New requirements to address cybersecurity risks have been proposed for financial firms.
SEC cybersecurity rules: the sequel
In March 2023, the Securities and Exchange Commission issued three proposed rules covering cybersecurity. Cybersecurity initiatives have been in the works since February 2022, and proposed rules are beginning to be finalized, including Final Rule 33-11216, which requires disclosure of material cybersecurity incidents within four business days.
The March 2023 proposals substantially expand on the original ideas, both in breadth and in the entities in scope.
This proposal amends the existing Regulation S-P to require broker-dealers, investment companies, registered investment advisers, and transfer agents to have a well-defined incident response program in place, including a 30-day notification requirement for individuals whose sensitive information was likely leaked.
In an attempt to keep up with the new cybersecurity risks associated with the growing use of cloud service providers, this proposal expands the scope of entities subject to the SEC’s systems resiliency rule to include registered security-based swap data repositories, certain broker-dealers, and all clearing agencies exempted from registration.
The proposal also requires new policies and procedures around third-party oversight (including cloud service providers), Business Continuity and Disaster Recovery (BC/DR) plans, cyber events, and objective assessment of cybersecurity risk, as well as notification of systems intrusions to the Commission without delay and annual penetration testing.
In addition to broker-dealers and clearing agencies, this proposal adds Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents to its broad list of Market Entities. The proposal recommends enforcing policies and procedures aimed at addressing cyber risk, including:
As a regulated financial institution ourselves, SEI also adheres to the SEC guidelines and can handle these requirements better than most. SEI Sphere’s comprehensive cybersecurity program manages, detects, and remediates the ever-evolving cyber threats facing the financial services industry. We are more than just a provider—we are your partner.
Source: SEC Gov Rules Proposed