[Federal Register Volume 88, Number 65 (Wednesday, April 5, 2023)]
[Proposed Rules]
[Pages 20212-20354]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05767]
[[Page 20211]]
Vol. 88
Wednesday,
No. 65
April 5, 2023
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 232, 240, 242, et al.
Cybersecurity Risk Management Rule for Broker-Dealers, Clearing
Agencies, Major Security-Based Swap Participants, the Municipal
Securities Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories, Security-
Based Swap Dealers, and Transfer Agents; Proposed Rule
��Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 /
Proposed Rules��
[[Page 20212]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 232, 240, 242 and 249
[Release No. 34-97142; File No. S7-06-23]
RIN 3235-AN15
Cybersecurity Risk Management Rule for Broker-Dealers, Clearing
Agencies, Major Security-Based Swap Participants, the Municipal
Securities Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories, Security-
Based Swap Dealers, and Transfer Agents
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
proposing a new rule and form and amendments to existing recordkeeping
rules to require broker-dealers, clearing agencies, major security-
based swap participants, the Municipal Securities Rulemaking Board,
national securities associations, national securities exchanges,
security-based swap data repositories, security-based swap dealers, and
transfer agents to address cybersecurity risks through policies and
procedures, immediate notification to the Commission of the occurrence
of a significant cybersecurity incident and, as applicable, reporting
detailed information to the Commission about a significant
cybersecurity incident, and public disclosures that would improve
transparency with respect to cybersecurity risks and significant
cybersecurity incidents. In addition, the Commission is proposing
amendments to existing clearing agency exemption orders to require the
retention of records that would need to be made under the proposed
cybersecurity requirements. Finally, the Commission is proposing
amendments to address the potential availability to security-based swap
dealers and major security-based swap participants of substituted
compliance in connection with those requirements.
DATES: Comments should be received on or before June 5, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/submitcomments.htm); or
Send an email to [email protected]. Please include
File Number S7-06-23 on the subject line.
Paper Comments
Send paper comments to Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-06-23. The file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549, on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change; the Commission does not edit personal
identifying information from submissions. You should submit only
information that you wish to make available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's website. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Randall W. Roy, Deputy Associate
Director and Nina Kostyukovsky, Special Counsel, Office of Broker-
Dealer Finances (with respect to the proposed cybersecurity rule and
form and the aspects of the proposal unique to broker-dealers); Matthew
Lee, Assistant Director and Stephanie Park, Senior Special Counsel,
Office of Clearance and Settlement (with respect to aspects of the
proposal unique to clearing agencies and security-based swap data
repositories); John Guidroz, Assistant Director and Russell Mancuso,
Special Counsel, Office of Derivatives Policy (with respect to aspects
of the proposal unique to major security-based swap participants and
security-based swap dealers); Michael E. Coe, Assistant Director and
Leah Mesfin, Special Counsel, Office of Market Supervision (with
respect to aspects of the proposal unique to national securities
associations and national securities exchanges); Moshe Rothman,
Assistant Director, Office of Clearance and Settlement (with respect to
aspects of the proposal unique to transfer agents) at (202) 551-5500,
Division of Trading and Markets; and Dave Sanchez, Director, Adam
Wendell, Deputy Director, and Adam Allogramento, Special Counsel,
Office of Municipal Securities (with respect to aspects of the proposal
unique to the Municipal Securities Rulemaking Board) at (202) 551-5680,
Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549-7010.
SUPPLEMENTARY INFORMATION: The Commission is proposing to add the
following new rule and form under the Securities Exchange Act of 1934
(``Exchange Act''): (1) 17 CFR 242.10 (``Rule 10''); and (2) 17 CFR
249.642 (``Form SCIR''). The Commission also is proposing related
amendments to the following rules: (1) 17 CFR 232.101; (2) 17 CFR
240.3a71-6; (3) 17 CFR 240.17a-4; (4) 17 CFR 240.17Ad-7; (5) 17 CFR
240.18a-6; and (6) 17 CFR 240.18a-10. Further, the Commission is
proposing to amend certain orders that exempt clearing agencies from
registration.
------------------------------------------------------------------------
Commission reference CFR citation (17 CFR)
------------------------------------------------------------------------
Regulation S-T............................ Sec. 232.101
Rule 3a71-6............................... Sec. 240.3a71-6
Rule 17a-4................................ Sec. 240.17a-4
Rule 17Ad-7............................... Sec. 240.17Ad-7
Rule 18a-6................................ Sec. 240.18a-6
Rule 18a-10............................... Sec. 240.18a-10
Rule 10................................... Sec. 242.10
Form SCIR................................. Sec. 249.624
------------------------------------------------------------------------
Table of Contents
I. Introduction
A. Cybersecurity Risk Poses a Threat the U.S. Securities Markets
1. In General
2. Critical Operations of Market Entities Are Exposed to
Cybersecurity Risk
B. Overview of the Proposed Cybersecurity Requirements
II. Discussion of Proposed Cybersecurity Rule
A. Definitions
1. ``Covered Entity''
2. ``Cybersecurity Incident''
3. ``Significant Cybersecurity Incident''
4. ``Cybersecurity Threat''
5. ``Cybersecurity Vulnerability''
6. ``Cybersecurity Risk''
7. ``Information''
8. ``Information Systems''
9. ``Personal Information''
10. Request for Comment
B. Proposed Requirements for Covered Entities
1. Cybersecurity Risk Management Policies and Procedures
2. Notification and Reporting of Significant Cybersecurity
Incidents
3. Disclosure of Cybersecurity Risks and Incidents
4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a
Structured Data Language
[[Page 20213]]
5. Recordkeeping
C. Proposed Requirements for Non-Covered Broker-Dealers
1. Cybersecurity Policies and Procedures, Annual Review,
Notification, and Recordkeeping
2. Request for Comment
D. Cross-Border Application of the Proposed Cybersecurity
Requirements to SBS Entities
1. Background on the Cross-Border Application of Title VII
Requirements
2. Proposed Entity-Level Treatment
3. Availability of Substituted Compliance
E. Amendments to Rule 18a-10
1. Proposal
2. Request for Comment
F. Market Entities Subject to Regulation SCI, Regulation S-P,
Regulation ATS, and Regulation S-ID
1. Discussion
2. Request for Comment
G. Cybersecurity Risk Related to Crypto Assets
III. General Request for Comment
IV. Economic Analysis
A. Introduction
B. Broad Economic Considerations
C. Baseline
1. Cybersecurity Risks and Current Relevant Regulations
2. Market Structure
D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule
Amendments
1. Benefits and Costs of the Proposals to the U.S. Securities
Markets
2. Policies and Procedures and Annual Review Requirements for
Covered Entities
3. Regulatory Reporting of Cybersecurity Incidents by Covered
Entities
4. Public Disclosure of Cybersecurity Risks and Significant
Cybersecurity Incidents
5. Record Preservation and Maintenance by Covered Entities
6. Policies and Procedures, Annual Review, Immediate
Notification of Significant Cybersecurity Incidents, and Record
Preservation Requirements for Non-Covered Broker-Dealers
7. Substituted Compliance for Non-U.S. SBS Entities
E. Effects on Efficiency, Competition, and Capital Formation
F. Reasonable Alternatives
1. Alternatives to the Policies and Procedures Requirements of
Proposed Rule 10
2. Alternatives to the Requirements of Proposed Form SCIR and
Related Notification and Disclosure Requirements of Proposed Rule 10
3. General Request for Comment
V. Paperwork Reduction Act Analysis
A. Summary of Collections of Information
1. Proposed Rule 10
2. Form SCIR
3. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
4. Substituted Compliance (Rule 3a71-6)
B. Proposed Use of Information
C. Respondents
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
D. Total Initial and Annual Reporting Burdens
1. Proposed Rule 10
2. Form SCIR
3. Rules 17a-4, 17ad-7, 18a-6, and Clearing Agency Exemption
Orders (and Existing Rules 13n-7 and 17a-1)
4. Substituted Compliance (Rule 3a71-6)
E. Collection of Information is Mandatory
F. Confidentiality of Responses to Collection of Information
G. Retention Period for Recordkeeping Requirements
H. Request for Comment
VI. Initial Regulatory Flexibility Act Analysis
A. Reasons for, and Objectives of, Proposed Action
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
B. Legal Basis
C. Small Entities Subject to Proposed Rule, Form SCIR, and
Recordkeeping Rule Amendments
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
D. Reporting, Recordkeeping, and Other Compliance Requirements
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, and 18a-6
E. Duplicative, Overlapping, or Conflicting Federal Rules
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
F. Significant Alternatives
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
G. Request for Comment
VII. Small Business Regulatory Enforcement Fairness Act
VIII. Statutory Authority
I. Introduction
A. Cybersecurity Risk Poses a Threat the U.S. Securities Markets
1. In General
Cybersecurity risk has been described as ``an effect of uncertainty
on or within information and technology.'' \1\ This risk can lead to
``the loss of confidentiality, integrity, or availability of
information, data, or information (or control) systems and [thereby to]
potential adverse impacts to organizational operations (i.e., mission,
functions, image, or reputation) and assets, individuals, other
organizations, and the Nation.'' \2\ The U.S. Financial Stability
Oversight Counsel (``FSOC'') in its 2021 annual report stated that a
destabilizing cybersecurity incident could potentially threaten the
stability of the U.S. financial system through at least three channels:
---------------------------------------------------------------------------
\1\ See the National Institute of Standards and Technology
(``NIST''), U.S. Department of Commerce, Computer Security Resource
Center Glossary, available at https://csrc.nist.gov/glossary (``NIST
Glossary'') (definition of ``cybersecurity risk''). The NIST
Glossary consists of terms and definitions extracted verbatim from
NIST's cybersecurity and privacy-related publications (i.e., Federal
Information Processing Standards (FIPS), NIST Special Publications
(SPs), and NIST Internal/Interagency Reports (IRs)) and from the
Committee on National Security Systems (CNSS) Instruction CNSSI-
4009. The NIST Glossary may be expanded to include relevant terms in
external or supplemental sources, such as applicable laws and
regulations. The Cybersecurity Enhancement Act of 2014 (``CEA'')
updated the role of NIST to include identifying and developing
cybersecurity risk frameworks for voluntary use by critical
infrastructure owners and operators. The CEA required NIST to
identify ``a prioritized, flexible, repeatable, performance based,
and cost-effective approach, including information security measures
and controls that may be voluntarily adopted by owners and operators
of critical infrastructure to help them identify, assess, and manage
cyber risks.'' See 15 U.S.C. 272(e)(1)(A)(iii). In response, NIST
has published the Framework for Improving Critical Infrastructure
Cybersecurity (``NIST Framework''). See also NIST, Integrating
Cybersecurity and Enterprise Risk Management (ERM) (Oct. 2020),
available at https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf (``All types of organizations, from corporations to
federal agencies, face a broad array of risks. For federal agencies,
the Office of Management and Budget (OMB) Circular A-11 defines risk
as `the effect of uncertainty on objectives'. The effect of
uncertainty on enterprise mission and business objectives may then
be considered an `enterprise risk' that must be similarly managed .
. . Cybersecurity risk is an important type of risk for any
enterprise.'') (footnotes omitted).
\2\ See NIST Glossary (definition of ``cybersecurity risk'').
See also The Board of the International Organization of Securities
Commissions (``IOSCO''), Cyber Security in Securities Markets--An
International Perspective (Apr. 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf (``IOSCO
Cybersecurity Report'') (``In essence, cyber risk refers to the
potential negative outcomes associated with cyber attacks. In turn,
cyber attacks can be defined as attempts to compromise the
confidentiality, integrity and availability of computer data or
systems.'') (footnote omitted).
---------------------------------------------------------------------------
First, the incident could disrupt a key financial service
or utility for which there is little or no substitute. This could
include attacks on central banks; exchanges; sovereign and subsovereign
creditors, including U.S. state and local governments; custodian banks;
payment clearing and settlement systems; or other firms or services
that lack substitutes or are sole service providers.
Second, the incident could compromise the integrity of
critical
[[Page 20214]]
data. Accurate and usable information is critical to the stable
functioning of financial firms and the system; if such data is
corrupted on a sufficiently large scale, it could disrupt the
functioning of the system. The loss of such data also has privacy
implications for consumers and could lead to identity theft and fraud,
which in turn could result in a loss of confidence.
Third, a cybersecurity incident that causes a loss of
confidence among a broad set of customers or market participants could
cause customers or participants to question the safety or liquidity of
their assets or transactions, and lead to significant withdrawal of
assets or activity.\3\
---------------------------------------------------------------------------
\3\ FSOC, Annual Report (2021), at 168, available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (``FSOC
2021 Annual Report'').
---------------------------------------------------------------------------
The U.S. securities markets are part of the Financial Services
Sector, one of the sixteen critical infrastructure sectors ``whose
assets, systems, and networks, whether physical or virtual, are
considered so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination
thereof.'' \4\ These markets are over $100 trillion in total size, and
more than a trillion dollars' worth of transactions flow through them
each day. For example, the market capitalization of the U.S. equities
market was valued at $49 trillion as of the first quarter of 2022,\5\
and as of May 2022, the average daily trading dollar volume in the U.S.
equities market was $659 billion.\6\ The market capitalization of the
U.S. fixed income market was valued at $52.9 trillion as of the fourth
quarter of 2021,\7\ and as of May 2022, the average daily trading
dollar volume in the U.S. fixed income market was $897.8 billion.\8\
---------------------------------------------------------------------------
\4\ Cybersecurity and Infrastructure Security Agency (``CISA''),
U.S. Department of Homeland Security, Critical Infrastructure
Sectors, available at https://www.cisa.gov/critical-infrastructure-sectors. See also Presidential Policy Directive--Critical
Infrastructure Security and Resilience, Presidential Policy
Directive, PPD-21 (Feb. 12 2013).
\5\ See Securities Industry and Financial Markets Association
(``SIFMA''), Research Quarterly: Equities (Apr. 27, 2022), available
at https://www.sifma.org/resources/research/research-quarterly-equities/.
\6\ See SIFMA, US Equity and Related Statistics (June 1, 2022),
available at https://www.sifma.org/resources/research/us-equity-and-related-securities-statistics/.
\7\ See SIFMA, Research Quarterly: Fixed Income--Outstanding
(Mar. 14, 2022), available at https://www.sifma.org/resources/research/research-quarterly-fixed-income-outstanding/.
\8\ See SIFMA, US Fixed Income Securities Statistics (June 9,
2022), available at https://www.sifma.org/resources/research/us-fixed-income-securities-statistics/.
---------------------------------------------------------------------------
The sizes of these markets are indicative of the central role they
play in the U.S. economy in terms of the flow of capital, including the
savings of individual investors who are increasingly relying on them
to, for example, build wealth to fund their retirement, purchase a
home, or pay for college for themselves or their family. Therefore, it
is critically important to the U.S. economy, investors, and capital
formation that the U.S. securities markets function in a fair, orderly,
and efficient manner.\9\
---------------------------------------------------------------------------
\9\ The Commission's tripartite mission is to: (1) protect
investors; (2) maintain, fair, orderly, and efficient markets; and
(3) facilitate capital formation. See, e.g., Commission, Our Goals,
available at https://www.sec.gov/our-goals.
---------------------------------------------------------------------------
The fair, orderly, and efficient operation of the U.S. securities
markets depends on different types of entities performing various
functions to support, among other things, disseminating market
information, underwriting securities issuances, making markets in
securities, trading securities, providing liquidity to the securities
markets, executing securities transactions, clearing and settling
securities transactions, financing securities transactions, recording
and transferring securities ownership, maintaining custody of
securities, paying dividends and interest on securities, repaying
principal on securities investments, supervising regulated market
participants, and monitoring market activities. Collectively, these
functions are performed by entities regulated by the Commission:
broker-dealers, broker-dealers that operate an alternative trading
system (``ATS''), clearing agencies, major security-based swap
participants (``MSBSPs''), the Municipal Securities Rulemaking Board
(``MSRB''), national securities associations, national securities
exchanges, security-based swap data repositories (``SBSDRs''),
security-based swap dealers (``SBSDs'' or collectively with MSBSPs,
``SBS Entities''), and transfer agents (collectively, ``Market
Entities'').\10\
---------------------------------------------------------------------------
\10\ Currently, there are no MSBSPs registered with the
Commission.
---------------------------------------------------------------------------
To perform their functions, Market Entities rely on an array of
electronic information, communication, and computer systems (or similar
systems) (``information systems'') and networks of interconnected
information systems. While Market Entities have long relied on
information systems to perform their various functions, the
acceleration of technical innovation in recent years has exponentially
expanded the role these systems play in the U.S. securities
markets.\11\ This expansion has been driven by the greater efficiencies
and lower costs that can be achieved through the use of information
systems.\12\ It also has been driven by newer entrants (financial
technology (Fintech) firms) that have developed business models that
rely heavily on information systems (e.g., applications on mobile
devices) to provide services to investors and other participants in the
securities markets and more established Market Entities adopting the
use of similar technologies.\13\ The COVID-19 pandemic also has
contributed to the greater reliance on information systems.\14\
---------------------------------------------------------------------------
\11\ See, e.g., Bank of International Settlements, Erik Feyen,
Jon Frost, Leonardo Gambacorta, Harish Natarajan, and Mathew Saal,
Fintech and the digital transformation of financial services:
implications for market structure and public policy, BIS Papers No.
117 (July 2021), available at https://www.bis.org/publ/bppdf/bispap117.pdf (``BIS Papers 117'') (``Significant technology
advances have taken place in two key areas that have contributed to
the current wave of technology-based finance:'' Increased
connectivity . . . [and] Low-cost computing and data storage . .
.'').
\12\ Id. (``Technology has reduced the costs of, and need for,
much of the traditional physical infrastructure that drove fixed
costs for the direct financial services provider . . . Financial
intermediaries can reduce marginal costs through technology-enabled
automation and `straight through' processing, which are accelerating
with the expanded use of data and [artificial intelligence]-based
processes. Digital innovation can also help to overcome spatial
(geographical) barriers, and even to bridge differences across legal
jurisdictions . . .''). See also United Nations, Office for Disaster
Risk Reduction, Constantine Toregas and Joost Santos, Cybersecurity
and its cascading effect on societal systems (2019), available at
https://www.undrr.org/publication/cybersecurity-and-its-cascading-effect-societal-systems (``Cybersecurity and its Cascading Effect on
Societal Systems'') (``Modern society has benefited from the
additional efficiency achieved by improving the coordination across
interdependent systems using information technology (IT) solutions.
IT systems have significantly contributed to enhancing the speed of
communication and reducing geographic barriers across consumers and
producers, leading to a more efficient and cost-effective exchange
of products and services across an economy.'').
\13\ BIS Papers 117 (``Internet and mobile technology have
rapidly increased the ability to transfer information and interact
remotely, both between businesses and directly to the consumer.
Through mobile and smartphones, which are near-ubiquitous,
technology has increased access to, and the efficiency of, direct
delivery channels and promises lower-cost, tailored financial
services . . . Incumbents large and small are embracing digital
transformation across the value chain to compete with fintechs and
big techs. Competitive pressure on traditional financial
institutions may force even those that are lagging to transform or
risk erosion of their customer base, income, and margins.'').
\14\ Id. (``The COVID-19 pandemic has accelerated the digital
transformation. In particular, the need for digital connectivity to
replace physical interactions between consumers and providers, and
in the processes that produce financial services, will be even more
important as economies, financial services providers, businesses and
individuals navigate the pandemic and the eventual post-COVID-19
world.''). See also McKinsey & Company, How Covid-19 has pushed
companies over the technology tipping point--and transformed
business forever (Oct. 5, 2020), available at https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever#/ (noting that due to
the COVID-19 pandemic, ``companies have accelerated the digitization
of their customer and supply-chain interactions and of their
internal operations by three to four years [and] the share of
digital or digitally enhanced products in their portfolios has
accelerated by a shocking seven years'').
---------------------------------------------------------------------------
[[Page 20215]]
This increased reliance on information systems by Market Entities
has caused a corresponding increase in their cybersecurity risk.\15\
This risk can be caused by the actions of external threat actors,
including organized or individual threat actors seeking financial gain,
nation states conducting espionage operations, or individuals engaging
in protest, acting on grudges or personal offenses, or seeking
thrills.\16\ Internal threat actors (e.g., disgruntled employees or
employees seeking financial gain) also can be sources of cybersecurity
risk.\17\ Threat actors may target Market Entities because they handle
financial assets or proprietary information about financial assets and
transactions.\18\ In addition to threat actors, errors of employees,
service providers, or business partners can create cybersecurity risk
(e.g., mistakenly exposing confidential or personal information by, for
example, sending it through an unencrypted email to unintended
recipients).\19\
---------------------------------------------------------------------------
\15\ See, e.g., Financial Services Information Sharing and
Analysis Center (``FS-ISAC''), Navigating Cyber 2022 (Mar. 2022),
available at: www.fsisac.com/navigatingcyber2022-report (detailing
cyber threats that emerged in 2021 and predictions for 2022); Danny
Brando, Antonis Kotidis, Anna Kovner, Michael Lee, and Stacey L.
Schreft, Implications of Cyber Risk for Financial Stability, FEDS
Notes, Washington: Board of Governors of the Federal Reserve System
(May 12, 2022), available at https://doi.org/10.17016/2380-7172.3077
(``Implications of Cyber Risk for Financial Stability'') (``Cyber
risk in the financial system has grown over time as the system has
become more digitized, as evidenced by the increase in cyber
incidents. That growth has brought to light unique features of cyber
risk and the potentially greater scope for cyber events to affect
financial stability.''); United States Government Accountability
Office (``GAO''), Critical Infrastructure Protection: Treasury Needs
to Improve Tracking of Financial Sector Cybersecurity Risk
Mitigation Efforts, GAO-20-631 (Sept. 2020), available at https://www.gao.gov/assets/gao-20-631.pdf (``GAO Cybersecurity Report'')
(``The federal government has long identified the financial services
sector as a critical component of the nation's infrastructure. The
sector includes commercial banks, securities brokers and dealers,
and providers of the key financial systems and services that support
these functions. Altogether, the sector holds about $108 trillion in
assets and faces a variety of cybersecurity-related risks. Key risks
include (1) an increase in access to financial data through
information technology service providers and supply chain partners;
(2) a growth in sophistication of malware--software meant to do
harm--and (3) an increase in interconnectivity via networks, the
cloud, and mobile applications.''); Cybersecurity and its Cascading
Effect on Societal Systems (``Nonetheless, IT dependence has also
exposed critical infrastructure and industry systems to a myriad of
cyber security risks, ranging from accidental causes, technological
glitches, to malevolent willful attacks.'').
\16\ See, e.g., Verizon, Data Breach Investigations Report
(2022) available at https://www.verizon.com/business/resources/Tba/reports/dbir/2022-data-breach-investigations-report-dbir.pdf
(``Verizon DBIR'') (finding that 73% of the data breaches analyzed
in the report were caused by external actors). The Verizon DBIR is
an annual report that analyzes cyber security incidents (defined as
a security event that compromises the integrity, confidentiality or
availability of an information asset) and breaches (defined as an
incident that results in the confirmed disclosure--not just
potential exposure--of data to an unauthorized party). To perform
the analysis, data about the cybersecurity incidents included in the
report are catalogued using the Vocabulary for Event Recording and
Incident Sharing (VERIS). VERIS is a set of metrics designed to
provide a common language for describing security incidents in a
structured and repeatable manner. More information about VERIS is
available at: http://veriscommunity.net/index.html. See also
Microsoft, Microsoft Digital Defense Report (Oct. 2021), available
at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi
(``Microsoft Report'') (``The last year has been marked by
significant historic geopolitical events and unforeseen challenges
that have changed the way organizations approach daily operations.
During this time, nation state actors have largely maintained their
operations at a consistent pace while creating new tactics and
techniques to evade detection and increase the scale of their
attacks'').
\17\ See, e.g., Verizon DBIR (finding that 18% of the data
breaches analyzed in the report were caused by internal actors). But
see id. (``Internal sources accounted for the fewest number of
incidents (18 percent), trailing those of external origin by a ratio
of four to one. The relative infrequency of data breaches attributed
to insiders may be surprising to some. It is widely believed and
commonly reported that insider incidents outnumber those caused by
other sources. While certainly true for the broad range of security
incidents, our caseload showed otherwise for incidents resulting in
data compromise. This finding, of course, should be considered in
light of the fact that insiders are adept at keeping their
activities secret.'').
\18\ See, e.g., GAO Cybersecurity Report (``The financial
services sector faces significant risks due to its reliance on
sophisticated technologies and information systems, as well as the
potential monetary gain and economic disruption that can occur by
attacking the sector''); IOSCO Cybersecurity Report (``[T]he
financial sector is one of the prime targets of cyber attacks. It is
easy to understand why: the sector is `where the money is' and it
can represent a nation or be a symbol of capitalism for some
politically motivated activists.'').
\19\ See Verizon DBIR (finding that error (defined as anything
done (or left undone) incorrectly or inadvertently) as one of action
types leading to cybersecurity incidents and breaches).
---------------------------------------------------------------------------
Another factor increasing the cybersecurity risk to Market Entities
is the growing sophistication of the tactics, techniques, and
procedures employed by threat actors.\20\ This trend is further
exacerbated by the ability of threat actors to purchase tools to engage
in cyber-crime.\21\ Threat actors employ a number of tactics to cause
harmful cybersecurity incidents.\22\ One tactic is the use of malicious
software (``malware'') that is uploaded into a computer system and used
by threat actors to compromise the confidentiality of information
stored or operations performed (e.g., monitoring key strokes) on the
system or the integrity or availability of the system (e.g., command
and control attacks where a threat actor is able to infiltrate a system
to install malware to enable it to remotely send commands to infected
devices).\23\ There are a number of different forms of malware,
including adware, botnets, rootkit, spyware, Trojans, viruses, and
worms.\24\
---------------------------------------------------------------------------
\20\ See, e.g., Bank of England, CBEST Intelligence-Led Testing:
Understanding Cyber Threat Intelligence Operations (Version 2.0),
available at https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf (``Bank of England CBEST
Report'') (``The threat actor community, once dominated by amateur
hackers, has expanded to include a broad range of professional
threat actors, all of whom are strongly motivated, organised and
funded. They include: state-sponsored organisations stealing
military, government and commercial intellectual property; organised
criminal gangs committing theft, fraud and money laundering which
they perceive as low risk and high return; non-profit hacktivists
and for-profit mercenary organisations attempting to disrupt or
destroy their own or their client's perceived enemies.''); Microsoft
Report (``Sophisticated cybercriminals are also still working for
governments conducting espionage and training in the new
battlefield'').
\21\ See, e.g., Microsoft Report (``Through our investigations
of online organized crime networks, frontline investigations of
customer attacks, security and attack research, nation state threat
tracking, and security tool development, we continue to see the
cybercrime supply chain consolidate and mature. It used to be that
cybercriminals had to develop all the technology for their attacks.
Today they rely on a mature supply chain, where specialists create
cybercrime kits and services that other actors buy and incorporate
into their campaigns. With the increased demand for these services,
an economy of specialized services has surfaced, and threat actors
are increasing automation to drive down their costs and increase
scale.'').
\22\ See, e.g., Financial Industry Regulatory Authority
(``FINRA''), Common Cybersecurity Threats, available at:
www.finra.org/rules-guidance/guidance/common-cybersecurity-threats
(``FINRA Common Cybersecurity Threats'') (summarizing common
cybersecurity threats faced by broker-dealers to include phishing,
imposter websites, malware, ransomware, distributed denial-of-
service attacks, and vendor breaches, among others).
\23\ See CISA, Malware Tip Card, available at https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf (``CISA
Malware Tip Card'') (``Malware, short for ``malicious software,''
includes any software (such as a virus, Trojan, or spyware) that is
installed on your computer or mobile device. The software is then
used, usually covertly, to compromise the integrity of your device.
Most commonly, malware is designed to give attackers access to your
infected computer. That access may allow others to monitor and
control your online activity or steal your personal information or
other sensitive data.'').
\24\ See, e.g., CISA Malware Tip Card (``Adware [is] a type of
software that downloads or displays unwanted ads when a user is
online or redirects search requests to certain advertising websites.
Botnets [are] networks of computers infected by malware and
controlled remotely by cybercriminals, usually for financial gain or
to launch attacks on websites or networks. Many botnets are designed
to harvest data, such as passwords, Social Security numbers, credit
card numbers, and other personal information . . . Rootkit [is] a
type of malware that opens a permanent ``back door'' into a computer
system. Once installed, a rootkit will allow additional viruses to
infect a computer as various hackers find the vulnerable computer
exposed and compromise it. Spyware [is] a type of malware that
quietly gathers a user's sensitive information (including browsing
and computing habits) and reports it to unauthorized third parties.
Trojan [is] a type of malware that disguises itself as a normal file
to trick a user into downloading it in order to gain unauthorized
access to a computer. Virus [is] a program that spreads by first
infecting files or the system areas of a computer or network
router's hard drive and then making copies of itself. Some viruses
are harmless, others may damage data files, and some may destroy
files entirely. Worm [is] a type of malware that replicates itself
over and over within a computer.'').
