The Securities and Exchange Commission is seeking to broaden the range of companies in the securities market that would be subject to stricter regulations for compliance and integrity of their information systems, while proposing a host of new requirements for those businesses around cybersecurity and their use of third-party cloud providers.
The 465-page proposed rule, which was first announced on Mar. 15, includes updates to more than two dozen existing laws and regulations. Among the changes would be an expansion of how the SEC defines a covered systems intrusion, a requirement for annual penetration testing of covered systems, new requirements around notifying the commission and any affected parties about a breach, and a requirement to designate key third-party providers, like cloud service providers, for participation in annual business continuity and disaster recovery testing.
The new rules could give the SEC greater visibility over cyberattacks on the financial ecosystem. While current law requires covered entities to report on “successful” system intrusions that result in the direct compromise of critical systems, the new definition would fold in a number of cybersecurity incidents, like distributed denial of service (DDoS) and other attacks that “disrupt or significantly degrade” a covered system.
It would also define any unauthorized or inadvertent access to data within these systems — by outsiders or employees — as a covered incident.
The new rules would also expand Regulation SCI coverage to security-based swap data repositories (SBSDRs), as well as to a subset of the 3,500 registered broker dealers who exceed certain size thresholds and to clearing agencies that were previously exempt from the heightened rules. While only “a small portion” of cryptocurrency asset trading is done by current registered broker dealers, the commission said systems used to trade or manage cryptocurrency assets may also be subject to the new rules.
The agency said the new rules are directed at “key market participants,” who “play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue.” They are being proposed, in part, to account for “new types of registered entities that are highly dependent on interconnected technology,” the increasingly remote post-COVID workforce, and the increased use of cloud services and other third-party products that may introduce new business risks.
“Given the continued and increasing risks associated with cybersecurity for SCI entities, the Commission believes it is appropriate to enhance the cybersecurity provisions of Regulation SCI to help ensure that SCI systems and indirect SCI systems of the most important entities in our securities markets remain secure,” the proposed rule states.
The proposed enhancements would cover any systems or technologies at those firms that support the trading of securities, clearance and settlement, order routing, market data, market regulation or market surveillance, as well as any systems that represent “a single point of failure” in the U.S. securities market. It would include not just systems owned and operated by those entities, but also ones managed by third parties — like cloud providers — on the firm’s behalf.
The U.S. government, particularly under the Biden administration, has increasingly focused on the role that third party cloud providers play in the cybersecurity ecosystem. These entities host or manage massive chunks of their customers’ IT infrastructure and are frequent targets of state and criminal hacking groups, who can leverage that access as a launchpad to attack their customers downstream. Leveraging regulations and other tools to gain better visibility over malicious activity in the cloud was one of the recommendations that came out of the White House National Cyber Strategy last month.
As one example of how these entities can put financial companies at risk, the SEC said an attack on a cloud provider’s hypervisor, which enables the sharing of physical compute and memory resources across multiple virtual machines, could also disrupt or even disable SCI-covered systems and qualifies as a systems intrusion.
The commission also highlighted the need to include SBSDRs in particular because of the role these entities play in providing “important infrastructure that assists relevant authorities in performing their market oversight,” such as the collection of market data used by regulators to conduct oversight and enforcement.
“Data maintained by SBSDRs may assist regulators in preventing market abuses, performing supervision, and resolving issues and positions if an institution fails,” the proposed rule reads. “SBSDRs are required to collect and maintain accurate SBS transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting the regulators in a better position to monitor for potential market abuse and risks to financial stability.”
The proposed regulations — which must go through a formal comment and rule-making process that could take months or years before being finalized — are part of a tranche of new cybersecurity-related requirements the SEC has imposed on financial companies over the past few years. The agency has sought to compel publicly traded companies and other entities to notify the government when they are hacked, detail cyber expertise on their boards, expand privacy protections, and require broker dealers to expand the type of customer information protected by data privacy regulations.