SEC Proposes Cybersecurity Risk Management Rule for Broker-Dealers and SBS Entities | Practical Law

The SEC proposed a new rule and form, as well as amendments to existing recordkeeping rules, to require broker-dealers, clearing agencies, major security-based swap participants, security-based swap dealers, transfer agents, and certain other entities performing services that support the US securities markets to address cybersecurity risks.

Practical Law Legal Update w-038-8352 (Approx. 6 pages)

by Practical Law Corporate and Securities
Published on 16 Mar 2023 | USA (National/Federal)
On March 15, 2023, the SEC proposed a new rule and form, as well as amendments to existing recordkeeping requirements, to require entities performing critical functions that support the US securities markets to address their cybersecurity risks.
Specifically, proposed new Rule 10 under the Exchange Act would establish cybersecurity risk management requirements for "market entities," which include:
Proposed Rule 10 would require all market entities to:
  • Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.
  • At least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures.
  • Notify the SEC of significant cybersecurity incidents.
Additional requirements would be imposed on "covered entities," which are market entities other than certain small broker-dealers.
The comment period on the proposal will remain open until 60 days after publication in the Federal Register. The requirements of proposed Rule 10, as well as the proposed amendments to existing recordkeeping requirements, are discussed in further detail below.

Written Cybersecurity Policies and Procedures

Under proposed Rule 10, all market entities would be required to:
  • Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.
  • Annually review and assess the design and effectiveness of their cybersecurity risk management policies and procedures.
For covered entities, such policies and procedures must require:
  • Periodic assessments of cybersecurity risks associated with the covered entity's information systems and information residing on those systems.
  • Controls designed to minimize user-related risks and prevent unauthorized access to the covered entity's systems.
  • Measures designed to monitor the covered entity's information systems and protect the information on them from unauthorized access or use, based on the periodic assessment.
  • Measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities.
  • Measures designed to detect, respond to, and recover from a cybersecurity incident.
Covered entities would also be required to prepare a written report describing their annual review and assessment. Market entities that are not covered entities would only be required to create a record of their review and assessment.

Cybersecurity Incident Reporting and Risk Disclosure

Proposed Rule 10 would also require all market entities to give the SEC immediate written electronic notice of a significant cybersecurity incident when the entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring.
Covered entities must file a report on significant cybersecurity incidents on Part I of proposed new Form SCIR within 48 hours of having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Covered entities would also be required to file an amended Part I of Form SCIR with updated information under certain circumstances, as specified in Rule 10, including:
  • If any information previously reported becomes materially inaccurate.
  • If any new material information pertaining to the incident previously reported is discovered.
  • When the incident is resolved.
  • After an internal investigation into the incident is closed, if applicable.
In addition, covered entities would be required to provide a summary description of their cybersecurity risks and significant cybersecurity incidents. The disclosure would be provided by:
  • Filing Part II of proposed new Form SCIR with the SEC via EDGAR.
  • Posting a copy of their most recently filed Part II of Form SCIR on an easily accessible portion of their website.
Broker-dealers would also have to provide new customers with a copy of their most recent Part II of Form SCIR when opening an account and annually thereafter, using the same means the customer elects to receive account statements.
Form SCIR would be required to be filed with the SEC electronically via EDGAR in accordance with the EDGAR Filer Manual and Regulation S-T.

Recordkeeping

In addition to proposed new Rule 10 and Form SCIR, the SEC is also proposing to amend existing recordkeeping requirements to identify Rule 10 records as records that must be preserved and maintained by certain covered entities. In particular, the SEC is proposing to amend the recordkeeping requirements for:
  • Broker-dealers.
  • SBS Entities.
  • Transfer agents.
The amendments would require these covered entities to retain Rule 10 records for three years.
For up-to-date information on the status of SEC rulemaking, see Practice Note, SEC Rulemaking Tracker.