Proposed new SEC cybersecurity requirements for financial service firms

By Eric Gronroos, Baker Tilly

On March 15, 2023, the SEC Division of Investment Management and Division of Trading and Markets (the Commission) held an open meeting related to proposed rule changes focused on cybersecurity controls and written procedures to be implemented by covered financial service firms.

Item I – Cybersecurity rules under Regulation S-P

With respect to Regulation S-P, the Commission voted 5-0 for proposed amendments requiring broker-dealers, registered investment advisors and investment companies registered with the Commission to adopt written policies and procedures for incident response programs addressing unauthorized access to customer information and data.

More specifically, the noted entities would be required to “adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to certain affected individuals. The proposed amendments would also broaden the scope of information covered under these rules and extend application of these rules to cover transfer agents registered with the Commission or another appropriate regulatory authority.”

Additionally, if customer information is breached, the covered entity would have 30 days to notify the affected customers.

Item II – Cybersecurity rules under the Securities Exchange Act of 1934

The second topic of discussion was a proposal for new rules requiring certain registrants under the Securities Exchange Act of 1934 “to address cybersecurity risks through policies and procedures, notification and reporting to the Commission, public disclosure, and record retention.” Ultimately, implementing the rules and safeguards would require covered entities to notify the SEC of a cybersecurity breach. The proposed rules would require policies and procedures to specifically address certain areas, which are listed on the SEC fact sheet. The proposal was approved by a 3-2 vote.

The requirements would apply to the following covered entities:

  • Broker-dealers and clearing agencies,
  • Major security-based swap participating entities,
  • The Municipal Securities Rulemaking Board,
  • National securities associations,
  • National securities exchanges,
  • Security-based swap data repositories,
  • Security-based swap dealers, and
  • Transfer agents.