SEC Looks Into Cybersecurity for Market Entities

The Securities and Exchange Commission (SEC) is considering a proposal on cybersecurity practices for broker-dealers, clearinghouses, and other market entities.

Chair Gary Gensler said he is pleased to support this proposal because, if adopted, it would set standards for these market entities’ cybersecurity practices.

The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades.

“Market entities across our capital markets increasingly rely on complex and ever-evolving information systems,” Gensler said.

“Those who seek to harm these systems have become more sophisticated as well: in their tactics, techniques, and procedures,” he added.

Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age, he said.

“This proposal, if adopted, would help promote every part of our mission, particularly regarding investor protection and orderly markets,” Gensler said.

While building on various requirements relating to books and records, today’s proposal is the first explicitly to address cybersecurity practices for the majority of these market entities.

This proposal would address financial sector market entities’ cybersecurity in three key ways, he said.

First, this proposal would require market entities to adopt written policies and procedures that are reasonably designed to address the market entity’s cybersecurity risks.

Further, market entities other than smaller broker-dealers would be required to include in these policies and procedures elements that relate to (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents.

Second, the proposal would require that market entities notify the Commission of significant cyber incidents.

In addition, market entities, other than small broker-dealers, would be required to file subsequent reports with the Commission providing more information about the significant cybersecurity incident. This would increase the Commission’s insight into risks affecting these market entities. It also would provide insight into risks that might cut across multiple entities or the financial sector.

Third, the proposal would require market entities, other than smaller broker-dealers, to disclose to the public a summary description of cybersecurity risks that could materially affect the entity, as well as significant cybersecurity incidents in the current or previous calendar year.

“I believe such disclosure would help investors make informed decisions when deciding to which firms they might entrust their finances, data, and personal information.

“Critically, the proposal concerns a broad array of a firm’s information systems, which are any of the systems owned or used by the entity. As described in the release, these systems relate to the information resources owned or used by the covered entity,” Chair Gensler said.

The Commission also separately voted to reopen for public comment proposed amendments regarding similar cybersecurity enhancements for investment companies and investment managers.[1]

“Taken together, these amendments, if adopted, would benefit investors, issuers, and markets in the face of growing cybersecurity risks,” Gensler said.