SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities
At an open meeting on March 15, 2023, the U.S. Securities and Exchange Commission voted three to two[1] to propose a new rule, form and amendments (together, “Proposed Rule”) and published an accompanying release (“Release”)[2] regarding cybersecurity risk management for broker-dealers, clearing agencies, major security-based swap participants (“MSBSPs”), the Municipal Securities Rulemaking Board (“MSRB”), national securities associations, national securities exchanges, security-based swap data repositories (“SBSDRs”), security-based swap dealers (“SBSDs,” or collectively with MSBSPs, “SBS Entities”) and transfer agents (together, “Market Entities”). The Proposed Rule, which would add a new Rule 10 and Form SCIR under the Securities Exchange Act of 1934, is intended to address Market Entity cybersecurity risks. It would require Market Entities to implement certain written policies and procedures regarding cybersecurity, to provide “immediate” notification to the SEC of a significant cybersecurity incident and to make public disclosures regarding their cybersecurity risks and significant cybersecurity incidents, and it would update and amend certain recordkeeping requirements.
The Proposed Rule comes amid a busy cybersecurity and data privacy rulemaking agenda for the SEC. The Proposed Rule is in some respects similar to the SEC’s February 2022 cybersecurity risk management rule proposal (2022 Cyber Risk Management Rule Proposal), which proposed new and amended rules regarding cybersecurity risk management, cyber incident reporting and cyber risk disclosure for SEC-registered investment advisers, SEC-registered investment companies and closed-end funds that have elected to be treated as business development companies under the Investment Company Act of 1940. The Proposed Rule also comes on the heels of the SEC’s proposal to amend Regulation S-P, which would require registered broker-dealers, investment companies and investment advisers to address safeguards for the protection of customer records and information. For a more detailed discussion, please see our Dechert OnPoint regarding the proposed amendments to Regulation S-P.
This Dechert OnPoint summarizes the Proposed Rule’s main elements and identifies next steps and key takeaways for Covered Entities (as defined below).
Background
The Release reflects the SEC’s view that “it is critically important that Market Entities take steps to protect their information systems and the information residing on those systems from cybersecurity risk.” The Release notes that a Market Entity that fails to do so is more likely to suffer a significant cybersecurity incident. Accordingly, the Proposed Rule’s stated purpose is to require Market Entities to address cybersecurity risks, to improve the SEC’s ability to obtain information about significant cybersecurity incidents impacting Market Entities and to improve transparency about the cybersecurity risks that can adversely affect the U.S. securities markets.
As noted above, the Proposed Rule is in many respects similar to the 2022 Cyber Risk Management Rule Proposal. Commissioner Mark T. Uyeda criticized the Proposed Rule in a statement, noting that it did not take into account many of the public comments received on the 2022 proposal and expressing concern that the SEC was taking a “spaghetti on the wall” approach to cybersecurity, which could “create confusion and conflicts, and could even weaken cybersecurity protections.”[3] Commissioner Hester M. Peirce also criticized the Proposed Rule in her statement, calling it a “tool to enhance our year-end enforcement statistics [rather] than a serious proposal to make the securities market more secure.”[4]
Categories of Market Entities Under the Proposed Rule
Under the Proposed Rule, there are two categories of Market Entities: Covered Entities and Non-Covered Entities.[5] The Proposed Rule would place more stringent requirements on “Covered Entities,” which would include broker-dealers that fall into certain categories,[6] “the MSRB, and all clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS Entities, and transfer agents.” “Non-Covered Entities” would include those broker-dealers that are subject only to the Proposed Rule’s baseline requirements “[i]n light of their limited business activities.” Non-Covered Entities might, for instance, include firms that limit their business to selling mutual funds on a subscription-way basis or engaging in private placements for clients. The term would also include firms that limit their business to effecting securities transactions to facilitate mergers, acquisitions, business sales and business combinations. Non-Covered Entities would not, however, include broker-dealers that maintain custody of customer securities and cash, introduce customer accounts to broker-dealers that maintain such custody, are large proprietary trading firms, operate as market makers or operate alternative trading systems.
