U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule
On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.
On March 15, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed three rules related to cybersecurity and reopened the comment period for its Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Investment Advisers and Companies Proposed Rule).1 The three newly proposed rules include the following:
- Reg S-P: Amendments to Regulation S-P (Reg S-P) would enhance security obligations for the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents (S-P Covered Entities) to “provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.”2 The Commission unanimously approved the Regulation S-P Proposal, although certain Commissioners voiced concern over it.3
- Rule 10 Proposal: A new cybersecurity risk management rule (Rule 10) under the Securities Exchange Act would impose significant and first-of-their-kind cybersecurity requirements on broker-dealers, national securities exchanges, clearing agencies, transfer agents, security-based swap dealers (SBSDs), major security-based swap participants (MSBSPs), security-based swap data repositories (SBSDRs), the Municipal Securities Rulemaking Board (MSRB) and the Financial Industry Regulatory Authority (FINRA) (collectively, Market Entities).4 The Commission approved the Rule 10 Proposal on a 3-2 vote, with Commissioners Hester Peirce and Mark Uyeda not supporting proposed Rule 10 in part due to concerns that its requirements overlap with other recent SEC proposals.5
- Reg SCI: The Commission’s proposed amendments to Regulation Systems Compliance and Integrity (Reg SCI) under the Securities Exchange Act would expand the designation and requirements applicable to an “SCI Entity” to include registered SBSDRs, registered broker-dealers exceeding a size threshold, and additional clearing agencies exempted from registration.6 The Commission proposed the Reg SCI amendments in a 3-2 vote, with Commissioners Peirce and Uyeda dissenting for several reasons, including the significant costs of the Reg SCI Proposal (outweighing its benefits), its highly prescriptive requirements, and its overlapping requirements across other recent SEC proposals.7
I. Why This Matters
- Regulation S-P: The Regulation S-P Proposal would significantly build out the scope of Regulation S-P, including by applying to registered transfer agents for the first time and by adding mandatory data breach notification requirements. Existing Regulation S-P requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures for the protection of customer records and information (Safeguards Rule) and to properly dispose of consumer report information (Disposal Rule). And while the Commission adopted Regulation S-P in 2000, the Regulation S-P Proposal represents the first time the regulation would impose specific requirements concerning the safeguarding of customer information (other than the 2004 Disposal Rule, which ensures the proper disposal of “consumer report information”) and specify criteria for notification of data breaches involving investor information.
- Rule 10: Proposed Rule 10 would apply to most of the registrants under the Securities Exchange Act. If adopted as proposed, its requirements would likely obligate Market Entities either to develop entirely new cybersecurity risk management programs or to conduct wholesale reviews of existing programs. For the first time, the Market Entities covered by the rule would also have to report significant cybersecurity incidents to the Commission. Firms would therefore need to develop and implement new controls to carry out such reporting promptly and accurately. Failure to do so would carry substantial regulatory risk. Moreover, certain Market Entities would be required to disclose significant cybersecurity incidents on their public websites and to customers.
- Reg SCI: The Reg SCI Proposal would extend the application of Reg SCI to additional market participants, including broker-dealers that exceed particular asset or activity thresholds, registered SBSDs, and clearing agencies exempted from registration. The Reg SCI Proposal would also expand the obligations for SCI Entities, including enhanced oversight of third-party service providers (including cloud service providers) and require an identification of the current SCI industry standard to which each SCI policy and procedure relates. The Reg SCI Proposal would also expand the current definition of “systems intrusion” to include certain cybersecurity events, including a significant attempted unauthorized entry into SCI systems, and modify SEC reporting requirements for such events. Reg SCI is a highly prescriptive and burdensome regulation with SEC estimated initial compliance costs of nearly $2 million and ongoing annual compliance costs of $1.2 million. The proposed new requirements appear designed to provide a basis for potential enforcement action by requiring that each deficiency and weakness identified as part of the SCI review be provided to the SEC. As dissenting Commissioner Peirce expressed, the Reg SCI Proposal appears designed to create “legal peril” for firms, partially due to overdocumentation instead of mitigating immediate threats to a firm.
II. Analytic Considerations for Evaluating SEC Cybersecurity Proposals
As companies evaluate the SEC cybersecurity proposals to submit comments to the SEC and regarding potential future implementation, we believe the considerations listed below may provide a useful analytic framework.
