The Securities and Exchange Commission has proposed new rules for all market entities, including broker dealers and the Municipal Securities Rulemaking Board, to help address cybersecurity risks as one part of a three-part proposal intended to strengthen cybersecurity protections.
Proposed new Rule 10, if implemented, would require entities across markets to establish, maintain and enforce policies and procedures designed to address cybersecurity risks and would require firms to review and assess the design and effectiveness of their policies and procedures. They would also be forced to notify the SEC via written electronic notice if a significant cybersecurity incident occurs.
"I am pleased to support this proposal because, if adopted, it would set standards for market entities' cybersecurity practices," said SEC Chair Gary Gensler. "The nature, scale and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. The proposal would help promote every part of our mission particularly regarding investor protection and orderly markets."
The policies and procedures would need to include periodic assessments of cybersecurity risks, controls designed to minimize risks and prevent unauthorized access to the entities systems, measures designed to monitor its systems, measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities and measures designed to detect, respond to and recover a cybersecurity incident.
The proposal was introduced as one of a three-part proposal, which also includes updates to Regulation S-P or the "safeguards rule," in addition to amendments to Regulation System Compliance and Integrity or Reg SCI.
For Regulation S-P, the SEC is proposing to require written policies and procedures for an entity's incident response program such as notifying individuals if their sensitive information is compromised in a data breach.
"Consumers in states with stronger protections than those provided for under the proposed Federal minimum standard would not be harmed by this proposal and would continue to benefit from those stronger protections," said SEC commissioner Jaime Lizarraga. "The affirmative requirement for notification helps ensure that customers receive timely notice of breach and are afforded an opportunity to protect themselves."
Amendments to Reg SCI would expand the scope to account for heightened cybersecurity risks and would extend coverage under Reg SCI to security-based swap data repositories, large broker-dealers and certain exempt clearing agencies.
"Large broker-dealers are scoped in because of the important role they play in our capital markets," Lizarraga said. "Retail broker-dealers and their customers depend on the availability, integrity and resiliency of the systems of the largest carrying broker-dealers to execute, clear and settle transactions. A catastrophic systems failure at a large carrying broker could effectively cut off access to the markets to their customers, with significant and disproportionate harm to retail investors."
The proposals will be published in the Federal Register and the public comment period will be 60 days after publication.