Proposed Rules for Covered Entities
Policies and Procedures
The Proposed Rule would require a Covered Entity to establish, maintain and enforce written policies and procedures that are reasonably designed to address the Covered Entity’s cybersecurity risks. These policies and procedures would need to include the following elements:
- Risk Assessment. A Covered Entity would be required to categorize and prioritize cybersecurity risks based on an inventory of its information systems and the information residing thereon, as well as the potential effect of a cybersecurity incident on the Covered Entity. Covered Entities would also need to assess the cybersecurity risks associated with their use of service providers that receive, maintain or process their information or are otherwise permitted to access their information systems. Risk assessments would need to be documented in writing.
- User Security and Access. As noted in the Release, the Proposed Rule would require that a Covered Entity’s cybersecurity risk management policies and procedures “include controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems and the information residing on those systems.” The Proposed Rule includes various technical requirements related to user access, including the adoption of an acceptable use policy, procedures for authenticating users, password management protocols, information access procedures, and policies related to removing access.
- Information Protection. Each Covered Entity’s cybersecurity risk management policies and procedures would need to address information protection in two ways. First, a Covered Entity would need to conduct periodic assessments of its information systems (and the information residing thereon) and use those assessments to develop policies and procedures that include measures designed to protect those information systems and that information. The periodic assessments would need to take into account a variety of factors, including the sensitivity level and importance of the information, whether any of the information is personal information, where and how the information is accessed, stored and transmitted, and the potential effect a cybersecurity incident involving the information could have. Second, a Covered Entity would need to oversee, pursuant to a written contract, service providers that receive, maintain or process the Covered Entity’s information (or are otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems), including by requiring those service providers to implement and maintain appropriate measures to protect that information.
- Cybersecurity Threat and Vulnerability Management. A Covered Entity’s policies and procedures would need to include “measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities” with respect to its information systems and the information residing on those systems.
- Cybersecurity Incident Response and Recovery. The Proposed Rule would require each Covered Entity’s cybersecurity risk management policies and procedures to include “measures designed to detect, respond to, and recover from a cybersecurity incident.” The Proposed Rule gives the term “Significant Cybersecurity Incident” a two-pronged definition. The first prong is a cybersecurity incident, or group of related incidents, that “significantly disrupts or degrades the ability of the [Market Entity] to maintain critical operations.” The second prong is a cybersecurity incident, or group of related incidents, that “leads to the unauthorized access or use of the information or information systems of the [Market Entity]” and that results in, or is reasonably likely to result in: (i) substantial harm to the Market Entity; or (ii) substantial harm to a “customer, counterparty, member, registrant, or user of the Market Entity, or to any other person that interacts with the [Market Entity].” Under the Proposed Rule, policies and procedures would need to be reasonably designed to ensure the Covered Entity’s continued operations, the protection of the Covered Entity’s information systems and the information residing on those systems, and compliance with applicable reporting requirements. Importantly, as discussed further below, the Proposed Rule would require a Covered Entity to provide the SEC[7] with “immediate written electronic notice”[8] of a significant cybersecurity incident.
- Annual Review and Required Written Reports. The Proposed Rule would require a Covered Entity to review and assess the design and effectiveness of its cybersecurity policies and procedures at least annually and ensure the policies and procedures reflect changes in cybersecurity risks during the review period. A Covered Entity would also need to prepare a written report that: describes the review, the assessment, and any control tests performed; explains the results of the assessment; documents any cybersecurity incident that occurred since the date of the last report; and discusses any material changes to the policies and procedures since the date of the last report.
The SEC is seeking comments on multiple areas related to the proposed elements of the policies and procedures requirements. For example, the SEC is looking for input on: (i) sources the SEC should consider as benchmarks (e.g., the NIST Cybersecurity Framework), (ii) whether additional elements should be added to the policies and procedures requirements, (iii) whether the rule should require the use of multi-factor authentication, (iv) whether periodic penetration tests should be required and (v) contractual requirements for service providers. The SEC did not address any overlap with the Financial Industry Regulatory Authority’s Rule 4370 (Business Continuity Plans and Emergency Contact Information), which requires broker-dealers that are FINRA member firms to create, maintain and review at least annually written policies and procedures to address certain business disruptions, including cyber events, and to disclose their business continuity plans to customers.
