SEC Proposes Multiple New Cybersecurity and Privacy Rules for Securities Market Participants

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed new cybersecurity and privacy rules for broker-dealers, registered investment advisers (registered advisers), investment companies (funds), and other securities market participants. Concurrently, the SEC re-opened the comment period on proposed cybersecurity rules for registered advisers and funds that were initially proposed in February 2022.

The new rule proposals, key elements of which are described below, consist of (1) amendments to Regulation S-P, (2) new cybersecurity rules for broker-dealers and certain other market entities, and (3) amendments to Regulation SCI. The proposed rules underscore the SEC’s concern about the risks posed for market participants by cybersecurity vulnerabilities and the Commission’s determination to address those risks through regulatory discipline, which follows recent enforcement actions, as well as the inclusion of cybersecurity in SEC Division of Examinations risk alerts and annual examination priorities. The SEC is clearly signaling that vigilance in mitigating cybersecurity risks is expected, and regulated entities should ensure that they have defensible policies, procedures, and practices that address these risks.

Regulated entities and other market participants also have the opportunity to shape the final versions of the proposed cybersecurity and privacy rules by filing comments with the SEC. Comments will be due within 60 days of publication of the proposals in the Federal Register.

Proposed Amendments to Regulation S-P

In 2000, Regulation S-P was adopted to regulate the manner in which broker-dealers, registered advisers, and funds treat their customers’ “nonpublic personal information.” Among other things, Regulation S-P requires these “covered institutions” to adopt written policies and procedures for safeguarding customer records and information (the safeguards rule) and to dispose of consumer report information and records properly (the disposal rule).¹

The SEC’s proposed amendments to Regulation S-P would, among other things, require covered institutions to adopt additional policies and procedures, create new customer notification and recordkeeping requirements, and expand the scope of customer information that is protected by the regulation. In particular:

• Under the proposed amendments, a covered institution’s written policies and procedures for safeguarding customer records and information would need to include an incident response program that is “reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.”

• The incident response program would be required to include procedures for notifying customers of data breaches, and the amendments would establish a “Federal minimum standard” for data breach notifications by covered institutions. For example:

  • A covered institution would be required to notify individuals whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization unless the institution determines that the information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.²

  • The notification would be required “as soon as practicable,” but no later than 30 days after the institution becomes aware that unauthorized access to or use of customer information has (or is reasonably likely to have) occurred. The proposed rules would permit the 30-day notification requirement to be extended by up to an additional 30 days, but only if the U.S. Attorney General informs the covered institution that customer notice would pose a substantial risk to national security.

  • Covered institutions also would be required to include in their written contracts with third-party service providers a requirement that the service providers take appropriate measures that are designed to protect against unauthorized access to or use of customer information. According to the proposed rule, one such measure would be to notify the covered institution of a breach “as soon as possible,” but no later than 48 hours after becoming aware of the breach.

• In addition, the amendments would extend protection under the safeguards rule and the disposal rule to all “customer information,” including nonpublic personal information of individuals who are customers of other financial institutions. In other words, a covered institution would be responsible for protecting the nonpublic personal information of customers of any financial institution.

• Finally, the amendments would impose new recordkeeping requirements on covered institutions with respect to compliance with the safeguards rule and the disposal rule.³

Proposed New Cybersecurity Rules

Last year, the SEC proposed cybersecurity rules that would apply to registered advisers and funds, as well as another set of cybersecurity rules that would apply to public companies.⁴ The SEC is now proposing new cybersecurity requirements for broker-dealers and various other market participants (referred to collectively as Market Entities).⁵

In particular, new proposed Rule 10 would require Market Entities to: (1) establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks, (2) annually review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk, (3) prepare a report or record with respect to the annual review, and (4) give the SEC immediate notice of any significant cybersecurity incident once there is a reasonable basis to conclude that one has occurred or is occurring.

Proposed Rule 10 also includes additional requirements for “Covered Entities,” which are defined as Market Entities other than certain smaller broker-dealers:⁶

• A Covered Entity’s cybersecurity policies and procedures would be required to include (1) periodic risk assessments, (2) controls designed to minimize user-related risks and prevent unauthorized access to information systems, (3) measures designed to monitor information systems, protect information from unauthorized access or use, and oversee service providers that access information or information systems, (4) measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities, and (5) measures to detect, respond to, and recover from cybersecurity incidents.
• For every significant cybersecurity incident, a Covered Entity would be required to file (confidentially) with the SEC Part I of new Form SCIR. The filing, which would need to be made “promptly, but no later than 48 hours” after discovering an incident, would have to describe the incident and how the Covered Entity responded to it and mitigated its adverse effects. In certain circumstances, such as upon the discovery of new material information pertaining to an incident, the Covered Entity also would have to make one or more amended filings.
• Covered Entities also would be required to file Part II of new Form SCIR, which would have to be made available to the public on the reporting Covered Entity’s website.⁷ The Part II form would need to describe significant cybersecurity incidents experienced by the reporting entity during the current or previous calendar year, as well as a summary description of the cybersecurity risks that could materially affect the entity’s business and operations and how the entity assesses, prioritizes, and addresses those risks.
• In addition, Covered Entities would be required to create written documentation of their cybersecurity risk assessments as well as any cybersecurity incidents, and these and other “Rule 10 Records” would be subject to existing record preservation and maintenance rules (such as Rule 17a-4 of the Securities Exchange Act of 1934 for broker-dealers).

