On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed a new rule concerning cybersecurity risk management as well as updates to Regulations S-P and SCI (Systems Compliance Integrity).[1] With these proposals, the SEC aims to update its regulatory regime to address changes in the information landscape. If adopted, these rules would expand the scope Agency’s regulation and add to the patchwork of cybersecurity compliance considerations for the covered entities.
Updates to Regulation S-P
The SEC first adopted Regulation S-P in 2000. The regulation covers brokers-dealers, investment companies and registered investment advisers. Regulation S-P requires, inter alia, that these entities adopt written policies and procedures to protect their own “customer records and information” (Rule 248.30(a) or the “Safeguard Rule”) and to properly dispose “consumer report information” (Rule 248.30(b) or the “Disposal Rule”).[2] The disposal rule also applies to transfer agents. In proposing this rule update, the Commission observed the following:
Since Regulation S-P was adopted, evolving digital communications and information storage tools and other technologies have made it easier for firms to obtain, share, and maintain individuals’ personal information. This evolution also has changed or exacerbated the risks of unauthorized access to or use of personal information, thus increasing the risk of potential harm to individuals whose information is not protected against unauthorized access or use.[3]
The proposals include expanding the scope of safeguard rule to cover transfer agents and redefining the coverage of the Safeguard Rule and Disposal Rule to be encompassed by the unified term “Customer Information,” which would cover “nonpublic personal information”—whether it was collected by the covered entity or acquired from a third-party financial institution.[4]
The SEC further proposes expansions to the Safeguard Rule that would require covered institutions to adopt incident response programs that the Commission describes as “reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information.”[5] In the event that customer information was, or was reasonably likely to have been, accessed or used without authorization, the proposed update would also require the covered institution to provide notice within 30 days, unless it determines that there is no risk of harm.[6]
For the proposed notice requirement, the SEC acknowledges that it is wading into a heavily regulated area, with all 50 states “enact[ing] laws in recent years requiring firms to notify individuals of data breaches.” The SEC, reasoned, however, that the proposed updates would set a federal minimum standard that would provide more protections to individuals than a significant number of state statutes.[7]
Similar considerations may exist, albeit on a lesser scale, for the proposed incident response program. For instance, a broker-dealer covered by the cybersecurity regulations promulgated by New York State Department of Financial Services may already be required to have a cybersecurity policy that covers incident responses, under 23 NYCRR 500.16. Those entities may need to evaluate their current policies for another layer of regulatory compliance if the SEC adopts the proposed update.
Updates to Regulation SCI
Regulation SCI is of a more recent vintage, adopted by Commission in 2014. Regulation SCI imposes an extensive set of requirements on SCI covered entities, including that they:
[1] have comprehensive policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability and promote the maintenance of fair and orderly markets; [2] take appropriate corrective action in response to systems issues; [3] provide notices and reports to the Commission designed to facilitate oversight of securities market technology; [4] disseminate information about systems issues to affected parties; [5] conduct an annual review of compliance with Regulation SCI (SCI review); [6] conduct coordinated business continuity and disaster recovery (BC/DR) testing; [7] and make, keep, and preserve records.[8]
Regulation SCI currently covers significant market participants like:
[A] self-regulatory organizations, such as national securities exchanges, registered clearing agencies, registered securities associations, and the Municipal Securities Rulemaking Board; [B] alternative trading systems meeting volume thresholds with respect to National Market System (NMS) stocks and non-NMS stocks; [C] exclusive disseminators of consolidated market data; [D] certain competing consolidators of market data meeting a gross revenue threshold; [E] and certain exempt clearing agencies.”[9] The Regulation covers SCI systems operated directly by the entity as well as indirect SCI systems operated on by or on behalf of an entity that would be reasonably likely to pose a threat to an SCI system if breached; these SCI systems “directly support at least one of six market functions: (i) trading; (ii) clearance and settlement; (iii) order routing; (iv) market data; (v) market regulation; or (vi) market surveillance.[10]
The Commission’s proposed updates would expand the category of SCI entities to cover all [E] exempt clearing agencies, [F] registered security-based data repositories, and [G] large broker-dealer that exceed certain thresholds.[11] The SEC justified the expansion on the basis that “they play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue.”[12]
The SEC is also proposing updates to the requirements for SCI entities “to acknowledge certain technology changes in the market, including cybersecurity and third-party provider management challenges since the adoption of Regulation SCI in 2014, and to account for the experience and insights the Commission and its staff have gained with respect to technology issues surrounding SCI entities and their systems.”[13] These include requiring “SCI entities include key third-party providers in [6] annual BC/DR testing” and updating the definition of “systems intrusion”—that [3] require notice to the Commission—to include events like DDOS attacks.[14]
