Who may be interested: Broker-Dealers, Transfer Agents, Clearing Agencies, Compliance Staff (with respect to new requirements for certain market entities) and Registered Investment Advisers and Investment Companies (with respect to reopening of comment period)

Quick Take: The SEC proposed new requirements for several different market entities designed to mitigate cybersecurity risk, including requirements relating to written policies and procedures and notifications about cybersecurity incidents.

The SEC recently proposed requirements aimed at reducing and addressing cybersecurity risk for market intermediaries, including broker-dealers, clearing agencies, national securities associations and exchanges, transfer agents, and major security-based swap participants, among others (“Market Entities”).

Under the proposal, Market Entities would be required to implement written policies and procedures reasonably designed to address cybersecurity risks and to review such policies and procedures at least annually. The annual review would cover the design and effectiveness of the policies and procedures, including whether such policies reflect changes in cybersecurity risk over the time period included in the review. Market Entities would also be required under the proposal to notify the SEC electronically in the event of a significant cybersecurity incident. 

Market Entities other than small broker-dealers (“Covered Entities”) would face additional requirements. Policies and procedures implemented by Covered Entities would need to include:

• periodic, documented assessments of risks;
• controls to minimize user risks and prevent unauthorized access;
• measures for monitoring information systems and for protecting against unauthorized access or use, including measures to oversee service providers that are permitted access;
• measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities; and
• measures to handle a cybersecurity incident as well as procedures to document an incident, the response to that incident, and the recovery from it.

The proposal would impose new disclosure requirements for Covered Entities on proposed Form SCIR, including confidential disclosure of any significant cybersecurity incident on Part I of the Form and publicly available summary descriptions of cybersecurity risks and prior incidents on Part II of the Form. Covered Entities would be required to post Part II of the Form on their website and, in the case of carrying broker-dealers or introducing broker-dealers, provide Part II to customers when opening accounts.

Comments on the proposal are due 60 days after publication of the proposing release in the Federal Register.

The proposed rule can be found here.

In a corresponding action, the SEC reopened the comment period for proposed cybersecurity rules applicable to registered investment advisers, registered investment companies and business development companies to allow for consideration and comment on the proposal in light of other regulatory developments and SEC proposals. The initial comment period ended on April 11, 2022. The reopened comment period will remain open for 60 days after the publication of the reopening release in the Federal Register.

The proposal can be found here.