The SEC has issued new cybersecurity risk management requirements. The requirements will apply to "Market Entities", including broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents.
According to the SEC, Market Entities increasingly rely on information systems to perform their functions and provide their services and thus are targets for threat actors who may seek to disrupt their functions or gain access to the data stored on the information systems for financial gain.
Cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.
The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.
The proposal — through new notification requirements applicable to all Market Entities and additional reporting requirements applicable to Market Entities other than certain types of small broker-dealers referred to as “Covered Entities” — would improve the commission’s ability to obtain information about significant cybersecurity incidents affecting these entities. Further, new public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.