Notification and Reporting of Significant Cybersecurity Incidents to the SEC
Reporting Requirements on Form SCIR
Filing of Part I of Form SCIR. In addition to providing immediate written electronic notice to the SEC, a Covered Entity would need to report detailed information about a significant cybersecurity incident to the SEC by filing (on a confidential basis) Part I of proposed Form SCIR through EDGAR. A Covered Entity would be required to file Part I of proposed Form SCIR “promptly, but no later than 48 hours, upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.”
Filing Amended Part I of Form SCIR. There are four circumstances under which the Proposed Rule would require a Covered Entity to file an amended Part I of proposed Form SCIR: (i) if any information previously reported becomes materially inaccurate, (ii) if new material information is discovered, (iii) after the significant cybersecurity incident is resolved or (iv) if the Covered Entity conducts an internal investigation of the significant cybersecurity incident, upon the conclusion of that investigation. The amended form would need to be filed within 48 hours of the triggering event.
The SEC is seeking comment on multiple areas related to the proposed elements of the reporting requirement, including whether: (i) the Proposed Rule should specify how a Covered Entity provides initial notification to the SEC, (ii) the deadline to file a proposed Form SCIR should be extended (e.g., from 48 hours to 72 or 96 hours), (iii) the deadline to file a proposed Form SCIR should be modified to account for internal investigations and (iv) Non-Covered Entities should be required to complete Part I of proposed Form SCIR.
Public Disclosures Relating to Cybersecurity Incidents
The Proposed Rule would require a Covered Entity to make two types of public disclosures relating to cybersecurity on Part II of proposed Form SCIR. First, the Covered Entity would need to provide a plain-English summary description of the cybersecurity risks that could materially affect its business operations and how it assesses, prioritizes and addresses those risks.[9] Second, the Covered Entity would need to provide a summary description of the significant cybersecurity incidents it experienced during the current or previous calendar year, if applicable. That summary would need to include certain prescribed information, including: the person(s) affected; the date the incident was discovered and whether it is ongoing; whether data was stolen, altered, or accessed or used for unauthorized purposes; the effect of the incident on the Covered Entity’s operations; and whether the Covered Entity, or a service provider, has remediated or is currently remediating the incident.
Updated Recordkeeping Requirements
Finally, the Proposed Rule includes updated recordkeeping requirements for Covered Entities that would align with Covered Entities’ new obligations under the Proposed Rule. These recordkeeping requirements would broadly require Covered Entities to create written documentation of risk assessments, cybersecurity incidents, annual reviews of policies and procedures designed to address cybersecurity risks, and disclosures of cybersecurity risks.
Proposed Rules for Non-Covered Entities
Although Non-Covered Entities are not subject to the same stringent cyber risk-management requirements as Covered Entities,[10] the Proposed Rule would require them to implement baseline measures pertaining to cybersecurity matters. Non-Covered Entities would be required to adopt written policies and procedures that are reasonably designed to address their cybersecurity risks. Further, at least annually, Non-Covered Entities would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures and document the annual review. Additionally, as noted in the Release, they would be required to provide the SEC with “immediate written electronic notice of a significant cybersecurity incident affecting them.” Finally, they would need to preserve their cyber risk management policies and procedures and records of their annual reviews.
