March 16, 2023
SEC Reopens Public Comment on The Cybersecurity and Risk Management Rule and Proposes Changes to Reg S-P to Enhance Protection of Customer Information
On Wednesday, March 15, the U.S. Securities and Exchange Commission (SEC) held an open meeting, announced three proposed rules touching on cybersecurity, and reopened its proposed Cybersecurity Risk Management Rule for more public commentary. The new proposals touch on the technology used by market entities and securities markets themselves along with amendments to Regulation S-P. The SEC’s proposals would go beyond current requirements by addressing the expanded use of technology and its corresponding risks, another demonstration that the SEC is taking a much stronger stance on cybersecurity-related concerns.
The SEC released two cybersecurity-related proposals in 2022, the Cybersecurity Risk Management Rule and the Outsourced Service Provider Rule. Our team of regulatory experts will cover these proposals in more detail, including how RIAs can start to prepare for compliance, in our webinar on Tuesday, March 21 at 12:00 ET.
The Commission said that reopening the public comment period for the Cybersecurity and Risk Management Rule gives advisers the opportunity to analyze the rule and “prepare comments in light of other regulatory developments.” Good advice, since there are overlapping requirements for managing risks and disclosure across all of these proposed rules. For example, the ADV 2A Item 20 proposed in the Cybersecurity and Risk Management Rule requires the disclosure of cyber incidents and the amendments to Regulation S-P contain requirements to disclose breaches.
The press release announcing these proposed amendments to Regulation S-P indicates they would “enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.”
Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures to help protect customer records and information.
The proposed amendments to Reg S-P would require “covered institutions” (referring to: broker-dealers, investment companies, registered investment advisers, and transfer agents) to:
The proposal would also make a number of additional changes to Regulation S-P, including:
The proposal will be published in the Federal Register, and the public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.
While the proposed rule codifies many best practices and SEC expectations, it increases the burden on firms to provide notice disclosures above and beyond the current expectations, including various state requirements. Taken along with the 2022 proposals, the SEC is clearly looking to regulate cybersecurity risks by increasing the risk management and disclosure requirements across multiple regulations. There is time for your opinion to be heard during these new and newly reopened comment periods for each regulation. This is also a great time to assess your firm’s risks and begin preparation for compliance with the increasing regulatory burdens these proposals will bring.
Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the proposed rules. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.