Thursday, March 16, 2023

SEC unveils suite of new cybersecurity rules for securities markets

By Suzanne Cosgrove

The SEC proposed new rules Wednesday that would require all securities market entities to establish, maintain and enforce written policies and procedures to address cybersecurity risks, and to assess the effectiveness of those policies and procedures at least annually, including whether they reflect changes in cybersecurity risk over the period covered by the review (Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34-97142, March 15, 2023).

The rules would impact participants at all levels of the securities industry, the SEC said, including most broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board (MSRB), national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.

The proposed “Rule 10” regulations would compel financial firms to immediately notify the SEC of a significant cybersecurity incident by providing a written electronic notice of the event and report detailed information about the incident to the Commission on Part I of a proposed reporting vehicle, called Form SCIR. The new form is designed to collect information about cybersecurity incidents, as well as the covered entity’s efforts to respond to and recover from them.

In addition, the firms would be required to publicly disclose summaries of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of the proposed Form SCIR – filing the form with the Commission and posting it on its website.

As part of the proposal, the Commission also included amendments to existing clearing agency exemption orders that would require the retention of records needed under the new cybersecurity requirements.

If adopted, the rules would set standards for market entities’ cybersecurity practices, said SEC Chair Gary Gensler in a statement. “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age,” Gensler added.

The SEC has published a cybersecurity Fact Sheet that summarizes the 530-page proposal and highlights key Rule 10 recommendations. “This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets,” Gensler said.

The big picture. In an apparently related action, the SEC Wednesday also reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies and business development companies.

The investment adviser rules were proposed by the Commission last year, on February 9, 2022, and the original comment period ended on April 11, 2022.

The Commission said the reopened comment period will allow interested persons additional time to analyze the issues in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure.

Too much paperwork? In a strongly worded reaction to the proposed Rule 10 and Form SCIR, SEC Commissioner Hester Peirce agreed that there are heavy reputational and financial costs associated with cybersecurity breaches. “Addressing this challenge constructively requires the Commission to work with firms in a way that helps them shore up cyber-defenses and minimize the consequences of cyberattacks,” she said.

But Peirce said she would not support the current proposal. “The Commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers,” she said.

“This proposal demonstrates that our priority is to create even more legal peril for a firm in this situation, legal peril that will distract employees of the firm from mitigating the immediate threat to the firm and its customers as they navigate the aggressive deadlines and open-ended information demands of the Commission,” Peirce said.

Commissioner Mark Uyeda also raised concerns about the proposed regime. Requiring covered entities to provide written notice immediately and file a form within 48 hours of an incident “would demand immediate attention from management all in the midst of responding to a breach and alerting other authorities, including law enforcement. And for what purpose? The SEC does not have a cyber response team that could immediately respond to seal the breach and provide technical assistance.”

Uyeda also objected that the SEC did not use its express authority under Dodd-Frank to test whether the proposed disclosures to investors would be effective. It is possible, he said, that customers who already receive voluminous disclosures from their broker-dealers may simply ignore the additional cybersecurity disclosures.

Finally, Uyeda wondered why the new proposal was not informed by public comments received on a similar proposal from the Division of Investment Management. Along with that 2022 proposal are two other new proposals that overlap with the newly proposed cybersecurity rules. “It is crucial that there is a clear regulatory framework to address cybersecurity,” Uyeda wrote. “While the proposals acknowledge the possibility of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs. A preferable approach would have been to propose a set of coordinated rules and to consider those costs and benefits both individually and as a package.”

This is Release No. 34-97142.