---------------------------------------------------------------------------
[[Page 20216]]
A second tactic is a variation of malware known as ``ransomware.''
\25\ In this scheme, the threat actor encrypts the victim's data making
it unusable and then demands payment to decrypt it.\26\ Ransomware
schemes have become more prevalent with the widespread adoption and use
of crypto assets.\27\ It is a common tactic used against the financial
sector.\28\ Commission staff has observed that this tactic has
increasingly been employed against certain Market Entities.\29\
---------------------------------------------------------------------------
\25\ See CISA, Ransomware 101, available at https://www.cisa.gov/stopransomware/ransomware-101 (``Ransomware is an ever-
evolving form of malware designed to encrypt files on a device,
rendering any files and the systems that rely on them unusable.
Malicious actors then demand ransom in exchange for decryption.
Ransomware actors often target and threaten to sell or leak
exfiltrated data or authentication information if the ransom is not
paid. In recent years, ransomware incidents have become increasingly
prevalent among the Nation's state, local, tribal, and territorial
(SLTT) government entities and critical infrastructure
organizations.'').
\26\ See, e.g., Federal Bureau of Investigation (``FBI''),
internet Crime Report (2021), available at https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (``FBI internet Crime
Report'') (``Ransomware is a type of malicious software, or malware,
that encrypts data on a computer, making it unusable. A malicious
cyber criminal holds the data hostage until the ransom is paid. If
the ransom is not paid, the victim's data remains unavailable. Cyber
criminals may also pressure victims to pay the ransom by threatening
to destroy the victim's data or to release it to the public.'').
\27\ See, e.g., Institute for Security and Technology, Combating
Ransomware: A Comprehensive Framework For Action: Key
Recommendations from the Ransomware Task Force (Apr. 2021),
available at https://securityandtechnology.org/ransomwaretaskforce/report (``The explosion of ransomware as a lucrative criminal
enterprise has been closely tied to the rise of Bitcoin and other
cryptocurrencies, which use distributed ledgers, such as blockchain,
to track transactions.'').
\28\ See, e.g., FBI internet Crime Report (stating that it
received 649 complaints that indicated organizations in the sixteen
U.S. critical infrastructure sectors were victims of a ransomware
attack, with the financial sector being the source of the second
largest number of complaints).
\29\ See, Office of Compliance, Inspections and Examinations
(now the Division of Examinations (``EXAMS'')), Commission, Risk
Alert, Cybersecurity: Ransomware Alert (July 10, 2020), available at
https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf (``EXAMS
Ransomware Risk Alert'') (observing an apparent increase in
sophistication of ransomware attacks on Commission registrants,
including broker-dealers). Any staff statements represent the views
of the staff. They are not a rule, regulation, or statement of the
Commission. Furthermore, the Commission has neither approved nor
disapproved their content. These staff statements, like all staff
statements, have no legal force or effect: they do not alter or
amend applicable law; and they create no new or additional
obligations for any person.
---------------------------------------------------------------------------
Another group of tactics are various social engineering schemes. In
a social engineering attack, the threat actor uses social skills to
convince an individual to provide access or information that can be
used to access an information system.\30\ ``Phishing'' is a variation
of a social engineering attack in which an email is used to convince an
individual to provide information (e.g., personal or account
information or log-in credentials) that can be used to gain
unauthorized access to an information system.\31\ Threat actors also
use websites to perform phishing attacks.\32\ ``Spear phishing'' is a
variation of phishing that targets a specific individual or group.\33\
``Vishing'' and ``smishing'' are variations of social engineering that
use phone communications or text messages, respectively, for this
purpose.\34\ These social engineering tactics also are used to deceive
the recipient of an electronic communication (e.g., an email or text
message) to open a link or attachment in the communication that uploads
malware on to the recipient's information systems.\35\
---------------------------------------------------------------------------
\30\ See, e.g., CISA, Security Tip (ST04-014)--Avoiding Social
Engineering and Phishing Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-014 (``CISA Security Tip (ST04-014)'').
\31\ See, e.g., CISA Security Tip (ST04-014); Microsoft Report
(``Phishing is the most common type of malicious email observed in
our threat signals. These emails are designed to trick an individual
into sharing sensitive information, such as usernames and passwords,
with an attacker. To do this, attackers will craft emails using a
variety of themes, such as productivity tools, password resets, or
other notifications with a sense of urgency to lure a user to click
on a link.'').
\32\ See, e.g., Microsoft Report (``The phishing web pages used
in these attacks may utilize malicious domains, such as those
purchased and operated by the attacker, or compromised domains,
where the attacker abuses a vulnerability in a legitimate website to
host malicious content. The phishing sites frequently copy well-
known, legitimate login pages, such as Office 365 or Google, to
trick users into inputting their credentials. Once the user inputs
their credentials, they will often be redirected to a legitimate
final site--such as the real Office 365 login page--leaving the user
unaware that actors have obtained their credentials. Meanwhile, the
entered credentials are stored or sent to the attacker for later
abuse or sale.'').
\33\ See, e.g., U.S. Office of the Director of National
Intelligence, Spear Phishing and Common Cyber Attacks, available at
https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf (``ODNI Spear Phishing
Alert'') (``A spear phishing attack is an attempt to acquire
sensitive information or access to a computer system by sending
counterfeit messages that appear to be legitimate. `Spear phishing'
is a type of phishing campaign that targets a specific person or
group and often will include information known to be of interest to
the target, such as current events or financial documents. Like
other social engineering attacks, spear phishing takes advantage of
our most basic human traits, such as a desire to be helpful, provide
a positive response to those in authority, a desire to respond
positively to someone who shares similar tastes or views, or simple
curiosity about contemporary news and events.'').
\34\ See, e.g., CISA Security Tip (ST04-014).
\35\ See, e.g., ODNI Spear Phishing Alert (``The goal of spear
phishing is to acquire sensitive information such as usernames,
passwords, and other personal information. When a link in a phishing
email is opened, it may open a malicious site, which could download
unwanted information onto a user's computer. When the user opens an
attachment, malicious software may run which could compromise the
security posture of the host. Once a connection is established, the
attacker is able to initiate actions that could compromise the
integrity of your computer, the network it resides on, and data.'').
---------------------------------------------------------------------------
In addition to malware and social engineering, threat actors may
try to circumvent or thwart the information system's logical security
mechanisms (i.e., to ``hack'' the system).\36\ There are many
variations of hacking.\37\ One tactic is a ``brute force'' attack in
which the threat actor attempts to determine an unknown value (e.g.,
log-in credentials) using an automated process that tries a large
number of possible values.\38\ The Commission staff has observed that a
variation of this tactic has increasingly been employed by threat
actors against certain Market Entities to access their customers'
accounts.\39\ The ability of
[[Page 20217]]
threat actors to hack into information systems can be facilitated by
vulnerabilities in information systems, including for example the
software run on the systems.\40\
---------------------------------------------------------------------------
\36\ See Verizon DBIR (definition of ``hacking''); see also NIST
Glossary (defining a ``hacker'' as an ``unauthorized user who
attempts to or gains access to an information system'').
\37\ See, e.g., Web Application Security Consortium, WASC Threat
Classification: Version 2.00 (1/1/2010), available at https://projects.webappsec.org/f/WASC-TC-v2_0.pdf (``WASC Classification
Report'').
\38\ See, e.g., WASC Classification Report (``The most common
type of a brute force attack in web applications is an attack
against log-in credentials. Since users need to remember passwords,
they often select easy to memorize words or phrases as passwords,
making a brute force attack using a dictionary useful. Such an
attack attempting to log-in to a system using a large list of words
and phrases as potential passwords is often called a `word list
attack' or a `dictionary attack.' '').
\39\ See EXAMS, Commission, Risk Alert, Cybersecurity:
Safeguarding Client Accounts against Credential Compromise (Sept.
15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf (``EXAMS Safeguarding Client Accounts
Risk Alert'') (``The Office of Compliance Inspections and
Examinations (`OCIE') has observed in recent examinations an
increase in the number of cyber-attacks against SEC-registered
investment advisers (`advisers') and brokers and dealers (`broker-
dealers,' and together with advisers, `registrants' or `firms')
using credential stuffing. Credential stuffing is an automated
attack on web-based user accounts as well as direct network login
account credentials. Cyber attackers obtain lists of usernames,
email addresses, and corresponding passwords from the dark web and
then use automated scripts to try the compromised user names and
passwords on other websites, such as a registrant's website, in an
attempt to log in and gain unauthorized access to customer
accounts.'').
\40\ See, e.g., CISA, Alert (AA22-117A): 2021 Top Routinely
Exploited Vulnerabilities, available at https://www.cisa.gov/uscert/ncas/alerts/aa22-117a (``CISA 2021 Vulnerability Report'')
(``Globally, in 2021, malicious cyber actors targeted internet-
facing systems, such as email servers and virtual private network
(VPN) servers, with exploits of newly disclosed vulnerabilities. For
most of the top exploited vulnerabilities, researchers or other
actors released proof of concept (POC) code within two weeks of the
vulnerability's disclosure, likely facilitating exploitation by a
broader range of malicious actors. To a lesser extent, malicious
cyber actors continued to exploit publicly known, dated software
vulnerabilities--some of which were also routinely exploited in 2020
or earlier. The exploitation of older vulnerabilities demonstrates
the continued risk to organizations that fail to patch software in a
timely manner or are using software that is no longer supported by a
vendor.''). To address this risk, CISA maintains a Known Exploited
Vulnerability (KEV) catalogue that identifies known vulnerabilities.
See, e.g., CISA, Reducing The Significant Risk of Known Exploited
Vulnerabilities, available at https://www.cisa.gov/known-exploited-vulnerabilities (``CISA strongly recommends all organizations review
and monitor the KEV catalog and prioritize remediation of the listed
vulnerabilities to reduce the likelihood of compromise by known
threat actors.'').
---------------------------------------------------------------------------
Threat actors also cause harmful cybersecurity incidents through
denial-of-service (``DoS'') attacks.\41\ This type of attack may
involve botnets or compromised servers sending ``junk'' data or
messages to an information system that a Market Entity uses to provide
services to investors, market participants, or other Market Entities
causing the system to fail or be unable to process operations in a
timely manner. DoS attacks are a commonly used tactic.\42\
---------------------------------------------------------------------------
\41\ See CISA, Security Tip (ST04-015)--Understanding Denial-of-
Service Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-015 (``A denial-of-service (DoS) attack occurs when legitimate
users are unable to access information systems, devices, or other
network resources due to the actions of a malicious threat actor.
Services affected may include email, websites, online accounts
(e.g., banking), or other services that rely on the affected
computer or network. A denial-of-service condition is accomplished
by flooding the targeted host or network with traffic until the
target cannot respond or simply crashes, preventing access for
legitimate users. DoS attacks can cost an organization both time and
money while their resources and services are inaccessible.'').
\42\ See Verizon DBIR (finding that DoS attacks represented 46%
of the total cybersecurity incidents analyzed).
---------------------------------------------------------------------------
The tactics, techniques, and procedures employed by threat actors
can impact the information systems a Market Entity operates directly
(e.g., a web application or email system).\43\ They also can adversely
impact the Market Entity and its information systems through its
connection to information systems operated by third-parties such as
service providers (e.g., cloud service providers), business partners,
customers, counterparties, members, registrants, or users.\44\ Further,
the tactics, techniques, and procedures employed by threat actors can
adversely impact the Market Entity and its information systems through
its connection to information systems operated by utilities or central
platforms to which the Market Entity is connected (e.g., a securities
exchange, securities trading platform, securities clearing agency, or a
payment processor).\45\
---------------------------------------------------------------------------
\43\ See, e.g., Verizon DBIR (finding that the top assets
breached in cyber security incidents are servers hosting web
applications and emails, and stating that because they are
``internet-facing'' they ``provide a useful venue for attackers to
slip through the organization's `perimeter' '').
\44\ See, e.g., Ponemon Institute LLC, The Cost of Third-Party
Cybersecurity Risk Management (Mar. 2019), available at https://info.cybergrx.com/ponemon-report (``Third-party breaches remain a
dominant security challenge for organizations, with over 63% of
breaches linked to a third party.'').
\45\ See, e.g., Financial Markets Authority, New Zealand, Market
Operator Obligations Targeted Review--NZX (January 2021), available
at https://www.fma.govt.nz/assets/Reports/Market-Operator-Obligations-Targeted-Review-NZX.pdf (``New Zealand FMA Report'')
(describing an August 2020 cybersecurity incident at New Zealand's
only regulated financial product market that caused a trading halt
of approximately four days).
---------------------------------------------------------------------------
If cybersecurity risk materializes into a significant cybersecurity
incident, a Market Entity may lose its ability to perform a key
function causing harm to the Market Entity, investors, or other market
participants. Moreover, given the interconnectedness of Market
Entities' information systems, a significant cybersecurity incident at
one Market Entity has the potential to spread to other Market Entities
in a cascading process that could cause widespread disruptions
threatening the fair, orderly, and efficient operation of the U.S.
securities markets.\46\ Further, the disruption of a Market Entity that
provides critical services to other Market Entities through connected
information systems could cause cascading disruptions to those other
Market Entities to the extent they cannot obtain those critical
services from another source.\47\
---------------------------------------------------------------------------
\46\ See, e.g., Implications of Cyber Risk for Financial
Stability (``Cyber shocks can lead to losses hitting many firms at
the same time because of correlated risk exposures (sometimes called
the popcorn effect), such as when firms load the same malware-
infected third-party software update.''); The Bank for International
Settlements, Committee on Payments and Market Infrastructures
(``CPMI'') and IOSCO, Guidance on cyber resilience for financial
market infrastructures (June 2016), available at https://www.bis.org/cpmi/publ/d146.pdf (``[T]here is a broad range of entry
points through which a [financial market intermediary (``FMI'')]
could be compromised. As a result of their interconnectedness, cyber
attacks could come through an FMI's participants, linked FMIs,
service providers, vendors and vendor products . . . . Because an
FMI's systems and processes are often interconnected with the
systems and processes of other entities within its ecosystem, in the
event of a large-scale cyber incident it is possible for an FMI to
pose contagion risk (i.e., propagation of malware or corrupted data)
to, or be exposed to contagion risk from, its ecosystem.'').
\47\ See, e.g., Implications of Cyber Risk for Financial
Stability (``And the interconnectedness of the financial system
means that an event at one or more firms may spread to others (the
domino effect). For example, a cyber event at a single bank can
disrupt the bank's ability to send payments and have cascading
effects on other banks' liquidity and operations.'').
---------------------------------------------------------------------------
A significant cybersecurity incident also can result in
unauthorized access to and use of personal, confidential, or
proprietary information.\48\ In the case of personal information, this
can cause harm to investors and others whose personal information was
accessed or used (e.g., identity theft).\49\ This could lead to theft
of investor assets. In the case of confidential or proprietary
information, this can cause harm to the business of the person whose
proprietary information was accessed or used (e.g., public exposure of
trading positions or business strategies) or provide the unauthorized
user with an unfair advantage over other market participants (e.g.,
trading based on confidential business information). Unauthorized
access to proprietary information also can lead to theft of a Market
Entity's valuable intellectual property.
---------------------------------------------------------------------------
\48\ See, e.g., Bank of England CBEST Report (``One class of
targeted attack is Computer Network Exploitation (CNE) where the
goal is to steal (or exfiltrate) confidential information from the
target. This is effectively espionage in cyberspace or, in
information security terms, compromising confidentiality.'').
\49\ The NIST Glossary defines ``identity fraud or theft'' as
``all types of crime in which someone wrongfully obtains and uses
another person's personal data in some way that involves fraud or
deception, typically for economic gain.''
---------------------------------------------------------------------------
Cybersecurity incidents affecting Market Entities can cause
substantial harm to other market participants, including investors. For
example, significant cybersecurity incidents caused by malware can
cause the loss of the Market Entity's data, or the data of other market
participants.\50\ These
[[Page 20218]]
incidents also can lead to business disruptions that are not just
costly to the Market Entity but also the other market participants that
rely on the Market Entity's services.
---------------------------------------------------------------------------
\50\ CISA, Cyber Essentials Starter Kit--The Basics for Building
a Culture of Cyber Readiness (Spring 2021), available at https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf (``CISA
Cyber Essentials Starter Kit'') (``Malware is designed to spread
quickly. A lack of defense against it can completely corrupt,
destroy or render your data inaccessible.'').
---------------------------------------------------------------------------
A Market Entity also may incur substantial remediation costs due to
a significant cybersecurity incident.\51\ For example, the incident may
result in reimbursement to other market participants for cybersecurity-
related losses and payment for their use of identity protection
services. A Market Entity's failure to protect itself adequately
against a significant cybersecurity incident also may increase its
insurance premiums. In addition, a significant cybersecurity incident
may expose a Market Entity to litigation costs (e.g., to defend
lawsuits brought by individuals whose personal information was stolen),
regulatory scrutiny, reputational damage, and, if a result of a
compliance failure, penalties. Finally, a sufficiently severe
significant cybersecurity incident could cause the failure of a Market
Entity. Given the interconnectedness of Market Entities, a significant
cybersecurity incident that degrades or disrupts the critical functions
of one Market Entity could cause harm to other Market Entities (e.g.,
by cutting off their access to a critical service such as securities
clearance or by exposing them to the same malware that degraded or
disrupted the critical functions of the first Market Entity). This
could lead to market-wide outages that compromise the fair, orderly,
and efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------
\51\ See, e.g., IBM Security, Cost of Data Breach Report 2022,
available at https://www.ibm.com/security/data-breach (noting the
average cost of a data breach in the financial industry is $5.97
million); FBI internet Crime Report (noting that cybercrime victims
lost approximately $6.9 billion in 2021).
---------------------------------------------------------------------------
For these reasons, the Commission is proposing new rule
requirements that are designed to protect the U.S. securities markets
and investors in these markets from the threat posed by cybersecurity
risks.\52\
---------------------------------------------------------------------------
\52\ The Commission has pending proposals to address
cybersecurity risk with respect to investment advisers, investment
companies, and public companies. See Cybersecurity Risk Management
for Investment Advisers, Registered Investment Companies, and
Business Development Companies, Release Nos. 33-11028, 34-94917, IA-
5956, IC-34497 (Feb. 9, 2022) [87 FR 13524, (Mar. 9, 2022)]
(``Investment Management Cybersecurity Release''); Cybersecurity
Risk Management, Strategy, Governance, and Incident Disclosure,
Release Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022) [87 FR
16590 (Mar. 23, 2022)]. In addition, as discussed in more detail
below in section II.F. of this release, the Commission is proposing
to amend Regulation SCI (17 CFR 242.1000 through 1007) and
Regulation S-P (17 CFR 248.1 through 248.30) concurrent with this
release. See Regulation Systems Compliance and Integrity, Release
No. 34-97143 (Mar. 15, 2023) (File No. S7-07-23) (``Regulation SCI
2023 Proposing Release''); Regulation S-P: Privacy of Consumer
Financial Information and Safeguarding Customer Information, Release
Nos. 34-97141, IA-6262, IC-34854 (Mar. 15, 2023) (File No. S7-05-23)
(``Regulation S-P 2023 Proposing Release''). The Commission
encourages commenters to review the proposals with respect to
Regulation SCI and Regulation S-P to determine whether they might
affect their comments on this proposing release. See also section
II.F. of this release (seeking specific comment on how the proposals
in this release would interact with Regulation SCI and Regulation S-
P as they currently exist and would be amended). Further, the
Commission has reopened the comment period for the Investment
Management Cybersecurity Release to allow interested persons
additional time to analyze the issues and prepare their comments in
light of other regulatory developments, including the proposed rules
and amendments regarding this proposal, the Regulation SCI 2023
Proposing Release and the Regulation S-P 2023 Proposing Release that
the Commission should consider in connection with the Investment
Management Cybersecurity Release. See Cybersecurity Risk Management
for Investment Advisers, Registered Investment Companies, and
Business Development Companies; Reopening of Comment Period, Release
Nos. 33-11167, 34-97144, IA-6263, IC-34855 (Mar. 15, 2023), [88 FR
16921 (Mar. 31, 2023)]. The Commission encourages commenters to
review the Investment Management Cybersecurity Release and the
comments on that proposal to determine whether they might affect
their comments on this proposing release. The comments on the
Investment Management Cybersecurity Release are available at:
https://www.sec.gov/comments/s7-04-22/s70422.htm. Lastly, the
Commission also proposed rules and amendments regarding an
investment adviser's obligations with respect to outsourcing certain
categories of ``covered functions,'' including cybersecurity. See
Outsourcing by Investment Advisers, Release No. IA-6176 (Oct. 26,
2022), [87 FR 68816 (Nov. 16, 2022)]. The Commission encourages
commenters to review that proposal to determine whether it might
affect comments on this proposing release.
---------------------------------------------------------------------------
2. Critical Operations of Market Entities Are Exposed to Cybersecurity
Risk
The fair, orderly, and efficient operation of the U.S. securities
markets depends on Market Entities performing various functions without
disruption. Market Entities rely on information systems and networks of
interconnected information systems to perform their functions. This
exposes them to the harms that can be caused by threat actors using the
tactics, techniques, and procedures discussed above (among others) and
by errors of employees or third-party service providers (among others).
The GAO has stated that the primary cybersecurity risks identified by
financial sector firms are: (1) internal actors; \53\ (2) malware; \54\
(3) social engineering; \55\ and (4) interconnectivity.\56\ As
discussed below, a significant cybersecurity incident can cause serious
harm to Market Entities and others who use their services or are
connected to them through information systems and, if severe enough,
negatively impact the fair, orderly, and efficient operations of the
U.S. securities markets.
---------------------------------------------------------------------------
\53\ See GAO Cybersecurity Report (``Risks due to insider
threats involve careless, poorly trained, or disgruntled employees
or contractors hired by an organization who may intentionally or
inadvertently introduce vulnerabilities or malware into information
systems. Insiders may not need a great deal of knowledge about
computer intrusions because their knowledge of a target system often
allows them to gain unrestricted access to cause damage to the
system or to steal system data. Results of insider threats can
include data destruction and account compromise.'').
\54\ Id. (``The risk of malware exploits impacting the
[financial] sector has increased as malware exploits have grown in
sophistication'').
\55\ Id. (``The financial services sector is at risk due to
social engineering attacks, which include a broad range of malicious
activities accomplished through human interaction that enable
attackers to gain access to sensitive data by convincing a
legitimate, authorized user to give them their credentials and/or
other personal information'').
\56\ Id. (``Interconnectivity involves interdependencies
throughout the financial services sector and the sharing of data and
information via networks, the cloud, and mobile applications.
Organizations in the financial services sector utilize data
aggregation hubs and cloud service providers, and new financial
technologies such as algorithms based on consumers' data and risk
preferences to provide digital services for investment and financial
advice.'').
---------------------------------------------------------------------------
a. Common Uses of Information Systems by Market Entities
Market Entities need accurate and accessible books and records,
among other things, to manage and conduct their operations, manage and
mitigate their risks, monitor the progress of their business, track
their financial condition, prepare financial statements, prepare
regulatory filings, and prepare tax returns. Increasingly, these
records are made and preserved on information systems.\57\ These
recordkeeping information systems also store personal, confidential,
and proprietary business information about the Market Entity and its
customers, counterparties, members, registrants, or users.
---------------------------------------------------------------------------
\57\ Some Market Entities may store certain or all of their
records in paper format. This discussion pertains to recordkeeping
systems that store records electronically on information systems.
---------------------------------------------------------------------------
The complexity and scope of these books and records systems ranges
from ones used by large Market Entities that comprise networks of
systems that track thousands of different types of daily transactions
(e.g., securities trades and movements of assets) to ones used by small
Market Entities comprising off-
[[Page 20219]]
the-shelf accounting software and computer files on a desktop computer.
In either case, the impact on the confidentiality, integrity, or
availability of the information system being compromised as a
consequence of a significant cybersecurity incident can be devastating
to the Market Entity and its customers, counterparties, members,
registrants or users. For example, it could cause the Market Entity to
cease operations or allow threat actors to use personal information
about the customers of the Market Entity to steal their identities.
Market Entities also use information systems so that their
employees can communicate with each other and with external persons.
These include email, text messaging, and virtual meeting applications.
The failure of these information systems as a result of a significant
cybersecurity incident can seriously disrupt the Market Entity's
ability to carry out its functions. Moreover, these outward facing
information systems are vectors that threat actors use to cause harmful
cybersecurity incidents by, for example, tricking an employee through
social engineering into downloading malware in an attachment to an
email.
b. Broker-Dealers
Broker-dealers perform a number of functions in the U.S. securities
markets, including underwriting the issuance of securities for publicly
and privately held companies, making markets in securities, brokering
securities transactions, dealing securities, operating an ATS,
executing securities transactions, clearing and settling securities
transactions, and maintaining custody of securities for investors. Some
broker-dealers may perform multiple functions; whereas others may
perform a single function. Increasingly, these functions are performed
through the use of information systems. For example, broker-dealers use
information systems to connect to securities exchanges, ATSs, and other
securities markets in order to transmit purchase and sell orders.
Broker-dealers also use information systems to connect to clearing
agencies or clearing broker-dealers to transmit securities settlement
instructions and transfer funds. They use information systems to
communicate and transact with other broker-dealers. In addition, they
use information systems to provide securities services to investors,
including information systems that investors use to access their
securities accounts and transmit orders to purchase or sell securities.
Depending on the functions undertaken by a broker-dealer, a
significant cybersecurity incident could affect customers, including
retail investors. For example, a significant cybersecurity incident
could result in the broker-dealer experiencing a systems outage, which
in turn could leave customers unable to purchase or sell securities
held in their account and the broker-dealer unable to trade for itself.
In addition, broker-dealers maintain records and information related to
their customers that include personal information, such as names,
addresses, phone numbers, employer information, tax identification
information, bank information, and other detailed and individualized
information related to broker-dealer obligations under applicable
statutory and regulatory provisions.\58\ If personal information held
by a broker-dealer is accessed or stolen by unauthorized users, it
could result in harm (e.g., identity theft or conversion of financial
assets) to many individuals, including retail investors.
---------------------------------------------------------------------------
\58\ See, e.g., 17 CFR 240.17a-3(a)(17) (requiring broker-
dealers to make account records of the customer's or owner's name,
tax identification number, address, telephone number, date of birth,
employment status, annual income, net worth, and the account's
investment objectives). Broker-dealers also must comply with
relevant anti-money laundering (AML) laws, rules, orders, and
guidance. See, e.g., Commission, Anti-Money Laundering (AML) Source
Tool for Broker-Dealers, (May 16, 2022), available at https://www.sec.gov/about/offices/ocie/amlsourcetool.
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at a broker-dealer
could provide a gateway for threat actors to attack the self-regulatory
organizations (``SROs'')--such as national securities exchanges and
registered clearing agencies--ATSs, and other broker-dealers to which
the firm is connected through information systems and networks of
interconnected information systems.\59\ This could cause a cascading
effect where a significant cybersecurity incident initially impacting
one broker-dealer spreads to other Market Entities. Moreover, the
information systems that link a broker-dealer to other Market Entities,
its customers, and other service providers are vectors that expose the
broker-dealer to cybersecurity risk arising from threats that originate
in information systems outside the broker-dealer's control.
---------------------------------------------------------------------------
\59\ Section 3(a)(26) of the Exchange Act defines a self-
regulatory organization as any national securities exchange,
registered securities association, registered clearing agency, or
(with limitations) the MSRB. See 15 U.S.C. 78c(a)(26).
---------------------------------------------------------------------------
In addition, some broker-dealers operate ATSs. An ATS is a trading
system for securities that meets the definition of ``exchange'' under
federal securities laws but is not required to register with the
Commission as a national securities exchange if it complies with the
conditions to an exemption provided under Regulation ATS, which
includes registering as a broker-dealer.\60\ Registering as a broker-
dealer requires becoming a member of an SRO, such as FINRA, and
membership in FINRA subjects an ATS to FINRA's rules and oversight.
Since Regulation ATS was adopted in 1998, ATSs' operations have
increasingly relied on complex automated systems to bring together
buyers and sellers for various securities, which include--for example--
electronic limit order books and auction mechanisms. These developments
have made ATSs significant sources of orders and trading interest for
securities. ATSs employ information systems to accept, store, and match
orders pursuant to pre-programmed methods and to communicate the
execution of these orders for trade reporting purposes and for
clearance and settlement of the transactions. ATSs, in particular ATSs
that are ``NMS Stock ATSs,'' \61\ use information systems to connect to
various trading centers in order to receive market data that ATSs use
to price and execute orders that are entered on the ATS. A significant
cyber security incident could disrupt the ATS's critical infrastructure
and significantly impede the ability of the ATS to (among other
things): (1) receive market data; (2) accept, price, and match orders;
or (3) report transactions. This, in turn, could negatively impact the
ability of ATS subscribers to trade and execute the orders of their
investors or purchase certain securities at favorable or predictable
prices or in a timely manner to the extent the ATS provides
[[Page 20220]]
liquidity to the market for those securities.
