Alert
October 18, 2023

A Closer Look at the SEC’s Cybersecurity Rules for Covered Entities and Market Entities

The SEC is continuing its campaign to overhaul cybersecurity, cyber incident reporting, and privacy controls and requirements for financial services industry registrants, their service providers, and corporate America generally. We’ve already analyzed the proposed changes to Regulation S-P that, among other things, seek to implement a notification requirement to individuals affected by data breaches. This alert will focus on the two additional March 2023 cyber proposals:

  1. Proposed new Rule 10, new Form SCIR, and related cybersecurity requirements for “Market Entities” that perform critical services to support the fair, orderly, and efficient operations of the US securities markets, including broker-dealers, FINRA, the MSRB, exchanges, TAs, and clearing agencies.
  2. Proposed expansion of Regulation SCI, including new requirements for and expanding the scope of covered “SCI Entities” to include all clearing agencies exempted from registration, and registered broker-dealers and security-based swap data repositories that exceed certain asset and transaction thresholds.

Quick Takes

  • Firms should be mindful of how the proposed new requirements might intersect with reporting requirements under FINRA Rule 4530 and FINRA’s prior guidance on when and how firms should discuss cyber incidents with their FINRA risk monitoring analysts.
  • If adopted, firms will need to establish controls and processes for compliance with these requirements, including potential updates to their business continuity plans and written supervisory procedures, well in advance of experiencing a cybersecurity incident or “significant cybersecurity incident” as defined in proposed Rule 10. When doing so, firms should prepare for the possibility that any such incident could result in a loss of access to email and firm systems.

Proposed New Rule 10, New Form SCIR, and Related Cybersecurity Requirements for Covered Entities and Market Entities

Proposed Rule 10 applies to all “Market Entities” and “Covered Entities.” The proposed rule defines market entities as all broker-dealers, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, transfer agents, and the Municipal Securities Rulemaking Board.

A covered entity is any broker-dealer that maintains custody of funds and securities, introduces customer accounts on a fully disclosed basis to another broker-dealer, has regulatory capital exceeding $50 million or total assets exceeding $1 billion, is a market maker, or is an alternative trading system. The distinction between a market entity and a covered entity is that some small broker-dealers are not included in the definition of covered entity. Covered entities would be required to comply with heightened requirements.

Written Policies and Procedures for Covered Entities

Under proposed Rule 10, covered entities would need to adopt written policies and procedures to address cybersecurity risks, specifically including the following:

  • Procedures for periodic assessments of cybersecurity risks associated with the covered entity’s information systems and written documentation of the risk assessments. 
    • The term “periodic” is undefined, but the proposal seems to indicate that the assessments must be conducted multiple times per year. Covered entities would need to categorize, prioritize, and document cybersecurity risks and identify service providers that receive, maintain, or process information residing on the covered entity’s systems or otherwise have access to that information. 
  • Controls designed to minimize user-related risks and prevent unauthorized access to the covered entity’s information systems. 
    • These controls would need to (i) establish standards of behavior for individuals with access to the covered entity’s information systems, such as an acceptable use policy; (ii) identify and authenticate users, including requiring multicredential authentication; (iii) establish procedures for the timely distribution, replacement, and revocation of passwords or authentication methods; and (iv) restrict access to systems and information solely as necessary for individuals to perform their job functions.
  • Measures designed to monitor the covered entity’s information systems, protect the covered entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the covered entity’s information systems.
    • These measures would need to be based on a periodic risk assessment and account for (i) the sensitivity level and importance of the information to the covered entity’s business operations; (ii) whether any information contains personal information (defined as any information that can be used, alone or in conjunction with any other information, to identify a person); (iii) where and how the information is accessed, stored, and transmitted as well as how transmitted information is monitored; (iv) the access controls and malware protection of the covered entity’s information systems; and (v) the effect a cybersecurity incident involving the information could have on the covered entity and its customers, counterparties, members, and users.
    • Covered entities’ oversight of service providers would need to ensure that through a written contract between the covered entity and the service provider, the service providers implement and maintain appropriate measures designed to comply with various provisions of proposed Rule 10. 
  • Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the covered entity’s information systems.
    • The SEC emphasizes employing mitigation measures quickly and considering steps such as “implementing a patch management program” and “maintaining a process to track and address reports of vulnerabilities.” 
  • Measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.
    • These measures would need to include (i) plans for continued operations; (ii) the protection of the covered entity’s systems and the information residing on those systems; (iii) policies to account for the sharing of cybersecurity incident information internally and externally; and (iv) the reporting of significant cybersecurity incidents consistent with paragraph I of Rule 10.

At least annually, a covered entity would need to review and assess the design and effectiveness of its cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. Covered entities would also need to prepare a written report that describes the review, the assessment, and any control tests performed; explains their results; documents any cybersecurity incidents that have occurred since the date of the last report; and discusses any material changes to the policies and procedures since the date of the last report. The written report would not need to be filed with the SEC, but presumably would be requested as part of an examination or investigation.

Immediate Written Notice, Report, and Form SCIR

Proposed Rule 10 would require that covered entities provide immediate written notice to the SEC of any significant cybersecurity incident. The notice would need to identify the covered entity, state that the notice is being given to alert the SEC of a significant cybersecurity incident impacting the covered entity, and provide the name and contact information of an employee of the covered entity who can provide further details about the nature and scope of the significant cybersecurity incident. The SEC would keep the immediate notices non-public to the extent permitted by law, and contemplates establishing a dedicated email address to receive such notices. The proposed rule distinguishes between mere “cybersecurity incidents” and “significant cybersecurity incidents.” A cybersecurity incident is “an unauthorized occurrence on or conducted through a market entity’s information systems that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems.”

