CLS Blue Sky Blog

Davis Polk Discusses New SEC Cybersecurity Requirements for Regulated Market Participants

The SEC proposed an array of new cybersecurity-related requirements in the form of: (1) an expansive new Rule 10, (2) extending the reach of Regulation SCI, and (3) expanding Regulation S-P, including to require incident response programs. The SEC also reopened the comment period for new cybersecurity rules for investment advisers and investment companies.

New requirements for market entities

On March 15, the SEC proposed a new Rule 10 under the Securities Exchange Act of 1934 (Exchange Act), which would impose new cybersecurity requirements on “Market Entities.” That group includes many types of broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. Some of the requirements apply to a subset of Market Entities referred to as “Covered Entities.” The proposal, which takes up more than 500 pages, defines “Covered Entities” and has four core requirements:

Regulation SCI amendments

The SEC proposed amendments to Regulation Systems Compliance and Integrity (Reg SCI). Reg SCI currently imposes a number of requirements concerning system operations and compliance, including: having comprehensive policies and procedures reasonably designed to ensure that certain systems maintain operational capability and promote the maintenance of fair and orderly markets; having policies and procedures reasonably designed to ensure that certain systems operate in a manner that is compliant with the Exchange Act and the entity’s own rules and governing documents; taking corrective action in response to system issues; providing notice to the Commission; and conducting annual compliance reviews.

The proposed amendments would expand the scope of SCI entities covered by the rule. Currently, SCI entities are self-regulatory organizations (SROs), certain large ATSs, plan processors, certain clearing agencies, and SCI competing consolidators (if and when they come into existence). Under the proposed amendments, the reach of the rule would be extended to:

This change would bring the largest broker-dealers, along with swap data repositories and certain exempt clearing agencies under the umbrella of Reg SCI.

The amendments would also add new requirements, including:

In a statement, Commissioner Hester Peirce objected to the proposed amendments as overly prescriptive. She argued that the updates to Reg SCI would create “micromanagement” of the covered entities’ operations, many of which already have market, reputation, and regulatory incentives to adequately maintain their systems in order to perform key market functions. Commissioner Peirce noted that the Reg SCI amendments overlap significantly—but not entirely—with the Commission’s proposed Regulation S-P and Cybersecurity Risk Management Rule without rationalizing whether, and where, deltas exist between these rules.

Regulation S-P amendments

Regulation S-P, adopted in 2000 and known as the “Safeguards Rule,” requires brokers, dealers, investment companies, and registered investment advisers (the “covered institutions”) to adopt written policies and procedures for safeguards to protect customer records and information. The regulation also requires proper disposal of information, both by covered institutions as well as transfer agents registered with the SEC. The SEC’s proposal would expand the rule by adding a requirement for an incident response program and also a requirement to notify affected individuals in the event of a data breach. Specifically, the proposal includes:

Cybersecurity risk management for registered investment advisers and funds

The SEC also reopened the comment period for proposed rules that would impose significant new cybersecurity requirements for registered investment advisers and investment companies (summarized in our prior client update). The proposed rules, written to cover all registered funds, would require policies and procedures, annual reviews, reporting to the SEC, disclosures to investors, and recordkeeping. The reopened comment period allows firms to evaluate the proposed rule for registered investment advisers and investment companies in connection with the new proposed requirements for Market Entities and amendments to Regulation SCI and Regulation S-P.

Takeaways

These sweeping new requirements would greatly increase the SEC’s management of regulated entities’ approach to cybersecurity and system integrity. Current SEC regulation is targeted at certain risks, such as protecting customer information under Regulation S-P or preventing identity theft under Regulation S-ID. It also is focused on select market participants of significant market importance, such as the entities currently covered by Regulation SCI. The proposed rules would put the SEC in the business of dictating the elements of comprehensive cybersecurity programs across a wide swath of market participants including, for the first time, SEC-mandated incident response requirements. Although the SEC said that the proposed Rule 10 is not meant to be a one-size-fits-all approach, it contains multiple parts and sub-parts of detailed requirements, defines many new terms and concepts to be learned and followed, and imposes standardized notice and disclosure through new forms that must be filed with the SEC.

Commissioner Peirce expressed concerns about the Commission’s proposed approach in her statement opposing the proposed new Rule 10, including these comments:

Unfortunately, with this proposal, the Commission has apparently decided its role is to be an enforcer demanding that a firm dealing with a cybersecurity attack first and repeatedly attend to the Commission’s voracious hunger for data. The Commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers. . . .

When we engage with a regulated entity that has suffered a cyberattack, we deal with a victim. We typically deal with a victim who has made great effort to protect its systems and its customers’ data and is devoting significant resources to mitigate the harm from such an attack. Our priority should be to provide what support and information we can to assist the firm in this effort and, following resolution, to gather information that will help other firms in the future. Instead, this proposal demonstrates that our priority is to create even more legal peril for a firm in this situation, legal peril that will distract employees of the firm from mitigating the immediate threat to the firm and its customers as they navigate the aggressive deadlines and open-ended information demands of the Commission.

On their face, the proposals would seem to impose substantial new costs across the industry, especially considering the nearly 1,200 total pages of new guidance and explanation. The SEC concluded otherwise, estimating, for example, that the average internal costs per Covered Entity for the new policy and procedure and annual review requirements of Rule 10 would be only $14,531.54 per Covered Entity and $29.1 million in total (in addition to external costs of $3,472 per Covered Entity and $6.9 million in total external costs). The SEC estimated that a compliance attorney and assistant general counsel would require a total of 31.67 hours—four working days—to comply with the rules. It is difficult to square these estimates with the expansive new requirements; one wonders whether a firm could even read the three proposals and respond to the SEC’s many requests for comment in that amount of time. The accuracy of the cost estimate may provide a basis to challenge the rules if they are adopted.

The proposal also would create new hindsight enforcement risk. The SEC frequently brings enforcement cases involving policy and procedure requirements, such as policies and procedures to prevent the misuse of material, nonpublic information under Exchange Act Section 15(g) and Investment Advisers Act Section 204A. Cybersecurity-related enforcement actions have been on the rise in recent years, a trend that is sure to continue if the proposed suite of new requirements is adopted.

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s memorandum, “SEC proposes sweeping new package of cybersecurity requirements for regulated market participants,” dated March 21, 2023, and available here.
