On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) voted to propose three measures to protect customer information and hold covered institutions accountable for cyberattacks.

The first set of measures would expand requirements under Regulation S-P for "covered institutions"—broker-dealers, registered investment advisors, investment companies and transfer agents. Key enhancements include:

  1. Applying the protections of the safeguards rule (Rule 248.30(a)) and disposal rule (Rule 248.30(b)) to "customer information," a new defined term that would include both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information that a covered institution receives about customers of other financial institutions.
  2. Requiring covered institutions to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information.
  3. Establishing federal minimum standards for covered institutions to provide data breach notifications to affected individuals, with limited exceptions, as soon as practicable but not later than 30 days after the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.
  4. Expanding the safeguards rule to cover transfer agents registered with the Commission or another appropriate regulatory agency, and expanding the disposal rule from covering only those registered with the Commission to also include those registered with another appropriate regulatory agency.

SEC Chair Gary Gensler commented, "Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches. . . . I think we should close this gap."[1] In practical effect, investment advisors currently provide notice under state data breach notification statutes, and the proposed amendments would simplify the data breach notification process by providing one uniform approach to notification.

The Commission likewise proposed a broad new rule and form (proposed new Rule 10) applying to "market entities"[2] that perform critical services to support the fair, orderly and efficient operations of the U.S. securities markets. Proposed new Rule 10 would require market entities to "implement policies and procedures that are reasonably designed to address their cybersecurity risks," including annual review of cyber policies, periodic cybersecurity risk assessments, implementation of monitoring and risk mitigation controls to prevent unauthorized access, and adoption of incident response plans. The proposed rule also includes new public disclosure requirements for cybersecurity risks and incidents, and imposes on market entities a duty to provide the Commission with immediate electronic notice of significant cybersecurity incidents.

Finally, the SEC also proposed to update and expand Regulation Systems Compliance and Integrity ("Regulation SCI"),[3] adding registered security-based swap data repositories, clearing agencies exempt from registration and certain large broker-dealers to the scope of SCI entities. Regulation SCI would also be amended to mandate that SCI entities maintain programs for inventory, classification and lifecycle management of SCI systems, manage and oversee third-party providers, and prevent unauthorized access to SCI systems.

The public comment period for all three proposals will be open for 60 days after publication of the proposing release in the Federal Register.

The three proposals reflect the SEC's continued interest in cybersecurity. Last year the SEC also proposed two other major cybersecurity measures, both slated for final action this April:

  • Requiring investment advisers and funds to adopt written cybersecurity policies and report significant cybersecurity breaches directly to the SEC on a confidential form. Advisers and funds would also have to publicly disclose significant cybersecurity incidents that occurred within their last two fiscal years in their brochures and registration statements.[4]
  • Requiring public companies to enhance and standardize disclosures regarding cybersecurity risk management, strategy and governance, as well as incident reporting. A public company would have to report a cybersecurity incident within four business days after determining that it had experienced a material cybersecurity incident.[5]

Footnotes

1. U.S. Securities and Exchange Commission, Press Release, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (March 15, 2023), available at https://www.sec.gov/news/press-release/2023-51.

2. "Market entities" include broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.

3. Regulation SCI refers to the set of rules adopted to address technological vulnerabilities in securities markets, and covers the automated systems underpinning various securities market functions, including trading, clearance and settlement, order routing and market regulation.

4. U.S. Securities and Exchange Commission, Proposed Rule, Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews (February 9, 2022), available at https://www.sec.gov/rules/proposed/2022/ia-5955.pdf.

5. U.S. Securities and Exchange Commission, Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (March 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
