Signals significant changes to regulations for broker-dealers, investment companies, RIAs, and other market agents.
The SEC has been signaling the expansion of the compliance around cybersecurity for public financial firms for some time. Increased and intensified state-sanctioned cyber-attacks, data breaches, and ransomware have spotlighted the risk to the U.S. economy, its investment markets, and its investors.
“The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars,” said SEC Chair Gary Gensler in a speech on January 24th. “Hackers have attacked broker-dealers, government agencies, meat processors, and pipelines. These attacks can take many forms from denials-of-service to malware to ransomware.”
Referencing the 2021 Robinhood breach and the SolarWinds incident from 2020, Gensler notes that the joint work of the FBI, CISA, and the Biden administration is ratcheting up to curb the plague: not the COVID-19 pandemic, but the scourge of cybercrime.
He shares that the SEC is looking at ways to strengthen the financial markets’ cyber readiness and hints at a new and expanded compliance framework.
In terms of policy, there are three areas under scrutiny: cyber hygiene and preparedness, cyber incident reporting to the government, and disclosures to the public.
These areas call for IT solutions that prepare for, respond to, and report cyber events. Practices like access management and end-user training, both of which reduce the likelihood of cyber incidents, will need to be implemented and reinforced. Additionally, a robust backup system and a disaster recovery plan should be developed or expanded so the firm can respond to any events that do occur. Depending on the specific language that ends up in new or expanded regulations, additional IT solutions will most likely be needed for compliance.
The organizations that may face new and strengthened regulations include SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and others. Also in the crosshairs are public companies, third-party service providers, and other organizations not currently registered with the SEC but which support or interact with SEC-registered companies.
Specific regulations that the SEC is proposing to change:
- Expanding Regulation Systems Compliance and Integrity (Reg SCI) to cover more entities, including market-makers, broker-dealers, and other financial entities. Reg SCI requires that SEC registrants have robust, sound technology programs, business continuity plans, testing protocols, data backups, and more.
- Implementing new regulations on cybersecurity hygiene practices and incident reporting for financial sector registrants not covered by Reg SCI, such as investment companies, investment advisers, and broker-dealers.
- Modernizing Regulation S-P, which deals with data privacy, changing the scheduling and content of notifications to clients about data breaches involving personally identifiable information.
These changes would significantly impact a wide array of companies and subject them to expanded or newly instituted regulations that they may not be prepared to meet.
If your organization requires assistance with keeping up with and implementing these and any other cybersecurity compliance requirements, reach out to our experts. Coretelligent has a suite of solutions, including CoreArmor and CoreBDR, designed to address the compliance and security needs of the financial sector. With more than 16 years of experience helping clients navigate a whole host of IT compliance regulations and bolstering their cybersecurity posture, we can help your firm understand and meet its regulatory requirements.