Last week, on March 15, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) continued its aggressive push to regulate the cybersecurity of entities in the financial services sector, proposing three rules affecting a variety of SEC-regulated entities, including broker-dealers, investment companies, and investment advisers, as covered here . These proposals have been in the works since at least early 2022, when SEC Chair Gary Gensler previewed rulemaking his staff was considering.
In addition, the SEC reopened the comment period with respect to the regulations relating to investment advisers, investment companies, and business development funds for an additional 60 days, after the regulation was initially made available in February 2022. However, similar regulations for publicly traded companies from March 2022, relating to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, remain in draft form, and are still awaiting finalization. Notwithstanding, the Commission has continued to release regulations, in accordance with the Biden-Harris Administration National Cybersecurity Strategy to secure the digital ecosystem for all Americans.
Accordingly, the three new proposals—totaling over 1000 pages—are summarized below. The public has at least 60 days to submit comments to the SEC on the proposed rules.
Regulation S-P
Following the enactment of the Gramm-Leach-Bliley Act of 1999, the SEC promulgated current Regulation S-P, which imposes three requirements on registered broker-dealers, investment companies, and investment advisers (“covered institutions”) related to protecting certain “nonpublic personal information”. First, covered institutions must adopt policies to protect nonpublic personal information (the “Safeguards Rule”). Second, covered institutions must dispose of “consumer report information” in a secure manner (the “Disposal Rule”). Third, covered institutions must implement a privacy notice regarding the nonpublic personal information collected and allow customers to opt out of sharing with non-affiliated third parties.
The SEC’s new proposal would augment the requirements of the Regulation S-P’s Safeguards and Disposal Rules, while imposing new requirements related to investigation and reporting of data breaches. If adopted, the proposed rules would expand the scope of the previous rules to cover “customer information,” defined as any “nonpublic personal information” about a “customer of a financial institution.” § 248.30(e)(5)(i). Currently, Regulation S-P applies to “customer records and information”, which is undefined by the GLBA and Regulation S-P. Accordingly, the amendment is intended to align Regulation S-P with “the objectives of the GLBA” and the definition of “customer information” in the FTC’s Safeguards Rule.
Under the proposal, covered institutions would be required to implement an “incident response program” that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” § 248.30(b)(3). As part of the incident response program, covered entities would be required to notify their customers within 30 days “after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” § 248.30(b)(4)(iii).
However, an entity is not required to provide notice if it determines that “sensitive customer information” was not likely to be use “used in a manner that would result in substantial harm or inconvenience.” § 248.30(b)(4)(i). The term “sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” § 248.30(e)(9)(i). As SEC Commissioner Hester M. Peirce noted in her accompanying statement, the limits of this definition are unclear. In its request for comment, the SEC inquires whether “the proposed standard for providing notification is sufficiently clear[.]”
Finally, the proposed rule would extend these requirements to include “transfer agents” registered with the SEC as covered entities subject to Regulation S-P.
Market Entities: Rule 10 and Form SCIR
By a 3-2 vote, the SEC proposed a new Rule 10 and form SCIR for certain “Market Entities” that operate critical infrastructure for the securities markets: broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. The proposed Rule 10 consists of the three main requirements.
First, Market Entities would be “required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the [Market Entity’s] cybersecurity risks.” § 242.10(b)(1), (e)(1). At a minimum (except for small broker-dealers), these policies and procedures would need to include provisions addressing: (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents. § 242.10(b)(1)
Second, Market Entities would be required to give the SEC “immediate written electronic notice upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring” § 242.10(c)(1), (e)(2). Under the draft regulations, significant cybersecurity incidents are those that: (1) “significantly disrupt or degrade the ability of the Market Entity to maintain critical operations”; and (2) result in unauthorized access or use of information or information systems that leads to either “substantial harm to the Market Entity” or “substantial harm to a customer, counterparty, member, registrant, or user of the Market Entity, or to any other person that interacts with the Market Entity.” See Proposal sec. II.A.2. Market Entities (other than small broker-dealers) would be required to file a report to the SEC within 48 hours upon having a reasonable basis to conclude a significant cybersecurity incident occurred. § 242.10(b)(2)(i). The form and required content of the report would be set by the SEC in its new form SCIR.
Third, similar to other pending cybersecurity proposals from the SEC, Market Entities (other than small broker-dealers) would be required to disclose “a summary description of the cybersecurity risks that could materially affect the covered entity’s business and operations and how the covered entity assesses, prioritizes, and addresses those cybersecurity risks.” § 242.10(d)(1)(i). Additionally, the Market Entity would be required to disclose a summary of significant cybersecurity incidents for the previous calendar year. § 242.10(d)(1)(ii).
Regulation SCI
By another 3-2 vote, the SEC proposed both expanding the scope of entities subject to its Regulation Systems Compliance and Integrity (“Regulation SCI”) and adding to its requirements. Under the current Regulation SCI, certain “SCI Entities”—including stock exchanges, clearinghouses, and alternative trading systems—must satisfy certain technological and business continuity requirements.
The proposal would add to the list of SCI Entities (1) registered security-based swap data repositories, (2) large broker-dealers, and (3) all clearing agencies exempt from SEC registration. § 242.1000. As Chair Gensler noted in his accompanying statement, the proposal would grow the number of SCI entities from roughly four dozen today to six dozen.
Regulation SCI’s new requirements include several provisions relating to management of third-party service providers, including a requirement that such entities be part of an SCI Entity’s annual business continuity and disaster recovery testing. § 242.1001(a)(2)(v), (ix). Additionally, SCI Entities must conduct risk assessments regarding third-party service providers, “including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed.” See Proposal sec. III.C.2.a. Other more technical requirements include: (1) mandating an inventory of the SCI Entity’s systems, (2) increasing the required frequency of penetration testing, (3) mandating disclosures of distributed denial of service (DDoS) attacks and other indirect disruptions to the SEC, (4) detailing further the review SCI Entities must conduct, and (5) adopting a safe harbor for SCI Entities that employ industry standards like the National Institute of Standards and Technology’s (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity. See Proposal sec. III.C.1, .3–.5.
***
As the dissenting Commissioners stressed in their statements, the proposals, if adopted, would introduce significant regulatory overlap for several kinds of SEC registrants, including broker-dealers. It is likely that public feedback submitted during the comment period will point to other issues raised by any or all of the cybersecurity proposals.