SEC Issues New Mandates to Revolutionize Cybersecurity Measures
The Securities and Exchange Commission proposed new cybersecurity requirements today for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).
“I am pleased to support this proposal because, if adopted, it will establish standards for Market Entities’ cyber-related security practices,” SEC Chair Gary Gensler said. “In recent decades, the nature, scale, and impact of cybersecurity risks have grown significantly. Investors, issuers, and market participants would all benefit from knowing that these entities have digital-age safeguards in place. This proposal would help to advance every aspect of our mission, particularly investor protection and market order.”
Market Entities are increasingly reliant on information systems to perform their functions and provide their services, making them targets for threat actors looking to disrupt their operations or gain access to data stored on the information systems for financial gain. Employee, service provider, or business partner errors can also pose a cybersecurity risk.
The interconnectedness of Market Entities raises the possibility that a significant cybersecurity incident will impact multiple Market Entities at the same time, causing systemic harm to the US securities markets.
The proposal would require all Market Entities to implement cybersecurity policies and procedures that are reasonably designed to address their cybersecurity risks. It would also require them to review and assess the design and effectiveness of those policies and procedures at least annually, including whether they reflect changes in cybersecurity risk over the time period covered by the review.
The proposal would improve the Commission’s ability to obtain information about significant cybersecurity incidents affecting these entities by imposing new notification requirements on all Market Entities and additional reporting requirements on Market Entities other than certain types of small broker-dealers (collectively, “Covered Entities”).
Furthermore, new public disclosure requirements for Covered Entities would increase transparency about cybersecurity risks that could harm the US securities markets.
The proposed release will appear in the Federal Register. The public comment period will be open until 60 days after the proposed release is published in the Federal Register.