Cybersecurity Risk Management: The Implications of Proposed SEC Rule 10
The following is a summary of the SEC's proposed Rule 10 (the "Proposed Rule"), which is open for public comment.
The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register, approximately May 14, 2023.
Additionally, the SEC has reopened the comment period on the Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies for 60 days in line with Proposed Rule 10’s comment period.
SEC proposes rule to mitigate increasing cybersecurity risks faced by financial firms
As financial firms have come to rely more heavily on information systems, their exposure to cybersecurity risk has grown, and the tactics used to compromise those systems have become more sophisticated. Because these systems are interconnected, a vulnerability exploited at one entity can cascade to others.
This poses a severe risk to the U.S. securities markets: a successful attack can lead to a loss of confidentiality, integrity, or availability of information and of the systems that control it. The SEC has stated that the proposed rule is designed to address and mitigate cybersecurity risk by requiring Market Entities to take measures to protect themselves and investors from the harmful impacts of cybersecurity incidents.
Proposed Rule 10 divides Market Entities into two groups, Covered Entities and Non-Covered Entities. The release goes into great detail on whom the rule applies to and why, but for the sake of clarity, the proposed rule defines certain broker-dealers (defined below), the MSRB, and all clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS Entities, and transfer agents as Covered Entities. Other broker-dealers would be Non-Covered Entities.
The following broker-dealers would be Covered Entities: (1) broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (“carrying broker-dealers”); (2) broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis (“introducing broker-dealers”); (3) broker-dealers with regulatory capital equal to or exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) broker-dealers that operate as market makers; and (6) broker-dealers that operate an ATS (sometimes collectively referred to as “Covered Broker-Dealers”).
Broker-dealers that do not fall into one of these six categories (sometimes collectively referred to as “Non-Covered Entities” or “Non-Covered Broker-Dealers”) would not be Covered Entities for the purposes of proposed Rule 10. See also section II.A.1.b. of the release (discussing the categories of broker-dealers that would be “Covered Entities” in greater detail).
Summary of the proposed rule
The Securities and Exchange Commission (SEC) is proposing a new rule (Rule 10), a new form, and amendments to existing recordkeeping rules. The proposal would require Market Entities to address cybersecurity risks through written policies and procedures; to give the SEC immediate notice of a significant cybersecurity incident and, as applicable, to report detailed information to the SEC about that incident; and to make public disclosures that would improve transparency about cybersecurity risks and significant cybersecurity incidents.
Potential implications to other regulations
It is important to be aware that the adoption of Rule 10, as proposed, may also affect Market Entities subject to Regulation SCI, Regulation S-P, Regulation ATS, and Regulation S-ID. Should Rule 10 be adopted, Market Entities will need to review the regulations that apply to them and stay informed about proposed amendments to existing regulations.
Cybersecurity risk management policies and procedures
Proposed new Rule 10 would require all Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks. The SEC's framework for these policies and procedures draws primarily on the NIST Cybersecurity Framework and the CISA Cyber Essentials Starter Kit. The proposing release also notes that Market Entities engaged in business activities involving crypto assets are exposed to heightened cybersecurity risks; such entities may want to include additional measures tailored to those activities.
Requirements for Covered Entities under the rule
Cybersecurity risk management policies and procedures for Covered Entities should minimally include:
- Periodic assessments of the cybersecurity risks associated with the Covered Entity's information systems, with written documentation of each risk assessment. The policies and procedures must be tailored to the nature and scope of the entity's business and must address the following elements set out in the proposal: risk assessment, user security and access, information protection, cybersecurity threat and vulnerability management, and cybersecurity incident response and recovery;
- Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
- Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the Covered Entity’s information systems;
- Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems;
- Measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident;
- Measures designed to ensure compliance with the rule's notification and reporting requirements.
All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.
Covered Entities would also be required to prepare an annual written report on this review. The report should assess the effectiveness of the cybersecurity policies and procedures, describe any material changes made to them, and document the assessment, the review process, the control tests performed, a summary and explanation of the results, and any cybersecurity incidents that occurred during the period. When testing the effectiveness of the policies and procedures, Covered Entities should evaluate whether delegated responsibilities are appropriate and ensure that the written report is reviewed by the appropriate stakeholders.
Requirements for Non-Covered Entities under the rule
Non-Covered Entities must reasonably design their policies and procedures to address cybersecurity risks, taking into account their size, business, and operations; review and assess the design and effectiveness of those policies and procedures at least annually; and prepare an annual written record documenting the steps taken in that review and any conclusions reached, as evidence of compliance with the requirement.