---------------------------------------------------------------------------
\60\ 17 CFR 242.300 through 242.304. Exchange Act Rule 3a1-
1(a)(2) exempts from the definition of ``exchange'' under Section
3(a)(1) of the Exchange Act an organization, association, or group
of persons that complies with Regulation ATS. See 17 CFR 240.3a1-
1(a)(2). Regulation ATS requires an ATS to, among other things,
register as a broker-dealer, file a Form ATS with the Commission to
notice its operations, and establish written safeguards and
procedures to protect subscribers' confidential trading information.
See 17 CFR 242.301(b)(1), (2), and (10), respectively. The broker-
dealer operator of the ATS controls all aspects of the ATS's
operations and is legally responsible for its operations and for
ensuring that the ATS complies with applicable federal securities
laws and the rules and regulations thereunder, including Regulation
ATS. See Regulation of NMS Stock Alternative Trading Systems,
Exchange Act Release No. 83663 (July 18, 2018) [83 FR 38768, 38819-
20 (Aug. 7, 2018)] (``Regulation of NMS Stock Alternative Trading
Systems Release'').
\61\ See 17 CFR 242.300(k) (defining the term ``NMS Stock
ATS'').
---------------------------------------------------------------------------
c. Clearing Agencies
Clearing agencies are broadly defined in the Exchange Act and
undertake a variety of functions.\62\ An entity that meets the
definition of a ``clearing agency'' is required to register with the
Commission or obtain from the Commission an exemption from registration
prior to performing the functions of a clearing agency.\63\
---------------------------------------------------------------------------
\62\ See 15 U.S.C. 78c(a)(23)(A).
\63\ See 15 U.S.C. 78q-1(b); 17 CFR 240.17Ab2-1.
---------------------------------------------------------------------------
Two common functions of registered clearing agencies are operating
as a central counterparty (``CCP'') or a central securities depository
(``CSD''). Registered clearing agencies that provide these services are
``covered clearing agencies'' under Commission regulations.\64\ A CCP
acts as the buyer to every seller and the seller to every buyer,
providing a trade guaranty with respect to transactions submitted for
clearing by the clearing agency's participants.\65\ A CSD acts as a
depository for handling securities, whereby all securities of a
particular class or series of any issuer deposited within the system
are treated as fungible. Market Entities may use a CSD to transfer,
loan, or pledge securities by bookkeeping entry without the physical
delivery of certificates. A CSD also may permit or facilitate the
settlement of securities transactions more generally.\66\ Currently,
all clearing agencies registered with the Commission that are actively
providing clearance and settlement services are covered clearing
agencies.\67\
---------------------------------------------------------------------------
\64\ See 17 CFR 240.17Ad-22. See also Standards for Covered
Clearing Agencies, Exchange Act Release No. 78961 (Sept. 28, 2016)
[81 FR 70786, 70793 (Oct. 13, 2016)] (``CCA Standards Adopting
Release''). As discussed below, some clearing agencies operate
pursuant to Commission exemptions from registration.
\65\ See 17 CFR 240.17Ad-22 (``Rule 17Ad-22''); Definition of
``Covered Clearing Agency'', Exchange Act Release No. 88616 (Apr. 9,
2020) [85 FR 28853, 28855-56 (May 14, 2020)] (``CCA Definition
Adopting Release'').
\66\ See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad-22; CCA
Definition Adopting Release, 81 FR at 28856.
\67\ The active covered clearing agencies are: (1) The
Depository Trust Company (``DTC''); (2) Fixed Income Clearing
Corporation (``FICC''); (3) National Securities Clearing Corporation
(``NSCC''); (4) Intercontinental Exchange, Inc. (``ICE'') Clear
Credit LLC (``ICC''); (5) ICE Clear Europe Limited (``ICEEU''); (6)
The Options Clearing Corporation (``Options Clearing Corp.''); and
(7) LCH SA. Certain clearing agencies are registered with the
Commission but are not covered clearing agencies. See CCA Standards
Adopting Release, 81 FR at 70793. In particular, although subject to
paragraph (d) of Rule 17Ad-22, the Boston Stock Exchange Clearing
Corporation (``BSECC'') and Stock Clearing Corporation of
Philadelphia (``SCCP'') are currently registered with the Commission
as clearing agencies but conduct no clearance or settlement
operations. See Self-Regulatory Organizations; The Boston Stock
Clearing Corporation; Notice of Filing and Immediate Effectiveness
of Proposed Rule Change To Amend the Articles of Organization and
By-Laws, Exchange Act Release No. 63629 (Jan. 3, 2011) [76 FR 1473,
1474 (Jan. 10, 2011)] (``BSECC Notice''); Self-Regulatory
Organizations; Stock Clearing Corporation of Philadelphia; Notice of
Filing and Immediate Effectiveness of Proposed Rule Change Relating
to the Suspension of Certain Provisions Due to Inactivity, Exchange
Act Release No. 63268 (Nov. 8, 2010) [75 FR 69730, 69731 (Nov. 15,
2010)] (``SCCP Notice'').
---------------------------------------------------------------------------
Registered clearing agencies also are SROs under section 19 of the
Exchange Act, and their proposed rules are subject to Commission review
and published for notice and comment. While certain types of proposed
rules are effective upon filing, others are subject to Commission
approval before they can go into effect.
Additionally, section 17A(b)(1) of the Exchange Act provides the
Commission with authority to exempt a clearing agency or any class of
clearing agencies (``exempt clearing agencies'') from any provision of
section 17A or the rules or regulations thereunder.\68\ An exemption
may be effected by rule or order, upon the Commission's own motion or
upon application, and conditionally or unconditionally.\69\ The
Commission has provided exemptions from registration as a clearing
agency for clearing agencies that provide matching services.\70\
Matching services centrally match trade information between a broker-
dealer and its institutional customer. The Commission also has provided
exemptions for non-U.S. clearing agencies to perform the functions of a
clearing agency with respect to transactions of U.S. participants
involving U.S. government and agency securities.\71\
---------------------------------------------------------------------------
\68\ 15 U.S.C. 78q-1(b)(1). See also 15 U.S.C. 78mm (providing
the Commission with general exemptive authority).
\69\ See 15 U.S.C. 78q-1(b)(1). The Commission's exercise of
authority to grant exemptive relief must be consistent with the
public interest, the protection of investors, and the purposes of
Section 17A of the Exchange Act, including the prompt and accurate
clearance and settlement of securities transactions and the
safeguarding of securities and funds.
\70\ See Global Joint Venture Matching Services--US, LLC; Order
Granting Exemption from Registration as a Clearing Agency, Exchange
Act Release No. 44188 (Apr. 17, 2001) [66 FR 20494 (Apr. 23, 2001)]
(granting an exemption to provide matching services to Global Joint
Venture Matching Services US LLC, now known as DTCC ITP Matching
U.S. LLC) (``DTCC ITP Matching Order''); Bloomberg STP LLC; SS&C
Technologies, Inc.; Order of the Commission Approving Applications
for an Exemption From Registration as a Clearing Agency, Exchange
Act Release No. 76514 (Nov. 25, 2015) [80 FR 75388 (Dec. 1, 2015)]
(granting an exemption to provide matching services to each of
Bloomberg STP LLC and SS&C Technologies, Inc.) (``BSTP SS&C
Order''). In addition, on July 1, 2011, the Commission published a
conditional, temporary exemption from clearing agency registration
for entities that perform certain post-trade processing services for
security-based swap transactions. See Order Pursuant to Section 36
of the Securities Exchange Act of 1934 Granting Temporary Exemptions
From Clearing Agency Registration Requirements Under Section 17A(b)
of the Exchange Act for Entities Providing Certain Clearing Services
for Security-Based Swaps, Exchange Act Release No. 34-64796 (July 1,
2011) [76 FR 39963 (July 7, 2011)]. The order facilitated the
Commission's identification of entities that operate in that area
and that accordingly may fall within the clearing agency definition.
Recently, the Commission indicated that the 2011 Temporary Exemption
may no longer be necessary. See Rules Relating to Security-Based
Swap Execution and Registration and Regulation of Security-Based
Swap Execution Facilities, Release No. 34-94615 (Apr. 6, 2022) [87
FR 28872, 28934 (May 11, 2022)] (stating that the ``Commission
preliminarily believes that, if it adopts a framework for the
registration of [security-based swap execution facilities
(``SBSEFs'')], the 2011 Temporary Exemption would no longer be
necessary because entities carrying out the functions of SBSEFs
would be able to register with the Commission as such, thereby
falling within the exemption from the definition of `clearing
agency' in existing Rule 17Ad-24.'').
\71\ See Euroclear Bank SA/NV; Order of the Commission Approving
an Application To Modify an Existing Exemption From Clearing Agency
Registration, Exchange Act Release No. 79577 (Dec. 16, 2016) [81 FR
93994 (Dec. 22, 2016)] (providing an exemption to Euroclear Bank SA/
NV (successor in name to Morgan Guaranty Trust Company of NY))
(``Euroclear Bank Order''); Self-Regulatory Organizations; Cedel
Bank; Order Approving Application for Exemption From Registration as
a Clearing Agency, Exchange Act Release No. Release No. 38328 (Feb.
24, 1997) [62 FR 9225 (Feb. 28, 1997)] (providing an exemption to
Clearstream Banking, S.A. (successor in name to Cedel Bank, societe
anonyme, Luxembourg)) (``Clearstream Banking Order''). Furthermore,
pursuant to the Commission's statement on CCPs in the European Union
(``EU'') authorized under the European Markets Infrastructure
Regulation (``EMIR''), an EU CCP may request an exemption from the
Commission where it has determined that the application of
Commission requirements would impose unnecessary, duplicative, or
inconsistent requirements in light of EMIR requirements to which it
is subject. See Statement on Central Counterparties Authorized under
the European Markets Infrastructure Regulation Seeking to Register
as a Clearing Agency or to Request Exemptions from Certain
Requirements Under the Securities Exchange Act of 1934, Exchange Act
Release No. 34-90492 (Nov. 23, 2020) [85 FR 76635, 76639 (Nov. 30,
2020)], https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf (stating that in seeking an exemption, an EU CCP
could provide ``a self-assessment . . . [to] explain how the EU
CCP's compliance with EMIR corresponds to the requirements in the
Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad-
22 and Regulation SCI.'').
---------------------------------------------------------------------------
Registered and exempt clearing agencies rely on information systems
to perform the functions described above. Given their central role, the
information systems operated by clearing agencies are critical to the
operations of the U.S. securities markets. For registered clearing
agencies, in particular, these information systems include those that
set and calculate margin obligations and other charges, perform netting
and calculate payment obligations, facilitate the movement of funds and
securities, or effectuate end-of-day settlement.
[[Page 20221]]
Certain exempt clearing agencies (e.g., Euroclear and Clearstream) may
provide CSD functions like covered clearing agencies while other exempt
clearing agencies (e.g., DTCC ITP) may not provide such functions.
Nonetheless, any entity that falls within the definition of a clearing
agency centralizes technology functions in a manner that increases its
potential to become a single point of failure in the case of a
significant cybersecurity incident.\72\
---------------------------------------------------------------------------
\72\ See generally Board of Governors of the Federal Reserve
System (``Federal Reserve Board''), Commission, Commodity Futures
Trading Commission (``CFTC''), Risk Management of Designated
Clearing Entities (July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (report to the Senate
Committees on Banking, Housing, and Urban Affairs and Agriculture,
Nutrition, and Forestry and the House Committees on Financial
Services and Agriculture stating that a designated clearing entity
(``DCE'') ``faces two types of non-financial risks--operational and
legal--that may disrupt the functioning of the DCE. . . . DCEs face
operational risk from both internal and external sources, including
human error, system failures, security breaches, and natural or man-
made disasters.'').
---------------------------------------------------------------------------
The technology behind clearing agency information systems is
subject to growing innovation and interconnectedness, with multiple
clearing agencies sharing links among their systems and with the
systems of other Market Entities. This growing interconnectivity means
that a significant cybersecurity incident at a registered clearing
agency could, for example, prevent it from acting timely to carry out
its functions, which, in turn, could negatively impact other Market
Entities that utilize the clearing agency's services.\73\ Further, a
significant cybersecurity incident at a registered or exempt clearing
agency could provide a gateway for threat actors to attack the members
of the clearing agency and other financial institutions that connect to
it through information systems. Moreover, the information systems that
link the clearing agency to its members are vectors that expose the
clearing agency to cybersecurity risk.
---------------------------------------------------------------------------
\73\ See also EXAMS, Commission, Staff Report on the Regulation
of Clearing Agencies (Oct. 1, 2020), available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff
stating that ``consolidation among providers of clearance and
settlement services concentrates clearing activity in fewer
providers and has increased the potential for providers to become
single points of failure.'').
---------------------------------------------------------------------------
The records stored by clearing agencies on their information
systems include proprietary information about their members, including
confidential business information (e.g., information about the
financial condition of the members used by the clearing agency to
manage credit risk). Each clearing agency also is required to keep all
records made or received by it in the course of its business and in the
conduct of its self-regulatory activity. A significant cybersecurity
incident at a clearing agency could lead to the improper use of this
information to harm the members (e.g., public exposure of confidential
financial information) or provide the unauthorized user with an unfair
advantage over other market participants (e.g., trading based on
confidential business information). Moreover, a disruption to a
registered clearing agency's operations as a result of a significant
cybersecurity incident could interfere with its ability to perform its
responsibilities as an SRO (e.g., interrupting its oversight of
clearing member activities for compliance with its rules and the
federal securities laws), and, therefore, materially impact the fair,
orderly, and efficient functioning of the U.S. securities markets.
d. The Municipal Securities Rulemaking Board
The MSRB is an SRO that serves as a regulator of the U.S. municipal
securities market with a mandate to protect municipal securities
investors, municipal entities, obligated persons, and the public
interest.\74\ Pursuant to the Exchange Act, the MSRB shall propose and
adopt rules with respect to transactions in municipal securities
effected by broker-dealers and municipal securities dealers and with
respect to advice provided to or on behalf of municipal entities or
obligated persons by broker-dealers, municipal securities dealers, and
municipal advisors with respect to municipal financial products, the
issuance of municipal securities, and solicitations of municipal
entities or obligated persons undertaken by broker-dealers, municipal
securities dealers, and municipal advisors.\75\ Pursuant to the
Exchange Act, the MSRB's rules shall be designed to prevent fraudulent
and manipulative acts and practices, to promote just and equitable
principles of trade, to foster cooperation and coordination with
persons engaged in regulating, clearing, settling, processing,
information with respect to, and facilitating transactions in municipal
securities and municipal financial products, to remove impediments to
and perfect the mechanism of a free and open market in municipal
securities and municipal products, and in general, to protect
investors, municipal entities, obligated persons, and the public
interest.\76\ As an SRO, the MSRB's proposed rules are subject to
Commission review and published for notice and comment. While certain
types of proposed rules are effective upon filing, others are subject
to Commission approval before they can go into effect.
---------------------------------------------------------------------------
\74\ See 15 U.S.C. 78o-4. Information about the MSRB and its
functions is available at: www.msrb.org.
\75\ See 15.U.S.C. 78o-4(b)(2).
\76\ See 15.U.S.C. 78o-4(b)(2)(C).
---------------------------------------------------------------------------
The MSRB relies on information systems to carry out its mission
regulating broker-dealers, municipal securities dealers, and municipal
advisors. For example, the MSRB operates the Electronic Municipal
Market Access website (``EMMA''). EMMA provides transparency to the
U.S. municipal bond market by disclosing free information on virtually
all municipal bond offerings, including real-time trade prices, bond
disclosure documents, and certain market statistics.\77\ The MSRB also
provides data to the Commission, broker-dealer examining authorities,
and banking supervisors to assist in their examination and enforcement
efforts involving participants in the municipal securities markets. The
MSRB also maintains other data on the U.S. municipal securities
markets. This data can be used by the public and others to understand
better these markets. The MSRB is also required to keep all records
made or received by it in the course of its business and in the conduct
of its self-regulatory activity.
---------------------------------------------------------------------------
\77\ Broker-dealers, and municipal securities dealers that trade
municipal securities are subject to transaction reporting
obligations under MSRB Rule G-14. EMMA, established by the MSRB in
2009, is currently designated by the Commission as the official
repository of municipal securities disclosure providing the public
with free access to relevant municipal securities data, and is the
central database for information about municipal securities
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time
Transaction Reporting System (``RTRS''), with limited exceptions,
requires broker-dealers and municipal securities dealers to submit
transaction data to the MSRB within 15 minutes of trade execution,
and such near real-time post-trade transaction data can be accessed
through the MSRB's EMMA website.
---------------------------------------------------------------------------
A significant cybersecurity incident could disrupt the operation of
EMMA and could negatively impact the fair, orderly, and efficient
operation of the U.S. municipal securities market. For example, the
loss or corruption of transparent price information could cause
investors to stop purchasing or selling municipal securities or
negatively impact the ability of investors to liquidate or purchase
municipal securities at favorable or predictable prices or in a timely
manner. In addition, the unauthorized access or use of personal or
proprietary
[[Page 20222]]
information of the persons who are registered with the MSRB could cause
them harm through identity theft or the disclosure of confidential
business information.
Further, a significant cybersecurity incident impacting the MSRB
could provide a gateway for threat actors to attack registrants that
connect to the MRSB through information systems and networks of
interconnected information systems. Moreover, the information systems
that link the MSRB to its registrants are vectors that expose the MSRB
to cybersecurity risk.
e. National Securities Associations
A national securities association is an SRO created to regulate
broker-dealers and the off-exchange broker-dealer market.\78\
Currently, FINRA is the only national securities association registered
under section 15A of the Exchange Act. As a national securities
association, FINRA must have rules for its members that, among other
things, are designed to prevent fraudulent and manipulative acts and
practices, to promote just and equitable principles of trade, to foster
cooperation and coordination with persons engaged in regulating,
clearing, settling, or processing information with respect to (and
facilitating transactions in) securities, to remove impediments to and
perfect the mechanism of a free and open market and a national market
system, and, in general, to protect investors and the public
interest.\79\ FINRA's rules also must provide for discipline of its
members for violations of any provision of the Exchange Act, Exchange
Act rules, the rules of the MSRB, or its own rules.\80\ A national
securities association is an SRO under section 19 of the Exchange Act,
and its proposed rules are subject to Commission review and are
published for notice and comment. While certain types of proposed FINRA
rules are effective upon filing, others are subject to Commission
approval before they can go into effect.
---------------------------------------------------------------------------
\78\ See 15 U.S.C. 78o-3(a); Exemption for Certain Exchange
Members, Exchange Act Release No. 95388 (July 29, 2022) [87 FR 49930
(Aug. 12, 2022)] (proposing amendments to national securities
association membership exemption for certain exchange members).
\79\ See 15 U.S.C. 78o-3(b)(6).
\80\ See 15 U.S.C. 78o-3(b)(7).
---------------------------------------------------------------------------
FINRA also performs other functions of vital importance to the U.S.
securities markets. It developed and operates the Trade Reporting and
Compliance Engine (``TRACE''), which facilitates the mandatory
reporting of over-the-counter transactions in eligible fixed-income
securities.\81\ In addition, FINRA operates the Trade Reporting
Facility (``TRF''). FINRA members report over-the-counter transactions
in national market system (``NMS'') stocks to the TRF, which are then
included in publicly disseminated consolidated equity market data
pursuant to an NMS plan.\82\ Further, pursuant to plans declared
effective by the Commission under Exchange Act Rule 17d-2 (``Rule 17d-
2''),\83\ FINRA frequently acts as the sole SRO with regulatory
responsibility with respect to certain applicable laws, rules, and
regulations for its members that are also members of other SROs (e.g.,
national securities exchanges).\84\ Some of these Rule 17d-2 plans
facilitate the conduct of market-wide surveillance, including for
insider trading.\85\ The disruption of these FINRA activities by a
significant cybersecurity incident could interfere with its ability to
carry out its regulatory responsibilities (e.g., disclosing
confidential information pertaining to its surveillance of trading
activity), and, therefore, materially impact the fair, orderly, and
efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------
\81\ FINRA members are subject to transaction reporting
obligations under FINRA Rule 6730. This rule requires FINRA members
to report transactions in TRACE-Eligible Securities, which the rule
defines to include a range of fixed-income securities.
\82\ In addition, FINRA operates the Alternative Display
Facility (``ADF''), which allows members to display quotations and
report trades in NMS stocks. Although there are currently no users
of the ADF, FINRA has issued a pre-quotation notice advising that a
new participant intends to begin using the ADF, subject to
regulatory approval. See Self-Regulatory Organizations; Financial
Industry Regulatory Authority, Inc.; Notice of Filing of a Proposed
Rule Change Relating to Alternative Display Facility New Entrant,
Exchange Act Release No. 96550 (Dec. 20, 2022) [87 FR 79401 (Dec.
27, 2022)].
\83\ 17 CFR 240.17d-2. Pursuant to a plan declared effective by
the Commission under Rule 17d-2, the Commission relieves an SRO of
those regulatory responsibilities allocated by the plan to another
SRO.
\84\ See, e.g., Program for Allocation of Regulatory
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order
Approving and Declaring Effective an Amended Plan for the Allocation
of Regulatory Responsibilities Between the Financial Industry
Regulatory Authority, Inc. and MEMX LLC, Exchange Act Release No.
96101 (Oct. 18, 2022) [87 FR 64280 (Oct. 24, 2022)].
\85\ See, e.g., Program for Allocation of Regulatory
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order
Approving and Declaring Effective an Amendment to the Plan for the
Allocation of Regulatory Responsibilities Among Cboe BZX Exchange,
Inc., Cboe BYX Exchange, Inc., NYSE Chicago, Inc., Cboe EDGA
Exchange, Inc., Cboe EDGX Exchange, Inc., Financial Industry
Regulatory Authority, Inc., MEMX LLC, MIAX PEARL, LLC, Nasdaq BX,
Inc., Nasdaq PHLX LLC, The Nasdaq Stock Market LLC, NYSE National,
Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca,
Inc., Investors' Exchange LLC, and Long-Term Stock Exchange, Inc.
Relating to the Surveillance, Investigation, and Enforcement of
Insider Trading Rules, Exchange Act Release No. 89972 (Sept. 23,
2020) [85 FR 61062 (Sept. 29, 2020)].
---------------------------------------------------------------------------
FINRA uses other information systems to perform its
responsibilities as an SRO. For example, it operates a number of
information systems that its members use to make regulatory
filings.\86\ These systems include the FINRA's eFOCUS system through
which its broker-dealer members file periodic (monthly or quarterly)
confidential financial and operational reports.\87\ FINRA Gateway is
another information system that it uses as a compliance portal for its
members to file and access information. A disruption of FINRA's
business operations caused by a significant cybersecurity incident
could disrupt its ability to carry out its responsibilities as an SRO
(e.g., by disrupting its oversight of broker-dealer activities for
compliance with its rules and the federal securities laws or its review
of broker-dealers' financial condition), and could therefore materially
impact the fair, orderly, and efficient functioning of the U.S.
securities markets.
---------------------------------------------------------------------------
\86\ Further information about these filing systems is available
at: https://www.finra.org/filing-reporting/regulatory-filing-systems.
\87\ The eFOCUS system provides firms with the capability to
electronically submit their Financial and Operational Combined
Uniform Single (FOCUS) Reports to FINRA. FINRA member broker-dealers
are required to prepare and submit FOCUS reports pursuant to
Exchange Rule 17a-5 (17 CFR 240.17a-5) (``Rule 17a-5'') and FINRA's
FOCUS Report filing plan. See, e.g., Self-Regulatory Organizations;
Notice of Filing and Order Granting Accelerated Approval of Proposed
Rule Change by the National Association of Securities Dealers, Inc.
Relating to the Association's FOCUS Filing Plan, Exchange Act
Release No. 36780, (Jan. 26, 1996) [61 FR 3743 (Feb. 1, 1996)].
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at FINRA could
provide a gateway for threat actors to attack members that connect to
it through information systems and networks of interconnected
information systems. Moreover, the information systems that link FINRA
to its members are vectors that expose FINRA to cybersecurity risk.
Additionally, the records stored by FINRA on its information
systems include proprietary information about its members, including
confidential business information (e.g., information about the
operational and financial condition of its broker-dealer members) and
confidential personal information about registered persons affiliated
with member firms. FINRA also is required to keep all records made or
received by it in the course of its business and in the conduct of its
self-regulatory activity. A significant cybersecurity incident at FINRA
could lead to the improper use of this information to harm the members
[[Page 20223]]
(e.g., public exposure of confidential financial information) or their
registered persons (e.g., public exposure of personal information).
Further, it could provide the unauthorized user with an unfair
advantage over other market participants (e.g., trading based on
confidential financial information about its members).
f. National Securities Exchanges
Under the Exchange Act, an ``exchange'' is any organization,
association, or group of persons, whether incorporated or
unincorporated, that constitutes, maintains, or provides a market place
or facilities for bringing together purchasers and sellers of
securities or for otherwise performing with respect to securities the
functions commonly performed by a stock exchange (as that term is
generally understood), and includes the market place and the market
facilities maintained by that exchange.\88\ Section 5 of the Exchange
Act \89\ requires an organization, association, or group of persons
that meets the definition of ``exchange'' under section 3(a)(1) of the
Exchange Act, unless otherwise exempt, to register with the Commission
as a national securities exchange pursuant to section 6 of the Exchange
Act. Registered national securities exchanges also are SROs, and must
comply with regulatory requirements applicable to both national
securities exchanges and SROs.\90\ Section 6 of the Exchange Act
requires, among other things, that the rules of a national securities
exchange be designed to prevent fraudulent and manipulative acts and
practices; to promote just and equitable principles of trade; to foster
cooperation and coordination with persons engaged in facilitating
transactions in securities; to remove impediments to, and perfect the
mechanism of, a free and open market and a national market system; and,
in general, to protect investors and the public interest; and that the
rules of a national securities exchange not be designed to permit
unfair discrimination between customers, issuers, brokers, or
dealers.\91\ As SROs under section 19 of the Exchange Act, the proposed
rules of national securities exchanges are subject to Commission review
and are published for notice and comment.\92\ While certain types of
proposed exchange rules are effective upon filing, others are subject
to Commission approval before they can go into effect.
---------------------------------------------------------------------------
\88\ See 15 U.S.C. 78c(a)(1). Exchange Act Rule 3b-16 (``Rule
3b-16'') defines terms used in the statutory definition of
``exchange'' under section 3(a)(1) of the Exchange Act. Under
paragraph (a) of Rule 3b-16, an organization, association, or group
of persons is considered to constitute, maintain, or provide such a
marketplace or facilities if they ``[b]ring[ ] together the orders
for securities of multiple buyers and sellers'' and use
``established non-discretionary methods (whether by providing a
trading facility or by setting rules) under which such orders
interact with each other, and the buyers and sellers entering such
orders agree to the terms of a trade.'' See 17 CFR 240.3b-16(a). In
January 2022, the Commission: (1) proposed amendments to Rule 3b-16
to include systems that offer the use of non-firm trading interest
and provide communication protocols to bring together buyers and
sellers of securities; (2) re-proposed amendments to Regulation ATS
for ATSs that trade government securities or repurchase and reverse
repurchase agreements on government securities; (3) re-proposed
amendments to Regulation SCI to apply to ATSs that meet certain
volume thresholds in U.S. Treasury securities or in a debt security
issued or guaranteed by a U.S. executive agency or government-
sponsored enterprise; and (4) proposed amendments to, among other
things, Form ATS-N, Form ATS-R, Form ATS, and the fair access rule
under Regulation ATS. See Amendments Regarding the Definition of
``Exchange'' and Alternative Trading Systems (ATSs) That Trade U.S.
Treasury and Agency Securities, National Market System (NMS) Stocks,
and Other Securities, Exchange Act Release No. 94062 (Jan. 26, 2022)
[87 FR 15496 (Mar. 18, 2022)] (``Amendments Regarding the Definition
of `Exchange' and ATSs Release''). The Commission encourages
commenters to review that proposal with respect to ATSs and the
comments on that proposal to determine whether they might affect
comments on this proposing release.
\89\ 15 U.S.C. 78e.
\90\ See, e.g., 15 U.S.C. 78f and 78s.
\91\ See 15 U.S.C. 78f(b)(5).
\92\ See 15 U.S.C. 78s.
---------------------------------------------------------------------------
National securities exchanges use information systems to operate
their marketplaces and facilities for bringing together purchasers and
sellers of securities. In particular, national securities exchanges
rely on automated, complex, and interconnected information systems for
trading, routing, market data, regulatory, and surveillance purposes.
They also use information systems to connect to members, other national
securities exchanges, plan processors, and clearing agencies to
facilitate order routing, trading, trade reporting, and the clearing of
securities transactions. They also provide quotation, trade reporting,
and regulatory information to the securities information processors to
ensure that current market data information is available to market
participants.\93\ A significant cyber security incident at a national
securities exchange could disrupt or disable its ability to provide
these market functions, causing broader disruptions to the securities
markets.\94\ For example, a significant cyber security incident could
severely impede the ability to trade securities, or could disrupt the
public dissemination of consolidated market data, impacting investors
and the maintenance of fair, orderly, and efficient markets. In
addition, the information systems that link national securities
exchanges to their members are vectors that expose the exchange to
cybersecurity risk.
