The SEC last week proposed changes to Regulation Systems Compliance and Integrity (Reg SCI) and Regulation S-P, also called the Safeguarding Rule, at an open hearing.
The current Reg SCI, adopted in 2014, requires SCI entities to have security policies, take corrective action in response to system issues and undergo business continuity and disaster recovery testing. Under the proposal, BC/DR tests must also address the unavailability of a third party to which the SCI entity outsources. SCI entities also must immediately notify the SEC of a wider range of cyber events, such as those that deny access to systems and processes of the SCI entity.
SCI entities include self-regulatory organizations like FINRA, stock and options exchanges, registered clearing agencies and alternative trading systems.
If the new rule is adopted, SCI entities would have to make significant changes to some of their policies. They would need to update their procedures to include “the maintenance of a written inventory and classification of all SCI systems and a program for life cycle management; a program to prevent the unauthorized access to such systems and information therein; and a program to manage and oversee certain third-party providers, including cloud service providers, of covered systems.”
The proposed update to Reg SCI would also expand the entities that are subject to the rule. Currently, SCI entities are those involved in trading, clearance and settlement, and market regulation. Under the proposal, registered security-based swap data repositories, clearing agencies that are exempt from registration and large broker/dealers would also be subject to the rule.
The proposal was approved by a 3-2 vote, with SEC Commissioners Mark Uyeda and Hester Peirce dissenting. Uyeda expressed specific concern about the reporting requirements of the proposed Reg SCI and how it would interact with reporting requirements from other rules. Reg SCI requires immediate notification to the SEC of “significant cybersecurity incidents.” Uyeda wrote that overlapping reporting requirements can be confusing and might undermine cybersecurity if registrants are more concerned about reporting in a timely manner than addressing the breach.
An update to Reg S-P, which was also proposed by the SEC on Wednesday, would require broker/dealers, registered investment advisers and transfer agents to adopt policies for the protection of customer records and notify clients affected by data breaches that put them at risk. Covered institutions must have written policies that outline an incident response program to address unauthorized access to customer information and to provide timely notification to affected individuals.
The covered institutions must inform customers of a data breach “as soon as practicable,” but cannot wait longer than 30 days from the date they became aware of the breach.
SEC Commissioner Caroline Crenshaw, who voted for both proposals, said the update to Reg S-P is important because it would expand safeguarding requirements to transfer agents, who are not covered under the existing Reg S-P, which was finalized in 2000.
SEC Chairman Gary Gensler, who also voted for both proposals, said in a statement that covered institutions currently have no obligation to inform their customers of data breaches, even though awareness would allow those customers to take steps to mitigate the damage done to them by the breach.