SEC Proposes New Cybersecurity Rules for Market Entities

The V&E Cybersecurity Update recently provided guidance on steps public companies can take to prepare for the SEC’s anticipated final rules governing the cybersecurity disclosures of public companies.

The Additional Proposed Rules

The first proposed rule would require all “Market Entities” to “establish, maintain, and enforce written policies and procedures that are reasonably designed to address” an entity’s cybersecurity risks.¹ Included in the definition of “Market Entities” are broker-dealers, clearing agencies, the Municipal Securities Rulemaking Board, transfer agents, major security-based swap participants, and all security-based swap dealers and data repositories.² Market Entities would be required to review these policies and procedures on an annual basis to assess their effectiveness and detect any changes in cybersecurity risk.³ Market Entities would also be required to provide the SEC with immediate written notice upon discovery of a significant cybersecurity incident.⁴ “Covered Entities” — a subset of “Market Entities” that excludes certain small broker-dealers — would be subject to additional requirements, including mandated publication of a yearly summary of their cybersecurity risks and any significant cybersecurity incidents that the entity experienced to the public on its website.⁵

The second proposed rule would enhance the requirements of Regulation S-P, which provides privacy protections for consumer financial information.⁶ Adopted in 2000, Regulation S-P requires covered entities to institute written policies and procedures for the safeguarding of customer records and take measures to ensure the proper disposal of consumer report information.⁷ However, as noted by SEC Chair Gary Gensler, despite the fact that “Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches.”⁸ The proposed rule would therefore “close this gap” by establishing minimum standards for covered entities to notify customers following a data breach incident that may have exposed the customer’s sensitive information.⁹ The proposal would additionally expand Regulation S-P’s safeguarding and disposal rules to cover both “nonpublic personal information that a covered institution collects about its own customers and that it receives from a third party financial institution about a financial institution’s customers.”¹⁰

The final proposed rule would expand the scope of entities covered by the Regulation Systems Compliance and Integrity (“Regulation SCI”) — which regulates the security of the automated, electronic, and similar systems used in securities market functions — to include registered security-based swap data repositories, registered broker-dealers that exceed certain asset or transaction activity thresholds, and additional clearing agencies exempted from registration.¹¹ The proposal would also bolster the obligations currently imposed on entities covered by Regulation SCI, including expansion of the types of SCI-related events that trigger immediate notification to the SEC and management of an entity’s third-party providers.¹²

The agency’s rolling out a smorgasbord of new cybersecurity obligations all at once was met with division across the Commission, sparking criticism of the potential for harmful overlap. Commissioner Mark T. Uyeda remarked that, while it is “crucial that there is a clear regulatory framework to address cybersecurity,” the “‘spaghetti on the wall’ approach” the Commission has taken “with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections.”¹³ Commissioner Hester M. Pierce noted that, while the release for the proposed amendment to Regulation S-P did attempt to hide overlap among the three proposed rules, and “actually goes into considerable detail about the redundancies,” it then “simply declares them appropriate given the different purposes, that they are ‘largely consistent,’ and probably not ‘unreasonably costly.’”¹⁴ “Admittedly,” Pierce stated, “rationalizing these overlapping requirements would be hard.”¹⁵

¹Sec. & Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, 88 Fed. Reg. 20,212, 20,228 (proposed April 5, 2023) (to be codified at 17 C.F.R. pts. 232, 240, 242 & 249).
²Id. at 20,214.
³Id. at 20,228.
⁴Id.
⁵Id.
⁶Sec. & Exch. Comm’n, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 88 Fed. Reg. 20,616 (proposed April 6, 2023) (to be codified at 17 C.F.R. pts. 240, 248, 270 & 275).
⁷Id.
⁸Press Release, U.S. Sec. & Exch. Comm’n, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (March 15, 2023), https://www.sec.gov/news/press-release/2023-51.
⁹Id.; 88 Fed. Reg. 20,620–20,621.
¹⁰Id. at 20,636.
¹¹Regulation Systems Compliance and Integrity, Exchange Act Release No. 34-97143; File No. S7-07-23, at 27 (Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97143.pdf.
Currently, Regulation SCI covers certain self-regulatory organizations, (excluding securities futures exchanges) (“SCI SROs”), alternative trading systems, exclusive disseminators of consolidated market data, competing disseminators of consolidated market, and exempt clearing agencies. Id. at 13–14.
¹²Id. at 24–25.
¹³Mark T. Uyeda, Comm’r, U.S. Sec. & Exch. Comm’n, Statement on the Proposed Cybersecurity Risk Management Rule for Market Entities (March 15, 2023), https://www.sec.gov/news/statement/uyeda-statement-enhanced-cybersecurity-031523.
¹⁴Hester M. Peirce, Comm’r, U.S. Sec. & Exch. Comm’n, Statement on Regulation SP: Privacy of Consumer Financial Information and Safeguarding Customer Information (March 15, 2023), https://www.sec.gov/news/statement/peirce-statement-regulation-sp-031523.
¹⁵Id.