---------------------------------------------------------------------------
\93\ The national securities exchanges will provide quotation,
trade reporting, and regulatory information to competing
consolidators and self-aggregators after the market data
infrastructure rules have been implemented. See Market Data
Infrastructure, Exchange Act Release No. 90610 (Dec. 9, 2020) [86 FR
18596 (Apr. 9, 2021)] (``MDI Adopting Release''). In July 2012, the
Commission adopted Rule 613 of Regulation NMS, which required
national securities exchanges and national securities associations
(the ``Participants'') to jointly develop and submit to the
Commission a national market system plan to create, implement, and
maintain a consolidated audit trail (the ``CAT''). See Consolidated
Audit Trail, Exchange Act Release No. 67457 (July 18, 2012) [77 FR
45722 (Aug. 1, 2012)]; 17 CFR 242.613. In November 2016, the
Commission approved the national market system plan required by Rule
613 (the ``CAT NMS Plan''). See Joint Industry Plan; Order Approving
the National Market System Plan Governing the Consolidated Audit
Trail, Exchange Act Release No. 78318 (Nov. 15, 2016) [81 FR 84696
(Nov. 23, 2016)] (the ``CAT NMS Plan Approval Order''). The
Participants conduct the activities related to the CAT in a Delaware
limited liability company, Consolidated Audit Trail, LLC (the
``Company''). The Participants jointly own on an equal basis the
Company. As such, the CAT's Central Repository is a facility of each
of the Participants. See CAT NMS Plan Approval Order, 81 FR at
84758. It would also qualify as an ``information system'' of each
national securities exchange and each national securities
association under proposed Rule 10. FINRA CAT, LLC--a wholly-owned
subsidiary of FINRA--has entered into an agreement with the Company
to act as the plan processor for the CAT. However, because the CAT
System is operated by FINRA CAT, LLC on behalf of the national
securities exchanges and FINRA, the Participants remain ultimately
responsible for the performance of the CAT and its compliance with
any statutes, rules, and regulations. The goal of the CAT NMS Plan
is to create a modernized audit trail system that provides
regulators with more timely access to a more comprehensive set of
trading data, thus enabling regulators to more efficiently and
effectively analyze and reconstruct broad-based market events,
conduct market analysis in support of regulatory decisions, and to
conduct market surveillance, investigations, and other enforcement
activities. The CAT accepts data that are submitted by the
Participants and broker-dealers, as well as data from certain market
data feeds like SIP and OPRA.
\94\ See, e.g., New Zealand FMA Report (describing an August
2020 cybersecurity incident at New Zealand's only regulated
financial product market that caused a trading halt of approximately
four days).
---------------------------------------------------------------------------
Similarly, proprietary market data systems of exchanges are widely
used and relied upon by a wide swath of market participants for
detailed information about quoting and trading activity on an exchange.
A significant cybersecurity incident that disrupts the availability or
integrity of these feeds could have a significant impact on the trading
of securities because market participants may withdraw from trading
without access to current quotation and trade information. This could
interfere with the maintenance of fair, orderly, and efficient markets.
National securities exchanges also use information systems to
perform their
[[Page 20224]]
responsibilities as SROs. In particular, exchanges employ market-
regulation systems to assist with obligations such as enforcing their
rules and the federal securities laws with respect to their members. A
disruption of a national securities exchange's business operations
caused by a significant cybersecurity incident could disrupt its
ability to carry out its regulatory responsibilities as an SRO and,
therefore, materially impact the fair, orderly, and efficient
functioning of the U.S. securities markets.
Each exchange also is required to keep all records made or received
by it in the course of its business and in the conduct of its self-
regulatory activity. The records stored by national securities
exchanges on their information systems include proprietary information
about their members, including confidential business information (e.g.,
information about the financial condition of their members). The
records also include information relating to trading, routing, market
data, and market surveillance, among other areas.\95\ A significant
cybersecurity incident at a national securities exchange could lead to
the improper use of this information to harm exchange members (e.g.,
public exposure of confidential financial information) or provide the
unauthorized user with an unfair advantage over other market
participants (e.g., trading based on confidential business
information).
---------------------------------------------------------------------------
\95\ For example, as discussed above, the national securities
exchanges and FINRA jointly operate the CAT System, which collects
and stores information relating market participants, and their order
and trading activities.
---------------------------------------------------------------------------
g. Security-Based Swap Data Repositories
Title VII of the Dodd-Frank Wall Street Reform and Consumer
Protection Act (``Title VII of the Dodd-Frank Act''), enacted in 2010,
provided for a comprehensive, new regulatory framework for swaps and
security-based swaps, including regulatory reporting and public
dissemination of transactions in security-based swaps.\96\ In 2015, the
Commission established a regulatory framework for SBSDRs to provide
improved transparency to regulators and help facilitate price discovery
and efficiency in the SBS market.\97\ Under this framework, SBSDRs are
registered securities information processors and disseminators of
market data in the security-based swap market,\98\ thereby supporting
the Dodd-Frank Act's goal of public dissemination for all security-
based swaps to enhance price discovery to market participants.\99\ The
collection and dissemination of security-based swap data by SBSDRs
provide transparency in the security-based swap market for regulators
and market participants.
---------------------------------------------------------------------------
\96\ Public Law 111-203, 124 Stat. 1376 (2010), section 761(a)
(adding Exchange Act section 3(a)(75) (defining SBSDR)) and section
763(i) (adding Exchange Act section 13(n) (establishing a regulatory
regime for SBSDRs)).
\97\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 74246 (Feb.
11, 2015) [80 FR 14438 (Mar. 19, 2015)] (``SBSDR Adopting
Release''); Regulation SBSR--Reporting and Dissemination of
Security-Based Swap Information, Exchange Act Release No. 74244
(Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] (``SBSR Adopting
Release'').
\98\ See 17 CFR 242.909 (``A registered security-based swap data
repository shall also register with the Commission as a securities
information processor on Form SDR''); see also Form SDR (``With
respect to an applicant for registration as a security-based swap
data repository, Form SDR also constitutes an application for
registration as a securities information processor.'').
\99\ See, e.g., SBSDR Adopting Release, 80 FR at 14604.
---------------------------------------------------------------------------
In addition, as centralized repositories for security-based swap
transaction data that is used by regulators, SBSDRs provide an
important infrastructure assisting relevant authorities in performing
their market oversight.\100\ Data maintained by SBSDRs can assist
regulators in addressing market abuses, performing supervision, and
resolving issues and positions if an institution fails.\101\ SBSDRs are
required to collect and maintain accurate security-based swap
transaction data so that relevant authorities can access and analyze
the data from secure, central locations, thereby putting the regulators
in a better position to monitor for potential market abuse and risks to
financial stability.\102\ SBSDRs also have the potential to reduce
operational risk and enhance operational efficiency, such as by
maintaining transaction records that would help counterparties to
ensure that their records reconcile on all of the key economic details.
---------------------------------------------------------------------------
\100\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov.
19, 2010) [75 FR 77306, 77307 (Dec. 10, 2010)], corrected at 75 FR
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR
Proposing Release'') (``The data maintained by an [SBSDR] may also
assist regulators in (i) preventing market manipulation, fraud, and
other market abuses; (ii) performing market surveillance, prudential
supervision, and macroprudential (systemic risk) supervision; and
(iii) resolving issues and positions after an institution fails.'').
\101\ See SBSDR Proposing Release at 77307.
\102\ See SBSDR Adopting Release, 80 FR at 14440 (stating that
``[SBSDRs] are required to collect and maintain accurate [security-
based swap] transaction data so that relevant authorities can access
and analyze the data from secure, central locations, thereby putting
them in a better position to monitor for potential market abuse and
risks to financial stability.'').
---------------------------------------------------------------------------
SBSDRs use information systems to perform these functions,
including to disseminate market data and provide price transparency in
the security-based swap market. They also use information systems to
operate centralized repositories for security-based swap data for use
by regulators. These information systems provide an important market
infrastructure that assists relevant authorities in performing their
market oversight.\103\ As discussed above, data maintained by SBSDRs
may, for example, assist regulators in addressing market abuses,
performing supervision, and resolving issues and positions if an
institution fails.
---------------------------------------------------------------------------
\103\ See Committee on Payments and Settlement Systems
(``CPSS''), Technical Committee of IOSCO, Principles for financial
markets intermediaries (Apr. 2012), available at https://www.bis.org/cpmi/publ/d101a.pdf (``FMI Principles'') (Principle for
financial markets intermediaries (``PFMI'') 1.14 stating that ``[b]y
centralising the collection, storage, and dissemination of data, a
well-designed [trade repository (``TR'')] that operates with
effective risk controls can serve an important role in enhancing the
transparency of transaction information to relevant authorities and
the public, promoting financial stability, and supporting the
detection and prevention of market abuse.''). In 2014, the CPSS
became the Committee on Payments and Market Infrastructures
(``CPMI'').
---------------------------------------------------------------------------
SBSDRs are subject to certain cybersecurity risks that if realized
could impede their ability to meet the goals set out in Title VII of
the Dodd-Frank Act and the Commission's rules.\104\ For example, SBSDRs
process and disseminate trade data using information systems. If these
information systems suffer from a significant cybersecurity incident,
public access to timely and reliable trade data for the derivatives
markets could potentially be compromised.\105\ Also, if the data stored
at an SBSDR is corrupted by a threat actor through a cybersecurity
attack, the SBSDR would not be able to provide accurate data to
relevant regulatory authorities, which could hinder the oversight of
the derivatives markets. Moreover, SBSDRs
[[Page 20225]]
use information systems to receive and maintain personal, confidential,
and proprietary information and data. The unauthorized use or access of
this information could be used to create unfair business or trading
advantages and, in the case of personal information, to steal
identities.
---------------------------------------------------------------------------
\104\ See SBSDR Adopting Release, 80 FR at 14450 (``[SBSDRs]
themselves are subject to certain operational risks that may impede
the ability of [SBSDRs] to meet these goals, and the Title VII
regulatory framework is intended to address these risks.'').
\105\ See FMI Principles (PFMI 1.14, Box 1 stating that ``[t]he
primary public policy benefits of a TR, which stem from the
centralisation and quality of the data that a TR maintains, are
improved market transparency and the provision of this data to
relevant authorities and the public in line with their respective
information needs. Timely and reliable access to data stored in a TR
has the potential to improve significantly the ability of relevant
authorities and the public to identify and evaluate the potential
risks posed to the broader financial system.'').
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at an SBSDR could
provide a gateway for threat actors to attack Market Entities and
others that connect to it through information systems. Moreover, the
links established between an SBSDR and other entities, including
unaffiliated clearing agencies and other SBSDRs, are vectors that
expose the SBSDR to cybersecurity risk arising from threats that
originate in information systems outside the SBSDR's control.\106\
---------------------------------------------------------------------------
\106\ See FMI Principles (PFMI at 3.20.20 stating that ``[a] TR
should carefully assess the additional operational risks related to
its links to ensure the scalability and reliability of IT and
related resources. A TR can establish links with another TR or with
another type of FMI. Such links may expose the linked [financial
market infrastructures (``FMIs'')] to additional risks if not
properly designed. Besides legal risks, a link to either another TR
or to another type of FMI may involve the potential spillover of
operational risk. The mitigation of operational risk is particularly
important because the information maintained by a TR can support
bilateral netting and be used to provide services directly to market
participants, service providers (for example, portfolio compression
service providers), and other linked FMIs.''). The CPMI and IOSCO
issued guidance for cyber resilience for FMIs, including CSDs,
securities settlement systems (``SSSs''), CCPs, and trade
repositories. See CPMI-IOSCO, Guidance on cyber resilience for
financial market infrastructures (June 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI-
IOSCO, Implementation monitoring of the PFMI: Level 3 assessment on
Financial Market Infrastructures' Cyber Resilience (Nov. 2022),
available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an assessment of the state
of cyber resilience (as of February 2021) of FMIs from 29
jurisdictions that participated in the exercise in 2020 to 2022).
---------------------------------------------------------------------------
h. SBS Entities
The SBS Entities covered by the proposed rulemaking are SBSDs and
MSBSPs. An SBSD generally refers to any person who: (1) holds itself
out as a dealer in security-based swaps; (2) makes a market in
security-based swaps; (3) regularly enters into security-based swaps
with counterparties as an ordinary course of business for its own
account; or (4) engages in any activity causing it to be commonly known
in the trade as a dealer or market maker in security-based swaps.\107\
An SBSD does not, however, include a person that enters into security-
based swaps for such person's own account, either individually or in a
fiduciary capacity, but not as a part of regular business.\108\
---------------------------------------------------------------------------
\107\ See 15 U.S.C. 78c(a)(71); 17 CFR 240.3a71-1 et seq.
\108\ See 15 U.S.C. 78c(a)(71)(C); 17 CFR 240.3a71-1(b).
---------------------------------------------------------------------------
An MSBSP generally includes any person that is not a security-based
swap dealer and that satisfies one of the following three alternative
statutory tests: (1) it maintains a ``substantial position'' in
security-based swaps, excluding positions held for hedging or
mitigating commercial risk and positions maintained by any employee
benefit plan (or any contract held by such a plan) for the primary
purpose of hedging or mitigating any risk directly associated with the
operation of the plan, for any of the major security-based swap
categories determined by the Commission; (2) its outstanding security-
based swaps create substantial counterparty exposure that could have
serious adverse effects on the financial stability of the U.S. banking
system or financial markets; or (3) it is a ``financial entity'' that
is ``highly leveraged'' relative to the amount of capital it holds (and
that is not subject to capital requirements by an appropriate federal
banking agency) and maintains a ``substantial position'' in outstanding
security-based swaps in any major category as determined by the
Commission.\109\ Currently, there are no MSBSPs registered with the
Commission.
---------------------------------------------------------------------------
\109\ See 15 U.S.C. 78c(a)(67); 17 CFR 240.3a67-1 et seq.
---------------------------------------------------------------------------
SBS Entities play (or, in the case of MSBSPs, could play) a
critical role in the U.S. security-based swap market.\110\ SBS Entities
rely on information systems to transact in security-based swaps with
other market participants, to receive and deliver collateral, to create
and maintain books and records, and to obtain market information to
update books and records, and manage risk.
---------------------------------------------------------------------------
\110\ Currently, this role is fulfilled by SBSDs, given there
are no MSBSPs registered with the Commission.
---------------------------------------------------------------------------
A disruption to an SBS Entity's operations caused by a significant
cybersecurity incident could have a large negative impact on the U.S.
security-based swap market given the concentration of dealers in this
market. Further, a disruption in the security-based swap market could
negatively impact the broader securities markets by, for example,
causing participants to liquidate positions related to, or referenced
by, the impacted security-based swaps to mitigate losses to
participants' positions or portfolios or due to loss of trading
confidence. A disruption in the security-based swap market also could
negatively impact the broader securities markets by causing
participants to liquidate the collateral margining the security-based
swaps for similar reasons or to cover margin calls. The consequences of
a business disruption to an SBS Entity's functions--such as those that
may be caused by a significant cybersecurity incident--may be amplified
because, unlike many other securities transactions, securities-based
swap transactions give rise to an ongoing obligation between
transaction counterparties during the life of the transaction.\111\
This means that each counterparty bears the risk of its counterparty's
ability to perform under the terms of a security-based swap until the
transaction is terminated. A disruption of an SBS Entity's normal
business activities because of a significant cybersecurity incident
could produce spillover or contagion by negatively affecting the
willingness or the ability of market participants to extend credit to
each other, and could substantially reduce liquidity and valuations for
particular types of financial instruments.\112\ The security-based swap
market is large \113\ and thus a disruption of an SBS Entity's
operations due to a significant cybersecurity incident could negatively
impact sectors of the U.S. economy.\114\
---------------------------------------------------------------------------
\111\ See Further Definition of ``Swap Dealer,'' ``Security-
Based Swap Dealer,'' ``Major Swap Participant,'' ``Major Security-
Based Swap Participant'' and ``Eligible Contract Participant'',
Exchange Act Release No. 66868 (Apr. 27, 2012) [77 FR 30596, 30616-
17 (May 23, 2012)] (``Further Definition Release'') (noting that
``[i]n contrast to a secondary market transaction involving equity
or debt securities, in which the completion of a purchase or sale
transaction can be expected to terminate the mutual obligations of
the parties to the transaction, the parties to a security-based swap
often will have an ongoing obligation to exchange cash flows over
the life of the agreement'').
\112\ See Cross-Border Security-Based Swap Activities; Re-
Proposal of Regulation SBSR and Certain Rules and Forms Relating to
the Registration of Security-Based Swap Dealers and Major Security-
Based Swap Participants, Exchange Act Release No. 69490 (May 1,
2013) [78 FR 30967, 30980-81 (May 23, 2013)] (``Cross-Border
Proposing Release'').
\113\ See, e.g., Commission, Report on Security-Based Swaps
Pursuant to Section 13(m)(2) of the Securities Exchange Act of 1934
(July 15, 2022) available at https://www.sec.gov/files/report-on-security-based-swaps-071522.pdf.
\114\ See Cross-Border Proposing Release, 78 FR at 30972 (``The
Dodd-Frank Act was enacted, among other reasons, to promote the
financial stability of the United States by improving accountability
and transparency in the financial system. The 2008 financial crisis
highlighted significant issues in the over-the-counter (`OTC')
derivatives markets, which . . . are capable of affecting
significant sectors of the U.S. economy.'') (footnotes omitted).
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at an SBS Entity
could provide a gateway for threat actors to attack the exchanges,
SBSDRs, clearing agencies, counterparties, and other SBS Entities to
[[Page 20226]]
which the firm is connected through information systems and networks of
interconnected information systems. Moreover, the information systems
that link SBS Entities to other Market Entities are vectors that expose
the SBS Entity to cybersecurity risk arising from threats that
originate in information systems outside the SBS Entity's control. SBS
Entities also store proprietary and confidential information about
their counterparties on their information systems, including financial
information they use to perform credit analysis. A significant
cybersecurity incident at an SBS Entity could lead to the improper use
of this information to harm the counterparties (e.g., public exposure
of confidential financial information) or provide the unauthorized user
with an unfair advantage over other market participants (e.g., trading
based on confidential business information).
i. Transfer Agents
A transfer agent is any person who engages on behalf of an issuer
of securities or on behalf of itself as an issuer of securities in
(among other functions): (1) tracking, recording, and maintaining the
official record of ownership of each issuer's securities; (2) canceling
old certificates, issuing new ones, and performing other processing and
recordkeeping functions that facilitate the issuance, cancellation, and
transfer of those securities; (3) facilitating communications between
issuers and registered securityholders; and (4) making dividend,
principal, interest, and other distributions to securityholders.\115\
To perform these functions, transfer agents maintain records and
information related to securityholders that may include names,
addresses, phone numbers, email addresses, employers, employment
history, bank and specific account information, credit card
information, transaction histories, securities holdings, and other
detailed and individualized information related to the transfer agents'
recordkeeping and transaction processing on behalf of issuers. With
advances in technology and the expansion of book-entry ownership of
securities, transfer agents today increasingly rely on technology and
automation to perform the core recordkeeping, processing, and transfer
services described above, including the use of computer systems to
store, access, and process the information related to securityholders
they maintain on behalf of issuers. A significant cybersecurity
incident that impacts these systems could cause harm to investors by,
for example, preventing the transfer agent from transferring ownership
of securities or preventing investors from receiving dividend,
interest, or principal payments.
---------------------------------------------------------------------------
\115\ See Transfer Agent Regulations, Exchange Act Release No.
76743 (Dec. 22, 2015) [80 FR 81948, 81949 (Dec. 31, 2015)].
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at a transfer agent
could provide a gateway for threat actors to attack other Market
Entities that connect to it through information systems and networks of
interconnected information systems. Moreover, the information systems
that link transfer agents to other Market Entities expose the transfer
agent to cybersecurity risk arising from threats that originate in
information systems outside the transfer agent's control. The records
stored by transfer agents on their information systems include
proprietary information about securities ownership and corporate
actions. A significant cybersecurity incident at a transfer agent could
lead to the improper use of this information to harm securities holders
(e.g., public exposure of their confidential financial information or
the use of that information to steal their identities) or provide the
unauthorized user with an unfair advantage over other market
participants (e.g., trading based on confidential business
information).
B. Overview of the Proposed Cybersecurity Requirements
As discussed above, the U.S. securities markets are part of the
critical infrastructure of the United States.\116\ In this regard, they
play a central role in the U.S. economy in terms of facilitating the
flow of capital, including the savings of individual investors. The
fair, orderly, and efficient operation of the U.S. securities markets
depends on Market Entities being able to perform their critical
functions, and Market Entities are increasingly relying on information
systems and interconnected networks of information systems to perform
these functions. These information systems are targets of threat
actors. Moreover, Market Entities--as financial institutions--are
choice targets for threat actors seeking financial gain or to inflict
economic harm. Further, threat actors are using increasingly
sophisticated and constantly evolving tactics, techniques, and
procedures to attack information systems. In addition to threat actors,
cybersecurity risk also can be caused by the errors of employees,
service providers, or business partners. The interconnectedness of
Market Entities increases the risk that a significant cybersecurity
incident can simultaneously impact multiple Market Entities causing
harm to the U.S. securities markets.
---------------------------------------------------------------------------
\116\ See section I.A. of this release (discussing cybersecurity
risk and how critical operations of Market Entities are exposed to
cybersecurity risk).
---------------------------------------------------------------------------
For these reasons, it is critically important that Market Entities
take steps to protect their information systems and the information
residing on those systems from cybersecurity risk. A Market Entity that
fails to do so is more vulnerable to succumbing to a significant
cybersecurity incident. As discussed above, a significant cybersecurity
incident can cause serious harm not only to the Market Entity but also
to its customers, counterparties, members, registrants, or users, or to
any other market participants (including other Market Entities) that
interact with the Market Entity. Therefore, it is vital to the U.S.
securities markets and the participants in those markets that all
Market Entities address cybersecurity risk, which, as discussed above,
is increasingly threatening the financial sector.
Consequently, the Commission is proposing new Rule 10 and new Form
SCIR to require that Market Entities address cybersecurity risks, to
improve the Commission's ability to obtain information about
significant cybersecurity incidents impacting Market Entities, and to
improve transparency about the cybersecurity risks that can cause
adverse impacts to the U.S. securities markets.\117\ Under proposed
Rule 10, certain broker-dealers, the MSRB, and all clearing agencies,
national securities associations, national securities exchanges,
SBSDRs, SBS Entities, and transfer agents would be defined as a
``covered entity'' (collectively, ``Covered Entities'').\118\
---------------------------------------------------------------------------
\117\ In designing the requirements of proposed Rule 10, the
Commission considered several cybersecurity sources (which are cited
in the relevant sections below), including the NIST Framework, the
NIST Glossary, and CISA's Cyber Essentials Starter Kit (information
about CISA's Cyber Essentials Starter Kit is available at: https://www.cisa.gov/publication/cisa-cyber-essentials). The Commission also
considered definitions in relevant federal statutes including the
Federal Information Security Modernization Act of 2014, Public Law
113-283 (Dec. 18, 2014); 44 U.S.C. 3551 et seq. (``FISMA'') and the
Cyber Incident Reporting for Critical Infrastructure Act of 2022,
H.R. 2471, 117th Cong. (2021-2022); 6 U.S.C. 681 et seq.
(``CIRCIA'').
\118\ The following broker-dealers would be Covered Entities:
(1) broker-dealers that maintain custody of securities and cash for
customers or other broker-dealers (``carrying broker-dealers''); (2)
broker-dealers that introduce their customer accounts to a carrying
broker-dealer on a fully disclosed basis (``introducing broker-
dealers''); (3) broker-dealers with regulatory capital equal to or
exceeding $50 million; (4) broker-dealers with total assets equal to
or exceeding $1 billion; (5) broker-dealers that operate as market
makers; and (6) broker-dealers that operate an ATS (sometimes
collectively referred to as ``Covered Broker-Dealers''). Broker-
dealers that do not fall into one of these six categories (sometimes
collectively referred to as ``Non-Covered Entities'' or ``Non-
Covered Broker-Dealers'') would not be Covered Entities for the
purposes of proposed Rule 10. See also section II.A.1.b. of this
release (discussing the categories of broker-dealers that would be
``Covered Entities'' in greater detail).
---------------------------------------------------------------------------
[[Page 20227]]
Proposed Rule 10 would require all Market Entities (Covered
Entities and Non-Covered Entities) to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
their cybersecurity risks.\119\ All Market Entities also, at least
annually, would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review.\120\ They also would
be required to prepare a report (in the case of Covered Entities) and a
record (in the case of Non-Covered Entities) with respect to the annual
review. CISA states that organizations should ``approach cyber as
business risk.'' \121\ Like other business risks (e.g., market, credit,
or liquidity risk), cybersecurity risk can be addressed through
policies and procedures that are reasonably designed to manage the
risk. Finally, all Market Entities would need to give the Commission
immediate written electronic notice of a significant cybersecurity
incident upon having a reasonable basis to conclude that the
significant cybersecurity incident has occurred or is occurring.\122\
---------------------------------------------------------------------------
\119\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e)(1) of proposed Rule
10 (setting forth the requirements for Market Entities that are not
Covered Entities (i.e., Non-Covered Broker-Dealers)). See also
sections II.B.1. and II.C. of this release (discussing these
proposed requirements in more detail). As discussed in sections
II.F. and IV.C.1.b. of this release, certain categories of Market
Entities are subject to existing requirements to address aspects of
cybersecurity risk or that may relate to cybersecurity. These other
requirements, however, do not address cybersecurity risk as
directly, broadly, or comprehensively as the requirements of
proposed Rule 10.
\120\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10. See also sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\121\ See CISA Cyber Essentials Starter Kit (``Ask yourself what
type of impact would be catastrophic to your operations? What
information if compromised or breached would cause damage to
employees, customers, or business partners? What is your level of
risk appetite and risk tolerance? Raising the level of awareness
helps reinforce the culture of making informed decisions and
understanding the level of risk to the organization.'').
\122\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2)
of proposed Rule 10. See also sections II.B.2.a. and II.C. of this
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Market Entities that meet the definition of ``covered entity''
would be subject to certain additional requirements under proposed Rule
10.\123\ First, as discussed in more detail below, the written policies
and procedures that Covered Entities would need to establish, maintain,
and enforce would need to include the following elements:
---------------------------------------------------------------------------
\123\ Compare paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Covered Entities), with
paragraph (e) of proposed Rule 10 (setting forth the requirements
for Non-Covered Entities).
---------------------------------------------------------------------------
Periodic assessments of cybersecurity risks associated
with the Covered Entity's information systems and written documentation
of the risk assessments;
Controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems;
Measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversee service providers that receive,
maintain, or process information, or are otherwise permitted to access
the Covered Entity's information systems;
Measures to detect, mitigate, and remediate any
cybersecurity threats and vulnerabilities with respect to the Covered
Entity's information systems; and
Measures to detect, respond to, and recover from a
cybersecurity incident and written documentation of any cybersecurity
incident and the response to and recovery from the incident.\124\
---------------------------------------------------------------------------
\124\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail). In the case
of Non-Covered Entities, as discussed in more detail below in
section II.C. of this release, the design of the cybersecurity risk
management policies and procedures would need to take into account
the size, business, and operations of the broker-dealer. See
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------
Second, Covered Entities--in addition to providing the Commission
with immediate written electronic notice of a significant cybersecurity
incident--would need to report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission.\125\ The form would elicit information about
the significant cybersecurity incident and the Covered Entity's efforts
to respond to, and recover from, the incident.
---------------------------------------------------------------------------
\125\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Third, Covered Entities would need to disclose publicly summary
descriptions of their cybersecurity risks and the significant
cybersecurity incidents they experienced during the current or previous
calendar year on Part II of proposed Form SCIR.\126\ The form would
need to be filed with the Commission and posted on the Covered Entity's
business internet website. Covered Entities that are carrying or
introducing broker-dealers also would need to provide the form to
customers at account opening, when information on the form is updated,
and annually.
---------------------------------------------------------------------------
\126\ See sections II.B.3. and II.B.4.of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Covered Entities and Non-Covered Entities would need to preserve
certain records relating to the requirements of proposed Rule 10 in
accordance with amended or existing recordkeeping requirements
applicable to them or, in the case of exempt clearing agencies,
pursuant to conditions in relevant exemption orders.\127\
---------------------------------------------------------------------------
\127\ See sections II.B.5. and II.C. of this release (discussing
these proposed requirements in more detail).
---------------------------------------------------------------------------
Finally, the Commission is proposing amendments to address the
potential availability of substituted compliance to non-U.S. SBS
Entities with respect to the proposed cybersecurity requirements.\128\
---------------------------------------------------------------------------
\128\ See sections II.D. of this release (discussing these
proposed amendments in more detail).
---------------------------------------------------------------------------
In developing the proposed requirements summarized above with
regard to SBSDRs and SBS Entities, the Commission consulted and
coordinated with the CFTC and the prudential regulators in accordance
with section 712(a)(2) of Title VII of the Dodd-Frank Act. In
accordance with section 752 of Title VII of the Dodd-Frank Act, the
Commission has consulted and coordinated with foreign regulatory
authorities through Commission staff participation in numerous
bilateral and multilateral discussions with foreign regulatory
authorities addressing the regulation of OTC derivatives markets.
