In 2023, the U.S. Securities and Exchange Commission (SEC) reaffirmed its focus on data security, cybersecurity, and IT operational resilience. The SEC proposed three significant regulatory updates aimed at improving transparency, recordkeeping, and breach reporting across the financial sector. These proposals include the following:
Cybersecurity Risk Management and Incident Notification Rules
The SEC proposed cybersecurity risk management regulations for broker-dealers and other SEC-registered entities, including registered investment advisers (RIAs) and investment companies. The proposal was initially introduced in February 2022, and its comment period was extended to May 2023 to allow additional feedback. Key elements include:
- Mandatory Cybersecurity Policies: Entities must develop and implement comprehensive cybersecurity policies and procedures to address risks effectively.
- Incident Reporting: Significant cybersecurity incidents must be reported to the SEC using Form ADV-C.
- Client and Investor Disclosures: Advisers and funds must disclose cybersecurity risks and incidents in their registration statements or Form ADV Part 2A.
- Recordkeeping Requirements: Firms are required to maintain documentation related to their cybersecurity policies, procedures, and incidents.
These rules aim to enhance the cybersecurity readiness of financial institutions and improve protection for investors by addressing gaps in current practices.
Proposed Amendments to Regulation S-P
The SEC proposed updates to Regulation S-P, which governs how firms protect sensitive nonpublic personal information. The amendments would:
- Require firms to notify individuals about data breaches that could compromise their personal or financial information.
- Mandate incident response programs to address unauthorized access to customer data.
- Expand the scope of safeguards to include broader categories of customer information.
- Apply these requirements to additional entities such as transfer agents.
These changes aim to align privacy breach protocols with modern cybersecurity challenges.
Proposed Rule 10: Cybersecurity Risk Management for Broker-Dealers
This rule introduces cybersecurity requirements for broker-dealers, clearing agencies, and other SEC-regulated entities. Key provisions include:
- Annual Policy Reviews: Firms must annually assess the effectiveness of their cybersecurity policies and document these evaluations.
- Incident Notification: Significant cybersecurity incidents must be reported to the SEC within 48 hours.
- Risk Management Requirements: Covered entities must conduct regular risk assessments, implement controls, and disclose cybersecurity risks and incidents publicly through Form SCIR.
Moreover, the rule underscores the SEC’s commitment to addressing vulnerabilities in financial markets that are critical to economic stability.
The Importance of Clear Guidance for RIAs
While many RIAs already have cybersecurity compliance programs, these programs often lack formalized guidance. The new SEC proposals provide a clearer framework, helping firms align their practices with regulatory expectations and ensuring consistent cybersecurity standards.
Best Practices for Mitigating Cybersecurity Risks
To prepare for these new rules, firms can take several proactive steps:
- Conduct Thorough Risk Assessments: Evaluate existing cybersecurity policies, systems, and access points to identify vulnerabilities.
- Engage Service Providers: Perform due diligence on third-party providers, including AI vendors, to understand how they handle sensitive data and mitigate risks.
- Enhance Training: Implement firm-wide training programs, including phishing simulations, to educate employees on identifying and addressing cybersecurity threats.
- Adopt Robust Policies: Establish incident response plans and ensure policies are updated to comply with the proposed regulations.
Adapting to Emerging Risks
The SEC’s proposals also highlight the growing risks associated with artificial intelligence (AI). Firms should carefully vet AI tools, ensuring they comply with privacy standards and do not expose sensitive information. Understanding how AI integrates with existing systems is essential for maintaining robust security protocols.
Preparing for Compliance
Financial firms should use these proposals as a roadmap to strengthen their cybersecurity frameworks. By staying informed, conducting comprehensive assessments, and adopting best practices, firms can better position themselves to meet the SEC’s final rules and protect against costly breaches.