SEC proposes new cybersecurity measures

The Securities and Exchange Commission has released a series of proposed regulations meant to bolster the cybersecurity practices of public companies and increase oversight of technology.

One of them directly concerns companies' cybersecurity policies and practices. Under the proposed regulations, entities would have to enact a number of new procedures, including:

• Periodic assessments of cybersecurity risks associated with the company's information systems and written documentation of the risk assessments; 
• Controls designed to minimize user-related risks and prevent unauthorized access to its information systems; 
• Measures designed to monitor the business' information systems and protect its information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or can otherwise access its information systems; 
• Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to information systems; and,
• Measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.

Furthermore, the proposed regulations would require entities that have experienced a "significant cybersecurity incident" to disclose the event and the company's efforts to respond to and recover from it to the SEC using a new form. The proposed rule also offers a definition of a "significant cybersecurity incident."

Finally, entities would need to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR. They would need to file the form with the SEC and post it on its website. Entities that are carrying or introducing broker-dealers would also need to provide the form to customers at account opening, when information on the form is updated, and annually.

"I am pleased to support this proposal because, if adopted, it would set standards for market entities' cybersecurity practices," said SEC Chair Gary Gensler in a statement. "The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets."

The proposed rule would apply to broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.

Proposed notification update

The SEC has also proposed expanding Regulation S-P, a rule passed in the year 2000 that, broadly, required broker-dealers, investment companies and certain investment advisors to enact policies meant for safeguarding customer records and information. The commission noted that there have been many technological changes since then that necessitate updating the rule.

Under the proposed update, covered entities would need to notify individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. This notification must be done as soon as is practicable, with 30 days as a maximum. The exception is when the sensitive customer information was not actually and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.

They would also have to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule. In addition, the proposed amendments would extend the disposal rule from covering only transfer agents registered with the SEC to also transfer agents registered with another appropriate regulatory agency.

"Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches," said Gensler. "I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves."

Expansion of SCI entity definition

The SEC also proposed expanding the definition of an "SCI entity," which are subject to Regulation SCI, a rule that governs technology infrastructure in the securities market.

Under the proposal, covered entities would be expanded to include registered security-based swap data repositories; broker-dealers registered with the commission under Section 15(b) that exceed a total assets threshold or a transaction activity threshold in NMS stocks, exchange listed options, U.S Treasury securities, or agency securities; and all clearing agencies exempted from registration.

The proposal also outlines more specifically what the SEC means by required policies and procedures; expands the definition of "system intrusion" to include additional types of cyber events and threats; specifies that objective personnel must conduct the SCI compliance review; specifies that SCI entities include key third-party providers in annual BC/DR testing; and updates Regulation SCI's recordkeeping provisions and Form SCI consistent with these amendments.