The Securities and Exchange Commission (SEC) has unveiled a proposal that would impose cybersecurity requirements on various entities in the financial industry. The proposal aims to address the increasing cybersecurity risks faced by broker-dealers, clearing agencies, security-based swap dealers, and other market participants. SEC Chair Gary Gensler expressed his support for the proposal, highlighting the need for robust cybersecurity practices in today’s digital age. As the nature of cyber threats evolves and their impact grows, it is crucial for investors, issuers, and market participants to have confidence in the protection of their data and the stability of the markets.
Market Entities heavily rely on information systems to carry out their functions and services, making them prime targets for threat actors seeking to disrupt operations or gain unauthorized access to sensitive data. Cybersecurity risks can also arise from internal sources, such as employee errors or vulnerabilities introduced by service providers and business partners. Given the interconnectedness of these entities, a significant cybersecurity incident can have far-reaching consequences, potentially causing systemic harm to the U.S. securities markets. The SEC’s proposal seeks to address these risks comprehensively.
Under the proposed requirements, all Market Entities would be mandated to establish policies and procedures that are reasonably designed to mitigate cybersecurity risks. Additionally, they would be required to conduct annual reviews and assessments of their cybersecurity policies to ensure their effectiveness and alignment with evolving threats. The proposal also introduces new notification and reporting requirements to enhance the SEC’s ability to obtain information about significant cybersecurity incidents. Furthermore, Covered Entities would be subject to additional public disclosure obligations, promoting transparency and providing stakeholders with a clearer understanding of the cybersecurity risks that could impact the U.S. securities markets.
The proposal will be published in the Federal Register, and a 60-day public comment period will follow its publication. This period will allow industry stakeholders, experts, and the public to provide feedback on the proposed requirements, ensuring a comprehensive and informed approach to cybersecurity regulation in the financial sector. As the digital landscape continues to evolve, regulatory measures like these are crucial in safeguarding the integrity of financial markets and bolstering investor protection in an era of increasing cyber threats.
At Elevate, we work with broker-dealers and registered investment advisors to ensure they have adequate controls in place to pass examinations and mitigate cybersecurity threats. Connect with a consulting specialist to ensure you are in compliance with existing and upcoming regulations.