Three Key Updates on SEC Cybersecurity Regulations
On March 15, the U.S. Securities and Exchange Commission (SEC) issued three important updates regarding cybersecurity rule proposals:
- Comment period for proposed cybersecurity risk management rules for investment advisers and funds (Advisers Act Rule 206(4)-9) reopened for 60 days
- Proposed updates to Regulation S-P
- New rule proposal, Rule 10 under Securities Exchange Act, for broker-dealers and other market entities addressing cybersecurity risks
These updates represent a shift that normalizes standards across market participants and increases the governance expectations for cybersecurity risk and incidents.
Proposed rule 206(4)-9 comment period extended
The SEC reopened the comment period for Advisers Act Rule 206(4)-9, cybersecurity incident reporting, for another 60 days, giving the public until May 14 to provide additional feedback on the rule. This means the much-anticipated April finalization date is now extended as well. Click here for information about how to submit comments for this proposed rule. Similar rules were proposed for investment companies (mutual funds) and business development companies.
Want to know more about proposed rule 206(4)-9?
Watch our on-demand webcast, “Unpacking the SEC’s Proposed Cyber Rules”. This webcast outlines the proposed rules and amendments and describes how they can affect private fund managers. Discussion topics include:
- Cybersecurity policy and procedure
- Reporting of a “significant” cybersecurity incident
- Board of Directors oversight of cyber programs
Proposed edits to Regulation S-P
The SEC proposed updates to Regulation S-P for broker-dealers, investment companies, and registered investment advisers. Regulation S-P currently requires firms to disclose how they use clients’ financial information but does not require them to disclose data breaches. According to SEC Chair Gary Gensler, these proposed updates aim to close the information gap and further protect and inform investors about risks to their personal financial data.
Customer information would be further protected under the updated Regulation S-P by:
- Requiring covered institutions to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information;
- Requiring covered institutions to have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization; and
- Broadening the scope of information covered by Regulation S-P’s requirements.
Proposed updates to Regulation S-P include:
- Incident Response Program - This proposal would require covered institutions to have an incident response program that is designed to detect, respond to, and recover from unauthorized access to or use of customer information. It further requires that firms have written policies and procedures in place to assess the scope of such an incident and subsequently control future incidents.
- Customer Notification Requirement - The proposed amendments require that covered institutions notify individuals whose information was reasonably likely to have been accessed without authorization no later than 30 days after the institution becomes aware that customer information was accessed or is reasonably likely to have been accessed.
- Expanding safeguards for disposing of customer information - The SEC wishes to further expand the safeguards and disposal rules to cover “customer information” to better protect customer data.
Proposed Rule 10
The proposed rule would require market entities to take additional steps to address their cybersecurity risks. This rule will affect broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (Market Entities).
Key requirements of the proposed rule include:
- “All Market Entities (Covered Entities and Non-Covered Entities) are required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.”
- “All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the period covered by the review.”
- “All Market Entities would need to provide the Commission with an immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident had occurred or is occurring.”
- Market Entities that are Covered Entities “would be required to: (1) include certain elements in their cybersecurity risk management policies and procedures; (2) file Part I of proposed Form SCIR with the Commission and, for some Covered Entities, other regulators to report information about a significant cybersecurity incident; and (3) make public disclosures on Part II of proposed Form SCIR about their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.”
Though the proposed rules are new, their content should look familiar to many firms: the requirements are similar to the SEC’s proposed Advisers Act Rule 206(4)-9 and other SEC proposals and statements, and they reinforce cybersecurity risk as one of the SEC’s top focus areas.
How we help
ACA Aponix® can help your firm develop, implement, and maintain the required information security program to meet the SEC’s regulatory requirements, including:
- Support and advice to build and to assess an organization’s cybersecurity risk, identify cybersecurity program gaps, and draft and execute against a mitigation roadmap.
- Risk assessments and mock regulatory exams to identify and remediate gaps in a firm’s current cybersecurity and regulatory state.
- Policy development, business continuity planning, and impact analysis complete with robust policies, plans, and procedures to better protect your company from data breaches and efficiently recover from a cyber incident or significant business disruption.
For questions about the proposed SEC cybersecurity rules and regulations, or to find out how we can help you meet your regulatory obligations, please reach out to your ACA consultant or contact us.