On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

• Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
• New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
• Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]

As Commissioner Hester Peirce observed, each Proposed Rule “overlaps and intersects with each of the others, as well as other existing and proposed regulations.” [5] Therefore, while each of the Proposed Rules relates to similar cybersecurity goals, each must be considered in turn to determine whether a particular company is covered and what steps the company would need to undertake should the Proposed Rules become final.

Below we discuss each set of Proposed Rules in more detail and provide some takeaways and tips for cybersecurity preparedness regardless of industry.

Proposed Reg S-P Amendments

Reg S-P, adopted in 2000, requires that brokers, dealers, investment companies, and registered investment advisers adopt written policies and procedures regarding the protection and disposal of customer records and information.[6] But, as Chair Gensler explained in a statement in support of the Proposed Reg S-P Amendments, “[t]hough the current rule requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” and the Proposed Reg S-P Amendments look to “close this gap.”[7]

In particular, “[w]hile all 50 states have enacted laws in recent years requiring firms to notify individuals of data breaches, standards differ by state, with some states imposing heightened notification requirements relative to other states,” and the SEC seeks, through the Proposed Reg S-P Amendments, to provide “a Federal minimum standard for customer notification” for covered entities.[8] This includes a definition of “sensitive customer information” which is broader than that used in at least 12 states; a 30-day notification deadline, which is shorter than timing currently mandated by 15 states (plus 32 states which do not include a notification deadline or permit delayed notifications for law enforcement purposes); and required notification unless the covered institution finds no risk of harm, unlike 21 states which only require notice if, after investigation, the covered institution does find risk of harm.[9]

Furthermore, while Reg S-P currently applies to broker-dealers, investment companies, and registered investment advisors, the Proposed Reg S-P Amendments would expand the scope to transfer agents.[10] It also would apply customer information safeguarding and disposal rules to customer information that a covered institution receives from other financial institutions and to a broader set of information by newly defining the term “customer information” which, for non-transfer agents, would “encompass any record containing ‘nonpublic personal information’ (as defined in Regulation S-P) about ‘a customer of a financial institution,’ whether in paper, electronic or other form that is handled or maintained by the covered institution or on its behalf,” and for transfer agents, which “typically do not have consumers or customers” for purposes of Reg S-P, would have a similar definition with respect to “any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is handled or maintained by the transfer agent or on its behalf.”[11]

Proposed Cybersecurity Risk Management Rule

The Proposed Cybersecurity Risk Management Rule will impact a variety of “different types of entities performing various functions” in the financial markets defined as “Market Entities,” including “broker-dealers, broker-dealers that operate an alternative trading system, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.”[12]

As Chair Gensler explained, the Proposed Cybersecurity Risk Management Rule is designed to “address financial sector market entities’ cybersecurity,” by, among other things, requiring Market Entities to adopt written policies and procedures to address their cybersecurity risks, to notify the SEC of significant cyber incidents, and, with the exception of smaller broker-dealers, to disclose to the public a summary description of cybersecurity risks that could materially affect the entity and significant cybersecurity incidents in the current or previous calendar year.[13]

According to the SEC, these policies and procedures are “not intended to impose a one-size-fits-all approach to addressing cybersecurity risks,” and are designed to provide Market Entities “with the flexibility to update and modify their policies and procedures as needed[.]”[14] However, there are certain minimum policies and procedures that would be required, such as periodic assessments of cybersecurity risks,[15] controls designed to minimize user-related risks and prevent unauthorized system access,[16] periodic assessment of information systems,[17] oversight of service providers that receive, maintain, or process the entity’s information (including  written contracts between the entity and its service providers),[18] measures designed to detect, mitigate, and remediate cybersecurity threats and vulnerabilities,[19] measures designed to detect, respond to, and recover from cybersecurity incidents,[20] and an annual review of the design and effectiveness of cybersecurity policies and procedures (with a written report).[21] For most regulated entities, such measures are already in place.

