On March 15th, 2023, the U.S. Securities and Exchange Commission (SEC) released a new proposal to address cybersecurity risks to the U.S. securities markets.
From a surface-level perspective, having greater regulation regarding cybersecurity would certainly benefit investors, issuers and market participants alike. Yet, the proposal has sparked concerns over its potential to actually increase costs and potentially
even increase risks associated with cybersecurity. As I will elaborate in a moment, some SEC Commissioners have even expressed their non-support for the new proposal.
What is the SEC’s New Cybersecurity Risk Management Proposal?
The SEC has proposed new rules for broker-dealers, clearing agencies, national securities exchanges, transfer agents, regulatory organizations, swap dealers, and data repositories. The official SEC press release states that:
“The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies
and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.”
This proposal stands to make major changes in how market entities deal with cybersecurity, with some of the biggest requirements of the proposal including:
-
Rule 10 Change: One of the key rule changes in this proposal is the introduction of Rule 10, which requires all covered entities to “establish, maintain, and enforce written policies and procedures that are reasonably designed to address
the Covered Entity’s cybersecurity risks.” Specifically, Rule 10 requires that an entity’s policies and procedures must address cybersecurity risk assessment, user security and accessibility, information protection, threat and vulnerability management, and
cybersecurity incident response and recovery.
-
New Reporting Requirements: The proposal requires covered entities to annually review and assess policies and procedures surrounding cybersecurity. This review and assessment must be completed in the form of a report, with these new reporting
requirements intended to help covered entities better protect themselves and mitigate cybersecurity risks. Additionally, the new reporting requirements also require a report when a cybersecurity incident occurs, as this helps organizations to recover more
effectively from the incident.
-
Completion of Form SCIR: As part of Rule 10’s new requirements, covered entities would also need to begin completing Parts I and II of the newly proposed Form SCIR, as well as file these parts of the form in a structured data language. Specifically,
covered entities are expected to use eXtensible Markup Language (XML) as the structured data language, rather than submitting via an unstructured language such as HTML or ASCII.
The Potential Disadvantages of the SEC’s Proposal
The clear advantage of this proposal is that it brings new light to the risk of cybersecurity.
Yet, this proposal also has key disadvantages that need to be addressed.
On the same day the proposal was released, SEC Commissioner Mark T. Uyeda also released a statement in which he expresses his non-support for the proposal. Among the many reasons Commissioner Uyeda lists, one of the most prominent disadvantages named is
that the proposal does not take into account the public comments made about a very similar proposal released in 2022, related to cybersecurity risk management for registered investment advisers.
Commissioner Uyeda further states that:
“The Commission’s “spaghetti on the wall” approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections. While the proposals acknowledge the possibility
of potential overlap, they fail to address those concerns and simply ask commenters to specifically identify areas of duplication and costs.”
In the statement’s conclusion, the Commissioner states that a better approach to regulating cybersecurity is to propose a set of coordinated rules. These rules should include a cost assessment and provide both individual and package benefits.
Commissioner Uyeda is not the only member of the SEC to express their doubts, either.
SEC Commissioner Hester M. Pierce released a statement of non-support as well, asserting that the current proposal’s rules are “so broad as to be impossible to implement.”
Commissioner Pierce further notes that these new rules will be particularly hard on small entities and can potentially create new barriers to entry for new market players, ultimately creating a catalyst for increased consolidation. As a whole, Commissioner
Pierce expresses concern about overwhelming smaller entities.
This lack of unification between overlapping sets of rules, as well as the lack of acknowledgment of the impact of the new rules on smaller businesses, is not a new problem in the SEC.
For example, the afore-mentioned February 2022 proposal related to cybersecurity risk management for registered investment advisers, as well as the SEC’s May 2022 proposal for a new set of rules to enhance and standardize climate-related disclosures for
investors. FundGuard commented on these proposals, reaching a conclusion that mirrors Commissioner Uyeda’s in many ways.
In FundGuard’s publically published comment, it was stated that:
“The fact of the matter is that the fundamental and dramatic shifts taking place in the world today, very often driven by digital technology, mean that collectively we need to be creative about tackling disconnects and challenges that exist in the bedrock
of the systems we use to do business.”
The reaction and public comments to all these proposals ultimately reveal a universal truth — that the industry needs to implement systemic change for such proposals to be truly effective.
Additionally, though the SEC proposal remarks on not wanting to create a one-size-fits-all solution, the proposal in its current state imposes several requirements that do not take into account the unique perspectives or scenarios faced by each type of market
entity.
How Can Cybersecurity Rules be Systemically Implemented & Changed?
A key way in which the SEC’s proposal can be improved is by focusing more on the standardization of cybersecurity and creating a better foundation for systemic change.
At the heart of this change, the need for technological innovation is evident.
For cybersecurity to be better managed across the industry, it is necessary to shift away from cumbersome legacy technology. In turn, the SEC must focus its regulatory sights more on the technologies needed to achieve this shift, such as providing a standardized
framework for enacting cybersecurity measures within the cloud.
As I stated back in 2022:
“ — if you opt for supposedly cloud-enabled services that merely overlay cloud-based managed services onto legacy infrastructure and software, you remain vulnerable to the same security risks that you did with your legacy technology.” Further, from a competitive
advantage point of view, being too tentative about your cloud migration can mean the gap between you and your competitors widens to such an extent that you never catch up.”
However, systemic change at this level can be tricky, especially with the aforementioned lack of unification.
As a result, the burden of cybersecurity management continues to fall more so on the shoulders of each institution, as these institutions must consider how to abide by new SEC rulings while also maintaining a highly competitive technical infrastructure.
Implementing a Strong Cybersecurity Framework Today is Vital
With the new rules and requirements of the SEC’s latest proposal for market entities, it is vital for investment accounting and asset management firms to have a well-defined approach to cybersecurity.
The SEC has made it clear that it is shifting its focus to emphasize greater cybersecurity measures. However, the regulatory authority still has a long way to go in terms of making these new rules and regulations flexible and adaptable to each entity’s unique
situation.
This makes it more pertinent than ever for organizations to adopt a more scalable, flexible, and cost-effective approach to cybersecurity and the relevant reporting requirements.
Written by Yaniv Zecharya, CTO and Co-Founder at FundGuard.