Proposed Amendments to Regulation SCI

Regulation SCI is the SEC’s regulatory framework for oversight of the U.S. securities markets’ core technology infrastructure. Regulation SCI applies only to “SCI entities,” which include, for example, national securities exchanges, registered securities associations, and registered clearing agencies. Regulation SCI requires such entities to establish, maintain, and enforce certain policies and procedures, as well as comply with additional requirements. Upon discovering a cybersecurity incident, an SCI entity must notify the SEC, take corrective action, and disseminate certain information about the event to members or participants of the entity.

The SEC’s proposed amendments to Regulation SCI would expand the definition of SCI entities to include broker-dealers that exceed a total assets threshold or a transaction activity threshold (i.e., the largest broker-dealers), as well as security-based swap data repositories and clearing agencies that are exempt from registration. The SEC is not proposing to include registered advisers or funds within the definition of SCI entities.

The proposed amendments also would, among other things, (1) require that SCI entities’ policies and procedures address certain additional items, such as management of third-party service providers, (2) expand the types of cybersecurity events that are covered by the regulation, (3) impose changes to annual reviews that SCI entities must conduct of their compliance with the regulation, as well as to annual business continuity and disaster recovery testing, and (4) revise the regulation’s recordkeeping provisions.

Takeaways, Open Questions, and Next Steps

With respect to the proposed Regulation S-P amendments, SEC Chair Gary Gensler stated that the “basic idea for covered firms is if you’ve got a breach, then you’ve got to notify.” That may be the basic idea, but as demonstrated by the mere length of the proposed rule releases (nearly 1,200 pages), there are numerous areas of complexity. And the hundreds of questions the SEC has posed with the proposed rules indicate that the Commission is far from settled on the appropriate way to handle this complexity. For example:

• It is unclear how regulated entities should be required to handle state law privacy and security requirements while complying with the SEC’s privacy and cybersecurity rules. With respect to customer notification requirements, although some states offer safe harbors in circumstances where entities are subject to federal regulation, the proposed rules do not address whether and to what extent there may be preemption of state law when a safe harbor is not available. The SEC has requested commenters to identify scenarios in which a covered institution would be unable to comply with state law and the proposed amendments to Regulation S-P.
• The SEC has expressly recognized that some state laws require (or permit) entities to delay customer notification for law enforcement investigations, whereas the proposed notification provisions of Regulation S-P can be delayed only for up to 30 days and only if the U.S. Attorney General determines that customer notice would pose a substantial risk to national security. The lack of a law enforcement exception to proposed disclosure requirements was a common complaint of commenters to the SEC’s 2022 cybersecurity rule proposals, and it is likely that this issue will be raised in comments to the proposed Regulation S-P amendments as well.

Comments on the three new rule proposals (and the previously proposed cybersecurity rule for registered advisers and funds) are due by 60 days after their publication in the Federal Register. In the three new proposed rule releases, the SEC has included 370 numbered requests for comment, many of which include multiple questions or subparts. This is an opportunity for registered advisers, funds, broker-dealers, and others to potentially impact the formulation of the SEC’s final rules. Arnold & Porter regularly assists clients in filing comments on proposed federal regulations, and parties interested in assistance with submitting comments to the SEC are encouraged to contact any of this Advisory’s authors or their Arnold & Porter contact(s).

In the meantime, registered advisers (and other market participants, as appropriate) should make sure that they already have in place thoughtful and customized cybersecurity policies and procedures, and they should be prepared to amend them as needed if the applicable laws change.

*           *           *

Arnold & Porter has former SEC senior leaders and subject matter experts who work collaboratively to provide practical cybersecurity solutions for investment advisers, funds, broker-dealers, other investment firms and financial services companies, public companies, and other clients.

Our Securities Enforcement & Litigation practice includes former SEC senior leaders who have experience defending clients in SEC investigations into cybersecurity incidents and related disclosures. Our Privacy, Cybersecurity & Data Strategy practice helps clients create risk-mitigated, global, scalable, and flexible privacy and cyber programs and data strategies for innovative data products, services and uses. Our Investment Management and Financial Services practices provide a full range of legal services to investment advisers, funds, swap dealers, broker-dealers, and other investment firms and financial services companies, including advice on addressing cybersecurity risk and complying with SEC rules.

Please reach out to any author of this Advisory or your regular Arnold & Porter contact for more information.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.