- conflicts, redundancy, needs harmonization
- reasonable, sound, helpful
- coordination with/deference to other agencies
- overly prescriptive, inflexible, too intrusive
- proper legal authority
- not justified under cost-benefit analysis, unduly burdensome, too costly
- not evidence-based
- rationale not explained
- relevant factors not considered
- timeframes too compressed
- propriety of SEC definitions and risk groupings
Notably, the SEC’s approach in these proposed rules differs from the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, which acknowledge the importance of providing financial institutions flexibility and confidentiality in reporting incidents to the agencies and minimizing the burden on firms to do so.8
III. Overlap and Differences Among the Proposals
The following chart depicts which entities would be subject, generally, to each of the four proposed rules:
|Entities|Reg S-P9|Rule 10|Reg SCI|Cybersecurity Rules for Registered Investment Advisers and Funds|
|---|---|---|---|---|
|Registered Investment Advisers|X|||X|
|National Securities Exchanges||X|X||
|Other SCI Entities12|||X||
The Commission acknowledges that certain entities will be subject to many of the recent proposals but indicates that each proposal has a different scope and would not be inconsistent with the others. However, the Commission has requested comment on areas where the various proposals may create practical implementation difficulties or become particularly costly for covered entities. The following is a nonexclusive list of overlaps and differences among the proposals:
- Information Security Policies and Procedures: Rule 10 is broader in scope than Regulation S-P and Reg SCI and instead would require Market Entities to establish, maintain, and enforce a wide range of written policies and procedures that are reasonably designed to address their cybersecurity risks, compared with an incident response program under the Regulation S-P Proposal, and policies and procedures for an SCI system’s capacity, integrity, resiliency, availability, and security under the Reg SCI Proposal. Unlike Reg SCI, Rule 10 covers systems that are beyond the scope of Regulation SCI systems. Unlike Regulation S-P, Rule 10 covers any information (not just “customer information”) residing in a covered entity’s information systems as well as those information systems. The Commission also discusses the similarities of policies and procedures required by such proposals and confirms that a covered institution could implement one set of comprehensive policies and procedures that addresses each of the proposals so long as that one set covers the specific requirements of each rule.13
- Service Providers: Rule 10 includes several requirements related to service providers. For instance, Rule 10 requires Market Entities to conduct periodic assessments of cybersecurity risks associated with a covered entity’s information systems and information residing on those systems — and one of the elements of such an assessment would be assessing service providers. Additionally, Rule 10 would require a covered entity to include appropriate measures in contracts with its service providers, although it does not mandate that service providers notify their covered entities of a security incident within 48 hours as the Regulation S-P Proposal does.
- Disposal Rule: Rule 10 includes several similar policies and procedures related to the Disposal Rule under the Regulation S-P Proposal, including controls requiring standards of behavior for individuals authorized to access information systems, such as an acceptable use policy; identifying and authenticating individual users, such as through the combination of two or more credentials for access and verification; establishing password distribution, replacement, and revocation procedures restricting access to information systems to those who need to have access; and securing remote access technologies. The Rule 10 Proposal would also require periodic assessments of a covered entity’s information systems and information that resides on them — and the Commission indicates that a “broker-dealer or transfer agent that implements these requirements of the Exchange Act Cybersecurity Proposal should generally satisfy the proposed requirements of the Disposal Rule that customer information or consumer information held for a business purpose must be properly disposed of, to the extent that such information is stored electronically and, therefore, falls within the scope of the Exchange Act Cybersecurity Proposal.”14
- Security Incident Disclosure
- Regulation S-P: Disclosure is required to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization or, in some cases, all individuals whose sensitive customer information resides in the customer information system that was accessed or used without authorization.
- Rule 10: Under Rule 10, if a market entity experiences a “significant cybersecurity incident,” it will be required to disclose a summary description of each such incident that has occurred during the current or previous calendar year and to provide updated disclosures if the information required to be disclosed materially changes, including after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes. Disclosure of a “significant cybersecurity incident” would be delivered to the public at large (filing Part II of proposed Form SCIR and posting copy of form on its corporate internet website).
- Reg SCI: Disclosure is required to members, participants, or customers, as applicable, of the SCI Entity if it determines that a covered SCI system has experienced an intrusion, disruption, or compliance issue.