II. Discussion of Proposed Cybersecurity Rule
A. Definitions
Proposed Rule 10 would define a number of terms for the purposes of
its requirements.\129\ These definitions also would be used for the
purposes of Parts
[[Page 20228]]
I and II of proposed Form SCIR.\130\ The defined terms are intended to
tailor the risk management, notification, reporting, and disclosure
requirements of proposed Rule 10 to the distinctive aspects of
cybersecurity risk as compared with other risks Market Entities face
(e.g., market, credit, or liquidity risk).\131\
---------------------------------------------------------------------------
\129\ See paragraph (a) of proposed Rule 10.
\130\ See sections II.B.2. and II.B.3. of this release
(discussing Parts I and II of proposed Form SCIR in more detail).
\131\ See paragraphs (a)(2) through (9) of proposed Rule 10
(defining, respectively, the terms ``cybersecurity incident,''
``cybersecurity risk,'' ``cybersecurity threat,'' ``cybersecurity
vulnerability,'' ``information,'' ``information systems,''
``personal information,'' and ``significant cybersecurity
incident'').
---------------------------------------------------------------------------
1. ``Covered Entity''
a. Market Entities That Meet the Definition of ``Covered Entity'' Would
Be Subject to Additional Requirements
Proposed Rule 10 would define the term ``covered entity'' to
identify the types of Market Entities that would be subject to certain
additional requirements under the rule.\132\ As discussed above,
proposed Rule 10 would require all Market Entities to establish,
maintain, and enforce written policies and procedures that are
reasonably designed to address their cybersecurity risks.\133\ All
Market Entities also, at least annually, would be required to review
and assess the design and effectiveness of their cybersecurity risk
management policies and procedures, including whether the policies and
procedures reflect changes in cybersecurity risk over the time period
covered by the review.\134\ They also would be required to prepare a
report (in the case of Covered Entities) or a record (in the case of
Non-Covered Entities) with respect to the annual review. Further, all
Market Entities would need to give the Commission immediate written
electronic notice of a significant cybersecurity incident upon having a
reasonable basis to conclude that the significant cybersecurity
incident has occurred or is occurring.\135\ As discussed above, Market
Entities use information systems that expose them to cybersecurity risk
and that risk is increasing due to the interconnectedness of the
information systems and the sophistication of the tactics used by
threat actors. Therefore, regardless of their function,
interconnectedness, or size, all Market Entities would be subject to
these requirements designed to address cybersecurity risks.
---------------------------------------------------------------------------
\132\ See paragraphs (a)(1)(i) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities''). A Market
Entity that falls within the definition of ``covered entity'' for
purposes of proposed Rule 10 may not necessarily meet the definition
of a ``covered entity'' for purposes of certain federal statutes,
such as, but not limited to, CIRCIA and any regulations promulgated
thereunder. CIRCIA, among other things, requires the Director of
CISA to issue and implement regulations defining the term ``covered
entity'' and requiring covered entities to report covered cyber
incidents and ransom payments as the result of ransomware attacks to
CISA in certain instances.
\133\ See paragraph (b)(1) of proposed Rule 10 (setting forth
the requirement for Market Entities that meet the definition of
``covered entity''); paragraph (e)(1) of proposed Rule 10 (setting
forth the requirement for Market Entities that do not meet the
definition of ``covered entity,'' which, as discussed above, would
be certain smaller broker-dealers).
\134\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10.
\135\ See paragraph (c)(1) of proposed Rule 10 (setting forth
the requirement for Market Entities that meet the definition of
``covered entity''); paragraph (e)(2) of proposed Rule 10 (setting
forth the requirement for Market Entities that do not meet the
definition of ``covered entity'').
---------------------------------------------------------------------------
Market Entities that are Covered Entities would be subject to
certain additional requirements under proposed Rule 10.\136\ In
particular, they would be required to: (1) include certain elements in
their cybersecurity risk management policies and procedures; \137\ (2)
file Part I of proposed Form SCIR with the Commission and, for some
Covered Entities, other regulators to report information about a
significant cybersecurity incident; \138\ and (3) make public
disclosures on Part II of proposed Form SCIR about their cybersecurity
risks and the significant cybersecurity incidents they experienced
during the current or previous calendar year.\139\
---------------------------------------------------------------------------
\136\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Covered Entities); paragraph (e)
of proposed Rule 10 (setting forth the requirements for Non-Covered
Entities). As discussed above, Covered Entities would need to
prepare a report with respect to their review and assessment of the
policies and procedures. See paragraph (b)(2) of proposed Rule 10.
Non-Covered Entities would need to make a record with the respect to
the annual review and assessment of their policies and procedures.
See paragraph (e) of proposed Rule 10.
\137\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
\138\ See paragraph (c)(2) of proposed Rule 10. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity risk'').
\139\ See paragraph (d) of proposed Rule 10.
---------------------------------------------------------------------------
In determining which Market Entities would be Covered Entities
subject to the additional requirements, the Commission considered: (1)
how the type of Market Entity supports the fair, orderly, and efficient
operation of the U.S. securities markets and the consequences if that
type of Market Entity's critical functions were disrupted or degraded
by a significant cybersecurity incident; (2) the harm that could befall
investors, including retail investors, if that type of Market Entity's
functions were disrupted or degraded by a significant cybersecurity
incident; (3) the extent to which that type of Market Entity poses
cybersecurity risk to other Market Entities through information system
connections, including the number of connections; (4) the extent to
which the that type of Market Entity would be an attractive target for
threat actors; and (5) the personal, confidential, and proprietary
business information about the type of Market Entity and other persons
(e.g., investors) stored on the Market Entity's information systems and
the harm that could be caused if that information was accessed or used
by threat actors.
b. Broker-Dealers
The following broker-dealers registered with the Commission would
be Covered Entities: (1) broker-dealers that maintain custody of
securities and cash for customers or other broker-dealers (i.e.,
carrying broker-dealers); (2) broker-dealers that introduce their
customers' accounts to a carrying broker-dealer on a fully disclosed
basis (i.e., introducing broker-dealers); \140\ (3) broker-dealers with
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that
operate an ATS. Thus, under proposed Rule 10, these six categories of
broker-dealers would be subject to the additional requirements.\141\
All other types of
[[Page 20229]]
broker-dealers would not meet the definition of Covered Entity.\142\
---------------------------------------------------------------------------
\140\ When a broker-dealer introduces a customer to a carrying
broker-dealer on a fully disclosed basis, the carrying broker-dealer
knows the identity of the customer and holds cash and securities in
an account for the customer that identifies the customer as the
accountholder. This is distinguishable from a broker-dealer that
introduces its customers to another carrying broker-dealer on an
omnibus basis. In this scenario, the carrying broker-dealer does not
know the identities of the customers and holds their cash and
securities in an account that identifies the broker-dealer
introducing the customers on an omnibus basis as the accountholder.
A broker-dealer that introduces customers to another broker-dealer
on an omnibus basis is, itself, a carrying broker-dealer for
purposes of the Commission's financial responsibility rules,
including, the broker-dealer net capital and customer protection
rules. See, e.g., 17 CFR 240.15c3-1 and 17 CFR 240.15c3-3. This
category of broker-dealer would be a carrying broker-dealer for
purposes of proposed Rule 10 and therefore subject to the rule's
requirements for Covered Entities.
\141\ See paragraphs (a)(1)(i)(A) through (F) of proposed Rule
10. Certain of the definitions in proposed Rule 10 would be used for
the purposes of the requirements in the rule for broker-dealers that
are not Covered Entities. Specifically, paragraph (e)(1) of proposed
Rule 10 would require broker-dealers that are not Covered Entities
to establish, maintain, and enforce written policies and procedures
that are reasonably designed to address the cybersecurity risks of
the broker-dealer taking into account the size, business, and
operations of the broker-dealer. The term ``cybersecurity risk'' is
defined in paragraph (a)(3) of proposed Rule 10 and that definition
incorporates the terms ``cybersecurity incident,'' ``cybersecurity
threat,'' and ``cybersecurity vulnerability,'' which are defined,
respectively, in paragraphs (a)(2), (a)(4), and (a)(5) of proposed
Rule 10. In addition, paragraph (e)(2) of proposed Rule 10 would
require broker-dealers that are not Covered Entities to provide
immediate written electronic notice to the Commission and their
examining authority if they experience a ``significant cybersecurity
incident'' as that term is defined in the rule. Therefore, paragraph
(a)(8) of proposed Rule 10 would define the term ``market entity''
to mean a Covered Entity and a broker-dealer registered with the
Commission that is not a Covered Entity. Further, the definitions in
proposed Rule 10 would refer to ``market entities'' (rather than
``covered entities'') in order to not limit the application of these
definitions to paragraphs (b) through (d) of proposed Rule 10, which
set forth the requirements for Covered Entities (but not for Non-
Covered Entities).
\142\ As discussed below in section IV.C.2. of this release, of
the 3,510 broker-dealers registered with the Commission as of the
third quarter of 2022, 1,541 would meet the definition of ``covered
entity'' under proposed Rule 10, leaving 1,969 broker-dealers as
Non-Covered Entities.
---------------------------------------------------------------------------
The first category of broker-dealers included as Covered Entities
would be carrying broker-dealers. Specifically, proposed Rule 10 would
define ``covered entity'' to include any broker-dealer that maintains
custody of cash and securities for customers or other broker-dealers
and is not exempt from the requirements of Exchange Act Rule 15c3-3
(i.e., a carrying broker-dealer).\143\ Some carrying broker-dealers are
large in terms of their assets and dealing activities or the number of
their accountholders. For example, they may engage in a variety of
order handling, trading, and/or clearing activities, and thereby play a
significant role in U.S. securities markets, often through multiple
business lines and/or in multiple asset classes. Consequently, if their
critical functions were disrupted or degraded by a significant
cybersecurity incident it could have a potential negative impact on the
U.S. securities markets by, for example, reducing liquidity in the
markets or sectors of the markets due to the firm's inability to
continue dealing and trading activities. A broker-dealer in this
situation could lose its ability to provide liquidity to other market
participants for an indeterminate length of time, which could lead to
unfavorable market conditions for investors, such as higher buy prices
and lower sell prices or even the inability to execute a trade within a
reasonable amount of time. Further, some carrying broker-dealers hold
millions of accounts for investors. If a significant cybersecurity
incident prevented this investor-base from accessing the securities
markets, it could impact liquidity as well.
---------------------------------------------------------------------------
\143\ See paragraph (a)(1)(i)(A) of proposed Rule 10. See also
17 CFR 240.15c3-3 (``Rule 15c3-3''). Rule 15c3-3 sets forth
requirements for broker-dealers that maintain custody of customer
securities and cash that are designed to protect those assets and
ensure their prompt return to the customers.
---------------------------------------------------------------------------
Also, the dealing activities of carrying broker-dealers may make
them attractive targets for threat actors seeking to access proprietary
and confidential information about the broker-dealer's trading
positions and strategies to use for financial advantage. In addition,
the size and financial resources of carrying broker-dealers may make
them attractive targets for threat actors employing ransomware schemes.
Because carrying broker-dealers hold cash and securities for
customers and other broker-dealers, a significant cybersecurity
incident could put these assets in peril or make them unavailable. For
example, a significant cybersecurity incident could cause harm to the
investors that own these assets--including retail investors--if it
causes the investors to lose access to their securities accounts (and,
therefore, the ability to purchase or sell securities), causes the
failure of the carrying broker-dealer (which could tie up the assets in
a liquidation proceeding under the Securities Investor Protection Act),
or, in the worst case, results in the assets being stolen. The fact
that carrying broker-dealers hold cash and securities for investors
also may make them attractive targets for threat actors seeking to
steal those assets through hacking the accounts or using stolen
credentials and log-in information. In addition, carrying broker-
dealers with large numbers of customers might be attractive targets for
threat actors because of the volume of personal information they
maintain. Threat actors may seek to access and download this
information in order to sell it to other threat actors. If this
information is accessed or stolen by threat actors, it could result in
harm (e.g., identity theft or conversion of financial assets) to many
individuals, including retail investors. Carrying broker-dealers
typically are connected to a number of different Market Entities
through information systems, including national securities exchanges,
clearing agencies, and other broker-dealers (including introducing
broker-dealers).
The second category of broker-dealers included as Covered Entities
would be introducing broker-dealers.\144\ These broker-dealers
introduce customer accounts on a fully disclosed basis to a carrying
broker-dealer. In this arrangement, the carrying broker-dealer knows
the identities of the fully disclosed customers and maintains custody
of their securities and cash. The introducing broker-dealer typically
interacts directly with the customers by, for example, making
securities recommendations and accepting their orders to purchase or
sell securities. An introducing broker-dealer must enter into an
agreement with a carrying broker-dealer to which it introduces customer
accounts on a fully disclosed basis.\145\
---------------------------------------------------------------------------
\144\ See paragraph (a)(1)(i)(B) of proposed Rule 10.
\145\ See FINRA Rule 4311. Pursuant to FINRA requirements, the
carrying agreement must specify the responsibilities of the carrying
broker-dealer and the introducing broker-dealer, including, at a
minimum, the responsibilities for: (1) opening and approving
accounts; (2) accepting of orders; (3) transmitting of orders for
execution; (4) executing of orders; (5) extending credit; (6)
receiving and delivering of funds and securities; (7) preparing and
transmitting confirmations; (8) maintaining books and records; and
(9) monitoring of accounts. See FINRA Rule 4311(c)(1).
---------------------------------------------------------------------------
These broker-dealers would be included as Covered Entities because
they are a conduit to their customers' accounts at the carrying broker-
dealer and have access to information and trading systems of the
carrying broker-dealer. Consequently, a significant cybersecurity
incident could harm their customers to the extent it causes the
customers to lose access to their securities accounts at the carrying
broker-dealer. Further, a significant cybersecurity incident at an
introducing broker-dealer could spread to the carrying broker-dealer
given the information systems that connect the two firms. These
connections also may make introducing broker-dealers attractive targets
for threat actors seeking to access the information systems of the
carrying broker-dealer to which the introducing broker-dealer is
connected.
In addition, introducing broker-dealers may store personal
information about their customers on their information systems or be
able to access this information on the carrying broker-dealer's
information systems. The fact that they store this information also may
make them attractive targets for threat actors seeking to use the
information to steal identities or assets, or to sell the personal
information to other bad actors who will seek to use it for these
purposes.
The third category of broker-dealers included as Covered Entities
would be broker-dealers that have regulatory capital equal to or
exceeding $50 million.\146\ Regulatory capital is the total capital of
the broker-dealer plus allowable subordinated liabilities of the
broker-dealer and is reported on the FOCUS reports broker-dealers file
[[Page 20230]]
pursuant to Rule 17a-5.\147\ The fourth category would be a broker-
dealer with total assets equal to or exceeding $1 billion.\148\ The $50
million and $1 billion thresholds are modeled on the thresholds that
trigger enhanced recordkeeping and reporting requirements for certain
broker-dealers pursuant to Exchange Act Rules 17h-1T and 17h-2T.\149\
---------------------------------------------------------------------------
\146\ See paragraph (a)(1)(i)(C) of proposed Rule 10.
\147\ See 17 CFR 240.17a-5; Form X-17A-5, Line Item 3550.
\148\ See paragraph (a)(1)(i)(D) of proposed Rule 10.
\149\ See 17 CFR 240.17h-1T and 17h-1T. See also Order Under
Section 17(h)(4) of the Securities Exchange Act of 1934 Granting
Exemption from Rule 17h-1T and Rule 17h-2T for Certain Broker-
Dealers Maintaining Capital, Including Subordinated Debt of Greater
Than $20 Million But Less Than $50 Million, Exchange Act Release No.
89184 (June 29, 2020) [85 FR 40356 (July 6, 2020)] (``17h Release'')
(setting forth the $50 million and $1 billion thresholds).
---------------------------------------------------------------------------
These thresholds are designed to include as Covered Entities
broker-dealers that are large in terms of their assets and dealing
activities (and that would not otherwise be Covered Broker-Dealers
under the definitions in proposed Rule 10).\150\ For example, larger
broker-dealers that exceed these thresholds often engage in proprietary
trading (including high frequency trading) and are sources of liquidity
in certain securities. Consequently, if their critical functions were
disrupted or degraded by a significant cybersecurity incident it could
have a potential negative impact on those securities markets if it
reduces liquidity in the markets through the inability to continue
dealing and trading activities. For example, a broker-dealer in this
situation could lose its ability to provide liquidity to other market
participants for an indeterminate length of time, which could lead to
unfavorable market conditions for investors, such as higher buy prices
and lower sell prices or even the ability to execute a trade within a
reasonable amount of time.
---------------------------------------------------------------------------
\150\ Size has been recognized as a proxy for substantial market
activity relative to other registrants of the same type and
therefore a firm's relative risk to the financial markets. See 17h
Release (noting that broker-dealers that have less than $50 million
in regulatory capital and less than $1 billion in total assets are
``relatively small in size,'' and ``because of their relative size''
and to the extent they are not carrying firms, these entities
``present less risk to the financial markets,'' while stating that
with respect to broker-dealers with at least $50 million in
regulatory capital or at least $1 billion in total assets ``the
Commission believes . . . those broker-dealers . . . pose greater
risk to the financial markets, investors, and other market
participants'').
---------------------------------------------------------------------------
In addition, the size and dealing activities of these broker-
dealers could make them attractive targets for threat actors seeking to
access proprietary and confidential information about the broker-
dealer's trading positions and strategies to use for financial
advantage. This also may make them attractive targets for threat actors
employing ransomware schemes. Further, given their size and trading
activities, these broker-dealers may be connected to a number of
different Market Entities through information systems, including
national securities exchanges, clearing agencies, other broker-dealers,
and ATSs.
The fifth category of broker-dealers included as Covered Entities
would be broker-dealers that operate as market makers. Specifically,
proposed Rule 10 would define ``covered entity'' to include a broker-
dealer that operates as a market maker under the Exchange Act or the
rules thereunder (which includes a broker-dealer that operates pursuant
to Exchange Act Rule 15c3-1(a)(6)) or is a market maker under the rules
of an SRO of which the broker-dealer is a member.\151\ The proposed
rule's definition of ``market maker'' is tied to securities laws that
confer benefits or impose requirements on market makers and,
consequently, covers broker-dealers that take advantage of those
benefits or are subject to those requirements. The objective is to rely
on these other securities laws to define a market maker rather than set
forth a new definition of ``market maker'' in proposed Rule 10, which
could conflict with these other laws.
---------------------------------------------------------------------------
\151\ See paragraph (a)(1)(i)(E) of proposed Rule 10. See also
17 CFR 240.15c3-1 (``Rule 15c3-1''). Paragraph (a)(6) of Rule 15c3-1
permits a market maker to avoid taking capital charges for its
proprietary positions provided, among other things, its carrying
firm takes the capital charges instead. See also, e.g., Rule 103 of
the New York Stock Exchange (setting forth requirements for
Designated Market Makers and Designated Market Maker Units).
---------------------------------------------------------------------------
Market makers would be included as Covered Entities because
disruptions to their operations caused by a significant cybersecurity
incident could have a material impact on the fair, orderly, and
efficient functioning of the U.S. securities markets. For example, a
significant cybersecurity incident could imperil a market maker's
operations and ability to facilitate transactions in particular
securities between buyers and sellers. In addition, market makers
typically are connected to a number of different Market Entities
through information systems, including national securities exchanges
and other broker-dealers.
The sixth category of broker-dealers included as Covered Entities
would be broker-dealers that operate an ATS.\152\ Since Regulation ATS
was adopted in 1998, ATSs have become increasingly important venues for
trading securities in a fast and automated manner. ATSs perform
exchange-like functions such as offering limit order books and other
order types. These developments have made ATSs significant sources of
orders and trading interest for securities. ATSs use data feeds,
algorithms, and connectivity to perform these functions. ATSs rely
heavily on information systems to perform these functions, including to
connect to other Market Entities such as broker-dealers and principal
trading firms.
---------------------------------------------------------------------------
\152\ See paragraph (a)(1)(i)(F) of proposed Rule 10.
---------------------------------------------------------------------------
A significant cybersecurity incident that disrupts an ATS could
negatively impact the ability of investors to liquidate or purchase
certain securities at favorable or predictable prices or in a timely
manner to the extent it provides liquidity to the market for those
securities. Further, a significant cybersecurity incident at an ATS
could provide a gateway for threat actors to attack other Market
Entities that connect to it through information systems and networks of
interconnected information systems. In addition, ATSs are connected to
a number of different Market Entities through information systems,
including national securities exchanges and other broker-dealers.
Finally, the records stored by ATSs on their information systems
include proprietary information about the Market Entities that use
their services, including confidential business information (e.g.,
information about their trading activities).
For the foregoing reasons, the categories of broker-dealers
discussed above would be Covered Entities under proposed Rule 10. All
other categories of broker-dealers would be Non-Covered Entities.
Generally, the types of broker-dealers that would be Non-Covered
Entities under proposed Rule 10 are smaller firms whose functions do
not play as significant a role in promoting the fair, orderly, and
efficient operation of the U.S. securities markets, as compared to
broker-dealers that would be Covered Entities.\153\ For example, they
tend to offer a more focused and limited set of services such as
facilitating private placements of securities, selling mutual funds and
variable contracts, underwriting securities, and participating in
direct investment
[[Page 20231]]
offerings.\154\ Further, they do not act as custodians for customer
securities and cash or serve as a conduit (i.e., an introducing broker-
dealer) for customers to access their accounts at a carrying broker-
dealer that does maintain custody of securities and cash. Therefore,
they do not pose the risk that a significant cybersecurity incident
could lead to investors losing access to their securities or cash or
having those assets stolen. In addition, Non-Covered Broker-Dealers
likely are less connected to other Market Participants through
information systems than Covered Broker-Dealers. For these reasons, the
additional policies and procedures, reporting, and disclosure
requirements would not apply to Non-Covered Broker-Dealers.
---------------------------------------------------------------------------
\153\ For example, as discussed below in section IV.C.2. of this
release, the 1,541 broker-dealers that would be Covered Entities had
average total assets of $3.5 billion and average regulatory equity
of $325 million; whereas the 1,969 that would be Non-Covered
Entities had average total assets of $4.7 million and average
regulatory equity of $3 million. This means that Non-Covered Broker-
Dealers under proposed Rule 10 accounted for about 0.2% of the total
assets of all broker-dealers and 0.1% of total capital for all
broker-dealers.
\154\ See section IV.C.2. of this release (discussing the
activities of broker-dealers that would not meet the definition of
``covered entity'' in proposed Rule 10).
---------------------------------------------------------------------------
At the same time, Non-Covered Broker-Dealers are part of the
financial sector and exposed to cybersecurity risk. Further, certain
Non-Covered Broker-Dealers maintain personal information about their
customers that if accessed by threat actors or mistakenly exposed to
unauthorized users could result in harm to the customers. For these
reasons, Non-Covered Broker-Dealers--among other things--would be
required under proposed Rule 10 to: (1) establish, maintain, and
enforce written policies and procedures that are reasonably designed to
address their cybersecurity risks taking into account their size,
business, and operations; (2) review and assess the design and
effectiveness of their cybersecurity policies and procedures annually,
including whether the policies and procedures reflect changes in
cybersecurity risk over the time period covered by the review; (3) make
a written record that documents the steps taken in performing the
annual review and the conclusions of the annual review; and (4) give
the Commission and their examining authority immediate written
electronic notice of a significant cybersecurity incident upon having a
reasonable basis to conclude that the significant cybersecurity
incident has occurred or is occurring.\155\ The Commission's objective
in proposing Rule 10 is to address the cybersecurity risks faced by all
Market Entities but apply a more limited set of requirements to Non-
Covered Broker-Dealers commensurate with the level of risk they pose to
investors, the U.S. securities markets, and the U.S. financial sector
more generally.
---------------------------------------------------------------------------
\155\ See section II.C. of this release (discussing the
requirements for these broker-dealers in more detail).
---------------------------------------------------------------------------
c. Market Entities Other Than Broker-Dealers
The MSRB and all clearing agencies, national securities
associations, national securities exchanges, SBSDRs, SBS Entities,\156\
and transfer agents would be Covered Entities and, therefore, subject
to the additional requirements regarding the minimum elements that must
be included in their cybersecurity risk management policies and
procedures, reporting, and public disclosure.\157\ In particular,
proposed Rule 10 would define Covered Entity to include: (1) a clearing
agency (registered or exempt) under section 3(a)(23)(A) of the Exchange
Act; \158\ (2) an MSBSP that is registered pursuant to section 15F(b)
of the Exchange Act; \159\ (3) the Municipal Securities Rulemaking
Board; \160\ (4) a national securities association under section 15A of
the Exchange Act; \161\ (5) a national securities exchange under
section 6 of the Exchange Act; \162\ (6) a security-based swap data
repository under section 3(a)(75) of the Exchange Act; \163\ (7) a
security-based swap dealer that is registered pursuant to section
15F(b) of the Exchange Act; \164\ and (8) a transfer agent as defined
in section 3(a)(25) of the Exchange Act that is registered or required
to be registered with an appropriate regulatory agency (``ARA'') as
defined in section 3(a)(34)(B) of the Exchange Act.\165\
---------------------------------------------------------------------------
\156\ In addition to the requirements proposed in Rule 10
itself, the scope of certain existing regulations applicable to SBS
Entities would include proposed Rule 10 if adopted; see, e.g., 17
CFR 240.15Fk-1(b)(2)(i) (which establishes the scope of specified
chief compliance officer duties by reference to Section 15F of the
Exchange Act (15 U.S.C. 78o-10) and the rules and regulations
thereunder); 17 CFR 240.15Fh-3(h)(2)(iii)(I) (which establishes the
scope of specified supervisory requirements by reference to Section
15F(j) of the Exchange Act (15 U.S.C. 78o-10(j)).
\157\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities'').
\158\ See paragraph (a)(1)(ii) of proposed Rule 10. See also 15
U.S.C. 78c(a)(23)(A) (defining the term ``clearing agency'').
\159\ See paragraph (a)(1)(iii) of proposed Rule 10. See also 15
U.S.C. 78o-10(b). Registered MSBSPs include both MSBSPs that are
conditionally registered pursuant to paragraph (d) of Exchange Act
Rule 15Fb2-1 (``Rule 15Fb2-1'') (17 CFR 240.15Fb2-1) and MSBSPs that
have been granted ongoing registration pursuant to paragraph (e) of
Rule 15Fb2-1.
\160\ See paragraph (a)(1)(iv) of proposed Rule 10.
\161\ See paragraph (a)(1)(v) of proposed Rule 10. See also 15
U.S.C. 78o-3.
\162\ See paragraph (a)(1)(vi) of proposed Rule 10. See also 15
U.S.C. 78f.
\163\ See paragraph (a)(1)(vii) of proposed Rule 10.
\164\ See paragraph (a)(1)(viii) of proposed Rule 10. See also
15 U.S.C. 78o-10(b). Registered SBSDs include both SBSDs that are
conditionally registered pursuant to paragraph (d) of Rule 15Fb2-1
and SBSDs that have been granted ongoing registration pursuant to
paragraph (e) of Rule 15Fb2-1.
\165\ See paragraph (a)(1)(ix) of proposed Rule 10. See also 15
U.S.C. 78q-1(c)(1) (registration requirements for transfer agents);
15 U.S.C. 78c(a)(25) (definition of transfer agent) and (a)(34)(B)
(definition of appropriate regulatory agency).
---------------------------------------------------------------------------
SROs play a critical role in setting and enforcing rules for their
members or registrants that govern trading, fair access, transparency,
operations, and business conduct, among other things. SROs and SBSDRs
also play a critical role in ensuring fairness in the securities
markets through the transparency they provide about securities
transactions and pricing, and the information about securities
transactions they can provide to regulators. National securities
exchanges play a critical role in ensuring the orderly and efficient
operation of the U.S. securities markets through the marketplaces they
operate. Clearing agencies are critical to the orderly and efficient
operation of the U.S. securities markets through the centralized
clearing and settlement services they provide as well as their role as
securities depositories, with exempt clearing agencies serving an
important role as part of this process. Market liquidity is critical to
the orderly and efficient operation of the U.S. securities markets. In
this regard, SBS Entities play a critical role in providing liquidity
to the security-based swap market.
The disruption or degradation of the functions of an SRO (including
functions that support securities marketplaces and the oversight of
market participants) could cause harm to investors to the extent it
negatively impacted the fair, orderly, and efficient operations of the
U.S. securities markets. For example, it could prevent investors from
purchasing or selling securities or doing so at fair or reasonable
prices. Investors also would face harm if a transfer agent's functions
were disrupted or degraded by a significant cybersecurity incident.
Transfer agents provide services such as stockholder recordkeeping,
processing of securities transactions and corporate actions, and paying
agent activities. Their core recordkeeping systems provide a direct
conduit to their issuer clients' master records that document and, in
many instances provide the legal underpinning for, registered
securityholders' ownership of the issuer's securities. If these
functions were disrupted, investors might not be able to transfer
ownership of their securities or receive dividends and
[[Page 20232]]
interest due on their securities positions.
