SEC Proposes Host of New Rules for Data Security, Cybersecurity, and IT Resilience

The Securities and Exchange Commission (SEC or Commission) voted on March 15, 2023, to propose three new sets of rules for data security, cybersecurity, and IT operational resilience. The newly proposed rules would, among other things:

(1) Amend Regulation S-P to require broker-dealers, registered investment advisors (RIAs), and investment companies (funds) to report breaches of "sensitive" nonpublic personal information (NPI) to affected individuals;

(2) Impose cybersecurity risk management and incident notification rules for broker-dealers and other SEC-registered entities, similar to rules the SEC proposed for RIAs and funds last year; and

(3) Expand Regulation SCI to include larger broker-dealers and other entities whose operations "have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue."

The Commission also voted to reopen public comment on the cybersecurity rules for RIAs and funds (the public comment period commenced on March 22, 2023, with a closure date now set for May 22, 2023), meaning those rules will not be finalized in April as the SEC previously intended.

The SEC has opened a 60-day comment period, which will begin following publication in the Federal Register, for the three new sets of proposed rules and the previously proposed rule for RIAs and funds. The SEC poses numerous questions in each of the proposals for public review andf comment.

We summarize below key requirements in each of the three sets of proposed rules.

Proposed Amendments to Regulation S-P

The Commissioners voted 5-0 to propose amendments to Regulation S-P ("Reg S-P")—the only proposal at the March 15 public hearing to receive a unanimous vote. The proposed amendments to Reg S-P, which implement provisions of the Gramm-Leach-Bliley Act (GLBA) and Fair and Accurate Credit Transactions Act (FACT Act), would require asset managers, broker-dealers, mutual funds, and transfer agents to notify affected individuals whose "sensitive customer information" "was, or was reasonably likely to have been, accessed or used without authorization." Sensitive customer information would be defined as "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."[1] Based on this broad definition, entities covered by Reg S-P would have to notify affected individuals of breaches affecting a much wider range of personal information than is required under state data breach laws.[2] Currently, Reg S-P does not require covered firms to notify customers about data breaches.

Notification to affected individuals would be required under the Reg S-P amendments "as soon as practicable, but not later than 30 days" after a covered institution determines that the breach occurred or is reasonably likely to have occurred. Notification would not be required if "after a reasonable investigation of the incident, [a covered institution determines] that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience."[3]

Financial institutions covered by Reg S-P also would be required to develop "an incident response program to address unauthorized access to or use of customer information." The required incident response program would need to include policies and procedures to assess the nature and scope of incidents involving unauthorized access to or use of customer information, take "appropriate steps" to contain and mitigate the incident, and notify each individual "whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization."[4] A covered financial institution's incident response program would need to address handling of incidents at their service providers—not just at the covered entities themselves. Among other things, covered financial institutions would have to require their service providers to notify them of a data breach within 48 hours. Other proposed amendments to Reg S-P include:

• Harmonizing the scope of personal information covered by Reg S-P's "safeguards rule" and "disposal rule." Currently, the two rules apply to different sets of information. Under the proposed amendments, both rules would apply to "customer information," which would be defined as "any record containing nonpublic personal information [as currently defined in Reg S-P][5] about a customer of a financial institution whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf." Currently, different parts of Reg S-P apply to different and narrower sets of personal information.
• Extending the safeguards rule and disposal rule to apply to registered transfer agents—entities that work for securities issuers to track ownership records, cancel old certificates, and provide other services. Currently, transfer agents are not covered by the safeguards rule, and the disposal rule only applies to transfer agents registered with the SEC. Under the proposed amendments, both rules would apply to transfer agents registered with the SEC or any "appropriate regulatory agency" as defined in 15 U.S.C. 78c(34)(B).
• Implementing a statutory exception to GLBA's annual privacy notice requirement. In 2015, Congress enacted the Fixing America's Surface Transportation Act ("FAST Act"), which exempted entities that only share nonpublic personal information in limited circumstances, such as to service providers and to detect fraud, from providing annual privacy notices to their customers under GLBA.