What to Expect Next and Key Takeaways
The Proposed Rule would impose significant new cybersecurity-related requirements on Covered Entities. We expect there will be significant industry comment on the Proposed Rule as well as the SEC’s other related cybersecurity proposals. The public comment period will close on June 5, 2023. The following are a few key takeaways regarding the Proposed Rule:
- The “Immediate” Incident Notification Requirement and 48-Hour Reporting Requirement Would Pose Serious Obstacles to Covered Entities. The “immediate” incident notification requirement and the 48-hour reporting timeline in the Proposed Rule would, if adopted, be shorter than nearly all existing data breach laws.[11] The Proposed Rule would add the burden of an additional “immediate” incident notification, which was not contemplated in the 2022 Cyber Risk Management Rule Proposal, on top of the requirement to file a prescribed form with the SEC. Most state data breach laws do not set an exact timeframe for reporting an incident, and those that do contemplate notice within a 30- or 45-day timeframe. The proposed 48-hour reporting requirement is also shorter than the 72-hour reporting requirement under the European Union and UK General Data Protection Regulation (GDPR) and under the New York State Department of Financial Services Cybersecurity Regulation. If the Proposed Rule is adopted, a Covered Entity would need to file an immediate notice with the SEC and then identify, compile and timely report the required information to the SEC while it is actively responding to an ongoing cyberattack. In practice, it often takes more than 48 hours, and in many cases several weeks, for forensic investigations to determine the scope of an attack and to identify the key information needed to decide whether an event is actually a “significant” cybersecurity incident, including what, if any, data an attacker has accessed or exfiltrated. Additionally, the “facts” often change significantly from what initially appears to be the case; what looks like a significant cybersecurity event in the first 48 hours very often turns out not to be one once it is investigated.
Moreover, the Proposed Rule would impose substantial burdens on a company at precisely the time it is trying to fend off a threat actor, a highly counterproductive approach. If the Proposed Rule takes effect as written, the immediate notification requirement and the 48-hour reporting requirement will undoubtedly present a substantial challenge for Covered Entities dealing with cyberattacks.
- There Are Considerable Similarities with the 2022 Cyber Risk Management Rule Proposal. The Proposed Rule bears many substantial similarities to the 2022 Cyber Risk Management Rule Proposal. As an example, both proposals include requirements for the implementation of policies and procedures addressing periodic cybersecurity risk assessments, user security and access, information protection, threat and vulnerability management, and incident response and recovery; reporting of significant cybersecurity incidents to the SEC within abbreviated time periods; disclosure of cybersecurity risks and incidents to clients and shareholders annually and after significant cybersecurity incidents; and certain recordkeeping requirements. The SEC has reopened the comment period on the 2022 Cyber Risk Management Rule Proposal until May 22, 2023.
- Covered Entities Would Need to Account for How to Apply the New Requirements to Service Providers. Many Covered Entities rely heavily on service providers to process and protect their information and information systems. Conducting comprehensive periodic assessments of the cybersecurity risks associated with Covered Entity information systems and information could be a time-consuming and potentially costly undertaking. Under the Proposed Rule, Covered Entities also would need to revisit the contracts they have in place with third parties to ensure that those agreements are broad enough to meet the Covered Entities’ new obligations under the Proposed Rule and that the Covered Entities have appropriate rights to audit the cybersecurity practices of such service providers. Moreover, these are often contracts of adhesion over which the Covered Entities have little or no negotiating leverage.
- The Proposed Rule Would Add to Covered Entities’ Disclosure Obligations. The Proposed Rule’s requirement to amend and provide supplemental disclosures to clients, investors and shareholders in the event of changes to cybersecurity risks and in the wake of significant cybersecurity incidents is likely to increase operating costs for Covered Entities. Further, such a disclosure may alert a threat actor that the company knows the attack is underway, when it may be beneficial to keep that information confidential while the company responds to the attack. Industry participants can be expected to seek clarification from the SEC on the timeframe within which such updates must be made, given the shifting factual landscape that can result when dealing with a sophisticated threat actor.
Footnotes
1) Commissioners Gensler, Crenshaw and Lizárraga voted for the proposal. Commissioners Peirce and Uyeda voted against the proposal.
2) Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34–97142 (Mar. 15, 2023).
