Statement on the Proposed Cybersecurity Risk Management Rule for Market Entities
Thank you, Chair Gensler, and thank you to the staff for their presentations. The Commission is considering whether to propose specific requirements for broker-dealers, clearing agencies, national securities exchanges, transfer agents, self-regulatory organizations, and swap dealers and repositories, among others (“covered entities”) regarding cybersecurity. The proposal includes a new Rule 10 and Form SCIR. Under proposed Rule 10, covered entities would be required to establish, maintain, and enforce written policies and procedures reasonably designed to address their cybersecurity risks and periodically review their effectiveness.
The proposal would further require covered entities to comply with new reporting requirements. Covered entities would need to provide immediate written notice to the Commission of a significant cybersecurity incident if they have a reasonable basis to conclude that an incident has occurred or is occurring. Covered entities would also file Part I of new Form SCIR confidentially on EDGAR within 48 hours, which would contain detailed information about the incident and would need to be continually updated if material developments occur. These prescriptive deadlines can potentially do more harm than good as these Commission regulatory filings would demand immediate attention from management all in the midst of responding to a breach and alerting other authorities, including law enforcement. And for what purpose? The SEC does not have a cyber response team that could immediately respond to seal the breach and provide technical assistance.
Covered entities would also have to file Part II of new Form SCIR on EDGAR and to post it on a publicly available website. Part II would require covered entities to provide a summary description of cybersecurity risks, how the covered entity assesses, prioritizes, and addresses those risks, and a summary of significant cybersecurity incidents. Part II would be sent to customers by certain broker-dealers at account opening and would need to be updated for material changes to the Form’s information. As brokerage customers already receive a voluminous set of disclosures at account opening, this raises the question as to what will be the effect of such additional disclosures. One possible outcome is that customers will ignore it as yet another piece of legalese in a stack of dense legal disclosures. The Commission could have used its express authority given under the Dodd-Frank Act[1] to conduct investor testing on the effectiveness of this disclosure prior to making this proposal, but it chose to not do so.
If today’s proposal provides a sense of déjà vu, perhaps it is because many of the requirements are substantially similar to the February 2022 proposal from the Division of Investment Management.[2] I am perplexed as to why this proposal does not appear to react to the public comments received on the 2022 proposal. While the proposal being considered today concerns different entities – though some broker-dealers may be dually-registered as investment advisers – these proposals are substantially similar with respect to the reporting requirements and customer disclosures. Today’s proposal should have taken the prior comments into account and I’m glad the staff did. However, the Commission should have considered re-proposing the Investment Management rule in response to those comments.
In addition, today we are considering two other proposals that overlap with this proposal: amendments to Regulation SCI and Regulation S-P.[3] As amended, Regulation SCI and Regulation S-P would require policies and procedures to address certain types of cybersecurity risks. For example, Regulation SCI would require immediate written or telephonic notice and subsequent reporting to the Commission on Form SCI for “significant cybersecurity incidents” as would proposed Rule 10. Regulation SCI and Regulation S-P would similarly require notifications sent to customers and others about cybersecurity incidents.
Make no mistake about it: cybersecurity is an incredibly important topic, and the potential for harm to market participants and investors, and to the markets and the economy as a whole, is significant. It is crucial that there is a clear regulatory framework to address cybersecurity. The Commission’s “spaghetti on the wall” approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections. While the proposals acknowledge the possibility of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs. A preferable approach would have been to propose a set of coordinated rules and to consider those costs and benefits both individually and as a package.
For the foregoing reasons, I cannot support today’s proposal. I thank the Divisions of Trading and Markets and Economic and Risk Analysis, as well as the Office of the General Counsel, for their efforts.
[1] 15 U.S.C. 77s(e).
[2] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Release No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 2022)], available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf. The proposal would require investment advisers, registered investment advisers, and business development companies to implement a cybersecurity risk program. In connection with today’s proposals, the Commission is re-opening the comment period for that proposal.
[3] Regulation Systems Compliance and Integrity, Exchange Act Release No. 97143 (Mar. 15, 2023); Regulation S‑P: Privacy of Consumer Financial Information and Safeguarding Customer, Exchange Act Release No. 97141 (Mar. 15, 2023).
Last Reviewed or Updated: March 16, 2023