IV. Regulation S-P Proposal
Key components from the Regulation S-P Proposal include the following.
Safeguards Rule Revision: Incident Response Program That Includes Customer Notification:
The Regulation S-P Proposal introduces a requirement for covered entities to implement policies and procedures to respond to and notify affected individuals of “unauthorized access to or use of customer information.” (References to unauthorized “access” below include “use” as well.) The incident response program must include written policies and procedures for the S-P Covered Entity to
- assess the nature and scope of an incident and types of information accessed
- take appropriate steps to contain and control the incident
- enter written contracts with “service providers” requiring notification from such service providers of any security incident as soon as possible but no later than 48 hours after becoming aware of a breach in security that results in unauthorized access to a customer information system maintained by the service provider. The Regulation S-P Proposal defines “service provider” as “any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a [S-P Covered Entity].”15
- notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed; however, notification would not be required if the access was not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. The Regulation S-P Proposal defines “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information” and “substantial harm or inconvenience” to mean “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial” (and provides examples of relevant harms).
The SEC proposes that breach notification should be provided as soon as practicable but not later than 30 days after the S-P Covered Entity becomes aware of the unauthorized access. The notification requirement includes an exception for active national security concerns, which would apply only when an S-P Covered Entity receives a written request from the Attorney General of the United States stating that the notice required under the regulation would pose a risk to national security.
The Regulation S-P Proposal requests comment on several aspects of the Safeguards Rule revisions, including best practices relating to incident response programs; whether the Commission should mandate timeframes for incident response activities; the appropriateness and scope of the currently proposed elements, including whether additional elements should be considered; whether remote work arrangements should be considered as part of the Safeguards Rule; and whether the scope of the proposed incident response program is appropriate.
Expanding the Scope of Information Protected Under the Safeguards Rule and Disposal Rule
The Regulation S-P Proposal broadens the information covered by the Safeguards Rule and Disposal Rule by extending the protections of those rules to a newly defined term, “customer information.” Specifically, the Regulation S-P Proposal
- proposes the new term, “customer information,” which means “any record containing ‘nonpublic personal information’ (as defined in Regulation S-P) about ‘a customer of a financial institution,’ whether in paper, electronic or other form that is handled or maintained by the covered institution or on its behalf”; this definition is intended to conform with the Federal Trade Commission (FTC) definition of customer information
- clarifies that the Safeguards Rule and Disposal Rule will apply to “all customer information in the possession of a covered institution, and all consumer information that a covered institution maintains or otherwise possesses for a business purpose, as applicable, regardless of whether such information pertains to the covered institution’s own customers or to customers of other financial institutions and has been provided to the covered institution” (the inclusion of information pertaining to customers of other financial institutions is not currently codified under the GLBA and may require additional compliance efforts)
The Regulation S-P Proposal requests comment on several aspects of the scope of information protected under the Safeguards Rule and Disposal Rule, including when the definition should be more or less expansive; whether there are any gaps in coverage; whether employees’ nonpublic personal information should be protected by the Safeguards Rule; and whether the definition or proposed scope is too broad or narrow.
Expanding the Scope of the Safeguards Rule and the Disposal Rule to Cover All Transfer Agents
The Regulation S-P Proposal would extend both the Safeguards Rule and Disposal Rule to apply to any transfer agent registered with the Commission or the Comptroller of the Currency (Comptroller), Board of Governors of the Federal Reserve System (Board of Governors), or the Federal Deposit Insurance Corporation (FDIC).16 The Commission proposes such an expansion due to transfer agents’ substantial role in processing customer information related to securityholders. Notably, the FTC has not adopted similar standards for transfer agents.
The Regulation S-P Proposal requests comment on several aspects of the expansion of the Safeguards Rule and the Disposal Rule to cover registered transfer agents, including the advantages and disadvantages.
Other Proposed Changes
The Commission indicated that it tailored its proposed amendments to ensure that there will be no change in the treatment under the Safeguards Rule and the Disposal Rule of notice-registered broker-dealers, which are registered with the Commodity Futures Trading Commission. Moreover, the Regulation S-P Proposal also proposes amendments to provide exemptions from the annual notice provision of Regulation S-P to ensure compliance with the 2015 Fixing America’s Surface Transportation Act (FAST Act). To qualify for the exception from providing annual notice, an institution must satisfy two conditions: (1) it must share nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of Section 6802 of the GLBA, and (2) it must not have changed its policies and practices with regard to disclosing nonpublic personal information from its most recent policy.
