SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets

ID 22289

In view of the increasing interconnectedness of financial systems and the increased threat of cyber attacks, not least since the invasion of Ukraine, the U.S. Securities and Exchange Commission (SEC) has published a press release announcing an upcoming consultation on a new Rule 10 under 17 CFR Part 242 aimed at imposing (cyber) security management requirements on "broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents" (together covered entities or firms). Among other things, the Commission seeks to
(1) require covered entities to create, maintain, and enforce cyber security risk management policies and procedures that help identify and mitigate cyber security threats and thus prevent harm to the financial market. The policies and procedures would have to include, among others,
– a detailed risk assessment of all systems involved, including those connected to third-party service providers, and an assessment of all user access, including and in particular that of internal users;
– the development of access procedures to ensure multi-way authentication and to ensure that only authorized personnel get access to those systems they truly need to perform their jobs;
– a description of the measures firms take or will take to monitor information systems and to protect them from unauthorized access. The description would also have to include a regular review (at least once per year) of the systems involved and of the measures outlined in the policies.
(2) require covered entities to enter into "security contracts" with their third-party service providers to ensure an adequate level of cyber security at the provider. Such contracts would have to impose requirements on the service provider similar to those applying to the covered entities, such as maintaining cyber security policies to identify cyber security risks and to mitigate them.
(3) require covered entities to immediately notify the SEC "upon having a reasonable basis to conclude that the significant cyber security incident has occurred or is occurring", but in no case later than 48 hours after the occurrence. Entities would have to use the new Form SCIR and submit it electronically via the SEC's EDGAR filing system. Form SCIR requires a detailed description of the incident, including when it occurred and how long it lasted, its nature and scope, and the measures taken to mitigate it. Additionally, covered entities would have to file an amended Form SCIR in the event of, as quoted:
– Any new material information pertaining to a significant cybersecurity incident previously reported to the Commission on Part I of Form SCIR being discovered;
– A significant cybersecurity incident is resolved; or
– An internal investigation pertaining to a significant cybersecurity incident is closed.
Finally, firms would have to file Form SCIR once the incident has been resolved. A detailed set of filing instructions is included in the proposed new rule.
The new rule would also require any type of security incident to be properly documented and stored, and would require entities to publicly disclose on their website a summary description of the cyber security incidents that occurred during the current and the previous calendar year.

As these are only the key requirements outlined in the new Rule 10, please refer to the original document for more detailed, comprehensive information.

Date Published: 2023-03-15
Regulatory Framework: Securities Exchange Act of 1934
Regulatory Type: draft
