The Securities and Exchange Commission (SEC) has proposed a rule that would require broker-dealers and other related entities to implement cybersecurity risk management programs, including updated policies and procedures, reporting cybersecurity incidents and making disclosures to the SEC as applicable. The rule is designed to protect investors from the growing threat of cyberattacks. Along with a similar proposed rule for investment advisers and funds, the proposed rule for broker-dealers is expected to be put to a vote to become a final rule during the SEC’s October meeting schedule.

The proposed rule addresses requirements for what it defines as “Covered Entities” and “Non-Covered Entities.” Covered Entities include broker-dealers in certain categories such as the MSRB, clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS entities and transfer agents. Covered Entities are placed under stricter guidance and compliance requirements in the proposed rule. In contrast, Non-Covered Entities include broker-dealers that limit their business to selling mutual funds by subscription or engaging in private placements for clients, as well as those that only effect securities transactions to assist in mergers and acquisitions, or any related activity. Non-Covered Entities do not include broker-dealers who keep custody of any customer securities and cash, any large proprietary trading firms, market makers or alternative trading systems.

What are the requirements for Covered Entities?

Covered Entities are required to establish, maintain and enforce written policies and procedures designed to address their cybersecurity risk management, which should include and address the following:

  • Risk Assessment – Covered Entities must maintain documented risk assessments, updated on a regular basis, that list cybersecurity risks based on their information system inventory as well as the potential effect of any cybersecurity incident. These risk assessments should also account for potential risks arising from service providers. Regarding these service providers, the risk assessment should account for the following:
    • Assessed exposure: How does the service provider protect itself against cybersecurity risk? What is the extent of the service provider’s ability to respond to and recover from cybersecurity incidents?
    • Incident risk: Could a cybersecurity incident at a service provider lead to process failures or to the unauthorized access to or use of information or information systems?
    • Resulting impact: What is the impact on the regulatory obligations of the Covered Entity if such a cybersecurity incident were to occur?
  • User Security and Access – Covered Entities must describe in their risk management policies and procedures how they reduce the risk tied to end users in order to prevent unauthorized access to information systems, including user requirements, password management procedures and any procedures for granting or removing access.
  • Information Protection – Covered Entities must periodically assess the protection of their information systems, and must address how service providers that receive, maintain or process the Covered Entity’s information do so under a written contract.
  • Cybersecurity Threat and Vulnerability Management – Covered Entities must address how they will identify and mitigate cybersecurity threats and vulnerabilities with respect to their information systems.
  • Cybersecurity Incident Response and Recovery – Covered Entities must have a plan to respond to and recover from a significant cybersecurity incident, and must comply with the SEC’s requirement to report such incidents directly to the SEC.
    • Regarding the notification and reporting of significant cybersecurity incidents, Covered Entities must provide notice to the SEC within 48 hours of concluding that an incident has occurred or is currently occurring.
  • Annual Review and Required Written Reports – Risk management policies and procedures must be reviewed and assessed at least annually to ensure they are updated to reflect newly identified risks.

Other requirements for Covered Entities include how they make public disclosures about cybersecurity risks and the updates needed for recordkeeping, including written documentation of any risk assessments, cybersecurity incidents, annual reviews and disclosures.

What are the requirements for Non-Covered Entities?

While the compliance requirements for Non-Covered Entities are not as strict, they would still be subject to the following:

  • Cybersecurity Policies and Procedures – Establish, maintain and enforce reasonably designed policies and procedures that address their cybersecurity risks, taking into account the size, business and operations of the firm.
  • Annual Review – Review and assess the design and effectiveness of the policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.
  • SEC Notification – Provide the SEC with immediate written electronic notice of a significant cybersecurity incident.
  • Recordkeeping – Under updated recordkeeping requirements, maintain and preserve versions of their policies and procedures and the record of each annual review.

Windham Brannon Can Help

If adopted as a final rule, the requirements for broker-dealers could create hurdles, specifically with reporting significant cybersecurity incidents to the SEC within the required 48-hour period. Additionally, the requirements for updating cybersecurity risk management policies and procedures could become burdensome for entities unsure of how to implement such changes. Covered Entities would also need to consider how to apply the new requirements to their service providers and how to adhere to the SEC’s disclosure obligations.

Windham Brannon’s cybersecurity and risk management team knows how to help you effectively manage your cyber risks. For questions or more information about the proposed rule and requirements for broker-dealers, contact your Windham Brannon advisor today, or reach out to Al Tanju.