What You Need to Know
Summary of New Proposed Rule 10
Proposed Rule 10 would require all Market Entities (everyone but small broker-dealers) – referred to in the Rule as Covered Entities – to adopt written policies and procedures to address cybersecurity risks. These written policies and procedures must include the following:
- Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
- Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
- Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the Covered Entity’s information systems;
- Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and
- Measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.
Proposed Rule 10 would also require immediate written electronic notice of a significant cybersecurity incident to the SEC and the filing of a new form SCIR. The SCIR form would gather information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to and recover from the incident.
Finally, the proposal would require Covered Entities to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR. A Covered Entity would need to file the form with the SEC and post it on its website. Covered Entities that are carrying or introducing broker-dealers would also need to provide the form to customers at account opening, when information on the form is updated, and annually.
Summary of Proposed Amendments to Regulation S-P
The second proposed rule would amend Regulation S-P covering almost all Market Entities to create additional protections for customer information and create a federal minimum standard for data breach regulations. The proposed amendments would require covered institutions to adopt an incident response program as part of their written policies and procedures under the safeguards rule. The proposal would require an incident response program to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, include procedures to assess the nature and scope of any such incident, and contain and control such incidents. The proposal would also apply certain requirements related to incident response to covered institutions’ relationships with third-party service providers.
The proposed amendments would require covered institutions to notify affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide the notice as soon as practicable, but not later than 30 days after a covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. A covered institution would not need to provide the notification if the covered institution determines that the sensitive customer information was not actually and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
Additionally, the proposed amendments would enhance customer notification by:
- Expanding the safeguards and disposal rules to cover “customer information,” a new defined term referring to a record containing “nonpublic personal information,” a term already in use for other components of Regulation S-P, about a customer of a financial institution. The proposed amendments would therefore apply both rules to both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from a third-party financial institution about customers of that financial institution;
- Requiring covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;
- Conforming Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the 2015 Fixing America’s Surface Transportation Act, which would provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are satisfied; and
- Extending the safeguards rule to transfer agents registered with the Commission or another appropriate regulatory agency. In addition, the proposed amendments would extend the disposal rule from covering only transfer agents registered with the Commission to also transfer agents registered with another appropriate regulatory agency.
What You Need to Know Right Now
First – the proposed cybersecurity regulations are not yet final. Market Entities have the opportunity to comment on the proposals. This is a chance for Market Entities to influence the future of cybersecurity in the industry. Some of the concerns raised by the SEC include conflict with state data breach laws. Mark T. Uyeda, an SEC Commissioner, noted:
“lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”
These are just a few of the many topics that the SEC has opened for comments. Numerous other issues exist. The attorneys at Pastore LLC are highly skilled in both the financial sector and cybersecurity. Pastore LLC can help you draft and file comments before the proposals become final. Comments are due 60 days after the proposed rules appear in the Federal Register, which is expected to occur in the next 4 weeks.
Second – it is inevitable that some form of cybersecurity enhancement rules will be enacted in the near future. Now is the time to start planning compliance. The attorneys at Pastore LLC can assist you in formatting written policies and procedures. Pastore LLC attorneys are creative and understand the overall data privacy, data breach and cybersecurity landscape. Pastore LLC attorneys can work with internal compliance and legal departments to develop the best plan for a Market Entity’s needs.
Don’t wait! Change is coming and Market Entities need to plan for the future regulations now. Pastore LLC can help.
 Fact Sheet – Addressing Cybersecurity Risk to the U.S. Securities Markets.