V. Rule 10 Proposal
According to the SEC, proposed Rule 10 is designed to protect U.S. securities markets and investors from the threats and adverse effects posed by cybersecurity risks and to improve the SEC’s ability to obtain information about significant cybersecurity incidents. The SEC states that increased reliance on information systems by Market Entities has caused a corresponding increase in their cybersecurity risk from threat actors, both internal and external. These threat actors may use a range of tactics to cause harmful cybersecurity incidents, including ransomware,17 social engineering schemes (e.g., spear phishing18), and hacks (e.g., brute-force attacks19 or denial-of-service attacks20). Given the interconnectedness of Market Entities’ information systems, the Commission also states that a significant cybersecurity incident at one Market Entity has the potential to spread to other Market Entities in a cascading process that could cause widespread disruptions threatening the fair, orderly, and efficient operation of the U.S. securities markets.
Scope of the Cybersecurity Risk Management Proposal
Proposed Rule 10 would require implementation of cybersecurity risk management policies and procedures, notification and reporting of significant cybersecurity incidents, and public disclosures of cybersecurity risks and incidents. Proposed Rule 10 also includes recordkeeping requirements for Market Entities and a substituted compliance framework for Market Entities that are non-U.S. SBSDs and MSBSPs.
Proposed Rule 10 would generally apply to all Market Entities. “Market Entities” comprise “Covered Entities” and broker-dealers that are not included in the definition of a Covered Entity (“Noncovered Entity Broker-Dealers”). Each of these two groups of Market Entities would be subject to some of the same types of requirements under proposed Rule 10, as explained in more detail below. However, generally speaking, Market Entities that are Covered Entities would be subject to a more significant set of requirements than Market Entities that are Noncovered Entity Broker-Dealers.
A “Covered Entity” would be defined to include the MSRB, FINRA, registered clearing agencies, registered national securities exchanges, registered SBSDRs, registered SBSDs, registered MSBSPs, registered transfer agents, and certain broker-dealers. Specifically, the following broker-dealers would be Covered Entities:
- broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (i.e., carrying broker-dealers)
- broker-dealers that introduce their customers’ accounts to a carrying broker-dealer on a fully disclosed basis (i.e., introducing broker-dealers)
- broker-dealers with regulatory capital of $50 million or more
- broker-dealers with total assets of $1 billion or more
- broker-dealers that operate as market makers
- broker-dealers that operate an alternative trading system (ATS)
As noted above, a Noncovered Entity Broker-Dealer would also be a Market Entity and would be subject to certain requirements under proposed Rule 10.
Cybersecurity Risk Management Policies and Procedures
Proposed Rule 10 would require all Market Entities (regardless of whether the entity is a Covered Entity or a Noncovered Entity Broker-Dealer) to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks. All Market Entities would be required to review and assess, at least annually, the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. They also would be required to prepare a report (in the case of Covered Entities) and a record (in the case of Noncovered Entity Broker-Dealers) with respect to the annual review.
Noncovered Entity Broker-Dealers would have to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their risks, taking into account their size, business, and operations. In contrast, a Covered Entity would need to establish, maintain, and enforce written policies and procedures that generally include the following elements as described in greater detail in the proposal:
- periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments
- controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems
- measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the Covered Entity’s information systems
- measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems
- measures to detect, respond to, and recover from a cybersecurity incident
- written documentation of any cybersecurity incident and regarding the response to and recovery from the incident
Notification and Reporting to the SEC of Significant Cybersecurity Incidents
Upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring, all Market Entities would have to give the Commission immediate written electronic notice through its EDGAR system by filing Part I of proposed Form SCIR. The proposal provides a two-pronged definition of “significant cybersecurity incident.” A significant cybersecurity incident would be a cybersecurity incident or group of related cybersecurity incidents that
- significantly disrupts or degrades the ability of the market entity to maintain critical operations or
- leads to the unauthorized access or use of the information or information systems of the market entity that results in or is reasonably likely to result in
(i) substantial harm to the market entity or
(ii) substantial harm to a customer, counterparty, member, registrant, or user of the market entity or to any other person that interacts with the market entity.21
In addition to the immediate electronic notice, Covered Entities would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission. The Covered Entity would need to file the form using the EDGAR system promptly, but no later than 48 hours after developing a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. The form elicits information about the incident, such as date of discovery, duration, and law enforcement cooperation.