Non-Covered Broker-Dealers would not be subject to the requirements of proposed Rule 10 to:
- Include certain elements in their cybersecurity risk management policies and procedures
- File confidential reports that provide information about the significant cybersecurity incident with the Commission and, for some Covered Entities, other regulators
- Make public disclosures about their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year
Defining a cybersecurity incident
Proposed Rule 10 broadly defines a cybersecurity incident as any unauthorized occurrence on or conducted through a Market Entity’s information systems or affecting the information on the system that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems regardless of the method used by the actor.
Defining a significant cybersecurity incident
A significant cybersecurity incident could lead to the improper use of information to harm individuals, give unauthorized users an unfair advantage over other market participants, or negatively affect information systems. Proposed Rule 10 provides a two-pronged definition of a "significant cybersecurity incident."
The first prong covers a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades a Market Entity's ability to maintain critical operations. This kind of harm can prevent the Market Entity from performing its functions or accessing information on its systems, which could affect the fair, orderly, and efficient functioning of the U.S. securities markets.
The second prong covers a cybersecurity incident, or a group of related incidents, that leads to unauthorized access to or use of the Market Entity's information or information systems and results in substantial harm to the Market Entity or to its customers, counterparties, members, registrants, users, or any other person that interacts with the Market Entity.
Notifications and reporting of significant cybersecurity incidents
All Market Entities (including broker-dealers and security-based swap dealers) would need to give the SEC immediate (i.e., same-day) written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.
The notice is required as soon as the Market Entity has a reasonable basis for that conclusion; it would not be permitted to wait until the conclusion is definite. The immediate notification requirement is intended to give the SEC the opportunity to assess the situation promptly, ascertain the entity's operating status, and engage with the entity to better understand what steps it is taking to protect its customers, counterparties, members, registrants, or users. In addition, Covered Entities that are broker-dealers would be required to provide the notification to their designated examining authority (DEA), and Covered Entities that are transfer agents to their appropriate regulatory agency (ARA).
Proposed form SCIR part I and part II
After providing immediate written electronic notice of a significant cybersecurity incident, Covered Entities would need to report confidentially to the SEC by filing Part I of proposed Form SCIR through EDGAR. The form would elicit information about the significant cybersecurity incident and the Covered Entity's efforts to respond to and recover from it. The initial Part I filing must be made promptly, and no later than 48 hours after the Covered Entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring.
Part I calls for extensive information about the Covered Entity, such as its legal name, business name, tax identification number, unique identification code, Central Index Key (CIK) number, type of Market Entity, and contact information for a designated employee authorized to provide information to the SEC. Part I would also contain fields for the individual executing the form to sign and date it, certifying that the information provided is current, true, and complete.
To streamline the filing process, Covered Entities could gather and prepare this information before a first filing is ever needed, and could identify in advance who must be notified, including other agencies (e.g., law enforcement or other government agencies). Once the information required for the filing is finalized, Covered Entities could develop a checklist to support the filing.
Covered Entities would be required to promptly amend Part I of Form SCIR to update information about the significant cybersecurity incident when any of the following occurs. As with the initial filing, broker-dealers would send amendments to their designated examining authority (DEA) and transfer agents to their appropriate regulatory agency (ARA):
- Any information previously reported to the Commission on the form about the significant cybersecurity incident becomes materially inaccurate
- Any new material information about the significant cybersecurity incident previously reported to the Commission on the form is discovered
- The significant cybersecurity incident is resolved
- An internal investigation into the significant cybersecurity incident, if one is conducted, is closed
The proposed rule would also require Covered Entities to publicly disclose summary descriptions (i.e., not detailed accounts) of their cybersecurity risks and of the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR. A Covered Entity would need to file Part II with the Commission and post it on its website.
Covered Entities that are carrying or introducing broker-dealers would also need to provide the form to customers at account opening, when information on the form is updated, and annually.
Non-Covered Entities would be subject to the same immediate written electronic notice requirement as Covered Entities: they would need to notify the SEC of any significant cybersecurity incident upon having a reasonable basis to conclude that it has occurred or is occurring. They would not, however, file Form SCIR Part I or Part II.
Covered Entities and Non-Covered Entities would need to preserve certain records relating to the requirements of proposed Rule 10 (Rule 10 Records) in accordance with the amended or existing recordkeeping requirements applicable to them. Because each type of Covered Entity is subject to its own record retention rule, the SEC did not propose a single retention period for Covered Entities; instead, it plans to amend the existing record retention rules for each type of entity. For Non-Covered Entities, the SEC is proposing a retention period of three years, running from the date the entity stops using a given set of policies and procedures in the case of those documents, and from creation for all other Rule 10 Records.