Proposed new SEC cybersecurity requirements for financial service firms

On March 15, 2023, the SEC Division of Investment Management and Division of Trading and Markets (the Commission) held an open meeting related to proposed rule changes focused on cybersecurity controls and written procedures to be implemented by covered financial service firms.

Item I – Cybersecurity rules under Regulation S-P

With respect to Regulation S-P, the Commission voted 5-0 for proposed amendments requiring broker-dealers, registered investment advisors and investment companies registered with the Commission to adopt written policies and procedures for incident response programs addressing unauthorized access to customer information and data.

More specifically, the noted entities will be required to “adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to certain affected individuals. The proposed amendments would also broaden the scope of information covered under these rules and extend application of these rules to cover transfer agents registered with the Commission or another appropriate regulatory authority.”

Additionally, if there is a breach in customer information, the covered member has 30 days to notify the affected customer.

Item II: Cybersecurity rules under the Securities Exchange Act of 1934

The second topic of discussion was a proposal for new rules requiring certain registrants under the Securities Exchange Act of 1934, “to address cybersecurity risks through policies and procedures, notification and reporting to the Commission, public disclosure, and record retention.” Ultimately, implementing the rules and safeguards would require notification of a breach in cybersecurity to the SEC. The proposed rules would require policies and procedures to specifically address certain areas, which can be found on the SEC fact sheet. The proposal was approved by a 3-2 vote.

The requirements would apply to following covered entities:

• Broker-dealers and clearing agencies,
• Major security-based swap participating entities,
• The Municipal Securities Rulemaking Board,
• National securities associations,
• National securities exchanges,
• Security-based swap data repositories,
• Security-based swap dealers, and
• Transfer agents

Item III: Expansion of scope and provisions under Regulation SCI

Lastly was a 3-2 vote in favor of the proposed expansion of the scope of entities includable as self-regulated entities under Regulation SCI and an update of the regulation to require added system compliances and integrity measures.

There is no current date on when these measures would take effect.

Overall, these rules would add additional security measures to give additional comfort to investors that there are sufficient controls in place to safeguard the process. If your firm could use help implementing cybersecurity policies and procedures to meet the oncoming requirements proposed by the Commission, our Risk Advisory team can help you.

Further details on the information above can be found on the SEC website.