In March 2023, the U.S. Securities and Exchange Commission (SEC) voted to propose several measures to protect customer information and hold covered institutions accountable for cyberattacks.

If adopted, the proposed rules would represent a significant step forward in the SEC’s efforts to improve cybersecurity in the securities industry. Although there is some debate over the proposed rules, the SEC’s goal is to promote greater accountability and transparency among regulated entities.

What are the proposed rules?

The first proposed rule would require regulated entities to implement certain baseline cybersecurity controls and report cybersecurity incidents to the SEC. The rule would also require regulated entities to conduct periodic risk assessments and maintain records of cybersecurity events.

The second proposed rule would establish a framework for incident response and require regulated entities to notify the SEC within 24 hours of experiencing a cybersecurity incident that could have a material impact on their business.

The third proposed rule would require regulated entities to disclose certain cybersecurity risks and incidents to investors and the public in a timely and transparent manner.

Who do they apply to?

The new requirements would apply to broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).

What’s next?

The SEC has reopened the comment period for the first proposed rule to allow industry stakeholders to provide additional feedback on the rule’s scope and implementation. The SEC is seeking input on various aspects of the proposed rules, including the costs and benefits of implementation, the appropriate scope of the rules, and the potential impact on smaller and mid-sized entities.