3) See Commissioner Mark T. Uyeda, Statement on the Proposed Cybersecurity Risk Management Rule for Market Entities, (Mar. 15, 2023) (Uyeda Statement)
4) See Commissioner Hester M. Peirce, Statement on Proposed Cybersecurity Rule 10 and Form SCIR, (Mar. 15, 2023) (Peirce Statement).
5) The Proposed Rule also refers to Non-Covered Entities as “Non-Covered Broker Dealers.”
6) The SEC explained in the Release that certain broker-dealers considered Covered Entities would include: “(1) broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (“carrying broker-dealers”); (2) broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis (“introducing broker-dealers”); (3) broker-dealers with regulatory capital equal to or exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) broker-dealers that operate as market makers; and (6) broker-dealers that operate an [alternative trading system].”
7) In addition to notifying the SEC, notice also must be given to: (i) in the case of a broker or dealer, the examining authority of the broker or dealer; and (ii) in the case of a transfer agent, the appropriate regulatory agency of the transfer agent.
8) The Proposed Rule does not define the term “immediate” in this context, but the SEC provided the following context in the Release:
This proposed immediate written notification requirement is modelled on other notification requirements that apply to broker-dealers and SBSDs pursuant to other Exchange Act rules. Under these existing requirements, broker-dealers and certain SBSDs must provide the [SEC] with same-day written notification if they undergo certain adverse events, including falling below their minimum net capital requirements or failing to make and keep current required books and records. The objective of these requirements is to provide the [SEC] staff with the opportunity to respond when a broker-dealer or SBSD is in financial or operational difficulty. Similarly, the written notification requirements of proposed Rule 10 are designed to provide the [SEC] staff with the opportunity to begin assessing the situation promptly when a Covered Entity is experiencing a significant cybersecurity incident by, for example, assessing the Covered Entity’s operating status and engaging in discussions with the Covered Entity to understand better what steps it is taking to protect its customers, counterparties, members, registrants, or users. In addition, a Covered Entity that is a broker-dealer would need to provide the written notice to its examining authority, and a transfer agent would need to provide the written notice to its [appropriate regulatory agency]. The objective is to notify other supervisory authorities to allow them the opportunity to respond to the significant cybersecurity incident impacting the Covered Entity.
According to the Release, the written notice “would need to identify the Covered Entity, state that the notice is being given to alert the [SEC] of a significant cybersecurity incident impacting the Covered Entity and provide the name and contact information of an employee of the Covered Entity who can provide further details about the nature and scope of the significant cybersecurity incident.”
9) In determining materiality, a Covered Entity would be required to consider, among other things: the likelihood and extent to which the risk could disrupt or degrade the Covered Entity’s ability to maintain critical operations; whether the risk could adversely affect the confidentiality, integrity or availability of information on the Covered Entity’s system; and whether the incident could harm the Covered Entity or its customers, counterparties, members, registrants, users or other persons. Additionally, the Covered Entity would need to include a summary description of each cybersecurity incident that occurred during the current or previous calendar year, if applicable.
10) Specifically, the Release notes that Non-Covered Broker-Dealers would not be subject to the Proposed Rule’s requirements to: “(1) include certain elements in their cybersecurity risk management policies and procedures; (2) file confidential reports that provide information about the significant cybersecurity incident with the [SEC] and, for some Covered Entities, other regulators; and (3) make public disclosures about their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.”
11) Commissioners Uyeda and Peirce noted these concerns in their dissenting statements. Commissioner Uyeda opined that “[t]hese prescriptive deadlines can potentially do more harm than good as these [SEC] regulatory filings would demand immediate attention from management all in the midst of responding to a breach and alerting other authorities, including law enforcement. And for what purpose? The SEC does not have a cyber response team that could immediately respond to seal the breach and provide technical assistance.” See Uyeda Statement, supra note 3. Similarly, Commissioner Peirce noted that the proposal “demonstrates that our priority is to create even more legal peril for a firm in this situation, legal peril that will distract employees of the firm from mitigating the immediate threat to the firm and its customers as they navigate the aggressive deadlines and open-ended information demands of the [SEC].” See Peirce Statement, supra note 4.