On March 15, 2023, the Securities and Exchange Commission ("Commission") addressed continuing concerns regarding cybersecurity risks by proposing amendments to Regulation S-P and Regulation SCI, and by proposing a new rule and form addressing cybersecurity risks for a broad array of broker-dealers and other market participants.
Proposed Enhancements to Regulation S-P (Fact Sheet)
Regulation S-P, adopted in 2000, generally requires that broker-dealers, investment companies, and registered investment advisers adopt written policies and procedures to safeguard customer records and information, properly dispose of consumer report information, and implement privacy policy notice and opt-out provisions. The proposed amendments (unanimously approved by the Commission) would, among other things:
- Expand the safeguarding and disposal provisions to cover "customer information," defined to include nonpublic personal information about a customer of a financial institution. As defined, "customer information" would cover both nonpublic personal information that a "covered institution" collects about its own customers and nonpublic personal information it receives from a third-party financial institution about that institution's customers.
- Require covered institutions to adopt cybersecurity incident response programs that are designed to:
  - detect, respond to, and recover from unauthorized access to or use of customer information;
  - assess the nature and scope of any such incident;
  - contain and control such incidents; and
  - address the risk of harm posed by security compromises at service providers (through contractual provisions between the covered institution and the service provider).
- Require covered institutions to notify (in a timely manner) affected individuals whose "sensitive customer information" was or is reasonably likely to have been accessed or used without authorization.
The proposed rule includes a rebuttable presumption to notify affected individuals in the event of such unauthorized access to or use of customer information. A covered institution may rebut the presumption (and not send notices), but only where the covered institution can demonstrate that it has determined, after a reasonable investigation, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
Regulation SCI: Proposed Expansion and Updates (Fact Sheet)
Regulation Systems Compliance and Integrity (Reg SCI), adopted in 2014, seeks to help ensure that the technology infrastructure of the U.S. securities markets remains robust, resilient, and secure. Reg SCI applies to certain entities (SCI entities) with respect to their automated and similar systems that directly support any one of a number of key securities market functions (e.g., trading, clearance and settlement, market regulation). Reg SCI currently requires SCI entities to, among other things:
- Implement comprehensive policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability;
- Take appropriate corrective action in response to systems issues;
- Provide notices and reports to the Commission to facilitate oversight; and
- Conduct coordinated business continuity and disaster recovery testing.
The proposed amendments (approved by a 3-2 vote, with Commissioners Peirce and Uyeda dissenting) would expand and enhance the above-referenced requirements by, for example, requiring that such policies and procedures include a program to manage and oversee third-party providers (including cloud service providers) that provide services to or support SCI entities.
The proposed amendments would also expand the definition of "SCI entities" subject to Reg SCI, to include:
- Registered security-based swap data repositories;
- Registered broker-dealers that exceed a total assets threshold (total assets of 5% or more of the total assets of all security brokers and dealers) or a transaction activity threshold (generally 10% or more of the total average daily dollar volume of trading activity) in NMS stocks, exchange-listed options, U.S. Treasury securities, or Agency securities; and
- All clearing agencies exempt from registration.
Addressing Cybersecurity Risks: "Market Entities" (Fact Sheet)
The Commission also proposed a new rule, form, and related amendments (approved by a 3-2 vote, with Commissioners Peirce and Uyeda dissenting) to require entities that perform critical services supporting the fair, orderly, and efficient operation of the U.S. securities markets ("Market Entities") to address their cybersecurity risks. The new requirements would apply to, among others, broker-dealers, clearing agencies, major security-based swap participants, security-based swap data repositories, and security-based swap dealers.
The proposed rule would require all Market Entities to:
- Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks;
- Review and assess (at least annually) the design and effectiveness of such policies and procedures; and
- Provide immediate written electronic notification to the Commission of any significant cybersecurity incident.
In addition, for Market Entities other than certain types of small broker-dealers (the non-excluded Market Entities being defined in the proposal as "Covered Entities"), the proposed rule would also:
- Expand, beyond immediate electronic notification to the Commission, the reporting of cybersecurity incidents (on proposed Form SCIR, Part I);
- Require certain public disclosures regarding cybersecurity risks and significant cybersecurity incidents (on proposed Form SCIR, Part II); and
- Include a number of more specific requirements to be addressed in such written policies and procedures (e.g., measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities; measures to detect, respond to, and recover from a cybersecurity incident; and procedures to oversee service providers that receive, maintain, or process information or otherwise are permitted access to such entities' information systems).
Certain types of small broker-dealers (excluded from the definition of Covered Entity in the proposed rule) would not be subject to these additional requirements (e.g., a registered broker-dealer that has less than $50 million in regulatory capital or less than $1 billion in total assets).
Final Thoughts
The proposing releases acknowledge, and request public comment on, the potential overlap among the Commission's cybersecurity-related regulations. As proposed, and absent a meaningful unified approach, investment advisers, broker-dealers, and other impacted market participants will likely find it quite challenging to navigate the sea of varying cybersecurity compliance obligations. Relatedly, the SEC has reopened the comment period (which initially closed on April 11, 2022) for its February 2022 rule proposal that would require investment advisers, registered investment companies, and business development companies to adopt and implement policies and procedures reasonably designed to address cybersecurity risk. That rule proposal is, in many ways, substantially similar to the cybersecurity risk management rule for Market Entities discussed above. Several Commissioners raised questions about the extent to which the Commission took into account the comments received on the February 2022 rule proposal when developing the cybersecurity risk management proposal for Market Entities.
We will continue to monitor developments in this area. The reopened comment period and the comment periods for all three proposals are open for 60 days following publication in the Federal Register.