Our Take: financial services regulatory update - March 17, 2023

On March 15th, the SEC issued three proposals concerning customer data protection, cybersecurity risk management for broker-dealers, and amendments to Regulation Systems Compliance and Integrity (Reg SCI). It also reopened the comment period on a previous cybersecurity risk management proposal for investment advisers and funds.

• Customer data protection. The first proposal comprises amendments to rules under Regulation S-P, which requires registrants to protect and properly dispose of customer data. The amendments would require broker-dealers, investment companies and advisers to have policies and procedures around incident response programs to address unauthorized access to customer information. These institutions would also generally be required to notify customers whose sensitive information “was or is reasonably likely to have been accessed or used without authorization” no later than 30 days after becoming aware of the incident.
• Cybersecurity risk management for broker-dealers. The second proposal would apply new cybersecurity risk management requirements to broker-dealers, clearing agencies, major security-based swap (SBS) participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, SBS data repositories, SBS dealers, and transfer agents (collectively, Market Entities). Under the proposal, Market Entities would be required to implement – and review at least annually – policies and procedures “reasonably designed to address their cybersecurity risks” and prevent unauthorized access to information systems. Market Entities would also need to send the SEC “immediate written electronic notice of a significant cybersecurity incident” and publicly disclose information on such incidents would also need to be publicly disclosed on proposed Form SCIR.
• Amendments to Reg SCI. The third proposal on the agenda concerns amendments to Reg SCI that would expand the scope of entities subject to the regime and update certain provisions. The proposed amendments would expand the scope of Reg SCI¹ to cover registered security-based swap data repositories, clearing agencies that are exempt from registration, and certain large broker-dealers. The amendments would also add new requirements for all covered entities to maintain a written system inventory and program for life cycle management, preventing unauthorized access to critical systems, and managing certain third-parties, including cloud service providers. In addition, the proposal would expand the types of events that would trigger immediate SEC notification.
• Cybersecurity risk management for advisers and funds. The cybersecurity risk management standards for registered investment advisers and funds, which were previously proposed in February 2022, would require them to adopt and implement policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposal states that “reasonably designed” policies and procedures should contain elements including implementation responsibility, risk assessments, user security and access, information protection, threat and vulnerability management, incident response and recovery. The proposal also introduces a new confidential form, Form ADV-C, that advisers would be required to file with the SEC within 48 hours of significant cybersecurity incidents affecting the adviser, its fund or private fund clients.

Comments on all four proposals will be accepted for 60 days following publication in the Federal Register.

Our Take

With these proposals, Chair Gary Gensler has checked off nearly every target in his January 2022 speech outlining plans to shore up information security-related defenses across the capital markets. As he foreshadowed, these proposals would ensure that all major categories of financial institutions overseen by the SEC have comprehensive cybersecurity policies and procedures. Most firms already have cybersecurity policies and procedures at various stages of maturity, but even those with advanced programs will need to closely compare their capabilities with the elements described in these proposals and make plans to close any gaps. Notably, all four proposals include a provision around notifying either the SEC, customers, or both, of cybersecurity or data breach incidents, meaning that affected firms will need to develop or enhance reaction plans to develop, validate and issue the necessary communications. All of the proposals also echo Treasury’s recent cloud report in recognizing the prevalence of migrating data to cloud service providers and the resulting importance of effective third party risk management and oversight. As such, firms impacted by these proposals will need to develop a better understanding of where sensitive data is located, how access is restricted and authenticated, and what mechanisms are in place to detect and react to breaches - including through their third party service providers. As they are affected by all three of the new proposals, large broker-dealers will have the most work ahead and should begin to develop strategies and consider resource needs for potentially overlapping implementation schedules.

^{1 Reg SCI was adopted in 2014 to require certain market participants that are key to the functioning of the US securities market – including securities exchanges, registered clearing agencies and alternative trading systems – to have comprehensive policies and procedures for establishing, operating, maintaining, and securing critical technology systems.}

These notable developments hit our radar this week:

• Fed announces July FedNow launch. On March 16th, the Fed announced that its FedNow service, which will provide 24x7x365 real-time gross settlement with integrated clearing functionality, will launch in July. The announcement notes that the Fed will begin certifying early adopters in April.
• SEC set to adopt Form PF amendments. On March 22nd, the SEC will meet to finalize amendments to Form PF, a confidential reporting form instituted following the financial crisis to require advisers to certain private equity and hedge funds to report financial, ownership, performance and exposure details to the government on a quarterly and annual basis. The amendments were proposed in January 2022 would require advisers to PE funds and large hedge funds to file reports within one day of certain events, lower the current threshold for filing by large PE advisers, and require them to report more granular information including details on their strategies, use of leverage and portfolio company financings, and portfolio company restructurings or recapitalizations.