SROs, exempt clearing agencies, and SBSDRs connect to multiple
members, registrants, users, or others though networks of information
systems. The interconnectedness of these Market Entities with other
Market Entities through information systems creates the potential that
a significant cybersecurity incident at one Market Entity (e.g., one
caused by malware) could spread to other Market Entities in a cascading
process that could cause widespread disruptions threatening the fair,
orderly, and efficient operation of the U.S. securities markets.\166\
Additionally, the disruption of a Market Entity that provides critical
services to other Market Entities through information system
connections could disrupt the activities of these other Market Entities
if they cannot obtain the services from another source.
---------------------------------------------------------------------------
\166\ See, e.g., Implications of Cyber Risk for Financial
Stability (``[T]he interconnectedness of the financial system means
that an event at one or more firms may spread to others (the domino
effect).'').
---------------------------------------------------------------------------
SROs, exempt clearing agencies, SBSDRs, SBS Entities, and transfer
agents could be prime targets of threat actors because of the central
roles they play in the securities markets. For example, threat actors
could seek to disrupt their functions for geopolitical purposes. Threat
actors also could seek to gain unauthorized access to their information
systems to conduct espionage operations on their internal non-public
activities. Moreover, because they hold financial assets (e.g.,
clearing deposits in the case of clearing agencies) and/or store
substantial confidential and proprietary information about other Market
Entities or financial transactions, they may be choice targets for
threat actors seeking to steal the assets or use the financial
information to their advantage.
SROs, exempt clearing agencies, and SBSDRs store confidential and
proprietary information about their members, registrants, and users,
including confidential business information, and personal information.
A significant cybersecurity incident at any of these types of Market
Entities could lead to the improper use of this information to harm the
members, registrants, and users or provide the unauthorized user with
an unfair advantage over other market participants and, in the case of
personal information, to steal identities. Moreover, given the volume
of information stored by these Market Entities about different persons,
the harm caused by a cybersecurity incident could be widespread,
negatively impacting many victims.
SBS Entities also store proprietary and confidential information
about their counterparties on their information systems, including
financial information they use to perform credit analysis. A
significant cybersecurity incident at an SBS Entity could lead to the
improper use of this information to harm the counterparties or provide
the unauthorized user with an unfair advantage over other market
participants. Transfer agents store proprietary information about
securities ownership and corporate actions. A significant cybersecurity
incident at a transfer agent could lead to the improper use of this
information to harm securities holders. Transfer agents also may store
personal information including names, addresses, phone numbers, email
addresses, employers, employment history, bank and specific account
information, credit card information, transaction histories, securities
holdings, and other detailed and individualized information related to
the transfer agents' recordkeeping and transaction processing on behalf
of issuers. Threat actors breaching the transfer agent's information
systems could use this information to steal identities or financial
assets of the persons to whom this information pertains. They also
could sell it to other threat actors.
In light of these considerations, the MSRB and all clearing
agencies, national securities associations, national securities
exchanges, SBSDRs, SBS Entities, and transfer agents would be Covered
Entities under proposed Rule 10 and, therefore, subject to the
additional requirements regarding the minimum elements that must be
included in their cybersecurity risk management policies and
procedures, reporting, and public disclosure.\167\
---------------------------------------------------------------------------
\167\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities'').
---------------------------------------------------------------------------
2. ``Cybersecurity Incident''
Proposed Rule 10 would define the term ``cybersecurity incident''
to mean an unauthorized occurrence on or conducted through a Market
Entity's information systems that jeopardizes the confidentiality,
integrity, or availability of the information systems or any
information residing on those systems.\168\ The objective is to use a
term that is broad enough to encompass within the definition of
``cybersecurity incident'' the various categories of unauthorized
occurrences that can impact an information system (e.g., unauthorized
access, use, disclosure, downloading, disruption, modification, or
destruction). As discussed earlier, the sources of cybersecurity risk
are myriad as are the tactics, techniques, and procedures employed by
threat actors.\169\
---------------------------------------------------------------------------
\168\ See paragraph (a)(2) of proposed Rule 10. See generally,
NIST Glossary (defining ``cybersecurity risk'' as ``an effect of
uncertainty on or within information and technology'' and defining
``incident'' as ``an occurrence that actually or potentially
jeopardizes the confidentiality, integrity, or availability of an
information system or the information the system processes, stores,
or transmits or that constitutes a violation or imminent threat of
violation of security policies, security procedures, or acceptable
use policies''); FISMA (defining ``incident'' as an ``occurrence''
that: (1) actually or imminently jeopardizes, without lawful
authority, the integrity, confidentiality, or availability of
information or an information system; or (2) constitutes a violation
or imminent threat of violation of law, security policies, security
procedures, or acceptable use policies. 44 U.S.C. 3552(b)(2).
\169\ See section I.A.1. of this release (discussing the sources
of the cybersecurity risk).
---------------------------------------------------------------------------
The definition of ``cybersecurity incident'' in proposed Rule 10 is
designed to include any unauthorized incident impacting an information
system or the information residing on the system. An information system
can experience an unauthorized occurrence without a threat actor itself
directly obtaining unauthorized access to the system. For example, a
social engineering tactic could cause an employee to upload ransomware
unintentionally that encrypts the information residing on the system or
a DoS attack could cause the information system to shut down. In either
case, the threat actor did not need to access the information system to
cause harm.
While the definition is intended to be broad, the occurrence must
be one that jeopardizes (i.e., places at risk) the confidentiality,
integrity, or availability of the information systems or any
information residing on those systems. Confidentiality would be
jeopardized if the unauthorized occurrence resulted in or could result
in persons accessing an information system or the information residing
on the system who are not permitted or entitled to do so or resulted in
or could result in the disclosure of the information residing on the
information system to the public or to any person not permitted or
entitled to view it.\170\ Integrity would be jeopardized if the
unauthorized occurrence resulted in or could result in: (1) an
unpermitted or unintended modification or destruction of the
[[Page 20233]]
information system or the information residing on the system; or (2)
otherwise resulted in or could result in a compromise of the
authenticity of the information system (including its operations and
output) and the information residing on the system.\171\ Availability
would be jeopardized if the unauthorized occurrence resulted in or
could result in the Market Entity or other authorized users being
unable to access or use the information system or information residing
on the system or being unable access or use the information system or
information residing on the system in a timely or reliable manner.\172\
---------------------------------------------------------------------------
\170\ See generally NIST Glossary (defining ``confidentiality''
as ``preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and
proprietary information'').
\171\ See generally NIST Glossary (defining ``integrity'' as
``guarding against improper information modification or destruction,
and includes ensuring information non-repudiation and
authenticity'').
\172\ See generally NIST Glossary (defining ``availability'' as
``ensuring timely and reliable access to and use of information'').
---------------------------------------------------------------------------
3. ``Significant Cybersecurity Incident''
Proposed Rule 10 would have a two-pronged definition of
``significant cybersecurity incident.'' \173\ The first prong of the
definition would be a cybersecurity incident, or a group of related
cybersecurity incidents, that significantly disrupts or degrades the
ability of the Market Entity to maintain critical operations.\174\ As
discussed earlier, significant cybersecurity incidents can negatively
impact information systems and the information residing on information
systems in two fundamental ways. First, they can disrupt or degrade the
information system or the information residing on the information
system in a manner that prevents the Market Entity from performing
functions that rely on the system operating as designed (e.g., an order
routing system of an national securities exchange or a margin
calculation and collection system of a clearing agency) or that rely on
the Market Entity being able to process or access information on the
system (e.g., a general ledger of a broker-dealer or SBS Entity that
tracks and records securities transactions).\175\ This type of harm can
be caused by, for example, a ransomware attack that encrypts the
information stored on the system, a DoS attack that overwhelms the
information system, or hackers taking control of a the system or
shutting it down. Generally, critical operations would be activities,
processes, and services that if disrupted could prevent the Market
Entity from continuing to operate or prevent it from performing a
service that supports the fair, orderly, and efficient functioning of
the U.S. securities markets.\176\
---------------------------------------------------------------------------
\173\ See paragraphs (a)(10)(i) and (ii) of proposed Rule 10.
\174\ See paragraph (a)(10)(i) of proposed Rule 10.
\175\ See sections I.A.1. and I.A.2. of this release (discussing
the consequences of these types of information system degradations
and disruptions). This type of impact would compromise the integrity
or availability of the information system. See generally NIST
Glossary (defining ``integrity'' as ``guarding against improper
information modification or destruction, and includes ensuring
information non-repudiation and authenticity'' and ``availability''
as ``ensuring timely and reliable access to and use of
information'').
\176\ See, e.g., Basel Committee on Banking Supervision,
Principles for Operational Resilience (Mar. 2021) (``The term
critical operations is based on the Joint Forum's 2006 high-level
principles for business continuity. It encompasses critical
functions as defined by the FSB and is expanded to include
activities, processes, services and their relevant supporting assets
the disruption of which would be material to the continued operation
of the bank or its role in the financial system.'') (footnotes
omitted).
---------------------------------------------------------------------------
The second fundamental way that a significant cybersecurity
incident can negatively impact an information system or the information
residing on the information system is when unauthorized persons are
able to access and use the information stored on the information system
(e.g., proprietary business information or personal information).\177\
Therefore, the second prong of the definition would be a cybersecurity
incident, or a group of related cybersecurity incidents, that leads to
the unauthorized access or use of the information or information
systems of the Market Entity, where the unauthorized access or use of
such information or information systems results in or is reasonably
likely to result in: (1) substantial harm to the Market Entity; or (2)
substantial harm to a customer, counterparty, member, registrant, or
user of the Market Entity, or to any other person that interacts with
the Market Entity.\178\ As discussed earlier, this kind of significant
cybersecurity incident could lead to the improper use of this
information to harm persons to whom it pertains (e.g., public exposure
of their confidential financial information or the use of that
information to steal their identities) or provide the unauthorized user
with an unfair advantage over other market participants (e.g., trading
based on confidential business information).\179\
---------------------------------------------------------------------------
\177\ See sections I.A.1. and I.A.2. of this release (discussing
the consequences of this type of compromise of an information
system). This type of impact would compromise the confidentiality of
the information system. See generally NIST Glossary (defining
``confidentiality'' as ``preserving authorized restrictions on
information access and disclosure, including means for protecting
personal privacy and proprietary information'').
\178\ See paragraph (a)(10)(ii) of proposed Rule 10. There could
be instances where a significant cybersecurity incident meets both
prongs. For example, an unauthorized user that is able to access the
Market Entity's internal computer systems could shut down critical
operations of the Market Entity and use information on the systems
to steal assets of the Market Entity or assets or identities of the
Market Entity's customers.
\179\ See sections I.A.1. and I.A.2. of this release (discussing
the consequences of this type of compromise of an information
system).
---------------------------------------------------------------------------
4. ``Cybersecurity Threat''
Proposed Rule 10 would define the term ``cybersecurity threat'' to
mean any potential occurrence that may result in an unauthorized effort
to affect adversely the confidentiality, integrity, or availability of
a Market Entity's information systems or any information residing on
those systems.\180\ As discussed earlier, threat actors use a number of
different tactics, techniques, and procedures (e.g., malware, social
engineering, hacking, DoS attacks) to commit cyber-related crime.\181\
These threat actors may be nation states, individuals (acting alone or
as part of organized syndicates) seeking financial gain, or individuals
seeking to cause harm for a variety of reasons. Further, the threat
actors may be external or internal actors. Also, as discussed earlier,
errors can pose a cybersecurity threat (e.g., accidentally providing
access to confidential information to individuals that are not
authorized to view or use it). The definition of ``cybersecurity
threat'' in proposed Rule 10 is designed to include the potential
actions of threat actors (e.g., seeking to install malware on or hack
into an information system or engaging in social engineering tactics)
and potential errors (e.g., an employee failing to secure confidential,
proprietary, and personal information) that may result in an
unauthorized effort to affect adversely the confidentiality, integrity,
or availability of a Market Entity's information systems or any
information residing on those systems.
---------------------------------------------------------------------------
\180\ See paragraph (a)(4) of proposed Rule 10. See generally
NIST Glossary (defining ``threat'' as any circumstance or event with
the potential to adversely impact organizational operations
(including mission, functions, image, or reputation), organizational
assets, or individuals through an information system via
unauthorized access, destruction, disclosure, modification of
information, and/or denial of service and also the potential for a
threat-source to successfully exploit a particular information
system vulnerability).
\181\ See section I.A.1. of this release (discussing the various
tactics, techniques, and procedures used by threat actors).
---------------------------------------------------------------------------
5. ``Cybersecurity Vulnerability''
Proposed Rule 10 would define the term ``cybersecurity
vulnerability'' to mean a vulnerability in a Market Entity's
information systems, information system security procedures, or
internal controls, including, for example, vulnerabilities in their
design,
[[Page 20234]]
configuration, maintenance, or implementation that, if exploited, could
result in a cybersecurity incident.\182\ Cybersecurity vulnerabilities
are weaknesses in the Covered Entity's information systems that threat
actors could exploit, for example, to hack into the system or install
malware.\183\ One example would be an information system that uses
outdated software that is no longer updated to address known flaws that
could be exploited by threat actors to access the system. Cybersecurity
vulnerabilities also are weaknesses in the procedures and controls the
Market Entity uses to protect its information systems and the
information residing on them such as procedures and controls that do
not require outdated software to be replaced or that do not adequately
restrict access to the system. Cybersecurity vulnerabilities can also
include lack of training opportunities for employees to increase their
cybersecurity awareness, such as how to properly secure sensitive data
and recognize harmful files. The definition of ``cybersecurity
vulnerability'' in proposed Rule 10 is designed to include weaknesses
in the information systems themselves and weaknesses in the measures
the Covered Entity takes to protect the systems and the information
residing on the systems.
---------------------------------------------------------------------------
\182\ See paragraph (a)(5) of proposed Rule 10. See generally
NIST Glossary (defining ``vulnerability'' as a weakness in an
information system, system security procedures, internal controls,
or implementation that could be exploited or triggered by a threat
source'').
\183\ See section I.A.1. of this release (discussing information
system vulnerabilities). See generally CISA 2021 Vulnerability
Report (``Globally, in 2021, malicious cyber actors targeted
internet-facing systems, such as email servers and virtual private
network (VPN) servers, with exploits of newly disclosed
vulnerabilities.'').
---------------------------------------------------------------------------
6. ``Cybersecurity Risk''
Proposed Rule 10 would define the term ``cybersecurity risk'' to
mean financial, operational, legal, reputational, and other adverse
consequences that could stem from cybersecurity incidents,
cybersecurity threats, and cybersecurity vulnerabilities.\184\ As
discussed earlier, cybersecurity incidents have the potential to cause
harm to Market Entities and others who use their services or are
connected to them through information systems and, if severe enough,
negatively impact the fair, orderly, and efficient operations of the
U.S. securities markets.\185\ The definition of ``cybersecurity risk''
in proposed Rule 10 is designed to encompass the types of harm and
damage that can befall a Market Entity that experiences a cybersecurity
incident.
---------------------------------------------------------------------------
\184\ See paragraph (a)(3) of proposed Rule 10. See also
paragraphs (a)(4) and (5) of proposed Rule 10 (defining,
respectively, ``cybersecurity threat'' to mean ``any potential
occurrence that may result in an unauthorized effort to affect
adversely the confidentiality, integrity, or availability of a
Market Entity's information systems or any information residing on
those systems'' and ``cybersecurity vulnerability'' to mean ``a
vulnerability in a Market Entity's information systems, information
system security procedures, or internal controls, including, for
example, vulnerabilities in their design, configuration,
maintenance, or implementation that, if exploited, could result in a
cybersecurity incident'').
\185\ See sections I.A.1. and I.A.2. of this release
(discussing, respectively, the harms that can be caused by
significant cybersecurity incidents generally and with respect to
each category of Market Entity).
---------------------------------------------------------------------------
7. ``Information''
As discussed in more detail below, a Market Entity would be
required under proposed Rule 10 to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
the Market Entity's cybersecurity risks.\186\ Cybersecurity risks--as
discussed above--would be financial, operational, legal, reputational,
and other adverse consequences that could result from cybersecurity
incidents, cybersecurity threats, and cybersecurity
vulnerabilities.\187\ Cybersecurity incidents would be unauthorized
occurrences on or conducted through a market entity's information
systems that jeopardize the confidentiality, integrity, or availability
of the information systems or any information residing on those
systems.\188\ Cybersecurity threats would be any potential occurrences
that may result in an unauthorized effort to affect adversely the
confidentiality, integrity, or availability of a market entity's
information systems or any information residing on those systems.\189\
Finally, cybersecurity vulnerabilities would be a vulnerability in a
Market Entity's information systems, information system security
procedures, or internal controls, including, for example,
vulnerabilities in their design, configuration, maintenance, or
implementation that, if exploited, could result in a cybersecurity
incident.\190\ Consequently, the policies and procedures required under
proposed Rule 10 would need to cover all of the Market Entity's
information systems and information residing on those systems in order
to address the Market Entity's cybersecurity risks.
---------------------------------------------------------------------------
\186\ See paragraphs (b)(1) and (e) of proposed Rule 10
(requiring Covered Entities and Non-Covered Entities, respectively,
to have policies and procedures to address their cybersecurity
risks); sections II.B.1. and II.C. of this release (discussing the
requirements of paragraphs (b)(1) and (e) of proposed Rule 10,
respectively, in more detail).
\187\ See paragraph (a)(3) of proposed Rule 10 (defining
``cybersecurity risk'').
\188\ See paragraph (a)(2) of proposed Rule 10 (defining
``cybersecurity incident'').
\189\ See paragraph (a)(4) of proposed Rule 10 (defining
``cybersecurity threat'').
\190\ See paragraph (a)(5) of proposed Rule 10 (defining
``cybersecurity vulnerability'').
---------------------------------------------------------------------------
Proposed Rule 10 would define the term ``information'' to mean any
records or data related to the Market Entity's business residing on the
Market Entity's information systems, including, for example, personal
information received, maintained, created, or processed by the Market
Entity.\191\ The definition is designed to cover the full range of
information stored by Market Entities on their information systems
regardless of the digital format in which the information is
stored.\192\ As discussed earlier, Market Entities create and maintain
a wide range of information on their information systems.\193\ This
includes information used to manage and conduct their operations,
manage and mitigate their risks, monitor the progress of their
business, track their financial condition, prepare financial
statements, prepare regulatory filings, and prepare tax returns. They
also store personal, confidential, and proprietary business information
about their customers, counterparties, members, registrants or users.
This includes information maintained by clearing agencies, the MSRB,
the national securities exchanges, and SBSDRs about market activity and
about their members, registrants, and users.
---------------------------------------------------------------------------
\191\ See paragraph (a)(6) of proposed Rule 10.
\192\ See generally NIST Glossary (defining ``information'' as
any communication or representation of knowledge such as facts,
data, or opinions in any medium or form, including textual,
numerical, graphic, cartographic, narrative, or audiovisual. Id.
(defining ``data'' (among other things) as: (1) pieces of
information from which ``understandable information'' is derived;
(2) distinct pieces of digital information that have been formatted
in a specific way; and (3) a subset of information in an electronic
format that allows it to be retrieved or transmitted. Id. (defining
``records'' (among other things) as units of related data fields
(i.e., groups of data fields that can be accessed by a program and
that contain the complete set of information on particular items).
\193\ See section I.A.2. of this release.
---------------------------------------------------------------------------
The information maintained by Market Entities on their information
systems is an attractive target for threat actors, particularly
confidential, proprietary, and personal information.\194\ Also, it also
can be
[[Page 20235]]
critical to performing their various functions, and the inability to
access and use their information could disrupt or degrade their ability
to operate in support of the fair, orderly, and efficient operation of
the U.S. securities markets.\195\ Consequently, protecting the
confidentiality, integrity, and availability of information residing on
a Market Entity's information systems is critical to avoiding the harms
that can be caused by cybersecurity risk. The definition of
``information'' in proposed Rule 10 is designed to encompass this
information and, therefore, to extend the proposed protections of the
rule to it.
---------------------------------------------------------------------------
\194\ See sections I.A.1. and I.A.2 of this release (discussing
how threat actors seek unauthorized access to and use of
confidential, proprietary, and personal information to, among other
reasons, conduct espionage operations, steal identities, use it for
business advantage, hold it hostage (in effect) through a ransomware
attack, or sell it to other threat actors).
\195\ Id.
---------------------------------------------------------------------------
8. ``Information Systems''
The policies and procedures required under proposed Rule 10 also
would need to cover the Market Entity's information systems in order to
address the Market Entity's cybersecurity risks. Proposed Rule 10 would
define the term ``information systems'' to mean the information
resources owned or used by the Market Entity, including, for example,
physical or virtual infrastructure controlled by the information
resources, or components thereof, organized for the collection,
processing, maintenance, use, sharing, dissemination, or disposition of
the Market Entity's information to maintain or support the Market
Entity's operations.\196\
---------------------------------------------------------------------------
\196\ See paragraph (a)(7) of proposed Rule 10.
---------------------------------------------------------------------------
As discussed earlier, Market Entities use information systems to
perform a wide range of functions.\197\ For example, they use
information systems to maintain books and records to manage and conduct
their operations, manage and mitigate their risks, monitor the progress
of their business, track their financial condition, prepare financial
statements, prepare regulatory filings, and prepare tax returns. Market
Entities also use information systems so that their employees can
communicate with each other and with external persons. These include
email, text messaging, and virtual meeting applications. They also use
internet websites to communicate information to their customers,
counterparties, members, registrants, or users. They use information
systems to perform the functions associated with their status and
obligations as a broker-dealer, registered or exempt clearing agency,
national securities association, national securities exchange, SBSDR,
SBS Entity, SRO, or transfer agent.
---------------------------------------------------------------------------
\197\ See section I.A.2. of this release.
---------------------------------------------------------------------------
Information systems are targets that threat actors attack to access
and use information maintained by Market Entities related to their
business (particularly confidential, proprietary, and personal
information).\198\ In addition, the interconnectedness of Market
Entities through information systems creates channels through which
malware, viruses, and other destructive cybersecurity threats can
spread throughout the financial system. Moreover, the disruption or
degradation of a Market Entity's information systems could negatively
impact the entity's ability to operate in support of the U.S.
securities markets.\199\ Consequently, protecting the confidentiality,
integrity, and availability of a Market Entity's information systems is
critical to avoiding the harms that can be caused by cybersecurity
risk. The definition of the term ``information systems'' in proposed
Rule 10 is designed to be broad enough to encompass all the electronic
information resources owned or used by a Market Entity to carry out its
various operations. Accordingly, the definition of ``information
systems'' would require a Market Entity's policies and procedures to
address cybersecurity risks to cover all of its information systems.
---------------------------------------------------------------------------
\198\ See sections I.A.1. and I.A.2. of this release.
\199\ Id.
---------------------------------------------------------------------------
9. ``Personal Information''
Proposed Rule 10 would define the term ``personal information'' to
mean any information that can be used, alone or in conjunction with any
other information, to identify a person, including, but not limited to,
name, date of birth, place of birth, telephone number, street address,
mother's maiden name, Social Security number, government passport
number, driver's license number, electronic mail address, account
number, account password, biometric records, or other non-public
authentication information.\200\ The definition of ``personal
information'' was guided by a number of established sources and aims to
capture a broad array of information that can reside on a Market
Entity's information systems that may be used alone, or with other
information, to identify an individual. The definition is designed to
encompass information that if compromised could cause harm to the
individuals to whom the information pertains (e.g., identity theft or
theft of assets).
---------------------------------------------------------------------------
\200\ See paragraph (a)(9) of proposed Rule 10. See generally
NIST Glossary (defining ``personal information'' as information that
can be used to distinguish or trace an individual's identity, either
alone or when combined with other information that is linked or
linkable to a specific individual and defining ``personally
identifying information'' (among other things) as information that
can be used to distinguish or trace an individual's identity--such
as name, social security number, biometric data records--either
alone or when combined with other personal or identifying
information that is linked or linkable to a specific individual
(e.g., date and place of birth, mother's maiden name, etc.)); 17 CFR
248.201(b)(8) ((defining ``identifying information'' as any name or
number that may be used, alone or in conjunction with any other
information, to identify a specific person, including any: (1) name,
Social Security number, date of birth, official State or government
issued driver's license or identification number, alien registration
number, government passport number, employer or taxpayer
identification number; (2) unique biometric data, such as
fingerprint, voice print, retina or iris image, or other unique
physical representation; (3) unique electronic identification
number, address, or routing code; or (4) telecommunication
identifying information or access device (as defined in 18 U.S.C.
1029(e))).
---------------------------------------------------------------------------
Personal information is an attractive target for threat actors
because they can use it to steal a person's identity and then use the
stolen identity to appropriate the person's assets through unauthorized
transactions or to make unlawful purchases on credit or to effect other
unlawful transactions in the name of the person.\201\ They also can
sell personal information they obtain through unauthorized access to an
information system to criminals who will seek to use the information
for these purposes. Moreover, the victims of identity theft can be the
more vulnerable members of society (e.g., individuals on fixed-incomes,
including retirees). Consequently, proposed Rule 10 would have a
provision that specifically addresses protecting personal
information.\202\
---------------------------------------------------------------------------
\201\ See sections I.A.1. and I.A.2. of this release.
\202\ See paragraph (b)(1)(iii)(A)(2) of proposed Rule 10. See
also proposed Form SCIR, which would elicit information about
whether personal information was compromised in a significant
cybersecurity incident.
---------------------------------------------------------------------------
10. Request for Comment
The Commission requests comment on all aspects of the proposed
definitions. In addition, the Commission is requesting comment on the
following specific aspects of the proposals:
1. In designing the definitions of proposed Rule 10, the Commission
considered a number of sources cited in the sections above, including,
in particular, the NIST Glossary and certain Federal statutes and
regulations. Are these appropriate sources to consider? If so, explain
why. If not, explain why not. Are there other sources the Commission
should use? If so, identify them and explain why they should be
considered and how they
[[Page 20236]]
could inform potential modifications to the definitions.
2. In determining which categories of Market Entities would be
Covered Entities subject to the additional requirements of proposed
Rule 10, the Commission considered: (1) how the category of Market
Entity supports the fair, orderly, and efficient operation of the U.S.
securities markets and the consequences if that type of broker-dealer's
critical functions were disrupted or degraded by a significant
cybersecurity incident; (2) the harm that could befall investors,
including retail investors, if that category of Market Entity's
functions were disrupted or degraded by a significant cybersecurity
incident; (3) the extent to which the category of Market Entity poses
cybersecurity risk to other Market Entities though information system
connections, including the number of connections; (4) the extent to
which the category of Market Entity would be an attractive target for
threat actors; and (5) the personal, confidential, and proprietary
business information about the category of Market Entity and other
persons (e.g., investors) stored on the Market Entity's information
systems and the harm that could be caused if that information was
accessed or used by threat actors through a cybersecurity breach. Are
these appropriate factors to consider? If so, explain why. If not,
explain why not. Are there other factors the Commission should take
into account? If so, identify them and explain why they should be
considered.
3. Should proposed Rule 10 be modified to include other categories
of broker-dealers as Covered Entities? If so, identify the category of
broker-dealers and explain how to define broker-dealers within that
category and why it would be appropriate to apply the additional
policies and procedures, reporting, and disclosure requirements of the
proposed rule to that category of broker-dealers. For example, should
the $50 million regulatory capital threshold be lowered (e.g., to $25
million or some other amount) or should the $1 billion total assets
threshold be lowered (e.g., to $500 million or some other amount) to
include more broker-dealers as Covered Entities? If so, identify the
threshold and explain why it would be appropriate to apply the
additional requirements to broker-dealers that fall within that
threshold.
4. Should proposed Rule 10 be modified to include as a Covered
Entity any broker-dealer that is an SCI entity for the purposes of
Regulation SCI? Currently, under Regulation SCI, an ATS that trades
certain stocks exceeding specific volume thresholds is an SCI entity?
\203\ As discussed above, a broker-dealer that operates an ATS would be
a Covered Entity under proposed Rule 10 and, therefore, subject to the
additional policies and procedures, reporting, and disclosure
requirements of the proposed rule. However, the Commission is proposing
to amend Regulation SCI to broaden the definition of ``SCI entity'' to
include, among other Commission registrants, a broker-dealer that
exceeds an asset-based size threshold or a volume-based trading
threshold in NMS stocks, exchange-listed options, agency securities, or
U.S. treasury securities.\204\ A broker-dealer that exceeds the asset-
based size threshold under the proposed amendments to Regulation SCI
(which would be several hundred billion dollars) would be subject to
the requirements of proposed Rule 10 applicable to Covered Entities, as
it would exceed the $1 billion total assets threshold in the broker-
dealer definition of ``covered entity.'' \205\ Further, a broker-dealer
that exceeds one or more of the volume-based trading thresholds under
the proposed amendments to Regulation SCI likely would meet one of the
broker-dealer definitions of ``covered entity'' in proposed Rule 10
given its size and activities. For example, it may be carrying broker-
dealer, have regulatory capital equal to or exceeding $50 million, have
total assets equal to or exceeding $1 billion, or operate as a market
maker.\206\ Nonetheless, should the definition of ``covered entity'' in
proposed Rule 10 be modified to include any broker-dealer that is an
SCI entity under Regulation SCI? If so, explain why. If not, explain
why not.
