Mar 15 [press releases] -- Public comments invited on each, due 60 days after Federal Register notice publication.
1) SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information -- Comments due June 5, 2023
The Securities and Exchange Commission today proposed amendments to Regulation S-P that would enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm. . . .
Regulation S-P currently requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for the protection of customer records and information (“safeguards rule”). Regulation S-P also requires the proper disposal of consumer report information (“disposal rule”). Today’s proposal, if adopted, would update the rule’s requirements to address the expanded use of technology and corresponding risks since the Commission originally adopted Regulation S-P in 2000.
The Commission’s proposal would require broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The proposed amendments would also require, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide this notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
The proposed amendments would also make a number of additional changes to Regulation S-P, including:
Broadening and aligning the scope of the safeguards rule and disposal rule to cover “customer information,” a new defined term. This change would extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;
Extending the safeguards rule, including the proposed enhancements, to transfer agents registered with the Commission or another appropriate regulatory agency, and expanding the existing scope of the disposal rule to include transfer agents registered with another appropriate regulatory agency rather than only those registered with the Commission; and
Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.
Fact sheet: https://www.sec.gov/files/34-97141-fact-sheet.pdf
FRN with proposed rule: https://www.federalregister.gov/d/2023-05774
[70 pages] -- published April 6, 2023
Press release: https://www.sec.gov/news/press-release/2023-51
2) SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets -- comments due June 5, 2023
The Securities and Exchange Commission today proposed requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”) to address their cybersecurity risks. . . .
Market Entities increasingly rely on information systems to perform their functions and provide their services and thus are targets for threat actors who may seek to disrupt their functions or gain access to the data stored on the information systems for financial gain. Cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.
The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. The proposal — through new notification requirements applicable to all Market Entities and additional reporting requirements applicable to Market Entities other than certain types of small broker-dealers (collectively, “Covered Entities”) — would improve the Commission’s ability to obtain information about significant cybersecurity incidents affecting these entities. Further, new public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.
Fact sheet: https://www.sec.gov/files/34-97142-fact-sheet.pdf
FRN with proposed rule: https://www.federalregister.gov/d/2023-05767
[143 pages] -- published April 5, 2023
Press release: https://www.sec.gov/news/press-release/2023-52
3) SEC Proposes to Expand and Update Regulation Systems Compliance and Integrity (SCI) -- comments due by June 13, 2023
The Securities and Exchange Commission today proposed amendments to expand and update Regulation Systems Compliance and Integrity (SCI), the set of rules adopted in 2014 to help address technological vulnerabilities in the U.S. securities markets and improve Commission oversight of the core technology of key U.S. securities markets entities (SCI entities). . . .
Trading and technology have evolved since Regulation SCI’s adoption in 2014. The growth in electronic trading allows ever-increasing volumes of securities transactions in a broader range of asset classes at increasing speed by competing trading platforms, including those offered by broker-dealers that play multiple roles in the markets. New types of registered entities that are highly dependent on interconnected technology have entered the markets. The prevalence of remote workforces and increased outsourcing to third party providers continue to drive the markets’ and market participants’ reliance on new and evolving technology.
To reflect technological developments in the markets, the proposed amendments would expand the scope of SCI entities to include registered security-based swap data repositories; all clearing agencies that are exempt from registration; and certain large broker-dealers, in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, US Treasury securities, or Agency securities.
The proposed amendments would also strengthen the requirements Regulation SCI imposes on SCI entities, including by requiring that an SCI entity’s policies and procedures include the maintenance of a written inventory and classification of all SCI systems and a program for life cycle management; a program to prevent the unauthorized access to such systems and information therein; and a program to manage and oversee certain third-party providers, including cloud service providers, of covered systems.
The proposed amendments would also expand the types of SCI events experienced by an SCI entity that would trigger immediate notification to the Commission, update the rule’s annual SCI review and business continuity and disaster recovery testing requirements, and update certain of the regulation’s recordkeeping provisions.
Fact sheet: https://www.sec.gov/files/34-97143-fact-sheet.pdf
FRN with proposed rule: https://www.federalregister.gov/d/2023-05775
published April 14, 2023
Press release: https://www.sec.gov/news/press-release/2023-53
4) SEC Reopens Comment Period for Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds -- comments due by May 22, 2023
The Securities and Exchange Commission today reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies, and business development companies that were proposed by the Commission on February 9, 2022. The initial comment period ended on April 11, 2022.
The reopened comment period will allow interested persons additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission should consider. [Comments are due by May 22, 2023.]
Fact sheet: https://www.sec.gov/files/33-11028-fact-sheet.pdf
Proposed rule: https://www.sec.gov/rules/proposed/2023/33-11167.pdf
Press release: https://www.sec.gov/news/press-release/2023-54
FRN: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period (3.21.23)
The Securities and Exchange Commission (“Commission”) is reopening the comment period for a release (“Investment Management Cybersecurity Release”) proposing new rules under the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”) that would require registered investment advisers (“advisers”) and investment companies (“funds”) to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the Commission about certain cybersecurity incidents, and maintain related records. Reopening the comment period for the Investment Management Cybersecurity Release will allow interested persons additional time to analyze the issues and prepare their comments in light of other regulatory developments on cybersecurity. Comments should be received on or before May 22, 2023.
5) WSJ -- SEC Proposes New Cybersecurity Rules for Financial Firms: Commissioners seek to require data-breach customer notifications and strengthen infrastructure