The Covered Entity would also need to file an amended Part I of Form SCIR in the following circumstances: (1) if any information previously reported becomes materially inaccurate; (2) if any new material information is discovered; (3) once the significant cybersecurity incident is resolved; or (4) after closing an internal investigation pertaining to the significant cybersecurity incident. Part I of proposed Form SCIR would be submitted confidentially to the Commission.
Public Disclosure of Cybersecurity Risks and Incidents
Using Part II of proposed Form SCIR, Covered Entities would have to publicly disclose summaries of their cybersecurity risks and the significant cybersecurity incidents during the current or previous calendar year. Part II of Form SCIR would be filed with the Commission using EDGAR and posted on the Covered Entity’s public website. Covered Entities that are carrying or introducing broker-dealers must also provide Part II of Form SCIR to customers at account opening, when information on Part II is updated, and annually. A Covered Entity would be required to update the Part II disclosures if the information materially changes, for example, after the occurrence of a new significant cybersecurity incident or if a significant cybersecurity incident is no longer within the look-back period.
All Covered Entities and Noncovered Entity Broker-Dealers would have to preserve certain records relating to the requirements of proposed Rule 10 in accordance with amended or existing recordkeeping requirements applicable to them under the Securities Exchange Act or, in the case of exempt clearing agencies, pursuant to conditions in relevant exemption orders. The proposed amendments would specify that the Rule 10 Records for Covered Entities and Noncovered Entity Broker-Dealers must be retained for three years. They would also provide that exempt clearing agencies must retain Rule 10 Records for a period of at least five years after the record is made or five years after terminating their use of the written policies and procedures.
Finally, the Commission is proposing amendments to address the potential availability of substituted compliance for non-U.S. SBSDs and MSBSPs. Substituted compliance would represent a mechanism for the non-U.S. firms to satisfy the proposed cybersecurity requirements by instead complying with comparable foreign requirements.
Discussion of Blockchain and Digital Asset Securities
Proposed Rule 10 briefly addresses cybersecurity risk related to cryptoassets.22 Specifically, it states that because the creation, distribution, custody, and transfer of cryptoassets rely almost exclusively on information systems, a Market Entity that engages in business activities involving cryptoassets could be exposed to heightened cybersecurity risks.
VI. Reg SCI
The SEC adopted Reg SCI in 2014 to modernize and enhance its oversight over the technological infrastructure of market participants that play a critical role in the functioning of U.S. securities markets. Today, Reg SCI applies to SCI Entities, which include national securities exchanges, FINRA, clearing agencies (as well as certain exempt clearing agencies), the securities information processors (responsible for disseminating consolidated market data), certain competing consolidators that exceed specific market data revenue thresholds, and certain ATSs that exceed specific volume thresholds. Reg SCI is generally designed to ensure that SCI Entities appropriately manage and monitor the performance of electronic systems (known as SCI systems) that directly support (1) trading, (2) clearance and settlement, (3) order routing, (4) market data, (5) market regulation, or (6) market surveillance.
Under Reg SCI, SCI Entities are required to, among other things,
- establish written policies and procedures reasonably designed to ensure that their systems have capacity, integrity, resiliency, availability, and security to maintain operational capability and meet additional specified requirements
- provide notice and reports to the Commission regarding certain systems-related events (known as SCI events and comprising a “system disruption,” “systems intrusion,” and “systems compliance issue”) and take corrective action regarding SCI events, as necessary, and disseminate to members or participants information related to such events
- report to the SEC material changes to SCI systems each calendar quarter as well as conduct an annual review (known as the SCI review) to assess compliance with Reg SCI and provide the SCI review to the SEC
- require that members or participants participate in testing of business continuity and disaster recovery plans and coordinate testing on an industry- or sector-wide basis
Reg SCI is a highly prescriptive rule with detailed obligations and procedures related to each of the foregoing requirements.
Proposed Amendments to Reg SCI
The SEC proposes three key areas of changes to Reg SCI: (1) extending the application to additional types of market participants, (2) expanding the requirements applicable to SCI entities, and (3) additional miscellaneous changes.
