SEC Proposed Rules on Cybersecurity
Note: This blog was originally published to Finextra on March 28, 2023
On March 15th, 2023, the U.S. Securities and Exchange Commission (SEC) released a new proposal to address cybersecurity risks to the U.S. securities markets.
On the surface, greater regulation of cybersecurity would certainly benefit investors, issuers and market participants alike. Yet the proposal has sparked concerns that it could actually increase costs and even increase cybersecurity risk. As I will elaborate in a moment, some SEC Commissioners have declined to support the new proposal.
What is the SEC’s New Cybersecurity Risk Management Proposal?
The SEC has proposed new rules for broker-dealers, clearing agencies, national securities exchanges, transfer agents, regulatory organizations, swap dealers, and data repositories. The official SEC press release states that:
“The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.”
This proposal stands to make major changes in how market entities deal with cybersecurity, with some of the biggest requirements of the proposal including:
- Rule 10 Change: One of the key rule changes in this proposal is the introduction of Rule 10, which requires all covered entities to “establish, maintain, and enforce written policies and procedures that are reasonably designed to address the Covered Entity’s cybersecurity risks.” Specifically, Rule 10 requires that an entity’s policies and procedures must address cybersecurity risk assessment, user security and accessibility, information protection, threat and vulnerability management, and cybersecurity incident response and recovery.
- New Reporting Requirements: The proposal requires covered entities to annually review and assess policies and procedures surrounding cybersecurity. This review and assessment must be completed in the form of a report, with these new reporting requirements intended to help covered entities better protect themselves and mitigate cybersecurity risks. Additionally, the new reporting requirements also require a report when a cybersecurity incident occurs, as this helps organizations to recover more effectively from the incident.
- Completion of Form SCIR: As part of Rule 10’s new requirements, covered entities would also need to begin completing Parts I and II of the newly proposed Form SCIR, as well as file these parts of the form in a structured data language. Specifically, covered entities are expected to use eXtensible Markup Language (XML) as the structured data language, rather than submitting via an unstructured language such as HTML or ASCII.
The Potential Disadvantages of the SEC’s Proposal
The clear advantage of this proposal is that it draws fresh attention to cybersecurity risk.
Yet the proposal also has key disadvantages that need to be addressed.
On the same day the proposal was released, SEC Commissioner Mark T. Uyeda released a statement explaining why he does not support it. Among the many reasons Commissioner Uyeda lists, one of the most prominent is that the proposal does not take into account the public comments made on a very similar proposal released in 2022, related to cybersecurity risk management for registered investment advisers and funds.
Commissioner Uyeda further states that:
“The Commission’s “spaghetti on the wall” approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections. While the proposals acknowledge the possibility of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs.”
In the statement’s conclusion, the Commissioner states that a better approach to regulating cybersecurity is to propose a set of coordinated rules. These rules should include a cost assessment and provide both individual and package benefits.
Commissioner Uyeda is not the only member of the SEC to express doubts, either. SEC Commissioner Hester M. Peirce also released a statement of non-support, asserting that the current proposal’s rules are “so broad as to be impossible to implement.”
Commissioner Peirce further notes that these new rules will be particularly hard on small entities and could create new barriers to entry for new market players, ultimately acting as a catalyst for increased consolidation. As a whole, Commissioner Peirce expresses concern about overwhelming smaller entities.
This lack of unification between overlapping sets of rules, as well as the lack of acknowledgment of the impact of new rules on smaller businesses, is not a new problem at the SEC.
Consider, for example, the aforementioned February 2022 proposal related to cybersecurity risk management for registered investment advisers, and the SEC’s May 2022 proposal for a new set of rules to enhance and standardize climate-related disclosures for investors. FundGuard commented on these proposals, reaching a conclusion that mirrors Commissioner Uyeda’s in many ways.
In FundGuard’s publicly published comment, we stated that:
“The fact of the matter is that the fundamental and dramatic shifts taking place in the world today, very often driven by digital technology, mean that collectively we need to be creative about tackling disconnects and challenges that exist in the bedrock of the systems we use to do business.”
The reaction and public comments to all these proposals ultimately reveal a universal truth: the industry needs to implement systemic change for such proposals to be truly effective. Additionally, although the SEC proposal states that it does not want to create a one-size-fits-all solution, the proposal in its current state imposes several requirements that do not take into account the unique perspectives or scenarios faced by each type of market entity.
How Can Cybersecurity Rules be Systemically Implemented & Changed?
A key way in which the SEC’s proposal can be improved is by focusing more on the standardization of cybersecurity and creating a better foundation for systemic change. At the heart of this change, the need for technological innovation is evident.
As I stated in a previously published blog:
“Cybercrime and the cybersecurity needed to mitigate the potential crimes are driven by technology advances and digitalization, including the move to the cloud. Due to this shift in how organizations operate, traditional business continuity processes (BCP) and approaches no longer apply.”
Further, from a competitive advantage point of view, being too tentative about your cloud migration can mean the gap between you and your competitors widens to such an extent that you never catch up.
For cybersecurity to be better managed across the industry, it is necessary to shift away from cumbersome legacy technology. In turn, the SEC must focus its regulatory sights more on the technologies needed to achieve this shift, such as providing a standardized framework for enacting cybersecurity measures within the cloud.
However, systemic change at this level can be tricky, especially with the aforementioned lack of unification.
As a result, the burden of cybersecurity management continues to fall more heavily on the shoulders of each institution, which must work out how to abide by new SEC rulings while also maintaining a highly competitive technical infrastructure.
Implementing a Strong Cybersecurity Framework Today is Vital
With the new rules and requirements of the SEC’s latest proposal for market entities, it is vital for firms to have a well-defined approach to cybersecurity.
The SEC has made it clear that it is shifting its focus to emphasize greater cybersecurity measures. However, the regulatory authority still has a long way to go in terms of making these new rules and regulations flexible and adaptable to each entity’s unique situation.
This makes it more pertinent than ever for organizations to adopt a more scalable, flexible, and cost-effective approach to cybersecurity and the relevant reporting requirements.
A Modern Framework
FundGuard is committed to helping our clients thrive and compete by providing a modern framework to enable more informed decisions, reduce operations risk, comply with changing regulations, and radically raise productivity.
Contact us to learn how our cloud-native NAV Contingency, ABOR and IBOR solutions mitigate the costs and risks of separate applications while boosting security, compliance and the ability to innovate and digitalize.