---------------------------------------------------------------------------
\203\ See 17 CFR 242.1000 (defining the term ``SCI alternative
trading system'' and including that defined term in the definition
of ``SCI Entity'').
\204\ Regulation SCI 2023 Proposing Release.
\205\ See paragraph (a)(1)(i)(D) of proposed Rule 10. See also
section II.F.1.c. of this release (discussing why this type of
broker-dealer would be a Covered Entity).
\206\ See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed
Rule 10 (defining these categories of broker-dealers as ``covered
entities''). See also section II.F.1.c. of this release (discussing
why this type of broker-dealer likely would be a Covered Entity).
---------------------------------------------------------------------------
5. Should proposed Rule 10 be modified to narrow the categories of
broker-dealers that would be Covered Entities? If so, explain how the
category should be narrowed and why it would be appropriate not to
apply the additional requirements to broker-dealers that would no
longer be included as Covered Entities. For example, are there certain
types of carrying broker-dealers, introducing broker-dealers, market
makers, or ATSs that should not be included as Covered Entities? If so,
identify the type of broker-dealer and explain why it would be
appropriate not to impose the additional policies and procedures,
reporting, and disclosure requirements of the proposed rule on that
type of broker-dealer. Similarly, should the proposed $50 million
regulatory capital threshold be increased (e.g., to $100 million or
some other amount) or should the $1 billion total assets threshold be
increased (e.g., to $5 billion or some other amount) to exclude more
broker-dealers from the definition of ``covered entity''? If so,
identify the threshold and explain why it would be appropriate not to
apply the additional requirements on the broker-dealers that would not
be Covered Entities under the narrower definition.
6. Should proposed Rule 10 be modified to divide other categories
of Market Entities into Covered Entities and Non-Covered Entities? If
so, identify the category of Market Entity and explain how to define
Covered Entity and Non-Covered Entity within that category and explain
why it would be appropriate not to impose the additional policies and
procedures, reporting, and disclosure requirements on the Market
Entities that would be Non-Covered Entities. For example, are there
types of clearing agencies (registered or exempt), MSBSPs, national
securities exchanges, SBSDRs, SBSDs, or transfer agents that pose a
level of cybersecurity risk to the U.S. securities markets and the
participants in those markets that is no greater than the cybersecurity
risk posed by the categories of broker-dealers that would be Non-
Covered Entities? If so, explain why it would be appropriate not to
apply the additional requirements of proposed Rule 10 to these types of
Market Entities.
7. Should proposed Rule 10 be modified so that it applies to other
participants in the U.S. securities markets that are registered with
the Commission? If so, identify the registrant type and explain why it
should be subject to the requirements of proposed Rule 10. For example,
should competing consolidators or plan processors be subject to the
requirements of proposed Rule 10? \207\ If so, explain why. If not,
explain why not. If competing consolidators or plan processors should
be subject to proposed Rule 10, should they be treated as Covered
Entities or Non-Covered Entities? If Covered Entities,
[[Page 20237]]
explain why. If Non-Covered Entities, explain why. Should certain
competing consolidators or plan processors be treated as Covered
Entities and others be treated as Non-Covered Entities? If so, explain
how to define Covered Entity and Non-Covered Entity within that
category and explain why it would be appropriate not to apply the
additional policies and procedures, reporting, and disclosure
requirements of the proposed rule to the competing consolidators or
plan processors in that category that would not be Covered Entities.
---------------------------------------------------------------------------
\207\ See 17 CFR 242.600(16) and (67) (defining the terms
``competing consolidator'' and ``plan processor,'' respectively).
See also 17 CFR 242.1000 (defining ``SCI competing consolidator''
and defining ``SCI entity'' to include SCI competing consolidator).
---------------------------------------------------------------------------
8. Should proposed Rule 10 be modified to revise the broker-dealer
definitions of ``covered entity''? For example, in order to include
carrying broker-dealers as Covered Entities, paragraph (a)(1)(i)(A) of
proposed Rule 10 would define the term ``covered entity'' to include a
broker-dealer that maintains custody of cash and securities for
customers or other brokers-dealers and is not exempt from the
requirements of Rule 15c3-3. In addition, in order to include
introducing broker-dealers as Covered Entities, paragraph (a)(1)(i)(B)
of proposed Rule 10 would define the term ``covered entity'' to include
a broker-dealer that introduces customer accounts on a fully disclosed
basis to another broker-dealer that is a carrying broker-dealer under
paragraph (a)(1)(i)(A) of the proposed rule. Would these broker-dealer
definitions of ``covered entity'' work as designed? If not, explain why
and suggest modifications to improve their design.
9. In order to include market makers as Covered Entities, paragraph
(a)(1)(i)(E) of proposed Rule 10 would define the term ``covered
entity'' to include a broker-dealer that is a market maker under the
Exchange Act or the rules thereunder (which includes a broker-dealer
that operates pursuant to paragraph (a)(6) of Rule 15c3-1) or is a
market maker under the rules of an SRO of which the broker-dealer is a
member. Would the definition work as designed? If not, explain why and
suggest modifications to improve its design. For example, should the
definition be based on a list of the functions and activities of a
market maker as distinct from the functions and activities of other
categories of broker-dealers? If so, identify the relevant functions
and activities and explain how they could be incorporated into a
definition.
10. Should paragraph (a)(2) of proposed Rule 10 be modified to
revise the definition of ``cybersecurity incident''? For example, as
discussed above, the definition is designed to include any unauthorized
occurrence that impacts an information system or the information
residing on the system. Would the definition work as designed? If not,
explain why and suggest modifications to improve its design. Is this
design objective appropriate? If not, explain why and suggest an
alternative design objective for the definition. Is the definition of
``cybersecurity incident'' overly broad in that it refers to an
incident that jeopardizes the confidentiality, integrity, or
availability of the information systems or any information residing on
those systems? If so, explain why and suggest modifications to
appropriately narrow its scope without undermining the objective of the
rule to address cybersecurity risks facing Market Entities. Is the
definition of ``cybersecurity incident'' too narrow? If so, how should
it be broadened?
11. Should paragraph (a)(3) of proposed Rule 10 be modified to
revise definition of ``cybersecurity risk''? For example, the NIST
definition of ``cybersecurity risk'' focuses on how this risk can cause
harm: it can adversely impact organizational operations (i.e., mission,
functions, image, or reputation) and assets, individuals, other
organizations, and the Nation. The definition of ``cybersecurity risk''
in proposed Rule 10 was guided by this aspect of cybersecurity risk.
Does the definition appropriately incorporate this aspect of
cybersecurity risk? If not, explain why and suggest modifications to
improve its design. Is this design objective appropriate? If not,
explain why and suggest an alternative design objective for the
definition.
12. Should paragraph (a)(4) of proposed Rule 10 be modified to
revise the definition of ``cybersecurity threat''? For example, as
discussed above, the definition is designed to include the potential
actions of threat actors and errors that may result in an unauthorized
effort to affect adversely the confidentiality, integrity, or
availability of a Market Entity's information systems or any
information residing on those systems. Would the definition work as
designed? If not, explain why and suggest modifications to improve its
design. Is the definition of ``cybersecurity threat'' overly broad in
that it includes any ``potential occurrence''? If so, explain why and
suggest modifications to appropriately narrow its scope without
undermining the objective of the rule to address cybersecurity risks
facing Market Entities. Is the definition of ``cybersecurity threat''
too narrow? If so, how should it be broadened?
13. Should paragraph (a)(5) of proposed Rule 10 be modified to
revise the definition of ``cybersecurity vulnerability''? For example,
as discussed above, the definition is designed to include weaknesses in
the information systems themselves and weaknesses in the measures the
Covered Entity takes to protect the systems and the information
residing on the systems. Would the definition work as designed? If not,
explain why and suggest modifications to improve its design. Is this
design objective appropriate? If not, explain why and suggest an
alternative design objective for the definition. Is the definition of
``cybersecurity vulnerability'' overly broad? If so, explain why and
suggest modifications to appropriately narrow its scope without
undermining the objective of the rule to address cybersecurity risks
facing Market Entities. Is the definition of ``cybersecurity
vulnerability'' too narrow? If so, how should it be broadened?
14. Should paragraph (a)(6) of proposed Rule 10 be modified to
revise the definition of ``information''? For example, as discussed
above, the definition is designed to be broad enough to encompass the
wide range of information that resides on the information systems of
Market Entities. Would the definition work as designed? If not, explain
why and suggest modifications to improve its design. Is this design
objective appropriate? If not, explain why and suggest an alternative
design objective for the definition. For example, should the definition
focus on information that, if compromised, could cause harm to the
Market Entity or others and exclude information that, if compromised,
would not cause harm? If so, explain why and suggest rule text to
implement this modification.
15. Should paragraph (a)(7) of proposed Rule 10 be modified to
revise the definition of ``information systems''? For example, as
discussed above, the definition is designed to be broad enough to
encompass all the electronic information resources owned or used by a
Market Entity to carry out its various operations. Would the definition
work as designed? If not, explain why and suggest modifications to
improve its design. Is this design objective appropriate? If not,
explain why and suggest an alternative design objective for the
definition. Is the definition of ``information systems'' overly broad
in that it includes any information resource ``used by'' the Market
Entity, which may include information resources developed and
maintained by a third party (other than a service provider that that
receives, maintains, or processes information, or is otherwise
permitted to access the Market Entity's information systems and any of
the
[[Page 20238]]
Market Entity's information residing on those systems)? If so, explain
why and suggest modifications to improve its design. Is this design
objective appropriate? If not, explain why and suggest an alternative
design objective for the definition. Is the definition of ``information
system'' overly narrow? If so, how should it be broadened?
16. Should paragraph (a)(9) of proposed Rule 10 be modified to
revise the definition of ``personal information''? For example, as
discussed above, the definition is designed to encompass information
that if compromised could cause harm to the individuals to whom the
information pertains (e.g., identity theft or theft of assets). Would
the definition work as designed? If not, explain why and suggest
modifications to improve its design. Is this design objective
appropriate? If not, explain why and suggest an alternative design
objective for the definition.
17. Should paragraph (a)(10) of proposed Rule 10 be modified to
revise the definition of ``significant cybersecurity incident''? For
example, as discussed above, the definition would have two prongs: the
first relating to incidents that significantly disrupt or degrade the
ability of the Market Entity to maintain critical operations and the
second relating to the unauthorized access or use of the information or
information systems of the Market Entity. Are these the fundamental
ways that significant cybersecurity incidents can negatively impact
information systems and the information residing on information
systems? If not, explain why and identify other fundamental ways that
information and information systems can be negatively impacted by
significant cybersecurity incidents that should be incorporated into
the definition of ``significant cybersecurity incident.'' Should the
term ``significant'' be defined separately? If so, explain why and
suggest potential definitions for this term. Instead, of
``significant'' should the definition use the word ``material.'' If so,
explain why and how that would change the meaning of the definition.
18. Should paragraph (a)(10)(i) of proposed Rule 10 be modified to
revise the first prong of the definition of ``significant cybersecurity
incident''? For example, as explained above, the first prong is
designed to address how a ``significant cybersecurity incident'' can
disrupt or degrade the information system or the information residing
on the system in a manner that prevents the Market Entity from
performing functions that rely on the system operating as designed or
that rely on the Market Entity being able to process or access
information on the system. Would the first prong of the definition work
as designed? If not, explain why and suggest modifications to improve
its design. Is this design objective appropriate? If not, explain why
and suggest an alternative design objective for the first prong of the
definition. For example, should the first prong of the definition be
limited to cybersecurity incidents that ``disrupt'' the ability of the
Market Entity to maintain critical operations (i.e., not include
incidents that ``degrade'' that ability)? If so, explain why and also
explain how to distinguish between an incident that degrades the
ability of the Market Entity to maintain critical operations and an
incident that disrupts that ability. Also, explain why reporting to the
Commission and other regulators (as applicable) and publicly disclosing
incidents that degrade the ability of the Market Entity to maintain
critical operations would not be necessary because they would no longer
be significant cybersecurity incidents.\208\
---------------------------------------------------------------------------
\208\ See paragraphs (c) and (d) of proposed Rule 10 (requiring,
respectively, immediate notification and subsequent reporting of
significant cybersecurity incidents and public disclosure of
significant cybersecurity incidents).
---------------------------------------------------------------------------
19. Should paragraph (a)(10)(ii) of proposed Rule 10 be modified be
to revise the second prong of the definition of ``significant
cybersecurity incident''? For example, as explained above, the second
prong is designed to address how a ``significant cybersecurity
incident'' can cause harm if unauthorized persons are able to access
and use the information system or the information residing on the
system. Would the definition work as designed? If not, explain why and
suggest modifications to improve its design. Is this design objective
appropriate? If not, explain why and suggest an alternative design
objective for the second prong of the definition. For example, should
the second prong of the definition be limited to cybersecurity
incidents that ``result'' in substantial harm to the Market Entity or
substantial harm to a customer, counterparty, member, registrant, or
user of the Market entity, or to any other person that interacts with
the Market Entity (i.e., not include incidents that are ``reasonably
likely'' to result in these consequences)? If so, explain why and also
explain why reporting to the Commission and other regulators (as
applicable) and publicly disclosing incidents that are reasonably
likely to result in these consequences would not be necessary because
they would no longer be significant cybersecurity incidents.\209\
Alternatively, should the second prong of the definition be limited to
an incident of unauthorized access or use that leads to ``substantial
harm'' to a customer, counterparty, member, registrant or user of the
Covered Entity, or should ``inconvenience'' to a customer,
counterparty, member, registrant or user be enough? If yes, explain
why. Should the second prong of the definition be modified so that it
is limited to cybersecurity incidents that result in or are reasonably
likely to result in substantial harm to more than one customer,
counterparty, member, registrant, or user of the Market Entity, or to
any other market participant that interacts with the Market Entity? If
so, explain why.
---------------------------------------------------------------------------
\209\ See paragraphs (c) and (d) of proposed Rule 10 (requiring,
respectively, immediate notification and subsequent reporting of
significant cybersecurity incidents and public disclosure of
significant cybersecurity incidents).
---------------------------------------------------------------------------
20. Should proposed Rule 10 be modified to define additional terms
for the purposes of the rule and Parts I and II of proposed Form SCIR?
If so, identify the term, suggest a definition, and explain why
including the definition would be appropriate. For example, would
including additional defined terms improve the clarity of the
requirements of proposed Rule 10 and Parts I and II of proposed Form
SCIR? If so, explain why. Should proposed Rule 10 be modified to define
the terms ``confidentiality,'' ``integrity'', and ``availability''? If
so, explain why and suggest definitions.
B. Proposed Requirements for Covered Entities
1. Cybersecurity Risk Management Policies and Procedures
Risk management is the ongoing process of identifying, assessing,
and responding to risk.\210\ To manage risk generally, Market Entities
should understand the likelihood that an event will occur and the
potential resulting impacts.\211\ Cybersecurity risk--like other
business risks (e.g., market, credit, or liquidity risk)--can be
addressed through policies and procedures that are reasonably designed
to manage the risk.\212\
---------------------------------------------------------------------------
\210\ See generally NIST Framework.
\211\ Id.
\212\ See generally CISA Cyber Essentials Starter Kit (stating
that organizations should ``approach cyber as business risk'').
---------------------------------------------------------------------------
Accordingly, proposed Rule 10 would require Covered Entities to
establish, maintain, and enforce written policies and procedures that
are reasonably designed to address the Covered Entity's
[[Page 20239]]
cybersecurity risks.\213\ Further, proposed Rule 10 would set forth
minimum elements that would need to be included in the policies and
procedures.\214\ In particular, the policies and procedures would need
to address: (1) risk assessment; (2) user security and access; (3)
information protection; (4) cybersecurity threat and vulnerability
management; and (5) cybersecurity incident response and recovery. As
discussed in more detail below, the inclusion of these elements is
designed to enumerate the core areas that Covered Entities would need
to address when designing, implementing, and assessing their policies
and procedures. Proposed Rule 10 also would require Covered Entities to
review annually and assess their policies and procedures and prepare a
written report describing the review and other related matters. Taken
together, these requirements are designed to position Covered Entities
to be better prepared to protect themselves against cybersecurity
risks, to mitigate cybersecurity threats and vulnerabilities, and to
recover from cybersecurity incidents. They are also designed to help
ensure that Covered Entities focus their efforts and resources on the
cybersecurity risks associated with their operations and business
practices.
---------------------------------------------------------------------------
\213\ See paragraph (b)(1) of proposed Rule 10.
\214\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
Covered Entities may wish to consult a number of resources in
connection with these elements. See generally NIST Framework; CISA
Cyber Essentials Starter Kit.
---------------------------------------------------------------------------
The policies and procedures that would be required by proposed Rule
10--because they would need to address the Covered Entity's
cybersecurity risks--generally should be tailored to the nature and
scope of the Covered Entity's business and address the Covered Entity's
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to
impose a one-size-fits-all approach to addressing cybersecurity risks.
In addition, cybersecurity threats are constantly evolving and measures
to address those threats continue to evolve. Therefore, proposed Rule
10 is designed to provide Covered Entities with the flexibility to
update and modify their policies and procedures as needed so that that
they continue to be reasonably designed to address the Covered Entity's
cybersecurity risks over time.
a. Risk Assessment
Proposed Rule 10 would specify that the Covered Entity's
cybersecurity risk management policies and procedures must include
policies and procedures that require periodic assessments of
cybersecurity risks associated with the Covered Entity's information
systems and information residing on those systems.\215\ Further, with
respect to the periodic assessments, the policies and procedures would
need to include two components.
---------------------------------------------------------------------------
\215\ See paragraph (b)(1)(i)(A) of proposed Rule 10. See
generally NIST Framework (providing that the first core element of
the framework is ``identify''--meaning develop an organizational
understanding to manage cybersecurity risk to systems, people,
assets, data, and capabilities); IOSCO Cybersecurity Report (``A key
component of the risk management program is the identification of
critical assets, information and systems, including order routing
systems, risk management systems, execution systems, data
dissemination systems, and surveillance systems. Practices
supporting the identification function include the establishment and
maintenance of an inventory of all hardware and software. This risk
management program should also typically include third-party and
technology providers' security assessments. Finally, accessing
information about the evolving threat landscape is important in
identifying the changing nature of cyber risk.'').
---------------------------------------------------------------------------
First, the policies and procedures would need to provide that the
Covered Entity will categorize and prioritize cybersecurity risks based
on an inventory of the components of the Covered Entity's information
systems and information residing on those systems and the potential
effect of a cybersecurity incident on the Covered Entity.\216\ As
discussed earlier, proposed Rule 10 would define the term
``cybersecurity risk'' to mean financial, operational, legal,
reputational, and other adverse consequences that could result from
cybersecurity incidents, cybersecurity threats, and cybersecurity
vulnerabilities.\217\ For example, Covered Entities may be subject to
different cybersecurity risks as a result of, among other things: (1)
the functions they perform and the extent to which they use information
systems to perform those functions; (2) the criticality of the
functions they perform that rely on information systems; (3) the
interconnectedness of their information systems with third-party
information systems; (4) the software that operates on their
information systems, including whether it is proprietary or vender-
supplied software; (5) the nature and volume of the information they
store on information systems (e.g., personal, confidential, and/or
proprietary information); (6) the complexity and scale of their
information systems (i.e., the size of their IT footprint); (7) the
location of their information systems; (8) the number of users
authorized to access their information systems; (9) the types of
devices permitted to access their information systems (e.g., company-
owned or personal desktop computers, laptop computers, or smart
phones); (10) the extent to which they conduct international operations
and allow access to their information systems from international
locations; and (11) the extent to which employees access their
information systems from remote locations, including international
locations. In categorizing and prioritizing cybersecurity risks, the
Covered Entity generally should consider consulting with, among others,
personnel familiar with the Covered Entity's operations, its business
partners, and third-party cybersecurity experts.\218\ In addition, a
Covered Entity could consider an escalation protocol in its risk
assessment plan to ensure that its senior officers, including
appropriate legal and compliance personnel, receive necessary
information regarding cybersecurity risks on a timely basis.\219\ Only
after assessing, categorizing, and prioritizing its cybersecurity risks
can a Covered Entity establish, maintain, and enforce reasonably
designed cybersecurity policies and procedures under proposed Rule 10
to address those risks.
---------------------------------------------------------------------------
\216\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10. See
generally CISA Cyber Essentials Starter Kit (``Consider how much
your organization relies on information technology to conduct
business and make it a part of your culture to plan for
contingencies in the event of a cyber incident. Identify and
prioritize your organization's critical assets and the associated
impacts to operations if an incident were to occur. Ask the
questions that are necessary to understanding your security
planning, operations, and security-related goals. Develop an
understanding of how long it would take to restore normal
operations. Resist the ``it can't happen here'' pattern of thinking.
Instead, focus cyber risk discussions on ``what-if'' scenarios and
develop an incident response plan to prepare for various cyber
events and scenarios.'').
\217\ See paragraph (a)(3) of proposed Rule 10; see also
paragraphs (a)(2), (a)(4), and (a)(5) of proposed Rule 10 (defining,
respectively, the terms ``cybersecurity incident,'' cybersecurity
threat,'' and ``cybersecurity vulnerability,'' which are used in the
definition of ``cybersecurity risk'').
\218\ See generally CISA Cyber Essentials Starter Kit (``[H]ave
conversations with your staff, business partners, vendors, managed
service providers, and others within your supply chain. . . .
Maintain situational awareness of cybersecurity threats and explore
available communities of interest. These may include sector-specific
Information Sharing and Analysis Centers, government agencies, law
enforcement, associations, vendors, etc.'').
\219\ See generally id. (stating that organizational leaders
drive cybersecurity strategy, investment, and culture, and that
leaders should, among other things: (1) use risk assessments to
identify and prioritize allocation of resources and cyber
investments; (2) perform a review of all current cybersecurity and
risk policies and identify gaps or weaknesses; and (3) develop a
policy roadmap, prioritize policy creation and updates based on the
risk to the organization as determined by business leaders and
technical staff).
---------------------------------------------------------------------------
A Covered Entity also would need to reassess and re-prioritize its
cybersecurity risks periodically. The Covered Entity would need to
determine the frequency of these assessments and the types of
developments in
[[Page 20240]]
cybersecurity risk that would trigger an assessment based on its
particular circumstances. Consequently, the Covered Entity generally
should consider whether to reassess its cybersecurity risks to reflect
internal changes as they arise, such as changes to its business, online
presence, or customer website access, or external changes, such as
changes in the evolving technology and cybersecurity threat
landscape.\220\ The Covered Entity generally should also consider
raising any material changes in its risk assessment plan to senior
officers, as appropriate. In assessing ongoing and emerging
cybersecurity threats, a Covered Entity could monitor and consider
updates and guidance from private sector and governmental resources,
such as the FS-ISAC and CISA.\221\
---------------------------------------------------------------------------
\220\ See generally id. (``Maintain awareness of current events
related to cybersecurity. Be proactive; alert staff to hazards that
the organization may encounter. Maintain vigilance by asking
yourself: what types of cyber attack[s] are hitting my peers or
others in my industry? What tactics were successful in helping my
peers limit damage? What does my staff need to know to help protect
the organization and each other? On a national-level, are there any
urgent cyber threats my staff need to know about?'').
\221\ The FS-ISAC is a global private industry cyber
intelligence sharing community solely focused on financial services.
Additional information about FS-ISAC is available at https://www.fsisac.com. Often, private industry groups maintain
relationships and information sharing agreements with government
cybersecurity organizations, such as CISA. Private sector companies,
such as information technology and cybersecurity consulting
companies, may have insights on cybersecurity (given the access
their contractual status gives them to customer networks) that the
government initially does not. See, e.g., Verizon DBIR; Microsoft
Report. For example, private-sector cybersecurity firms may often be
in the position to spot new malicious cybersecurity trends before
they become more widespread and common.
---------------------------------------------------------------------------
Second, the policies and procedures would need to require the
Covered Entity to identify its service providers that receive,
maintain, or process information, or are otherwise permitted to access
its information systems and the information residing on those systems,
and assess the cybersecurity risks associated with its use of these
service providers.\222\ Covered Entities are exposed to cybersecurity
risks through the technology of their service providers.\223\ Having
identified the relevant service providers, the Covered Entity would
need to assess how they expose it to cybersecurity risks. In
identifying these cybersecurity risks, the service provider's
cybersecurity practices would be relevant, including: (1) how the
service provider protects itself against cybersecurity risk; and (2)
its ability to respond to and recover from cybersecurity incidents.
---------------------------------------------------------------------------
\222\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10;
paragraphs (a)(6) and (7) of proposed Rule 10 (defining,
respectively, the terms ``information'' and ``information
systems''). Oversight of third-party service provider or vendor risk
is a component of many cybersecurity frameworks. See, e.g., NIST
Framework (discussing supply chain risks associated with products
and services an organization uses).
\223\ See GAO Cyber Security Report (``Increased connectivity
with third-party providers and the potential for increased cyber
risk is a concern in the financial industry as core systems and
critical data are moved offsite to third parties.''). For purposes
of proposed Rule 10, the Covered Entity's assessment of service
providers should not be limited to only certain service providers,
such as those that provide core functions or services for the
Covered Entity. Rather, the cybersecurity risk of any service
provider that receives, maintains, or processes information, or is
otherwise permitted to access the information systems of the Covered
Entity and the information residing on those systems should be
evaluated. Furthermore, it is possible that a service provider for a
Covered Entity may itself be a Covered Entity under proposed Rule
10. For example, a carrying broker-dealer may be a service provider
for a number of introducing broker-dealers.
---------------------------------------------------------------------------
A Covered Entity generally should take into account whether a
cybersecurity incident at a service provider could lead to process
failures or the unauthorized access to or use of information or
information systems. For example, a Covered Entity may use a cloud
service provider to maintain required books and records. If all of the
Covered Entity's books and records were concentrated at this cloud
service provider and a cybersecurity incident disrupts or degrades the
cloud service provider's information systems, there could potentially
be detrimental data loss affecting the ability of the Covered Entity to
provide services and comply with regulatory obligations. Accordingly,
as part of identifying the cybersecurity risks associated with using a
cloud service provider, a Covered Entity should consider how the
service provider will secure and maintain data and whether the service
provider has response and recovery procedures in place such that any
compromised or lost data in the event of a cybersecurity incident can
be recovered and restored.
Finally, the Covered Entity's risk assessment policies and
procedures would need to require written documentation of these risk
assessments.\224\ This documentation would be relevant to the reviews
performed by the Covered Entity to analyze whether the policies and
procedures need to be updated, to inform the Covered Entity of risks
specific to it, and to support responses to cybersecurity risks by
identifying cybersecurity threats to information systems that, if
compromised, could result in significant cybersecurity incidents.\225\
It also could be used by Commission and SRO staff and possibly internal
auditors of the Covered Entity to examine for adherence to the risk
assessment policies and procedures.
---------------------------------------------------------------------------
\224\ See paragraph (b)(1)(i)(B) of proposed Rule 10.
\225\ See paragraph (b)(2) of proposed Rule 10 (which would
require a Covered Entity to review and assess the design and
effectiveness of the cybersecurity policies and procedures,
including whether the policies and procedures reflect changes in
cybersecurity risk over the time period covered by the review). See
also section II.B.1.f. of this release (discussing the review
proposal in more detail).
---------------------------------------------------------------------------
b. User Security and Access
Proposed Rule 10 would specify that the Covered Entity's
cybersecurity risk management policies and procedures must include
controls designed to minimize user-related risks and prevent
unauthorized access to the Covered Entity's information systems and the
information residing on those systems.\226\ Further, the rule would
require that these policies and procedures include controls addressing
five specific aspects relating to user security and access.
---------------------------------------------------------------------------
\226\ See paragraph (b)(1)(ii) of proposed Rule 10; paragraphs
(a)(6) and (7) of proposed Rule 10 (defining, respectively, the
terms ``information'' and ``information systems''). See generally
NIST Framework (providing that the second core element of the
framework is ``protect''--meaning develop and implement appropriate
safeguards to ensure delivery of critical services); CISA Cyber
Essentials Starter Kit (stating with respect to user security and
access that (among other things): (1) the authority and access
granted employees, managers, and customers into an organization's
digital environment needs limits; (2) setting approved access
privileges requires knowing who operates on an organization's
systems and with what level of authorization and accountability; and
(3) organizations should ensure only those who belong on their
``digital workplace have access''); IOSCO Cybersecurity Report
(stating that network access controls are one of the types of
controls trading venues use as the protection function).
