
Your firm’s cybersecurity compliance program: Navigating the ever-evolving cybersecurity landscape

Oct 18, 2023

The financial sector, with the sensitive data it houses and fiduciary responsibilities it has, stands as a prime target for cyber threats. Recognizing this, regulators have introduced and proposed amendments to cybersecurity rules meant to fortify the defenses of financial firms.

Here’s a breakdown of the cybersecurity rules your firm should know and how your firm’s cybersecurity compliance program can meet regulators’ expectations.

In today’s interconnected and digital business landscape, the need for robust cybersecurity measures has never been more pronounced. The financial sector, with the sensitive data it houses and the fiduciary responsibilities it carries, faces a unique level of cyber risk. Recognizing this, regulators such as the Securities and Exchange Commission (SEC) have adopted, and proposed amendments to, cybersecurity rules meant to fortify the defenses of financial firms.

Adherence to these rules not only safeguards sensitive information but also fosters a culture of trust and transparency in the ever-evolving landscape of financial technology.

Adopted SEC cybersecurity rules

Regulators have set forth cybersecurity rules that have become foundational to many firms’ cybersecurity compliance programs. These foundational rules lay the groundwork, emphasizing privacy, identity theft prevention and standardized disclosure. They include:

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to disclose their privacy policies and practices to customers and to refrain from sharing nonpublic personal information with nonaffiliated third parties unless the customer has been given notice and an opportunity to opt out. Regulation S-P is the SEC’s implementation of those GLBA privacy provisions for the entities it oversees: investment advisers, broker-dealers and investment companies. Beyond privacy notices, Regulation S-P’s safeguards provisions require these firms to maintain written policies and procedures reasonably designed to protect customer records and information. Together, these provisions establish a baseline for safeguarding consumer information, promoting transparency and giving customers control over the use of their data.

The Commodity Futures Trading Commission (CFTC) and the SEC jointly issued identity theft “red flags” rules (the SEC’s version is Regulation S-ID). These rules require financial institutions and creditors that offer or maintain covered accounts to develop and implement a written identity theft prevention program focused on detecting, preventing and mitigating identity theft in connection with both new and existing accounts. Credit and debit card issuers face an additional requirement: when a notification of a change of address is followed closely by a request for an additional or replacement card, the issuer must assess the validity of the change of address before issuing the card.

In July 2023, the SEC adopted new rules, effective September 2023, to standardize public companies’ disclosures regarding cybersecurity risk management, strategy, governance and incidents. Under these rules, a registrant must disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery), and must make periodic disclosures about its processes to assess, identify and manage cybersecurity risks, as well as the role of management and the board in overseeing those risks.

Proposed SEC cybersecurity rules

Since adopting those foundational rules, the SEC has proposed regulations meant to further fortify firms and enhance transparency surrounding significant cybersecurity risks and incidents. The proposed rules extend the regulatory net, encompassing a broader spectrum of financial entities and demanding heightened vigilance. They include:

The SEC’s proposed rules under the Advisers Act and the Investment Company Act would require registered investment advisers and investment companies to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks. The proposal would also require advisers to report significant cybersecurity incidents to the Commission on a confidential basis within a short, fixed window after concluding that such an incident has occurred or is occurring. Amendments to various disclosure forms aim to enhance transparency surrounding significant cybersecurity risks and incidents, and new recordkeeping requirements are proposed to document the firm’s cybersecurity governance.

A separate proposal extends similar obligations to broker-dealers, clearing agencies, security-based swap dealers and major security-based swap participants, and other key players in the securities markets. It would require written policies and procedures, immediate notification to the Commission of significant cybersecurity incidents, detailed follow-up reporting and public disclosures of cybersecurity risks and incidents.

How these changes might impact your firm’s cybersecurity compliance program

While the proposed rules remain subject to public comment and may change before adoption, they signal the direction regulators expect cybersecurity compliance programs to take. It is therefore a good idea to start planning for them now.

  • Implementation of cybersecurity policies.

Your firm would need to adopt and implement written cybersecurity policies and procedures as the proposed rules would require. This may involve assessing and enhancing existing policies or developing new ones to meet the specified requirements, and documenting the periodic review of those policies.

  • Recordkeeping requirements.

The proposed recordkeeping requirements imply a more robust approach to cybersecurity governance. Your firm may need to implement systems and processes that thoroughly document the cybersecurity measures it has taken, the incidents that have occurred and the firm’s responses to them, and retain those records for the required period.

  • Scope expansion.

If your firm falls under the expanded scope, which would include broker-dealers, clearing agencies and other securities market participants, it would need policies and procedures that address the cybersecurity risks specific to its role in the securities markets.

  • Notification protocols and incident reporting.

The proposals would create a new obligation to report significant cybersecurity incidents to the SEC within a short, fixed window. Because that window starts once the firm has concluded that a significant incident is occurring or has occurred, your firm would need clear procedures for identifying and assessing incidents, documenting when that conclusion is reached and promptly notifying the Commission.

  • Public disclosures and enhanced transparency.

The proposed rules would require detailed reporting and public disclosure of cybersecurity incidents, so your firm should prepare for heightened scrutiny. Develop clear communication strategies for addressing incidents with regulators and the public, and update disclosure processes to provide more comprehensive information on cybersecurity risks in reports and client communications.

Complying with COMPLY

These changes reflect a broader regulatory focus on cybersecurity across the financial industry. As financial firms navigate these cybersecurity rules, a proactive and comprehensive approach to risk management is imperative.

Therefore, your firm needs a proactive partner – like COMPLY.

COMPLY offers tailored consulting and technology services to help your firm’s cybersecurity compliance programs meet regulators’ expectations. These services not only help your firm identify red flags but adeptly address them and stay ahead of compliance risks.

We have also created tools to help your firm navigate the cyber landscape. Download The Ultimate Guide to Cybersecurity Compliance for further guidance. By using COMPLY’s tools and solutions, your firm can better protect its own data and its clients’ data.