Proposed Cybersecurity Risk Management Rule

By a 3-2 vote along party lines, the SEC proposed a new Cybersecurity Risk Management Rule, Proposed Rule 10, that would apply to specified "Market Entities," including: broker-dealers, clearing agencies, major security-based swap participants (MSBSPs), the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories (SBSDRs), security-based swap dealers (SBSDs), and transfer agents.

Market Entities would be required to maintain written policies and procedures reasonably designed to address their cybersecurity risks, assess annually the effectiveness of those policies and procedures and document that assessment, and notify the SEC of any "significant cybersecurity incident" within 48 hours after "having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring." A "significant cybersecurity incident" is a cybersecurity incident that: "(i) [s]ignificantly disrupts or degrades the ability of the market entity to maintain critical operations; or (ii) [l]eads to the unauthorized access or use of the information or information systems of the market entity where the unauthorized access or use of such information or information systems results in or is reasonably likely to result in: (A) [s]ubstantial harm to the market entity; or (B) [s]ubstantial harm to a customer, counterparty, member, registrant, or user of the market entity, or to any other person that interacts with the market entity."[6]

Market Entities meeting the definition of a "Covered Entity" would also be required to include:

• Periodic written cybersecurity risk assessments;
• Controls and measures to "minimize user-related risks," monitor the security of information systems and defend them from unauthorized access and use;
• Service provider oversight provisions;
• Cybersecurity risk and vulnerability management procedures; and
• Cybersecurity incident detection, response and recovery procedures.

Covered Entities also would be required to disclose more details about "significant cybersecurity incidents" and their cybersecurity risks using a new Form SCIR.

In distinguishing Covered Entities from other Market Entities, the SEC focused on several factors, including the likelihood that a cybersecurity incident at an entity would affect the operations of U.S. securities markets and other Market Entities. In this way, Proposed Rule 10 is similar to cyber incident notification requirements under the Cyber Incident Reporting for Critical Infrastructure (CIRCIA) and forthcoming rules from the Cybersecurity and Infrastructure Security Agency (CISA), and incident notification rules issued by the federal prudential banking regulators and the National Credit Union Administration (NCUA), all of which focus in part on cyber incidents likely to have significant and systemic operational risks. Under Proposed Rule 10, six categories of broker-dealers would be Covered Entities subject to the additional requirements listed above:

• Carrying broker-dealers (those that maintain custody of securities and cash for other broker dealers);
• Introducing broker-dealers (those that introduce their customers to carrying broker dealers);
• Those with regulatory capital equal to or greater than $50 million;
• Those with total assets equal to or greater than $1 billion;
• Broker-dealers operating as market makers; and
• Those operating an "alternative trading system" (ATS).

Specific types of other Market Entities would be covered entities as well—for example, the Municipal Securities Rulemaking Board and certain self-regulatory organizations (SROs), such as national securities associations and the Financial Industry Regulatory Authority (FINRA).

Proposed Rule 10, and particularly its additional requirements for covered entities, are similar to cybersecurity risk management requirements for investment advisors and funds proposed by the SEC last year. Those proposed rules also require documented annual assessments of their cybersecurity policies and procedures, periodic risk assessments, user security and access controls, information system monitoring and protection, and procedures for cybersecurity risk and vulnerability management and incident response. The requirement for reporting "significant cybersecurity incidents" under Proposed Rule 10 is nearly the same as for reporting "significant adviser cybersecurity incidents" and "significant fund cybersecurity incidents" under the investment advisers and funds proposed rule as well. Both proposed rules require that significant cybersecurity incidents be reported to the SEC within 48 hours.

Proposed Amendments to Reg SCI

As with Proposed Rule 10, the SEC proposed amendments to Regulation Systems Compliance and Integrity (Reg SCI) by a 3-2 party line vote.[7] Reg SCI was adopted in 2014 to regulate the core technology infrastructure supporting U.S. securities markets.

Rule 1001 of Reg SCI requires "SCI Entities" to maintain policies and procedures reasonably designed to ensure adequate capacity, integrity, resiliency, availability, and security of covered information systems, and to provide the SEC with various reports on and oversight of the performance of key systems. Generally speaking, SCI Entities are those that the SEC "has determined are market participants that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of certain types of systems problems,"[8] and include SROs, ATS meeting certain volume thresholds, and others. When SCI Entities experience an "SCI Event," which includes systems disruptions, system intrusions, and systems compliance issues, they are required to notify the SEC within 24 hours and take corrective actions to mitigate harm and resolve the incident. SCI Entities also must establish and test business continuity and disaster recovery plans.

