SEC Advances Three New Cybersecurity Rule Proposals

On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.

The SEC’s first proposal would amend Regulation S-P. Regulation S-P imposes privacy, data security, and data disposal rules on broker-dealers, investment advisers, and investment companies subject to the SEC’s authority under the Gramm-Leach-Bliley Act. Among other requirements, the SEC’s proposed amendments would (1) require covered institutions to adopt a written incident response program, including procedures to assess the nature and scope of an incident involving unauthorized access to or use of customer information, as well as procedures to contain and control such an incident, (2) incorporate a requirement to notify affected individuals of a data breach, and (3) require covered institutions to maintain written records documenting their compliance with Regulation S-P’s rules.

The SEC also proposed Rule 10, which would require certain entities that perform critical services to support the U.S. securities market, namely, broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”), to, among other requirements, maintain and regularly update written policies and procedures that address cybersecurity risks and include certain prescribed content, provide immediate written notice to the SEC of significant cybersecurity incidents, and publicly disclose summary descriptions of cybersecurity risks and incidents.

Finally, the SEC proposed amendments to Regulation Systems Compliance and Integrity (“SCI”), which was adopted in 2014 and applies to (1) certain entities (“SCI Entities”) and their automated and similar systems (“SCI Systems”) that directly support one or more of six key security market functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance), and (2) systems that, if breached, would be reasonably likely to pose a security threat to SCI systems (“Indirect SCI Systems”). The proposed amendments would increase the scope of entities covered by Regulation SCI (to include registered security-based swap data repositories; broker-dealers registered with the SEC under Section 15(b) that exceed certain thresholds in assets or transaction activity; and all clearing agencies exempted from registration) and would expand on the regulation’s requirements, including by specifying content requirements for security policies and procedures mandated under the Rule, requiring notice to the SEC of certain “systems intrusions” without delay, updating the annual SCI compliance review required under the Rule, and requiring SCI entities to include key third-party providers in their required BC/DR testing.

The public comment periods for the proposals will remain open for 60 days after publication in the Federal Register. In addition, the SEC has re-opened the comment period for a 2022 proposal that would require investment advisers and funds to adopt written cybersecurity policies, report significant cybersecurity incidents to the SEC, and publicly disclose cybersecurity risks and significant cybersecurity incidents in the last two fiscal years in their brochures and registration statements.
