March 22, 2023
Who may be interested: Broker-Dealers, Transfer Agents, Clearing Agencies, Compliance Staff (with respect to new requirements for certain market entities) and Registered Investment Advisers and Investment Companies (with respect to reopening of comment period)
Quick Take: The SEC proposed new requirements for several different market entities designed to mitigate cybersecurity risk, including requirements relating to written policies and procedures and notifications about cybersecurity incidents.
The SEC recently proposed requirements aimed at reducing and addressing cybersecurity risk for market intermediaries, including broker-dealers, clearing agencies, national securities associations and exchanges, transfer agents, and major security-based swap participants, among others (“Market Entities”).
Under the proposal, Market Entities would be required to implement written policies and procedures reasonably designed to address cybersecurity risks and to review such policies and procedures at least annually. The annual review would cover the design and effectiveness of the policies and procedures, including whether such policies reflect changes in cybersecurity risk over the time period included in the review. Market Entities would also be required under the proposal to notify the SEC electronically in the event of a significant cybersecurity incident.
Market Entities other than small broker-dealers (“Covered Entities”) would face additional requirements. Policies and procedures implemented by Covered Entities would need to include:
The proposal would impose new disclosure requirements for Covered Entities on proposed Form SCIR, including confidential disclosure of any significant cybersecurity incident on Part I of the Form and publicly available summary descriptions of cybersecurity risks and prior incidents on Part II of the Form. Covered Entities would be required to post Part II of the Form on their website and, in the case of carrying broker-dealers or introducing broker-dealers, provide Part II to customers when opening accounts.
Comments on the proposal are due 60 days after publication of the proposing release in the Federal Register.
The proposed rule can be found here.
In a corresponding action, the SEC reopened the comment period for proposed cybersecurity rules applicable to registered investment advisers, registered investment companies and business development companies to allow for consideration and comment on the proposal in light of other regulatory developments and SEC proposals. The initial comment period ended on April 11, 2022. The reopened comment period will remain open for 60 days after the publication of the reopening release in the Federal Register.
The proposal can be found here.
For more information, Seward & Kissel’s client alert on the proposal is available here.
February 20, 2024
February 16, 2024
February 15, 2024
February 14, 2024
February 8, 2024
January 25, 2024
January 24, 2024
January 5, 2024
January 3, 2024
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
One Battery Park Plaza
New York, NY 10004
Phone (212) 574-1200
Fax (212) 480-8421
901 K Street, NW
Washington, DC 20001
Phone (202) 737-8833
Fax (212) 480-8421