The proposed amendments would, among other things:

• Expand the scope of Reg SCI to include registered security-based swap data repositories (SBSDRs), registered broker-dealers exceeding an asset or transaction activity threshold, and additional clearing agencies exempted from registration. The SEC proposed to subject these additional types of entities to all provisions of Regulation SCI "because they play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue."[9]
• Require SCI Entities to address in their already required policies and procedures: systems classification and lifecycle management; third-party service provider management, including cloud service providers and providers of critical SCI systems; access controls; and identification of current SCI industry standards. Among other things, SCI Entities would be required to undertake risk assessments of their third-party providers, consider whether their operations may be overly dependent on a particular provider, and consider "exit strategies" if they choose to disengage a provider. SEC Entities also would have to review their contracts with third-party providers to ensure that those contracts were consistent with the SCI Entity's obligations under Reg SCI. SCI Entities that aligned their policies and procedures to widely accepted cybersecurity or IT frameworks, such as the NIST Cybersecurity Framework, ISO standards, or COBIT could avail themselves of a safe harbor for their Rule 1001 obligations.
• Expand the definition of a "systems intrusion" to include two types of cybersecurity events: those that disrupt or significantly degrade the normal operations of an SCI system, and significant attempted unauthorized entry into SCI systems. The Proposed Rule states that each SCI Entity would be responsible for establishing its own reasonable criteria to determine a "significant attempted unauthorized entry," but that events like targeted campaigns, attempted attacks from known sophisticated threat actors, and events that may have caused significant harm had they been successful should be included.
• Require SCI Entities to undergo annual penetration testing.
• Impose additional requirements for required reviews of SCI systems. For example, SCI Entities would be required to perform three types of assessments of their SCI systems: risk assessments related to capacity, integrity, resiliency, availability, and security; assessment of internal control and operating effectiveness of logical and physical security controls, development processes, IT service continuity, and other elements; and assessments of third-party provider management risks and controls.

Next Steps

With a majority of the Commissioners voting in favor of the rule proposals, each will move forward to publication in the Federal Register. Thereafter, the public will be afforded the opportunity to provide feedback during a 60-day comment period.

DWT's Privacy and Security and Financial Services practice groups will continue to monitor the development of these proposals and the SEC's other activities related to data security, cybersecurity and IT operational resilience.

* Michael Buckalew is a regulatory analyst with Davis Wright Tremaine LLP.

[1] Proposed Amendments to Reg S-P, at 186.

[2] Commenters at the March 15 open meeting expressed concerns that the proposed breach notification requirements for Reg S-P would overlap and conflict with state data breach laws. The Commission generally appeared undeterred, noting among other things that any questions about preemption of state law could be resolved by courts.

[3] Proposed Amendments to Reg S-P, at 15. Commenters at the March 15 hearing also noted concerns with the unusually narrow law enforcement exception in the proposed breach notification requirements. State breach notification laws generally allow entities to delay notifications if a law enforcement agency—including federal, state or local agencies—advises that notification would impede a law enforcement investigation. The proposed notification requirements for Reg S-P would allow delay only “after receiving a written request from the Attorney General of the United States that the notice required under this rule poses a substantial risk to national security.” Id. at 61.

[4] Id. at 40.

[5] Reg S-P defines “nonpublic personal information” as: “(i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information.” “Personally identifiable financial information” is defined as “any information: (i) A consumer provides to [a financial institution] to obtain a financial product or service from [the financial institution]; (ii) About a consumer resulting from any transaction involving a financial product or service between [a financial institution] and a consumer; or (iii) [A financial institution] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer.” 17 C.F.R. § 248.3 (t)-(u).

[6] Proposed Rule 10, at 512.

[7] Commissioners Peirce and Uyeda both dissented from the votes to publish Proposed Rule 10 and the Reg SCI amendment for comment.

[8] Proposed Amendments to Rule SCI, at 13-14.

[9] Id. at 28.