Published on March 15 by the Securities and Exchange Commission (SEC), the three proposed sets of rules would, among other things: (i) add new requirements addressing cybersecurity risk to the U.S. securities markets through Proposed Rule 10; (ii) extend the scope of entities covered by Regulation SCI; and (iii) enhance the protection of customer information under Regulation S-P.
Proposed Rule 10, if adopted, would impose certain requirements on Covered Entities.
The definition of Covered Entities includes, but is not limited to, broker-dealers that (i) maintain custody of cash and securities for customers or other broker-dealers; or (ii) introduce customer accounts to another broker or dealer that maintains cash and securities.
Requirements applicable to Covered Entities
Establish, maintain, and enforce written policies and procedures that are reasonably designed to address a Covered Entity’s cybersecurity risks. These policies and procedures must at a minimum include certain elements related to (i) risk assessment; (ii) user security and access; (iii) information protection; (iv) cybersecurity threat and vulnerability management; and (v) cybersecurity incident response and recovery.
Immediate written electronic notification to the SEC when a significant cybersecurity incident occurs or is occurring.
Subsequent detailed reports about the cybersecurity incident would also have to be provided to the SEC. Such reports would have to be made by filing Part I of proposed Form SCIR through the Electronic Data Gathering, Analysis, and Retrieval System (“EDGAR” or “EDGAR system”).
Two types of public disclosures would have to be made using Part II of proposed Form SCIR, in order to improve transparency with respect to cybersecurity risks and significant cybersecurity incidents: (i) a plain-language summary description of the cybersecurity risks that could materially affect the business and operations, and of how those risks would be assessed and addressed; and (ii) a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable.
Amendments to the existing recordkeeping rules would require Covered Entities to address cybersecurity risks through policies and procedures. This includes measures to detect, respond to, and recover from a cybersecurity incident, and procedures to create written documentation of any cybersecurity incident and of the response to and recovery from the incident.
Requirements applicable to Non-Covered Broker-Dealers
Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.
Review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.
Provide immediate written electronic notice of a significant cybersecurity incident affecting them to the SEC and to their examining authority.
Maintain and preserve versions of their policies and procedures and the record of the annual review.
Regulation Systems Compliance and Integrity (Reg SCI) currently applies to self-regulatory organizations; alternative trading systems meeting volume thresholds with respect to National Market System (NMS) stocks and non-NMS stocks; exclusive disseminators of consolidated market data; certain competing consolidators of market data meeting a gross revenue threshold; and certain exempt clearing agencies.
Under the proposal, the scope of Reg SCI would be expanded to include:
Registered security-based swap data repositories
Broker-dealers registered with the SEC that exceed either a total assets threshold or a transaction activity threshold
All clearing agencies exempted from registration
These entities would be subject to existing requirements which include:
Implementing policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability and promote the maintenance of fair and orderly markets
Taking appropriate corrective action in response to systems issues
Providing notices and reports to the SEC
Disseminating information about systems issues to affected parties
Proposed Regulation S-P would require Covered Institutions to
Adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information.
Have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.
Covered Institutions include broker-dealers, investment companies, registered investment advisers, and transfer agents.
Interested market participants may submit comments until 60 days after the date of publication of the proposing release in the Federal Register.