On March 15, 2023, the Securities and Exchange Commission (“SEC”) concurrently proposed three rules designed to address the growing prevalence of data breaches at financial institutions and their impact on customers. The proposed rules follow pending proposals published in 2022 that address cybersecurity risks with respect to investment advisers, investment companies, and public companies.
The proposed rules would require various financial institutions to adopt written policies and procedures governing various data security issues, assess cybersecurity risks and procedures annually, report security incidents to the Commission and to the public, and expand existing security requirements to new covered entities.
Proposed Amendments to Regulation S-P
The first proposal would amend Regulation S-P to require covered entities to adopt certain written policies and procedures and to notify customers of security breaches.
Written Policies and Procedures
Currently, Regulation S-P requires registered broker-dealers, investment companies, and investment advisers to inform customers about how those institutions use customer financial information. However, Regulation S-P does not require institutions to notify customers about data breaches. The proposed rule would amend Regulation S-P to require registered broker-dealers, investment companies, investment advisers, and transfer agents (“Covered Institutions”) to adopt written policies and procedures that:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of customer information;
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer; and
- Include an incident response program for detecting, responding to, and recovering from unauthorized access to or use of customer information.
Covered Institutions would also be required to notify impacted individuals within 30 days of determining, through a reasonable investigation, that sensitive customer information has been, or is reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. If the Covered Institution is unable to identify which specific individuals’ sensitive customer information has been accessed/used, the Covered Institution must provide notice to all individuals whose sensitive customer information resides in the breached information system.
Proposed Rule 10 of the Securities Exchange Act
The second proposal would create a new Rule 10 under the Securities Exchange Act of 1934 requiring all “Market Entities” to adopt written policies and procedures that address their cybersecurity risks, and to report certain cybersecurity incidents. “Market Entities” are defined as broker-dealers, the MSRB, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap repositories, security-based swap dealers, and transfer agents.
Written Policies and Procedures
Market Entities would be required to adopt policies and procedures that address cybersecurity risks and that specifically include the following:
- Periodic cybersecurity risk assessments, and written documentation of the same.
- Controls to minimize user-related risks and unauthorized access to information systems.
- Measures to monitor the entity’s information systems and oversee service providers that access those information systems.
- Measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities.
- Annual review and assessment of the design and effectiveness of cybersecurity policies and procedures, and preparation of a written report that describes the review, assessment, tests performed, results of the review/assessment, prior incidents, and material changes to policies and procedures.
Reporting Significant Cybersecurity Incidents
Market Entities would further be required to immediately notify the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude one has occurred or is occurring. A “significant cybersecurity incident” is an incident that jeopardizes the confidentiality, integrity, or availability of the information systems or any information on those systems.
Market Entities would also need to file a new Form SCIR promptly, but no later than 48 hours, after having a reasonable basis to conclude that the incident has occurred or is occurring. Form SCIR gathers information about the significant cybersecurity incident and the entity’s efforts to respond to and recover from the incident.
The Market Entity would need to disclose to the public the following information on Form SCIR:
- A plain-English summary description of the cybersecurity risks that could materially affect its business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks; and
- A summary description of each significant cybersecurity incident that occurred during the current or previous calendar year.
Proposed Expansion and Updates to Regulation SCI
The third proposal would expand Regulation Systems Compliance and Integrity (Reg SCI) to account for the evolution of technology since the regulation’s adoption in 2014. The Reg SCI updates would expand the entities covered by Regulation SCI to include the DTCC Data Repository and the ICE Trade Vault, approximately 20 of the largest broker-dealers in the U.S. (based on total asset and transaction activity thresholds), and the five currently exempt clearing agencies.
All SCI covered entities would need to update their policies and procedures to include:
- An inventory, classification, and lifecycle management program.
- A program to oversee third party providers.
- Business continuity/disaster recovery plans that address the unavailability of key third party providers.
- A program to prevent unauthorized access to SCI systems and information.
- Identification of current SCI industry standards with which each policy and procedure is consistent.
The proposed rules are open for comment until 60 days after publication in the Federal Register. Additionally, in light of the proposed rules and other technological advancements, the SEC has reopened comments on its 2022 Investment Management Cybersecurity Proposal until May 22, 2023.
If you have questions about the proposed regulations or your current cybersecurity obligations, please reach out to a member of Michael Best’s Securities and Capital Markets team. Michael Best also has Privacy and Cybersecurity attorneys who help you meet industry security standards.