As with the proposed updates to Regulation S-P, this update would add another layer of regulation for many market participants. If we take the New York broker-dealer example again, that broker-dealer would now have to determine whether an incident was a system intrusion that it has to report to the Commission—along with whether it whether it qualifies a “cybersecurity event” (as defined by 23 NYCRR 500.01) that requires notice to the New York State Department of Financial Services under 23 NYCRR 500.17.[15]
Beyond that, the proposed updates to Regulation SCI cover many of the same topics and entities as the proposed updates to Regulation S-P as well as the new proposed rule on cybersecurity risk management. As the Commission acknowledges, there could be overlap in terms of “provisions requiring policies and procedures that address certain types of cybersecurity risks.”[16] Something similar could occur with reporting requirements for cybersecurity events.[17] The SEC takes the view that such overlaps “would be appropriate because, while the current and proposed cybersecurity requirements of Regulation SCI may impose some broadly similar obligations, it has a different scope and purpose”; the Commission further observes that compliance with all three of these regulations “can be accomplished through similar efforts” in some cases.[18]
New Rule on Cybersecurity Risk Management
Along with the updates to Regulations S-P and SCI, the SEC proposed a new cybersecurity risk management rule on March 15, 2023 that would apply to “broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, ‘Market Entities’).”[19]
The proposal would require these Market Entities “to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks” with annual written review and assessment of those policies.[20] Market Entities—outside of certain small broker-dealers—would also have to immediately provide notice to the Commission of a significant cybersecurity incident and then file a report about the incident. Additionally, those aforementioned Market Entities would also have to file a summary of their cybersecurity risks and significant cybersecurity incidents during the current or previous year with the SEC and make the summary available on their websites—with copies provided to customers of covered broker-dealers at account opening, when the summary is updated, and annually.[21]
Like the updates to Regulations S-P and SCI, the Commission justifies this new rule by noting that Market Entities play a critical role in our economy, with trillions at stake, and that they have become more reliant on information systems over the years.[22] With this reliance comes a “corresponding increase in their cybersecurity risk”—in terms of both threats and magnitude of harm—that the SEC seeks to address with this proposed rule.[23]
As discussed above, these proposed regulations may overlap with the proposed updates to Regulations S-P and SCI. Further, much like the proposed updates to the safeguard rule under Regulation S-P, the policies and procedures requirement under the new cybersecurity risk management regulation could overlap with cybersecurity regulations promulgated by the states.
Conclusion
The Commission’s proposed updates to Regulations S-P and SCI—as well as the new proposed rule on cybersecurity risk management—represent a potentially significant expansion in the scope of the Commission’s regulations in this area to address developments in technology. These proposals could add to an already crowded landscape of cybersecurity regulations, with their interactions with overlapping state requirements and each other’s requirements. In the event that these proposals are adopted, entities will likely need to reassess their cybersecurity policies and procedures to ensure compliance with these additional layers of regulation.
[1] U.S. Securities & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97142.pdf; U.S. Securities & Exch. Comm’n, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97141.pdf; U.S. Securities & Exch. Comm’n, Regulation Systems Compliance and Integrity (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97143.pdf.
[7] U.S. Securities & Exch. Comm’n, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information at 4-6 (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97141.pdf. Note that the current proposed rule does not “permit delayed notifications for law enforcement purposes.” Id. at 5, 60.
[15] In practice providing notice to the Commission would likely dictate providing notice to the Department of Financial Services, since the New York regulation requires notice if “cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.” 23 NYCRR 500.17. However, depending on how broadly system intrusions are defined in the updated rule, there could be situations where a “systems intrusion” under Regulation SCI is not necessarily a “cybersecurity event” under the New York regulations.
[20] U.S. Securities & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents at 55 (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
[21] U.S. Securities & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents at 56-57 (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
[22] U.S. Securities & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents at 7-23 (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
[23] U.S. Securities & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents at 11-12 (March 15, 2023) https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
