Statement

Statement on Enhanced Cybersecurity for Market Entities

Washington D.C.

Today, the Commission is considering a proposal on cybersecurity practices for broker-dealers, clearinghouses, and other market entities. I am pleased to support this proposal because, if adopted, it would set standards for these market entities’ cybersecurity practices.

The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Market entities across our capital markets increasingly rely on complex and ever-evolving information systems. Those who seek to harm these systems have become more sophisticated as well in their tactics, techniques, and procedures.

Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal, if adopted, would help promote every part of our mission, particularly regarding investor protection and orderly markets.

While building on various requirements relating to books and records, today’s proposal is the first explicitly to address cybersecurity practices for the majority of these market entities. This proposal would address financial sector market entities’ cybersecurity in three key ways.

First, this proposal would require market entities to adopt written policies and procedures that are reasonably designed to address the market entity’s cybersecurity risks. Further, market entities other than smaller broker-dealers would be required to include in these policies and procedures elements that relate to (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents.

Second, the proposal would require that market entities notify the Commission of significant cyber incidents. In addition, market entities, other than small broker-dealers, would be required to file subsequent reports with the Commission providing more information about the significant cybersecurity incident. This would increase the Commission’s insight into risks affecting these market entities. It also would provide insight into risks that might cut across multiple entities or the financial sector.

Third, the proposal would require market entities, other than smaller broker-dealers, to disclose to the public a summary description of cybersecurity risks that could materially affect the entity, as well as significant cybersecurity incidents in the current or previous calendar year. I believe such disclosure would help investors make informed decisions when deciding to which firms they might entrust their finances, data, and personal information.

Critically, the proposal concerns a broad array of a firm’s information systems, which are any of the systems owned or used by the entity. As described in the release, these systems relate to the information resources owned or used by the covered entity.

The Commission also separately voted to reopen for public comment proposed amendments regarding similar cybersecurity enhancements for investment companies and investment managers.[1]

Taken together, these amendments, if adopted, would benefit investors, issuers, and markets in the face of growing cybersecurity risks.

I’d like to thank the members of the SEC staff who worked on this proposal, including:

  • Randall Roy, Nina Kostyukovsky, Haoxiang Zhu, David Saltiel, Andrea Orr, Michael Macchiaroli, Thomas McGowan, Ray Lombardo, Matthew Lee, Stephanie Park, Kevin Schopp, Moshe Rothman, Carol McGee, John Guidroz, Russell Mancuso, Michael E. Coe, Leah Mesfin, Tyler Raimo, Cate Whiting, Elizabeth De boyrie, Heidi Pilpel, David Liu, Erika Berg, Katriana Roh, David Hsu, Rob Hegarty, Roman Ivanchenko, Joshua Nimmo, Devin Ryan, James Wintering, Susan Pokembla, Ed Schellhorn, Roni Bergoffen, Laura Compton, Jennifer Colihan, and William Miller in the Division of Trading and Markets;
  • Greg Price, Jessica Wachter, Oliver Richard, Juan Echeverri, Wei Liu, Daniel Bresler, Michael Willis, Julie Marlowe, Greg Scopino, Parhaum Hamidi, Lauren Moore, Robert Girouard, Carolina Schulte, Michael Davis, and Jill Henderson in the Division of Economic and Risk Analysis;
  • Ronesha Butler, Maureen Johansen, David Mendel, Megan Barbero, Meridith Mitchell, Malou Huth, and Robert Teply in the Office of the General Counsel;
  • David Hirsch and Diana Tani in the Division of Enforcement;
  • Keith Cassidy, Dan Dewaal, Alexis Hall, Joseph Murphy, and Carrie O’Brien in the Division of Examinations;
  • Sarah ten Siethoff, Melissa Roverts Harke, David Joire, Chris Staley, and Rachel Kuo in the Division of Investment Management;
  • Jane Patterson and Todd Canali in the EDGAR Business Office;
  • Jon Balcom, Steve Benham, and Kevin Baumann in the Office of International Affairs;
  • James Scobey in the Office of Information Technology;
  • Dave Sanchez, Adam Wendell, and Adam Allogramento in the Office of Municipal Securities; and
  • Valerie Szczepanik in the Office of the Strategic Hub for Innovation and Financial Technology.

[1] See Gary Gensler, “Statement on Cybersecurity Reforms in the Investment Management Industry” (Feb. 9, 2022), available at https://www.sec.gov/news/statement/gensler-statement-cybersecurity-reforms-020922.

Last Reviewed or Updated: March 15, 2023