unauthorized access or use of information where the access results in or is likely to result in substantial harm to the entity, a customer, a counterparty, a member, a registrant, a user of the Market Entity, or any other person that interacts with the Market Entity.
- In addition, Covered Entities would be required to make two types of public disclosure through Part II of the proposed Form SCIR: (1) a summary of the cybersecurity risks that could materially affect the entity’s business and operations, and how the entity assesses, prioritizes, and addresses those risks; and (2) a summary of each significant cybersecurity incident that occurred during the current or previous calendar year. The incident summary would be required to identify the person or persons affected, the date the incident was discovered and whether it is ongoing, whether any data was stolen, altered, accessed, or used for any unauthorized purpose, the effect of the incident on the entity’s operations, and whether the incident has been remediated or is currently being remediated. Covered Entities that are introducing broker-dealers or “carrying” broker-dealers would also be required to provide the form to customers at account opening, whenever the form is updated, and annually.
- All Market Entities would need to preserve certain records, with the specific requirements depending on the type of Market Entity.
In response to the proposed new Rule and regulation expansions, DLA Piper recommends that entities consider taking certain actions to ensure future compliance, including reviewing and refreshing internal security policies and procedures (eg, incident response plans and data breach notification procedures and policies), conducting internal testing (eg, annual compliance reviews, penetration testing, etc.), and ensuring adequate employee security training is in place.
For more information about the proposed expansions and new Rule listed above and the implications it may have on your organization, please contact the authors.