We’re nearing the end of Q1 2023, and the SEC has been busy. Following their record number of enforcement actions last year and their continued deliberation with the Commodity Futures Exchange Commission (“CFTC”) on who gets to regulate the cryptocurrency market, the SEC issued new rule change proposals and reopened a comment period on a previous rule proposal. We want to make sure you’re up to date with the pertinent happenings of the Securities Exchange Commission so we’ve provided a quick rundown of four SEC releases this week that you should know about.
SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information
The SEC has proposed new amendments to Regulation S-P that would enhance the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to provide notice to individuals affected by certain types of data breaches that might put these investors and clients at risk of identity theft or other harm. This new proposal would require covered institutions to adopt specific written policies and procedures for an incident response program to address unauthorized access to customer information.
The proposed amendments would make multiple additional changes to Regulation S-P that would broaden and align the scope of certain rules and safeguards for investors. Click here to read the SEC’s full press release on the proposed changes for Regulation S-P.
2. SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets
One of the SEC’s core examination priorities for 2023 is information security. This priority has been listed by the SEC every year since 2020 so, knowing it is an incredibly high priority, these proposed new requirements come as no surprise.
The SEC had proposed new requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (all collectively, “Market Entities”) to address their cybersecurity risks – whether latent or realized.
This proposal would require Market Entities to implement specific policies and procedures that are reasonably designed to address their individual cybersecurity risks and, annually at a minimum, review and assess the design and effectiveness of their cybersecurity policies and procedures. This also includes whether there are any changes in cybersecurity risk over the time period covered by the review. This proposal would then improve the Commission’s ability to obtain information about any significant cybersecurity incidents affecting these entities. Click here to read the SEC’s full release.
3. SEC Proposes to Expand and Update Regulation SCI
The SEC has proposed amendments to expand and update Regulation Systems Compliance and Integrity (“SCI”) – the set of rules adopted in 2014 to help address technological vulnerabilities in the U.S. securities markets and improve Commission oversight of the core technology of key U.S. securities market entities.
The massive growth in electronic trading now allows consistently increasing volumes of securities transactions in a broad range of asset classes at increasing speed by competing trading platforms. Plus, the popularity of remote work and increased outsourcing from third-party providers continue to drive the markets’ and market participants’ reliance on new and developing technology.
These amendments would expand the scope of SCI entities to include registered security-based swap data repositories; all clearing agencies that are exempt from registration; and certain large broker-dealers, in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, U.S. Treasury securities, or Agency securities, among other strengthened requirements of Regulation SCI.
Click here to read the SEC’s full release.
4. SEC Reopens Comment Period for ProposedCybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds
The SEC has reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies, and business development companies originally proposed by the Commission in February of 2022.
This comment period will allow interested persons more time to analyze the issues and prepare comments considering other regulatory developments over the last year. Click here to read the SEC’s full release.
As mentioned previously, cyber and information security are one of the top-of-mind priorities for the Securities Exchange Commission in 2023. Joot is available to assist you and your firm with all things related to compliance and security. Contact our team to learn more about how Joot changes compliance for good.