(1) Expanded Scope of SCI Entities
Under the Reg SCI Proposal, the SEC would expand the definition of “SCI entity” to include (i) registered SBSDRs, (ii) registered broker-dealers exceeding a size threshold (SCI broker-dealers), and (iii) additional clearing agencies exempted from registration (exempt clearing agencies).23
An SCI broker-dealer would be defined as a broker-dealer that meets one of two tests based either on total assets of the broker-dealer or transaction volume. Specifically, an SCI broker-dealer would be any broker-dealer that
(1) in at least two of the four preceding calendar quarters reported to the SEC on its quarterly FOCUS reports (Form X-17A-5), total assets in an amount that equals 5% or more of the total assets of all security brokers and dealers or
(2) during at least four of the preceding six calendar months,
a. NMS stocks – transacted 10% or more of the average daily dollar volume in NMS stocks,24
b. exchange-listed options – transacted 10% or more of the average daily dollar volume,
c. Treasuries – transacted 10% or more of the average daily dollar volume, or
d. agency securities25 – transacted average daily dollar volume in an amount that equals 10% or more of the total average daily dollar volume.
The SEC estimates there would be at least 17 SCI broker-dealers that would currently meet these criteria. However, all broker-dealers that may approach these thresholds would likely need to develop procedures to carefully monitor their transactions and asset volumes. SCI broker-dealers would generally have six months to come into compliance with Reg SCI after meeting these criteria.
(2) Expanded Obligations for Reg SCI Policies and Procedures
Under the Regulation SCI Proposal, all SCI entities would have expanded obligations with respect to their policies and procedures. Specifically, in addition to the existing requirements under Reg SCI, all SCI entities would be required to implement policies and procedures that include
- an inventory, classification, and lifecycle management program for SCI systems and indirect SCI systems26
- a program to manage and oversee third-party providers (including cloud service providers) that provide or support SCI or indirect SCI systems27
- business continuity/disaster recovery plans (BC/DR plans) that address the unavailability of any third-party provider without which there would be a material impact on critical SCI systems
- a program to prevent unauthorized access to SCI systems and information therein
- identification of current SCI industry standards with which each such policy and procedure is consistent
The final prong of these new requirements would be particularly challenging as it would require an SCI entity to “tick and tie” each of its policies and procedures to current “SCI industry standards,” which are not expressly defined and are constantly evolving.28
(3) Other Proposed Changes to Reg SCI
The Reg SCI Proposal would also set forth a variety of additional changes to Reg SCI, including the following:
Amended Definition of “Systems Intrusion” to Include “Significant Attempted Unauthorized Entries” and Notice Requirements to Affected Persons
The Reg SCI Proposal would amend the definition of “systems intrusion” — which is a type of SCI event — to include additional “cyber events and threats.”29 Currently, a “systems intrusion” is any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.30 Under the Regulation SCI Proposal, a “systems intrusion” would include two additional categories of disruption: (i) a cybersecurity event that disrupts, or significantly degrades, the regular operation of an SCI system, and (ii) any significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity according to established reasonable written criteria.31
Under Reg SCI today, all SCI events (i.e., systems intrusions, systems disruptions, or systems compliance issues, as defined under Reg SCI) must be reported to the Commission immediately unless the SCI entity reasonably determines that the SCI event would have no or a de minimis impact on the SCI entity. Under the Regulation SCI Proposal, the SEC would exclude “systems intrusions” from this de minimis impact requirement — meaning that all “systems intrusions” would have to be reported to the Commission immediately.
SCI entities are also generally required today to report certain SCI events to their members/participants. However, under the Reg SCI Proposal, an SCI entity would not be required to report a “significant attempted unauthorized entry” to its members/participants.
Amendments to the Requirements for an SCI Review
Currently under Reg SCI, an entity must perform an annual “SCI review.”32 Under the Reg SCI Proposal, the SEC would amend the SCI review requirements to require that penetration testing of SCI systems be conducted annually rather than once every three years. Additionally, the SCI review would have to include additional detail, in particular
(i) “a list of the controls reviewed and a description of each such control which shall include assessments of: the risks related to the capacity, integrity, resiliency, availability, and security; internal control design and operating effectiveness; and an assessment of third-party provider management risks and controls”33
(ii) “a description of each deficiency and weakness identified by the SCI review”34
Under Reg SCI currently, an SCI entity must provide a report of the SCI review to its board of directors or equivalent thereof as well as to the SEC.
