What You Need To Know About the SEC’s New Cybersecurity Policies
On March 15, 2023, the US Securities and Exchange Commission (SEC) proposed new cybersecurity rules for Wall Street firms. The proposed rules are designed to protect financial markets against cyberthreats and to keep markets operating through events like natural disasters, outages, and cyberattacks.
The proposals were approved for publication in an initial vote at the SEC's March 15 public meeting, part of the agency's ongoing effort to modernize its regulations and address digital threats. They are intended to protect customer financial data, limit the impact of cyberattacks on financial institutions, and improve the resilience of market infrastructure.
Although the proposals are subject to a public comment period and must still undergo a final vote on adoption, they are expected to be approved later this year. Below, we break down each proposal and its implications for financial entities.
What are the penalties for noncompliance with SEC policies?
The SEC has the authority to impose fines and sanctions on firms that fail to comply with its rules. Fines range from a few thousand dollars to millions of dollars, depending on the severity of the violation. Beyond fines, the SEC can censure a firm or suspend or revoke its registration, barring it from operating in the securities industry.
The March 2023 proposals have not been finalized or adopted yet. Once they are, firms that fail to comply will face significant penalties. In fiscal year 2022 alone, the SEC filed 760 enforcement actions and obtained orders for $6.4 billion in civil penalties, disgorgement, and prejudgment interest.
What are the SEC’s new cybersecurity policies?
The SEC's proposed rules are meant to help stock exchanges, clearing agencies, and other critical financial institutions protect themselves against cyberattacks and system failures. The three proposals are:
- An amendment to Regulation S-P to expand data privacy regulations and improve safeguards for customer information.
- A cybersecurity risk management rule to help protect market entities from cyberthreats.
- An amendment to Regulation SCI to improve the resilience of key market infrastructure.
The SEC notes that market entities may be able to leverage the same action — i.e., instituting strong cybersecurity programs — to meet compliance with more than one of the proposed rules at once. Below, we’ll break down each of the rules in detail and explain what you can expect.
Regulation S-P: safeguarding customer data
Although brokers, investment advisers, and other financial institutions already implement security measures to protect personal customer data, the increase in cyberattacks has led the SEC to call for more rigorous safeguards. Its first proposal does this by amending an existing rule, Regulation S-P. Adopted in 2000, Regulation S-P requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures to safeguard customer records and information.
The proposed 2023 amendments to Regulation S-P would build on these existing protections. They would extend the data protection requirements to transfer agents, and they would require all covered institutions to adopt a written incident response program for unauthorized access to or use of customer information. A key element of that program is mandatory notification: affected individuals would have to be notified as soon as practicable, and no later than 30 days after the firm becomes aware of an incident involving their sensitive customer information.
Although similar breach notification requirements already exist in some states, the SEC amendments would create a federal baseline for notifying customers across the country whenever there is a breach involving their sensitive customer information.
Cybersecurity risk management
With more than a trillion dollars of transactions daily, the US securities markets are considered by the SEC to be a crucial component of the country’s economic infrastructure. Unfortunately, that makes them a major target for cyberattacks. As financial institutions have increased their use of cloud computing, mobile apps, and other new technologies, cybercriminals have increased the frequency and sophistication of their attacks on those technologies.
As a result of this increase in attacks, SEC Commissioner Caroline A. Crenshaw says, “Robust cybersecurity risk management practices are critical, both to safeguard investor funds and data, and to guard against potential market-wide instability.”
The SEC's proposed Cybersecurity Risk Management Rule would require market entities, including national securities exchanges, broker-dealers, clearing agencies, security-based swap entities, and transfer agents, to establish, maintain, and enforce written policies and procedures that address their cybersecurity risks. The rule would also impose recordkeeping requirements and, for some entities, require disclosures about their cybersecurity risks and how those risks are managed.
The rule would further require covered entities to give the SEC immediate written notice of any significant cybersecurity incident and to publicly disclose summary descriptions of their cybersecurity risks and the significant incidents they have experienced. Taken together, these requirements are intended to protect both investors and the markets from a wide variety of cyberthreats.
Regulation SCI: expanding resilience requirements
The SEC's third proposal would amend Regulation Systems Compliance and Integrity (Regulation SCI), adopted in 2014, to expand the set of stock exchanges, registered clearing agencies, and other institutions that must comply with it. Regulation SCI requires covered entities to maintain technology systems with the capacity, integrity, resiliency, availability, and security needed to keep markets operating.
Because both the financial sector and the technologies it relies on have evolved significantly since Regulation SCI was adopted, the SEC wants to extend the regulation to more market entities. Specifically, the proposed amendments would bring security-based swap data repositories, certain registered broker-dealers that exceed asset or transaction-volume thresholds, and additional clearing agencies within its scope.
The ultimate goal of this amendment is to help ensure that the technology systems relied on by key financial entities remain robust, resilient, and secure.
Data resilience and compliance with ShardSecure
The financial landscape continues to evolve rapidly, and technology is keeping pace. As Caroline Crenshaw put it in her March 15 statement on the proposed regulations, “Technology is no longer just fundamental to the operation of the markets — it is the markets, and managing it is vital for investor protection and fair, orderly, and efficient market operations.”
ShardSecure helps financial institutions and other companies strengthen their data security and data resilience to meet modern-day threats. Offering high availability and self-healing data as well as protection against unauthorized access, our data control platform allows companies to strengthen their data security both in the cloud and on-prem.
To learn more about ShardSecure’s technology, visit our resources page.
Sources
- Wall Street Regulator Proposes New Hacking, Data and Market Resiliency Rules | Reuters
- SEC Announces Enforcement Results for FY22 | Securities and Exchange Commission
- SEC Proposes New Cybersecurity Rules for Broker-Dealers | The CyberWire
- Regulation S-P | Securities and Exchange Commission
- SEC Proposes New Cybersecurity Rules for Financial Firms | The Wall Street Journal
- Data Security Breach Reporting | State of California - Office of the Attorney General
- HP Threat Report Finds Increasing Cybercrime Sophistication | Cyber Magazine
- Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards | International Monetary Fund
- Spotlight on Regulation SCI | Securities and Exchange Commission
- Statement on Amendments to Regulation S-P, Cybersecurity Risk Management, and Amendments to Regulation SCI | Securities and Exchange Commission