A new proposed Rule 10 would require the implementation of adequate policies and procedures to address cybersecurity risk by all market entities. These policies and procedures would need to be regularly reviewed in order to ensure that they remain fit for purpose as cyber threats continue to evolve. All market entities would be required to immediately notify the SEC of a Significant Cybersecurity Incident (see definition below).
Alongside the new rule, a new Form SCIR is being proposed, which would comprise two parts: Part I would provide information on any Significant Cybersecurity Incident to the regulator, and Part II would disclose information on significant cybersecurity risks and incidents experienced by the entity in the current or previous calendar year.
Risk level
The SEC’s proposals include the creation of a defined term, “Covered Entity”. Organizations would be designated as covered entities based on the level of risk they pose to investors and the financial sector. The regulatory net is cast very widely here, and covered entities include the vast majority of market participants, including:
- broker dealers;
- clearing agencies;
- major security-based swap participants;
- the Municipal Securities Rulemaking Board;
- FINRA;
- national securities exchanges;
- security-based swap data repositories;
- security-based swap dealers;
- transfer agents.
Covered entities would be required to implement policies and procedures that include some key additional requirements, including:
- periodic risk assessments;
- user controls;
- system monitoring and protection;
- detection, mitigation and remediation;
- response and recovery.
Periodic risk assessments would not only cover the entity’s own systems, but would also involve identifying the service providers that an entity uses and assessing the cybersecurity risks connected with them. The new rule would also require the “oversight of providers that receive, maintain, or process the covered entity’s information” or that have access to it.
Significant Cybersecurity Incident
Covered entities would also be subject to additional specific disclosure and reporting obligations, including the public release of Part II of Form SCIR. For broker dealers, for example, Part II of the form would need to be provided to customers at account opening.
Key terms defined in the proposed rule include cybersecurity incident, risk, vulnerability and threat. Also included in the definitions is the concept of a Significant Cybersecurity Incident, which is one that either:
- disrupts or degrades the ability of the market entity to maintain critical operations; or
- leads to unauthorized access to information that might result in substantial harm to the entity or other connected parties.
In addition to the new rule, a number of existing recordkeeping and retention rules are being amended to bring the new policies and procedures within their scope. The regulatory thrust here is aimed at having market participants help ward off systemic harm to the financial system that results directly from a cybersecurity incident. The SEC, like other regulators globally, is fully aware of the interconnectedness of the financial system and is attempting to address the potential for systemic contagion when a cybersecurity incident simultaneously impacts multiple market entities.
In a connected release, the SEC is reopening the comment period for the proposed cybersecurity risk management rules aimed at registered investment advisers and funds. The initial comment period for these ended on April 11, 2022.