In contrast, a significant cybersecurity incident is defined as a cybersecurity incident (or a group of related cybersecurity incidents) that (i) significantly disrupts or degrades the ability of a market entity to maintain critical operations or (ii) leads to the unauthorized access or use of the information or information systems of a market entity, in which the unauthorized access or use of such information or information systems results in (or is reasonably likely to result in) substantial harm to the market entity or to a customer, counterparty, member, registrant, user of the market entity, or to any other person who interacts with the market entity.

As proposed, a covered entity would need to give the SEC immediate written electronic notice of a significant cybersecurity incident immediately upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring. The release notes that “[i]f proposed Rule 10 is adopted, it is anticipated that a dedicated email address would be set up to receive the notices from …” affected entities. The covered entity would also need to provide immediate notice to the covered entity’s designated examining authority, which is FINRA in most cases.

Subsequent to the immediate notice but within 48 hours of the significant cybersecurity incident, the covered entity would need to file Part I of new proposed Form SCIR with the SEC through the EDGAR system. The SEC will keep Part I of Form SCIR confidential to the extent permitted by law. The covered entity would also need to update and keep current its Form SCIR when any previously reported information becomes materially inaccurate, any new material information is discovered, the incident is resolved, and the internal investigation pertaining to the significant cybersecurity incident is closed. The covered entity would also need to transmit copies of Form SCIR and all updates to its designated examining authority.

Disclosure of Cybersecurity Risks and Incidents

Covered entities would need to disclose, via Part II of Form SCIR, a summary description of the cybersecurity risks that could materially affect their business and describe how the covered entity assesses, prioritizes, and addresses those cybersecurity risks. Covered entities would also need to disclose on Part II of Form SCIR each significant cybersecurity incident that occurred during the previous year, including information about the persons affected; the date the incident was discovered; whether any data was stolen, altered, accessed or used; the effect of the incident on the covered entity’s operations; and whether the covered entity or service provider has remediated or is remediating the incident. Covered entities would be required to file Part II of Form SCIR through EDGAR and post a copy on their website. In addition, covered entities carrying or introducing broker-dealers would need to provide Part II of their most recently filed Form SCIR to customers as part of the account opening process and annually thereafter.

Covered entities would also need to update their Form SCIR Part II disclosures if the information that is required to be disclosed materially changes, including after the occurrence of a significant cybersecurity incident and when information about a previously disclosed significant cybersecurity incident changes. Rule 10 records would need to be maintained for a period of three years.

Market Entities

Smaller broker-dealers (other than introducing firms) that limit their business to functions such as facilitating private placements or subscription-way mutual fund transactions and M&A brokers would not be covered entities and would have fewer obligations compared to covered entities, including:

  • Establishing, maintaining, and enforcing written policies and procedures that are reasonably designed to address their cybersecurity risks;
  • Annually assessing and certifying the design and effectiveness of their cybersecurity policies and procedures, including a review of any changes to the cybersecurity risk profile of the market entity during the year; and
  • Providing an immediate written electronic notice to the SEC and the firm’s designated examining authority of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident had occurred or is occurring.

Proposed Expansion of and Updates to Regulation SCI

The proposed amendments to Regulation SCI, initially adopted in 2014, would expand the definition of SCI entities to include registered security-based swap data repositories, certain broker-dealers registered with the SEC that exceed a new “total assets” threshold or a “transaction activity” threshold, and all clearing agencies exempted from registration as a clearing agency. In general, Regulation SCI requires SCI entities to (i) establish written policies and procedures reasonably designed to ensure that their SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets; (ii) take corrective action when SCI systems are not functioning correctly; (iii) provide certain notification to the SEC regarding SCI events; (iv) conduct periodic testing of systems including for disaster recovery; and (v) review SCI compliance annually.

A broker-dealer would be an SCI entity if:

  • In at least two of the four preceding calendar quarters, the broker-dealer reported on its FOCUS Report total assets in an amount that equals 5% or more of the total assets of all security brokers and dealers,[1] or
  • During four of the preceding six calendar months, the broker-dealer transacted average daily volume in an amount that equals 10% or more of the average daily volume in any category of NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency Securities as reported pursuant to the respective transaction reporting plan for each asset class. Broker-dealers who report both tape and non-tape transactions will want to pay close attention to these metrics to ensure their tape-reported transactions remain under applicable limits.

A broker-dealer would be required to comply with the requirements of Regulation SCI six months after satisfying either threshold for the first time.

The proposed amendments would also mandate certain changes to SCI entity policies and procedures; amend the definition of “systems intrusion” to include any cybersecurity attack that disrupts, or significantly degrades, the normal operation of an SCI system; require that objective personnel (i.e., “persons who were not involved in the process for development, testing, and implementation of the systems being reviewed” and do not otherwise have conflicts of interest, unless such conflicts have been adequately mitigated) assess risks and overall SCI compliance at least annually; specify that SCI entities include key third-party providers in any business continuity and disaster recovery testing; and make conforming updates to SCI recordkeeping provisions and Form SCI.

What’s Next

The public comment period closed on June 5, 2023. In conjunction with the proposal, the SEC also reopened the comment period for cybersecurity risk management rules and requirements that the commission previously proposed for registered investment advisers and funds, emphasizing the SEC’s focus in this area. Our prior client alert provides an overview of the proposed requirements. It is likely that these proposed rules are heading for final adoption this fall.

 


[1] To assess whether it exceeds the threshold for a relevant calendar quarter, a broker-dealer would divide its total assets reported on Form X-17A-5, FOCUS Report Part II, Item 940 for that quarter by the total assets of all security brokers and dealers for the preceding quarter, as made available by the Federal Reserve.