Proposed Reg SCI Amendments

Finally, the SEC has proposed amendments to Reg SCI, a 2014 rule adopted to “strengthen the technology infrastructure of the U.S. securities markets, reduce the occurrence of systems issues in those markets, improve their resiliency when technological issues arise, and establish an updated and formalized regulatory framework” for the SEC’s oversight of these systems.[22]  Reg SCI applies to “SCI Entities,” which include self-regulatory organizations, certain large Alternative Trading Systems, and certain other market participants deemed to have “potential to impact investors, the overall market, or the trading of individual securities in the event of certain types of systems problems.”[23]

The Proposed Reg SCI Amendments would expand the definition of SCI Entity to include registered Security-Based Swap Data Repositories, registered broker-dealers exceeding a size threshold, and additional clearing agencies exempt from registration.[24] They also would broaden requirements to which SCI Entities are subject, including  required notice to the SEC and affected persons of any “systems intrusions,” which would include a “range of cybersecurity events.”[25]

Takeaways

While the Proposed Rules are not adopted as-of-yet, companies which could be covered should take the opportunity to reevaluate their cybersecurity practices and policies, both to mitigate as much as possible the risk of a cyber-attack and to be prepared to address an attack, including meeting all notification requirements, should one occur.

Among other things, best practices include:

• A written cyber risk assessment which categorizes and prioritizes cyber risk based on an inventory of the information systems’ components, including the type of information residing on the network and the potential impact of a cybersecurity incident;
• A cybersecurity vulnerability assessment to assess threats and vulnerabilities; determine deviations from acceptable configurations, enterprise or local policy; assess the level of risk; and develop and/or recommend appropriate mitigation countermeasures in both operational and nonoperational situations;
• A written incident response plan that defines how the company will respond to and recover from a cybersecurity incident, including timing and method of reporting such incident to regulators, persons or other entities;
• A business continuity plan designed to reasonably ensure continued operations when confronted with a cybersecurity incident and maintain access to information;
• Tabletop exercises to review and test incident response and business continuity plans;
• Annual review of policies and procedures.

As a next step, each of the Proposed Rules will be published on the Federal Register and open for comment for sixty days following this publication. Regardless of whether the Proposed Rules are adopted, they represent the SEC’s increasing awareness of, and desire to mitigate, cybersecurity incidents, and companies should be prepared accordingly.

[1] Gensler, Gary, Opening Statement before the March 15 Commission Meeting (SEC, March 15, 2023).

[2] See Press Release, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (SEC, March 15, 2023). The full text of the Proposed Reg S-P Amendments can be found here.

[3] See Press Release, SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets (SEC March 15, 2023). The full text of the Proposed Cybersecurity Risk Management Rule can be found here.

[4] See Press Release, SEC Proposes to Expand and Update Regulation SCI (SEC, March 15, 2023). The full text of the Proposed Reg SCI Amendments can be found here.
In addition, on March 15, 2023 the SEC re-opened comments on proposed cybersecurity risk management rules for investment advisors until May 22, 2023. For our analysis of these proposed rules, see How Fund Industry Can Prepare For SEC’s Cyber Proposal (Law360, March 4, 2022). The SEC is also presently considering comments on a different proposed rule mandating certain cybersecurity disclosures by public companies. See Carlson, Scott and Riley, Danny, SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies (Carpe Datum Blog, April 14, 2022).

[5] Peirce, Hester, Statement on Regulation SP: Privacy of Consumer Financial Information and Safeguarding Customer Information (SEC, March 15, 2023).

[6] Proposed Reg S-P Amendments, supra n.2 at 1.

[7] Gensler, Gary, Statement on Amendments to Regulation S-P (SEC, March 15, 2023).

[8] Proposed Reg S-P Amendments, supra n.2 at 4.

[9] Id. at 4-6.

[10] Proposed Reg S-P Amendments, supra n.2, at 6-7.

[11] Id. at 74-75, 82.

[12] Proposed Cybersecurity Risk Management Rule, supra n. 3 at 9-10 (internal definitions of terms omitted).

[13] Gensler, Gary, Statement on Enhanced Cybersecurity for Market Entities (SEC, March 15, 2023).

[14] Proposed Cybersecurity Risk Management Rule, supra n. 3 at 103.

[15] Id. at 103-108.

[16] Id. at 109-112.

[17] Id. at 113-115.

[18] Id. at 115-116.

[19] Id. at 116-118.

[20] Id. at 118-124.

[21] Id. at 124-126.

[22] Proposed Reg SCI Amendments, supra n.4 at 10.

[23] Id. at 13-14.

[24] Id. at 24.

[25] Id. at 24-25.