SEC proposes new cyber incident reporting rules for financial orgs

The Securities and Exchange Commission (SEC) proposed new cybersecurity rules for a range of financial organizations that would force them to report incidents within 48 hours of detection and implement certain security policies.

The new rules would also make it mandatory for some financial institutions to annually test and review the effectiveness of their cybersecurity policies and procedures.

“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades,” said SEC Chair Gary Gensler. “Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

The rules would cover broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.

The SEC said the new rules would improve the commission’s ability to gain more information about “significant” cybersecurity incidents affecting these kinds of institutions and would improve transparency about the kinds of cybersecurity risks facing the industry.

The commission noted that because so many entities rely on information systems for a variety of tasks, an attack on one institution could impact several others and cause “systemic harm to the U.S. securities markets.”

The proposal now goes through a public comment period for 60 days before regulators decide whether to move forward with it.

The proposal received a mixed response from SEC commissioners — some of whom lauded it while others questioned how the requirements overlapped with others rolled out in recent years.

“This would give the Commission data to assess trends, identify emerging risks, and help coordinate responses to cyber incidents that have the potential to cause broader disruptions, as well as providing the public with information they may need to respond to the incident,” Commissioner Caroline Crenshaw said.

While several officials backed the new rules, Commissioner Mark Uyeda said he does not support the proposal and added that the new rules can “potentially do more harm than good” because the regulatory filings would “demand immediate attention from management all in the midst of responding to a breach and alerting other authorities, including law enforcement.”

“And for what purpose? The SEC does not have a cyber response team that could immediately respond to seal the breach and provide technical assistance,” he said.

He noted that the proposal has several other overlaps with other amendments introduced this week related to incident reporting and requirements for cybersecurity procedures.

Commissioner Hester Peirce – who also said she would not support the proposal – echoed Uyeda’s comments, criticizing the SEC for being an “enforcer… not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers.”

Cybersecurity experts were similarly torn about the value of the proposals. Chris Gray, vice president of customer success at cybersecurity firm Deepwatch, said commissioners were right to worry that the new rules may “dive into the rivers of process and details created for their own sake.”

While something is better than nothing, Gray explained that the “tangled web of required actions” may make implementation and enforcement actions all the more difficult.

“Regardless, ensuring that these agencies and groups achieve the minimum standard level of capability and process, following a risk based analysis driven by the organizations' feedback, is a positive step,” he said.