SEC Proposes Rash of New Rules on Cybersecurity

In its efforts to address cybersecurity risks, the U.S. Securities and Exchange Commission (“SEC”) continues to propose rules on cybersecurity. Most recently, on March 15, 2023, the SEC announced its proposal of three cybersecurity measures intended to expand existing rules and create new ones. This announcement amplifies the business and legal communities’ anticipation of the SEC’s expected release of new rules in April 2023.

• The first SEC proposal updates Regulation S-P to require registered brokers, dealers, investment companies, investment advisers, and transfer agents to adopt written policies and procedures addressing unauthorized access to or use of customers’ personal information in the modern age. Although Regulation S-P, as adopted in 2000, already requires such entities to notify customers of its use of their financial information, the proposal expands the requirement to include notifying customers when their information is breached. See https://www.sec.gov/news/press-release/2023-51. 
• The second SEC proposal creates new reporting obligations of cybersecurity incidents to the SEC for certain market entities: broker-dealers, clearing agencies, major security-based swap participants, national securities associations and exchanges, security-based swap dealers, transfer agents, and the Municipal Securities Rulemaking Board. See https://www.sec.gov/news/press-release/2023-52. 
• Finally, the third SEC proposal expands Regulation Systems Compliance and Integrity (“SCI”), a 2014 regulation that currently applies to four dozen self-regulatory organizations, alternative trading systems, plan processors, and clearing agencies. To reflect technological developments in the market, the proposal would cover an additional two dozen registered security-based swap data repositories, clearing agencies exempt from registration, and large broker-dealers. It would also require all covered entities to update their policies, procedures, and notification requirements. See https://www.sec.gov/news/press-release/2023-53. 
  
  

Anyone involved in these areas should pay special attention and consider providing public comment to the SEC after its proposals are published in the Federal Register. If enacted, the rules will require close consideration and compliance. Please contact Kathleen A. McGee or Kate Basmagian for more information.