In a recently released statement, the SEC is proposing a new cybersecurity requirement for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).
The rule, according to SEC Chair Gary Gensler, follows the cybersecurity risks that have “grown significantly in recent decades”. The proposed rules would benefit investors, issuers, and market participants alike by putting proper regulations in place “fit for a digital age”.
The proposal would require “Market Entities” to:
- implement policies and procedures that are reasonably designed to address their cybersecurity risks;
- annually review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review; and
- immediately notify the Commission via written electronic notice of any and all significant cybersecurity incidents.
The proposal would also require “Covered Entities” to*:
- perform periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
- have controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
- have measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the Covered Entity’s information systems;
- have measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems;
- have measures to detect, respond to, and recover from a cybersecurity incident, and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident;
- expand, beyond immediate electronic notification to the Commission, the reporting of cybersecurity incidents (on proposed Form SCIR, Part I); and
- require certain public disclosures regarding cybersecurity risks and significant cybersecurity incidents (on proposed Form SCIR, Part II).
*NOTE: Certain types of small broker-dealers (excluded from the definition of Covered Entity in the proposed rule) would not be subject to these additional requirements (e.g., a registered broker-dealer with less than $50 million in regulatory capital or that has less than $1 billion in total assets).
To learn more about the proposal, read the full SEC press release here or the SEC fact sheet here.