A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

20 March 2023
Key takeaways:

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed cybersecurity rules for SEC registrants that include: proposed new cybersecurity obligations for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers, and securities SROs (“Market Entities”); amendments to Regulation S-P; and amendments to Regulation SCI. In this post, we outline the key requirements of the Proposed Rules and offer takeaways to help firms navigate and prepare for compliance with these complex proposed regulations. We will also be discussing these issues during our live webcast on March 21, 2023.

The proposed cybersecurity rules would impose significant new regulatory burdens, including:

  • For Market Entities, new cybersecurity obligations regarding immediate incident notification, public disclosure of risks and incidents, and written policies and procedures.
  • For Reg S-P Covered Institutions (registered investment advisers, registered funds, broker-dealers, and transfer agents), requirements for incident response programs, customer notification of incidents involving unauthorized access to or use of “sensitive customer information,” recordkeeping, expanded Safeguards and Disposal Rules, and an updated annual privacy notice requirement.
  • For Reg SCI entities, an expanded definition of “SCI Entities,” enhanced policies and procedures requirements, annual penetration testing, and an expanded definition of “Systems Intrusion” to include more cyber events.