In 2023, the U.S. Securities and Exchange Commission (SEC) made it clear that data security, cybersecurity and IT operational resilience remain top of mind for the Commission. In an effort to tackle issues around transparency, recordkeeping and breach reporting requirements, among other areas of focus, the SEC proposed the following three new sets of rules:

  1. Impose cybersecurity risk management and incident notification rules for broker-dealers and other SEC-registered entities. This proposal for registered investment advisers and registered investment companies relating to cyber risk management was set forth back in February 2022. The comment period was supposed to end in March 2023, but the SEC reopened it and accepted additional comments through May 2023.
  2. Amend Regulation S-P (commonly known as a firm’s “privacy policy”) to require broker-dealers, registered investment advisers (RIAs) and registered investment companies to report breaches of “sensitive” nonpublic personal information to affected individuals.
  3. Establish a new cybersecurity risk management rule (referred to as Proposed Rule 10) for broker-dealers, clearing agencies and other SEC-regulated entities that would require these entities to maintain written policies and procedures reasonably designed to address their cybersecurity risks; assess annually the effectiveness of those policies and procedures and document that assessment; and notify the SEC of any “significant cybersecurity incident” within 48 hours after “having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.”

Ultimately, all three proposed new SEC regulations would, among other things, require regulated entities to formally adopt policies and procedures for responding to cyber incidents; expand the scope of information subject to the rules to include information received from third-party financial institutions; and implement new requirements for reporting cyber incidents to both customers and regulators.