Note: This blog was originally published to Finextra on March 28, 2023
On March 15th, 2023, the U.S. Securities and Exchange Commission (SEC) released a new proposal to address cybersecurity risks to the U.S. securities markets.
On the surface, greater regulation of cybersecurity would certainly benefit investors, issuers and market participants alike. Yet the proposal has sparked concerns that it could actually increase costs and potentially even increase cybersecurity risk. As I will elaborate in a moment, some SEC Commissioners have gone so far as to publicly oppose the new proposal.
The SEC has proposed new rules for broker-dealers, clearing agencies, national securities exchanges, transfer agents, regulatory organizations, swap dealers, and data repositories. The official SEC press release states that:
“The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.”
This proposal stands to make major changes in how market entities deal with cybersecurity, with some of the biggest requirements of the proposal including:
The clear advantage of this proposal is that it brings new attention to cybersecurity risk.
Yet, this proposal also has key disadvantages that need to be addressed.
On the same day the proposal was released, SEC Commissioner Mark T. Uyeda released a statement in which he expressed his opposition to the proposal. Among the many reasons Commissioner Uyeda lists, one of the most prominent is that the proposal does not take into account the public comments made on a very similar proposal released in 2022, concerning cybersecurity risk management for registered investment advisers and funds.
Commissioner Uyeda further states that:
“The Commission’s “spaghetti on the wall” approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections. While the proposals acknowledge the possibility of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs.”
In the statement’s conclusion, the Commissioner argues that a better approach to regulating cybersecurity would be to propose a single coordinated set of rules, accompanied by a cost assessment and an analysis of the benefits of each rule individually and of the package as a whole.
Commissioner Uyeda is not the only member of the SEC to express doubts, either. SEC Commissioner Hester M. Peirce released a statement opposing the proposal as well, asserting that its rules are “so broad as to be impossible to implement.”
Commissioner Peirce further notes that these new rules will be particularly hard on small entities and could create new barriers to entry for new market players, ultimately acting as a catalyst for increased consolidation. Overall, Commissioner Peirce expresses concern that the rules would overwhelm smaller entities.
This lack of unification between overlapping sets of rules, together with a failure to acknowledge the impact of new rules on smaller businesses, is not a new problem at the SEC.
Consider, for example, the aforementioned February 2022 proposal on cybersecurity risk management for registered investment advisers, and the SEC’s May 2022 proposal for a new set of rules to enhance and standardize climate-related disclosures for investors. FundGuard commented on both proposals and reached a conclusion that mirrors Commissioner Uyeda’s in many ways.
FundGuard’s publicly published comment stated:
“The fact of the matter is that the fundamental and dramatic shifts taking place in the world today, very often driven by digital technology, mean that collectively we need to be creative about tackling disconnects and challenges that exist in the bedrock of the systems we use to do business.”
The reaction and public comments to all of these proposals ultimately reveal a universal truth: the industry needs to implement systemic change for such proposals to be truly effective. Moreover, although the SEC proposal says it does not want to create a one-size-fits-all solution, in its current state it imposes several requirements that do not account for the unique perspectives or scenarios faced by each type of market entity.
A key way in which the SEC’s proposal can be improved is by focusing more on the standardization of cybersecurity and creating a better foundation for systemic change. At the heart of this change, the need for technological innovation is evident.
As I stated in a previously published blog:
“Cybercrime and the cybersecurity needed to mitigate the potential crimes are driven by technology advances and digitalization, including the move to the cloud. Due to this shift in how organizations operate, traditional business continuity processes (BCP) and approaches no longer apply.”
Further, from a competitive advantage point of view, being too tentative about your cloud migration can mean the gap between you and your competitors widens to such an extent that you never catch up.
For cybersecurity to be better managed across the industry, it is necessary to shift away from cumbersome legacy technology. In turn, the SEC must focus its regulatory sights more on the technologies needed to achieve this shift, such as providing a standardized framework for enacting cybersecurity measures within the cloud.
However, systemic change at this level can be tricky, especially with the aforementioned lack of unification.
As a result, the burden of cybersecurity management falls increasingly on each institution, which must work out how to comply with new SEC rules while also maintaining a highly competitive technical infrastructure.
With the new rules and requirements of the SEC’s latest proposal for market entities, it is vital for firms to have a well-defined approach to cybersecurity.
The SEC has made it clear that it is shifting its focus to emphasize greater cybersecurity measures. However, the regulatory authority still has a long way to go in terms of making these new rules and regulations flexible and adaptable to each entity’s unique situation.
This makes it more pertinent than ever for organizations to adopt a more scalable, flexible, and cost-effective approach to cybersecurity and the relevant reporting requirements.
FundGuard is committed to helping our clients thrive and compete by providing a modern framework to enable more informed decisions, reduce operations risk, comply with changing regulations, and radically raise productivity.
Contact us to learn how our cloud native NAV Contingency, ABOR and IBOR solutions mitigate the costs and risks of separate applications while boosting security, compliance and the ability to innovate and digitalize.