Cyber security is an area that has rapidly evolved over the past few years. Once a threat that was considered obscure by some and not significant by others, it is now a key area of focus for many. The stakes today are by any definition significant. A breach can result in millions of records held by an issuer or market participant such as a broker-dealer being obtained and perhaps disseminated. Frequently those records contain personal information of thousands if not millions of persons, including financial and credit card data. As activity in this area has evolved, the Commission and DOJ have investigated and filed cases.
Last year the Commission proposed rules for issuers designed to require the creation of policies and procedures to protect the company and its information. The proposals also included reporting obligations in case of a breach. Now the agency is proposing that market participants adopt similar rules.
Proposed Rule 10 is at the center of the proposed rules for market participants. It would require that Market Entities – essentially most broker-dealers other than some small firms – address the risks presented in the area by adopting a set of policies and procedures which are reasonably designed to address those risks. Those policies and procedures would be reviewed each year and amended or updated in view of the evolving cyber risks. Market entities would also be required to provide the Commission with a written electronic notice immediately if there is a reasonable basis for believing that a significant breach has occurred, as well as updates and disclosure as discussed below.
Form SCIR – updates/disclosure
Covered entities would be required under Rule 10 to complete Form SCIR to update the Commission and provide disclosure. One section of the form provides the Commission with periodic updates. Another section focuses on disclosure. It provides summary descriptions of the cyber risks and significant incidents experienced in the current and prior year that are to be published on the broker-dealer’s website. Customers opening a new account would be furnished a copy of the disclosures, as would existing customers when updates are made, including the yearly update. This material is designed to be posted on the firm website.
The proposals initiated by the Commission build on those launched last year for issuers and the series of enforcement actions which predated those proposals. Collectively, the proposals last year and now are designed to provide an overall response to the rapidly increasing threat posed by cyber while assuring the markets and the public that confidential information will be protected.
To be sure, the proposals are a good starting point, thoughtfully designed to address the key points of a threat that is well recognized, acknowledged by many and rapidly evolving. At the same time, they are controversial even among the Commissioners who acknowledge the threat. Chair Gensler and Commissioners Crenshaw and Lizarraga support the proposals. Commissioners Peirce and Uyeda do not. No doubt there will be a variety of comments furnished to the agency before the process is completed.