Expanding Business Continuity/Disaster Recovery Testing to Apply to Third-Party Service Providers
Currently under Reg SCI, an SCI entity must designate key members or participants to participate in annual BC/DR plan testing. Under the Regulation SCI Proposal, these BC/DR testing requirements would extend to third-party service providers.
Recordkeeping and Form SCI
Currently under Reg SCI, an SCI entity must keep records with respect to virtually all aspects of its compliance with Reg SCI. Upon ceasing to be an SCI entity, a former SCI entity must today ensure that its records remain available to the SEC for the prescribed recordkeeping retention period. Under the Reg SCI Proposal, the SEC would amend this provision to ensure that it captures scenarios where an SCI entity continues to do business or remains a registered entity but ceases to qualify as an SCI entity.
VII. Comment Period
The public comment period will remain open until 60 calendar days after the publication of the proposals in the Federal Register. The Regulation S-P Proposal and the proposed Rule 10 have each been published in the Federal Register;35 the comment period for both will close on June 5, 2023. The Reg SCI Proposal has also been published in the Federal Register;36 the comment period will close on June 13, 2023.
1 For further information on the rule, see Brown et al., Newly Proposed SEC Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds, https://www.sidley.com/en/insights/newsupdates/2022/03/newly-proposed-sec-cybersecurity-risk-mgmt-rules-amendments-registered-investment-advisers-funds
2 Securities Exchange Act Release No. 97141 (Mar. 15, 2023) (Regulation S-P Proposal), https://www.sec.gov/rules/proposed/2023/34-97141.pdf. The Regulation S-P Proposal is issued under Section V of the Gramm-Leach-Bliley Act (GLBA) as well as statutory authority under the Securities Exchange Act of 1934 (Securities Exchange Act), Investment Company Act of 1940 (Investment Company Act), and Investment Advisers Act of 1940 (Investment Advisers Act).
3 Commissioner H. Peirce, Statement on Regulation SP: Privacy of Consumer Financial Information and Safeguarding Customer Information (Mar. 15, 2023), https://www.sec.gov/news/statement/peirce-statement-regulation-sp-031523; Commissioner M. Uyeda, Statement on the Proposed Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (Mar. 15, 2023), https://www.sec.gov/news/statement/uyeda-statement-regulation-sp-031523.
4 Securities Exchange Act Release No. 97142 (Mar. 15, 2023) (Rule 10 Proposal), https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
5 Commissioner H. Peirce, Statement on Proposed Cybersecurity Rule 10 and Form SCIR (Mar. 15, 2023), https://www.sec.gov/news/statement/peirce-statement-enhanced-cybersecurity-031523; Commissioner M. Uyeda, Statement on the Proposed Cybersecurity Risk Management Rule for Market Entities (Mar. 15, 2023), https://www.sec.gov/news/statement/uyeda-statement-enhanced-cybersecurity-031523.
6 Exchange Act Release No. 97143 (Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97143.pdf (Reg SCI Proposal).
7 Commissioner H. Peirce, Comments on Proposed Expansion of Regulation SCI (Mar. 15, 2023), https://www.sec.gov/news/statement/peirce-statement-regulation-sci-031523; Commissioner M. Uyeda, Statement on the Proposed Amendments to Regulation Systems Compliance and Integrity (Mar. 15, 2023), https://www.sec.gov/news/statement/uyeda-statement-regulation-sci-031523.
8 Computer-Security Incident Notification Rule, 86 FR 66424 (“The final rule is designed to ensure that the appropriate agency receives timely notice of significant emergent incidents, while providing flexibility to the banking organization to determine the content of the notification. Such a limited notification requirement will alert the agencies to such incidents without unduly burdening banking organizations with detailed reporting requirements, especially when certain information may not yet be known to the banking organizations”).
9 Note that Reg S-P applies only to the “customer information” (as defined in the Regulation S-P Proposal implementing the GLBA) that such entities collect, process, or can access.
10 Under the Rule 10 Proposal, only certain broker-dealers are considered Market Entities and, thus, subject to additional requirements as described in Sections II(A)(1)(b) and II(C).
