SEC Proposes Expanded Cybersecurity Disclosure Requirements for Broker-Dealers and Other Market Participants
On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed new requirements for market participants such as broker-dealers, swaps dealers, clearing agencies, national securities associations, transfer agents and others to address their cybersecurity risks. The proposal follows the release of 2011 and 2018 interpretive guidance on the topic, which the SEC had issued to assist public companies when considering, drafting, and issuing disclosures regarding cybersecurity risks and incidents. The SEC also previously issued a March 2022 proposed rule regarding certain cybersecurity disclosure requirements for public companies.
The most recent proposal includes a new Rule 10 under the Securities Exchange Act of 1934 (“Rule 10” or the “proposed rule”) requiring that entities to which the rule applies establish, maintain, and enforce written policies and procedures reasonably designed to address their cybersecurity risks and periodically review the efficacy of those policies and procedures. Under the proposal, all entities subject to the rule must provide notice to, and update, the SEC regarding significant cybersecurity incidents using a new Form SCIR. In addition, covered entities (as defined) would have to file Part II of new Form SCIR on the SEC’s Electronic Data Gathering, Analysis, and Retrieval system (“EDGAR”) and post it on a publicly available website.