On March 15, 2023, the SEC issued proposed amendments and a proposed rule addressing cybersecurity. Specifically, the SEC proposed Rule 10, which addresses cybersecurity risks, and proposed to amend Regulation SCI and Regulation S-P.
Affected entities and institutions may submit comments until 60 days after the date of publication of the proposed release in the Federal Register. Affected entities should continue to monitor the SEC’s increased regulation of cybersecurity to determine whether their current policies and procedures comply with the SEC’s latest proposals.
The proposed rule and both sets of proposed amendments each apply to a different set of entities. We have outlined the various requirements for each below—
SEC Proposed Rule 10
The SEC’s proposed Rule 10 would include various requirements for addressing cybersecurity risks.
The proposed rule would apply to “Market Entities,” which include broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board (MSRB), national securities associations, national securities exchanges, security-based swap data repositories (SBSDRs), security-based swap entities, and transfer agents. A subgroup of these Market Entities are referred to as “Covered Entities,” which include the MSRB, certain broker-dealers, all clearing agencies, national securities associations, national securities exchanges, SBSDRs, security-based swap entities, and transfer agents. Under proposed Rule 10, these Covered Entities would have certain additional requirements. The proposed rule would require the following:
- Policies and Procedures. Market Entities would be required to implement written policies and procedures that address cybersecurity risks. Covered Entities would need to implement policies and procedures that specifically address user security, information protection, vulnerability management, and incident response. All Market Entities would be required to annually review and “assess their policies and procedures.” Additionally, Covered Entities would be required to prepare a report, while Non-Covered Entities would be required to prepare a record of their review.
- Notification and Reporting of Significant Cybersecurity Incidents. Market Entities would need to provide the SEC “immediate written electronic notice” of a “significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.” Covered Entities would also need to file, on a confidential basis, the proposed Form SCIR within 48 hours and provide any significant updates thereafter
- Disclosure of Cybersecurity Risks and Incidents. The proposed rule would also require a Covered Entity to make public disclosures on the proposed Form SCIR. Specifically, Covered Entities would need to summarize their cybersecurity risks and provide summaries for any significant cybersecurity incidents experienced during the current or previous calendar year.
- Recordkeeping. The proposed rule would set forth preservation and maintenance requirements for Market Entities, such as retaining certain records for three years.
Amendments to Regulation SCI
The SEC also proposes to update Regulation Systems Compliance and Integrity (“Regulation SCI”) to address intensified cybersecurity risks in the U.S. securities market. Some of the core amendments include:
- Expanded Definition of SCI Entity. The SEC proposes to expand the definition of “SCI entity” to include SBSDRs, certain registered broker-dealers (i.e., SCI broker-dealers), and additional clearing agencies exempted from registration.
- Strengthening Obligations of SCI Entities. The SEC also proposes a number of amendments to enhance the cybersecurity provisions of Regulation SCI, such as updating the requirements for penetration testing and SCI reviews, expanding the definition of “system intrusions” and notification requirements, and requiring the implementation of a program to prevent unauthorized access of SCI systems.
Amendments to Regulation S-P
Finally, the SEC proposes to amend Regulation S-P to require broker-dealers, investment companies, and investment advisers registered with the SEC to have incident response programs and notify individuals in the event of a data breach. Key updates include:
- Incident Response. Covered institutions would be required to implement incident response programs “reasonably designed to detect, respond to, and recover from” unauthorized access to and unauthorized use of customer information. Additionally, covered institutions would be required to “assess the nature and scope of any incidents involving unauthorized access” and implement procedures for containing and controlling an incident.
- Customer Notification. Covered institutions would be required to notify affected individuals whose sensitive customer information was reasonably likely to have been accessed or used without authorization, as soon as practicable, but no later than 30 days, after becoming aware that sensitive customer information was accessed/used or is reasonably likely to have been accessed/used.
- Scope of Information under Safeguards Rule and Disposal Rule. The SEC proposes broadening the scope of information covered to include “customer information.”
- Recordkeeping. Covered institutions would be required to “make and maintain written records documenting compliance” with the requirements of Regulation S-P’s safeguards and disposal rules.
The SEC’s public comment period for all of these updates will remain open until 60 days after the date of publication of the proposed release in the Federal Register, and interested entities may submit comments.
These recent SEC updates would require covered institutions and entities to enhance and update their cybersecurity policies and procedures. The Paul Hastings Privacy and Cybersecurity practice will be closely monitoring these updates and, as always, is available to assist clients.
Paul Hastings LLP – Aaron Charfoos and Jacqueline Cooney
March 27 2023