On March 15, 2023, the United States Securities and Exchange Commission (SEC) took a major step towards strengthening cybersecurity in the financial sector by proposing three new rules. These rules aim to improve privacy, data security, and compliance measures while addressing the growing need for transparency in the constantly evolving digital landscape.

The first proposed rule involves amendments to Regulation S-P. Regulation S-P enforces privacy, data security, and data disposal rules on broker-dealers, investment advisers, and investment companies under the SEC’s authority pursuant to the Gramm-Leach-Bliley Act. The amendments would require covered institutions to implement a written incident response program, notify affected individuals of data breaches, and maintain written records to document compliance with Regulation S-P rules.

The second proposed rule introduces Rule 10, which would require specific entities performing critical services in support of the U.S. securities market, collectively referred to as “market entities,” to maintain and regularly update written policies and procedures addressing cybersecurity risks. It would also require market entities to provide immediate written notice to the SEC of significant cybersecurity incidents, and publicly disclose summary descriptions of cybersecurity risks and incidents.

The third proposed rule pertains to amendments to Regulation Systems Compliance and Integrity (SCI), which was adopted in 2014 and applies to specific entities and their automated systems supporting key security market functions. The proposed amendments aim to expand the scope of entities covered by Regulation SCI, enhance the regulation’s requirements, and necessitate the inclusion of key third-party providers in required Business Continuity/Disaster Recovery (BC/DR) testing.

These new cybersecurity rule proposals demonstrate the SEC’s commitment to safeguarding consumer information and fortifying cybersecurity measures within the financial sector. By amending Regulation S-P, introducing Rule 10, and revising Regulation SCI, the SEC aims to create a more secure and transparent environment for both market participants and consumers.

The public comment periods for these proposals will remain open for 60 days after publication in the Federal Register. Moreover, the SEC has re-opened the comment period for a 2022 proposal that would require investment advisers and funds to adopt written cybersecurity policies, report significant cybersecurity incidents to the SEC, and publicly disclose cybersecurity risks and significant incidents from the last two fiscal years in their brochures and registration statements.

As the regulatory landscape continues to evolve, it is essential for financial institutions and market entities to remain informed and prepared to comply with these proposed rules once enacted. With the public comment periods for these proposals currently open, financial institutions and market entities are encouraged to submit their feedback to the SEC.