11 Under the Regulation SCI Proposal, only broker-dealers that exceed a total assets threshold or a transaction activity threshold in National Market System (NMS) stocks, exchange-listed options, U.S. Treasury securities, or agency securities would be considered SCI entities.
12 SCI entities currently also include alternative trading systems meeting volume thresholds with respect to NMS stocks and non-NMS stocks; exclusive disseminators of consolidated market data; certain competing consolidators of market data meeting a gross revenue threshold; and certain exempt clearing agencies.
13 Regulation S-P Proposal, 113–14 (“(1) the cybersecurity-related policies and procedures required under Regulation S-P and Regulation SCI fit within and are consistent with the scope of the policies and procedures required under the Exchange Act Cybersecurity Proposal, and (2) the Exchange Act Cybersecurity Proposal policies and procedures also address the more narrowly-focused cybersecurity-related policies and procedures requirements under the Regulation S-P and Regulation SCI Proposals”).
14 Id. at 120–21.
16 Section 3(a)(34) of the Securities Exchange Act provides that an entity that is required to register in connection with its transfer agent functions may have a banking regulator (i.e., the Comptroller, Board of Governors, or the FDIC) as its “appropriate regulatory agency” rather than the SEC where the firm is a type of banking entity. These rules will apply to both types of transfer agents.
17 See CISA, Ransomware 101, available at https://www.cisa.gov/stopransomware/ransomware-101.
18 See, e.g., U.S. Office of the Director of National Intelligence, Spear Phishing and Common Cyber Attacks, available at https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf.
19 See, e.g., WASC Classification Report (“The most common type of a brute force attack in web applications is an attack against log-in credentials. Since users need to remember passwords, they often select easy to memorize words or phrases as passwords, making a brute force attack using a dictionary useful. Such an attack attempting to log-in to a system using a large list of words and phrases as potential passwords is often called a ‘word list attack’ or a ‘dictionary attack’ ”).
20 See CISA, Security Tip (ST04-015) – Understanding Denial-of-Service Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-015 (“A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible”).
21 Proposed Rule 10 defines “information” and “information system” broadly. “Information” is defined as “any records or data related to the Market Entity’s business residing on the Market Entity’s information systems”; while “information systems” is defined as “information resources owned or used by the Market Entity, including, for example, physical or controlled by the information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the Market Entity’s information to maintain or support the Market Entity’s operations.”
22 The Cybersecurity Risk Management Proposal states that its use of the term “crypto asset” or “digital asset” refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology, including so-called virtual currencies, coins, and tokens.
23 Reg SCI Proposal at 23–24.
24 This volume would exclude off-exchange transactions where the broker-dealer was not an executing party.
25 Agency securities would be defined as a debt security issued or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105, or government-sponsored enterprise, as defined in 2 U.S.C. 622(8).
26 An “indirect SCI system” means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems. 17 CFR 242.1000.
27 This would additionally require (i) initial and periodic review of contracts with such third-party providers for consistency with the SCI entity’s obligations under Reg SCI and (ii) a risk-based assessment of each third-party provider’s criticality to the SCI entity, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed.
28 Under Rule 1001(a)(4) of current Reg SCI, an SCI entity’s policies and procedures are deemed reasonably designed if they are “consistent with current SCI industry standards.” SCI industry standards are described as “information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.” 17 CFR 242.1001(a)(4).
29 Reg SCI Proposal at 19.
30 Id. at 20.
31 Id. at 132–133.
32 An “SCI review” is defined as a review, following established procedures and standards, performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and containing (1) a risk assessment with respect to such systems of an SCI entity and (2) an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.
35 Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Federal Register (Apr. 6, 2023), https://www.federalregister.gov/documents/2023/04/06/2023-05774/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information; Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Federal Register (Apr. 5, 2023), https://www.federalregister.gov/documents/2023/04/05/2023-05767/cybersecurity-risk-management-rule-for-broker-dealers-clearing-agencies-major-security-based-swap.
36 Regulation Systems Compliance and Integrity, Federal Register (Apr. 14, 2023), https://www.federalregister.gov/documents/2023/04/14/2023-05775/regulation-systems-compliance-and-integrity?utm_medium=email&utm_campaign=subscription+mailing+list&utm_source=federalregister.gov.