---------------------------------------------------------------------------
First, there would need to be controls requiring standards of
behavior for individuals authorized to access the Covered Entity's
information systems and the information residing on those systems, such
as an acceptable use policy.\227\ Second, there would need to be
controls for identifying and authenticating individual users, including
but not limited to implementing authentication measures that require
users to present a combination of two or more credentials for access
verification.\228\ Third, there would need to be controls for
establishing procedures for the timely distribution, replacement, and
revocation of passwords or methods of
[[Page 20241]]
authentication.\229\ Fourth, there would need to be controls for
restricting access to specific information systems of the Covered
Entity or components thereof and the information residing on those
systems solely to individuals requiring access to the systems and
information as is necessary for them to perform their responsibilities
and functions on behalf of the Covered Entity.\230\ Fifth, there would
need to be controls for securing remote access technologies.\231\
---------------------------------------------------------------------------
\227\ See paragraph (b)(1)(ii)(A) of proposed Rule 10.
\228\ See paragraph (b)(1)(ii)(B) of proposed Rule 10.
\229\ See paragraph (b)(1)(ii)(C) of proposed Rule 10.
\230\ See paragraph (b)(1)(ii)(D) of proposed Rule 10.
\231\ See paragraph (b)(1)(ii)(E) of proposed Rule 10;
paragraphs (a)(6) and (7) of proposed Rule 10 (defining,
respectively, the terms ``information'' and ``information
systems'').
---------------------------------------------------------------------------
The objective of these policies, procedures, and controls would be
to protect the Covered Entity's information systems from unauthorized
access and improper use. There are a variety of controls that a Covered
Entity, based on its particular circumstances, could include in these
policies and procedures to make them reasonably designed to achieve
this objective. For example, access to information systems could be
controlled through the issuance of user credentials, digital rights
management with respect to proprietary hardware and copyrighted
software, authentication and authorization methods (e.g., multi-factor
authentication and geolocation), and tiered access to personal,
confidential, and proprietary information and data and network
resources.\232\ Covered Entities may wish to consider multi-factor
authentication methods that are not based solely on SMS-delivery (e.g.,
text message delivery) of authentication codes, because SMS-delivery
methods may provide less security than other non-SMS based multi-factor
authentication methods. Furthermore, Covered Entities could require
employees to attend cybersecurity training on how to secure sensitive
data and recognize harmful files prior to obtaining access to certain
information systems. The training generally could address best
practices in creating new passwords, filtering through suspicious
emails, or browsing the internet.\233\
---------------------------------------------------------------------------
\232\ See generally CISA Cyber Essentials Starter Kit (stating
that organizations should (among other things): (1) learn who is on
their networks and maintain inventories of network connections
(e.g., user accounts, vendors, and business partners); (2) leverage
multi-factor authentication for all users, starting with privileged,
administrative and remote access users; (3) grant access and
administrative permissions based on need-to-know basis; (4) leverage
unique passwords for all user accounts; and (5) develop IT policies
and procedures addressing changes in user status (e.g., transfers
and terminations).
\233\ See generally CISA Cyber Essentials Starter Kit (stating
that organizations should (among other things) leverage basic
cybersecurity training to improve exposure to cybersecurity
concepts, terminology, and activates associated with implementing
cybersecurity best practices).
---------------------------------------------------------------------------
Further, a Covered Entity could use controls to monitor user access
regularly in order to remove users that are no longer authorized. These
controls generally should address the Covered Entity's employees (e.g.,
removing access for employees that leave the firm) and external users
of the Covered Entity's information systems (e.g., customers that no
longer use the firm's services or external service providers that no
longer are under contract with the firm to provide it with any
services). In addition, controls to monitor for unauthorized login
attempts and account lockouts, and the handling of customer requests,
including for user name and password changes, could be a part of
reasonably designed policies and procedures. Similarly, controls to
assess the need to authenticate or investigate any unusual customer,
member, or user requests (e.g., wire transfer or withdrawal requests)
could be a part of reasonably designed policies and procedures.
A Covered Entity also generally should take into account the types
of technology through which its users access the Covered Entity's
information systems. For example, mobile devices (whether firm-issued
or personal devices) that allow employees to access information systems
and personal, confidential, or proprietary information residing on
these systems may create additional and unique vulnerabilities,
including when such devices are used internationally. Consequently,
controls limiting mobile or other devices approved for remote access to
those issued by the firm or enrolled through a mobile device manager
could be part of reasonably designed policies and procedures.
In addition, a Covered Entity could consider controls with respect
to its network perimeter such as securing remote network access used by
teleworking and traveling employees. This could include controls to
identify threats on a network's endpoints. For example, Covered
Entities could consider using software that monitors and inspects all
files on an endpoint, such as a mobile phone or remote laptop, and
identifies and blocks incoming unauthorized communications. Covered
Entities generally would need to consider potential user-related and
access risks relating to the remote access technologies used at their
remote work and telework locations to include controls designed to
secure such technologies. For example, a Covered Entity's personnel
working remotely from home or a co-working space may create unique
cybersecurity risks--such as unsecured or less secure Wi-Fi--that
threat actors could exploit to access the Covered Entity's information
systems and the information residing on those systems. Accordingly, a
Covered Entity could consider whether its user security and access
policies, procedures, and controls should have controls requiring
approval of mobile or other devices for remote access, and whether
training on device policies would be appropriate. The training for
remote workers in particular could focus on phishing, social
engineering, compromised passwords, and the consequences of weak
network security.
c. Information Protection
Information protection is a key aspect of managing cybersecurity
risk.\234\ Therefore, proposed Rule 10 would specify that the Covered
Entity's cybersecurity risk management policies and procedures would
need to address information protection in two ways.\235\ First, the
policies and procedures would need to include measures designed to
protect the Covered Entity's information systems and protect the
information residing on those systems from unauthorized access or use,
based on a periodic assessment of the Covered
[[Page 20242]]
Entity's information systems and the information that resides on the
systems.\236\ The periodic assessment would need to take into account:
(1) the sensitivity level and importance of the information to the
Covered Entity's business operations; (2) whether any of the
information is personal information; \237\ (3) where and how the
information is accessed, stored and transmitted, including the
monitoring of information in transmission; (4) the information systems'
access controls and malware protection; \238\ and (5) the potential
effect a cybersecurity incident involving the information could have on
the Covered Entity and its customers, counterparties, members,
registrants, or users, including the potential to cause a significant
cybersecurity incident.\239\
---------------------------------------------------------------------------
\234\ See generally NIST Framework (``The Protect Function
supports the ability to limit or contain the impact of a potential
cybersecurity event. Examples of outcome Categories within this
Function include: Identity Management and Access Control; Awareness
and Training; Data Security; Information Protection Processes and
Procedures; Maintenance; and Protective Technology.''); IOSCO
Cybersecurity Report (``There are numerous controls and protection
measures that regulated entities may wish to consider in enhancing
their cyber security. Such measures can be organizational (like the
establishment of security operations centers) or technical (like
anti-virus and intrusion prevention systems). Risk assessments help
determine the minimum level of controls to be implemented within a
project, an application or a database. In addition, employee
training and awareness initiatives are critical parts of any cyber
security program, including induction programs for newcomers,
general training, as well as more specific training (for instance,
social engineering awareness). Proficiency tests could be conducted
to demonstrate staff understanding and third party training could
also be organized. Other initiatives which contribute to raising
employees' awareness of cyber security threats include monthly
security bulletins emailed to all employees, regular communications
regarding new issues and discovered vulnerabilities, use of posters
and screen savers, and regular reminders sent to employees. Mock
tests can also be conducted to assess employees' preparedness.
Employees are also often encouraged to report possible attacks.'').
\235\ See paragraph (b)(1)(iii) of proposed Rule 10.
\236\ See paragraph (b)(1)(iii)(A) of proposed Rule 10;
paragraphs (a)(6) and (7) of proposed Rule 10 (defining,
respectively, the terms ``information'' and ``information
systems''). See generally CISA Cyber Essentials Starter Kit (``Learn
what information resides on your network. Inventory critical or
sensitive information. An inventory of information assets provides
an understanding of what you are protecting, where that information
resides, and who has access. The inventory can be tracked in a
spreadsheet, updated quickly and frequently'').
\237\ See paragraph (a)(9) of proposed Rule 10 (defining the
term ``personal information'').
\238\ See generally CISA Cyber Essentials Starter Kit
(``Leverage malware protection capabilities. Malware is designed to
spread quickly. A lack of defense against it can completely corrupt,
destroy or render your data inaccessible.'').
\239\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed
Rule 10. See generally CISA Cyber Essentials Starter Kit (``Learn
how your data is protected. Data should be handled based on its
importance to maintaining critical operations in order to understand
what your business needs to operate at a basic level. For example,
proprietary research, financial information, or development data
need protection from exposure in order to maintain operations.
Understand the means by which your data is currently protected;
focus on where the protection might be insufficient. Guidance from
the Cyber Essentials Toolkits, including authentication, encryption,
and data protection help identify methods and resources for how to
best secure your business information and devices.'').
---------------------------------------------------------------------------
By performing these assessments, a Covered Entity should be able to
determine the measures it would need to implement to prevent the
unauthorized access or use of information residing on its information
systems. Measures that could be used for this purpose include
encryption, network segmentation, and access controls to ensure that
only authorized users have access to personal, confidential, and
proprietary information and data or critical systems. Measures to
identify suspicious behavior also could be used for this purpose. These
measures could include consistent monitoring of systems and personnel,
such as the generation and review of activity logs, identification of
potential anomalous activity, and escalation of issues to senior
officers, as appropriate. Further data loss prevention measures could
include processes to identify personal, confidential, or proprietary
information and data (e.g., account numbers, Social Security numbers,
trade information, and source code) and block its transmission to
external parties. Additional measures could include testing of systems,
including penetration tests. A Covered Entity also could consider
measures to track the actions taken in response to findings from
testing and monitoring, material changes to business operations or
technology, or any other significant events. Appropriate measures for
preventing the unauthorized use of information may differ depending on
the circumstances of a Covered Entity, such as the systems used by the
Covered Entity, the Covered Entity's relationship with service
providers, or the level of access granted by the Covered Entity to
employees or contractors. Appropriate measures generally should evolve
with changes in technology and the increased sophistication of
cybersecurity attacks.
Second, the policies and procedures for protecting information
would need to require oversight of service providers that receive,
maintain, or process the Covered Entity's information, or are otherwise
permitted to access the Covered Entity's information systems and the
information residing on those systems, pursuant to a written contract
between the covered entity and the service provider.\240\ Further,
pursuant to that written contract, the service provider would be
required to implement and maintain appropriate measures, including the
practices described in paragraphs (b)(1)(i) through (v) of proposed
Rule 10, that are designed to protect the Covered Entity's information
systems and information residing on those systems. These policies and
procedures could include measures to perform due diligence on a service
provider's cybersecurity risk management prior to using the service
provider and periodically thereafter during the relationship with the
service provider. Covered Entities also could consider including
periodic contract review processes that allow them to assess whether,
and help to ensure that, their agreements with service providers
contain provisions that require service providers to implement and
maintain appropriate measures designed to protect the Covered Entity's
information systems and information residing on those systems.
---------------------------------------------------------------------------
\240\ See paragraph (b)(1)(iii)(B) of proposed Rule 10;
paragraphs (a)(6) and (7) of proposed Rule 10 (defining,
respectively, the terms ``information'' and ``information
systems'').
---------------------------------------------------------------------------
d. Cybersecurity Threat and Vulnerability Management
Rule 10 would specify that the Covered Entity's cybersecurity risk
management policies and procedures must include measures designed to
detect, mitigate, and remediate any cybersecurity threats and
vulnerabilities with respect to the Covered Entity's information
systems and information residing on those systems.\241\ Because Covered
Entities depend on information systems to process, store, and transmit
personal, confidential, and proprietary information and data and to
conduct critical business functions, it is essential that they manage
cybersecurity threats and vulnerabilities effectively.\242\ Moreover,
detecting, mitigating, and remediating threats and vulnerabilities is
essential to preventing significant cybersecurity incidents.
---------------------------------------------------------------------------
\241\ See paragraph (b)(1)(iv) of proposed Rule 10; paragraphs
(a)(4) through (7) of proposed Rule 10 (defining, respectively, the
terms ``cybersecurity threat,'' ``cybersecurity vulnerability,''
``information,'' and ``information systems''). See generally NIST
Framework (providing that the third core element of the framework is
``detect''--meaning develop and implement appropriate activities to
identify the occurrence of a cybersecurity event); CISA Cyber
Essentials Starter Kit (stating regarding detection that
organizations should (among other things): (1) learn what is
happening on their networks; (2) manage network and perimeter
components, host and device components, data at rest and in transit,
and user behavior and activities: and (3) actively maintain
information as it will provide a baseline for security testing,
continuous monitoring, and making security-based decisions); IOSCO
Cybersecurity Report (``External and internal monitoring of traffic
and logs generally should be used to detect abnormal patterns of
access (e.g., abnormal user activity, odd connection durations, and
unexpected connection sources) and other anomalies. Such detection
is crucial as attackers can use the period of presence in the
target's systems to expand their footprint and their access gaining
elevated privileges and control over critical systems. Many
regulated entities have dedicated cyber threat teams and engage in
file servers integrity and database activity monitoring to prevent
unauthorized modification of critical servers within their
organization's enterprise network. Different alarm categories and
severity may be defined.'').
\242\ See section I.A.2. of this release (discussing how Covered
Entities use information systems).
---------------------------------------------------------------------------
Measures to detect cybersecurity threats and vulnerabilities could
include ongoing monitoring (e.g., comprehensive examinations and risk
management processes), including, for example, conducting network,
system, and application vulnerability assessments. This could include
scans or reviews of internal systems, externally facing systems, new
systems, and systems used by service providers. Further, measures could
include monitoring industry and government
[[Page 20243]]
sources for new threat and vulnerability information that may assist in
detecting cybersecurity threats and vulnerabilities.\243\
---------------------------------------------------------------------------
\243\ See generally CISA, National Cyber Awareness System--
Alerts, available at https://us-cert.cisa.gov/ncas/alerts (providing
information about current security issues, vulnerabilities, and
exploits).
---------------------------------------------------------------------------
Measures to mitigate and remediate an identified threat or
vulnerability are more effective if they minimize the window of
opportunity for attackers to exploit vulnerable hardware and software.
These measures could include, for example, implementing a patch
management program to ensure timely patching of hardware and software
vulnerabilities and maintaining a process to track and address reports
of vulnerabilities.\244\ Covered Entities also generally should
consider the vulnerabilities associated with ``end of life systems''
(i.e., systems in which software is no longer supported by the
particular vendor and for which security patches are no longer issued).
These measures also could establish accountability for handling
vulnerability reports by, for example, establishing processes for their
intake, assignment, escalation, remediation, and remediation testing.
For example, a Covered Entity could use a vulnerability tracking system
that includes severity ratings, and metrics for measuring the time it
takes to identify, analyze, and remediate vulnerabilities.
---------------------------------------------------------------------------
\244\ See generally CISA Cyber Essentials Starter Kit (stating
that organizations should: (1) enable automatic updates whenever
possible; (2) replace unsupported operating systems, applications
and hardware; and (3) test and deploy patches quickly).
---------------------------------------------------------------------------
Covered Entities also could consider role-specific cybersecurity
threat and vulnerability response training.\245\ For example, training
could include secure system administration courses for IT
professionals, vulnerability awareness and prevention training for web
application developers, and social engineering awareness training for
employees and executives. Covered Entities that do not proactively
address threats and discovered vulnerabilities face an increased
likelihood of having their information systems--including the Covered
Entity's information residing on those systems--accessed or disrupted
by threat actors or otherwise compromised. The requirement for Covered
Entities to include cybersecurity threats and vulnerabilities measures
in their cybersecurity policies and procedures is designed to address
this risk and help ensure threats and vulnerabilities are adequately
and proactively addressed by Covered Entities.
---------------------------------------------------------------------------
\245\ See generally CISA Cyber Essentials Starter Kit
(``Leverage basic cybersecurity training. Your staff needs a basic
understanding of the threats they encounter online in order to
effectively protect your organization. Regular training helps
employees understand their role in cybersecurity, regardless of
technical expertise, and the actions they take help keep your
organization and customers secure. Training should focus on threats
employees encounter, like phishing emails, suspicious events to
watch for, and simple best practices individual employees can adopt
to reduce risk. Each aware employee strengthens your network against
attack, and is another `sensor' to identify an attack.'').
---------------------------------------------------------------------------
e. Cybersecurity Incident Response and Recovery
Proposed Rule 10 would specify that the Covered Entity's
cybersecurity risk management policies and procedures must include
measures designed to detect, respond to, and recover from a
cybersecurity incident.\246\ Further, the rule would require that these
measures include policies and procedures that are reasonably designed
to ensure: (1) the continued operations of the Covered Entity; (2) the
protection of the Covered Entity's information systems and the
information residing on those systems; \247\ (3) external and internal
cybersecurity incident information sharing and communications; and (4)
the reporting of significant cybersecurity incidents pursuant to the
requirements of paragraph (c) of proposed Rule 10 discussed below.\248\
---------------------------------------------------------------------------
\246\ See paragraph (b)(1)(v) of proposed Rule 10; paragraph
(c)(2) of proposed Rule 10 (defining the term ``cybersecurity
incident''). See generally NIST Framework (providing that the fourth
core element of the framework is ``respond''--meaning develop and
implement appropriate activities to take action regarding a detected
cybersecurity incident; and providing that the fifth core element of
the framework is ``recover''--meaning develop and implement
appropriate activities to maintain plans for resilience and to
restore any capabilities or services that were impaired due to a
cybersecurity incident).
\247\ See paragraphs (a)(6) and (7) of proposed Rule 10
(defining, respectively, the terms ``information'' and ``information
systems'').
\248\ See section II.B.2. of this release (discussing the
requirements to report significant cybersecurity incidents);
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity incident''). See generally CISA Cyber
Essentials Starter Kit (stating regarding response and recovery that
the objective is to limit damage and accelerate restoration of
normal operations and, to this end, organizations (among other
things) can: (1) leverage business impact assessments to prioritize
resources and identify which systems must be recovered first; (2)
``learn who to call for help (e.g., outside partners, vendors,
government/industry responders, technical advisors and law
enforcement);'' (3) develop an internal reporting structure to
detect, communicate and contain attacks; and (4) develop in-house
containment measures to limit the impact of cyber incidents when
they occur); IOSCO Cybersecurity Report (``Regulated entities
generally should consider developing response plans for those types
of incidents to which the organization is most likely to be subject.
Elements associated with response plans may include: preparing
communication/notification plans to inform relevant stakeholders;
conducting forensic analysis to understand the anatomy of a breach
or an attack; maintaining a database recording cyber attacks; and
conducting cyber drills, firm specific simulation exercises as well
as industry-wide scenario exercises.'').
---------------------------------------------------------------------------
Cybersecurity incidents can lead to significant business
disruptions, including losing the ability to send internal or external
communications, transmit information, or connect to internal or
external systems necessary to carry out the Covered Entity's critical
functions and provide services to customers, counterparties, members,
registrants, or users.\249\ They also can lead to the inability to
access accounts holding cash or other financial assets of the Covered
Entity or its customers, counterparties, members, registrants, or
users.\250\ Therefore, the proposed incident response and recovery
policies and procedures are designed to place the Covered Entity in a
position to respond to a cybersecurity incident, which should help to
reduce business disruptions and other harms the incident may cause the
Covered Entity or its customers, counterparties, members, registrants,
or users. A cybersecurity program with a clear incident response plan
designed to ensure continued operational capability, and the protection
of, and access to, personal, confidential, or proprietary information
and data, even if a Covered Entity loses access to its systems, would
assist in mitigating the effects of a cybersecurity incident.\251\ A
Covered Entity, therefore, may wish to consider maintaining physical
copies of its incident response plan--and other cybersecurity policies
and procedures--to help ensure they can be accessed and implemented
during a cybersecurity incident.
---------------------------------------------------------------------------
\249\ See sections I.A.1. and I.A.2. of this release (discussing
these consequences).
\250\ Id.
\251\ See generally CISA Cyber Essentials Starter Kit (``Plan,
prepare, and conduct drills for cyber-attacks and incidents as you
would a fire or robbery. Make your reaction to cyber incidents or
system outages an extension of your other business contingency
plans. This involves having incident response plans and procedures,
trained staff, assigned roles and responsibilities, and incident
communications plans.'').
---------------------------------------------------------------------------
Covered Entities generally should focus on operational capability
in creating reasonably designed policies and procedures to ensure their
continued operations in the event of a cybersecurity incident (e.g.,
the ability to withstand a DoS attack). The objective is to place
Covered Entities in a position to be able to continue providing
services to other Market Entities and other participants in the U.S.
securities markets (including investors) and, thereby, continue to
support the fair, orderly, and efficient
[[Page 20244]]
operation of the U.S. securities markets. For example, this requirement
is designed to place Covered Entities in a position to be able to
continue to perform market and member surveillance and oversight in the
case of SROs, clearance and settlement in the case of clearing
agencies, and brokerage or dealing activities in the case of broker-
dealers and SBSDs.
The ability of Covered Entities to recover from a cybersecurity
incident in a timeframe that minimizes disruptions to their business or
regulatory activities is critically important to the fair, orderly, and
efficient operations of the U.S. securities markets and, therefore, to
the U.S. economy, investors, and capital formation. A Covered Entity
generally should consider implementing safeguards, such as backing up
data, which can help facilitate a prompt recovery that allows the
Covered Entity to resume operations following a cybersecurity
incident.\252\ A Covered Entity also generally should consider whether
to designate personnel to perform specific roles in the case of a
cybersecurity incident. This could entail identifying and/or hiring
personnel or third parties who have the requisite cybersecurity and
recovery expertise (or are able to coordinate effectively with outside
experts) as well as identifying personnel who should be kept informed
throughout the response and recovery process. In addition, a Covered
Entity could consider an escalation protocol in its incident response
plan to ensure that its senior officers, including appropriate legal
and compliance personnel, receive necessary information regarding
cybersecurity incidents on a timely basis.\253\
---------------------------------------------------------------------------
\252\ See generally CISA Cyber Essentials Starter Kit
(``Leverage protections for backups, including physical security,
encryption and offline copies. Ensure the backed-up data is stored
securely offsite or in the cloud and allows for at least seven days
of incremental rollback. Backups should be stored in a secure
location, especially if you are prone to natural disasters.
Periodically test your ability to recover data from backups. Online
and cloud storage backup services can help protect against data loss
and provide encryption as an added level of security. Identify key
files you need access to if online backups are unavailable to access
your files when you do not have an internet connection.'').
\253\ See generally CISA Cyber Essentials Starter Kit (stating
that: (1) organizations should develop an internal reporting
structure to detect, communicate, and contain attacks and that
effective communication plans focus on issues unique to security
breaches; (2) a standard reporting procedure will reduce confusion
and conflicting information between leadership, the workforce, and
stakeholders; and (3) communication should be continuous, since most
data breaches occur over a long period of time and not instantly and
that it should come from top leadership to show commitment to action
and knowledge of the situation).
---------------------------------------------------------------------------
Moreover, as discussed in further detail below, under proposed Rule
10, a Covered Entity would need to give the Commission immediate
written electronic notice of a significant cybersecurity incident after
having a reasonable basis to conclude that the incident has occurred or
is occurring.\254\ Further, the Covered Entity would need to report
information about the significant cybersecurity incident promptly, but
no later than 48 hours, after having a reasonable basis to conclude
that the incident has occurred or is occurring by filing Part I of
proposed Form SCIR with the Commission.\255\ Thereafter, the Covered
Entity would need to file an amended Part I of proposed Form SCIR with
the Commission under certain circumstances.\256\ Accordingly, proposed
Rule 10 would require the Covered Entity to include in its incident
response and recovery policies and procedures measures designed to
ensure compliance with these notification and reporting
requirements.\257\ The Covered Entity also may wish to implement a
process to determine promptly whether and how to contact local and
Federal law enforcement authorities, such as the FBI, about an
incident.\258\
---------------------------------------------------------------------------
\254\ See paragraph (c)(1) of proposed Rule 10. See also section
II.B.2. of this release (discussing this proposed notification
requirement in more detail).
\255\ See paragraph (c)(2) of proposed Rule 10. See also section
II.B.2. of this release (discussing this proposed reporting
requirement in more detail).
\256\ The circumstances under which an amended Part I of
proposed Form SCIR would need to be filed are discussed below in
section II.B.2. of this release.
\257\ See paragraph (b)(1)(v)(A)(4) of proposed Rule 10.
\258\ For example, the FBI has instructed individuals and
organizations to contact their nearest FBI field office to report
cybersecurity incidents or to report them online at https://www.ic3.gov/Home/FileComplaint. See FBI, What We Investigate, Cyber
Crime, available at https://www.fbi.gov/investigate/cyber. See also
CISA Cyber Essentials Starter Kit (``As part of your incident
response, disaster recovery, and business continuity planning
efforts, identify and document partners you will call on to help.
Consider building these relationships in advance and understand what
is required to obtain support. CISA and the Federal Bureau of
Investigation (FBI) provide dedicated hubs for helping respond to
cyber and critical infrastructure attacks. Both have resources and
guidelines on when, how, and to whom an incident is to be reported
in order to receive assistance. You should also file a report with
local law enforcement, so they have an official record of the
incident.'').
---------------------------------------------------------------------------
A Covered Entity also could consider including periodic testing
requirements in its incident response and recovery policies and
procedures.\259\ These tests could assess the efficacy of the policies
and procedures to determine whether any changes are necessary, for
example, through tabletop or full-scale exercises. Relatedly, proposed
Rule 10 would require that the incident response and recovery policies
and procedures include written documentation of a cybersecurity
incident, including the Covered Entity's response to and recovery from
the incident.\260\ This record could be used by the Covered Entity to
assess the efficacy of, and adherence to, its incident response and
recovery policies and procedures. It further could be used as a
``lessons-learned'' document to help the Covered Entity respond more
effectively the next time it experiences a cybersecurity incident. The
Commission staff and SRO staff also would use the records to review
compliance with this aspect of proposed Rule 10.
---------------------------------------------------------------------------
\259\ See generally CISA Cyber Essentials Starter Kit (``Lead
development of an incident response and disaster recovery plan
outlining roles and responsibilities. Test it often. Incident
response plans and disaster recovery plans are crucial to
information security, but they are separate plans. Incident response
mainly focuses on information asset protection, while disaster
recovery plans focus on business continuity. Once you develop a
plan, test the plan using realistic simulations (known as ``war-
gaming''), where roles and responsibilities are assigned to the
people who manage cyber incident responses. This ensures that your
plan is effective and that you have the appropriate people involved
in the plan. Disaster recovery plans minimize recovery time by
efficiently recovering critical systems.'').
\260\ See paragraph (b)(1)(v)(B) of proposed Rule 10.
---------------------------------------------------------------------------
f. Annual Review and Required Written Reports
In addition to requiring a Covered Entity to establish, maintain,
and enforce written policies and procedures to address cybersecurity
risk, proposed Rule 10 would require the Covered Entity, at least
annually, to: (1) review and assess the design and effectiveness of the
cybersecurity policies and procedures, including whether the policies
and procedures reflect changes in cybersecurity risk over the time
period covered by the review; and (2) prepare a written report that
describes the review, the assessment, and any control tests performed,
explains their results, documents any cybersecurity incident that
occurred since the date of the last report, and discusses any material
changes to the policies and procedures since the date of the last
report.\261\ The annual review requirement is designed to require the
Covered Entity to evaluate whether its cybersecurity policies and
procedures continue to work as designed. In making this assessment,
Covered Entities generally should consider whether changes are needed
to ensure their continued effectiveness, including oversight of any
delegated responsibilities. As discussed earlier, the sophistication of
the tactics,
[[Page 20245]]
techniques, and procedures employed by threat actors is
increasing.\262\ The review requirement is designed to impose a
discipline on Covered Entities to be vigilant in assessing whether
their cybersecurity risk management policies and procedures continue to
be reasonably designed to address this risk.
---------------------------------------------------------------------------
\261\ See paragraph (b)(2) of proposed Rule 10.
\262\ See section I.A.1. of this release (discussing, for
example, how cybersecurity threats are evolving); see also Bank of
England CBEST Report (stating that ``[t]he threat actor community,
once dominated by amateur hackers, has expanded to include a broad
range of professional threat actors, all of whom are strongly
motivated, organised and funded'').
---------------------------------------------------------------------------
The review would need to be conducted no less frequently than
annually. As discussed above, one of the required elements that would
need to be included in the policies and procedures is the requirement
to perform periodic assessments of cybersecurity risks associated with
the covered entity's information systems and information residing on
those systems.\263\ Based on the findings of those risk assessments, a
Covered Entity could consider whether to perform a review prior to the
one-year anniversary of the last review. In addition, the occurrence of
a cybersecurity incident or significant cybersecurity incident
impacting the Covered Entity or other entities could cause the Covered
Entity to consider performing a review before the next annual review is
required.
---------------------------------------------------------------------------
\263\ See paragraph (b)(1)(i) of proposed Rule 10. See also
section II.B.1.a. of this release (discussing the assessment
proposal in more detail).
---------------------------------------------------------------------------
The Covered Entity would need to document the review in a written
report.\264\ The required written report generally should be prepared
or overseen by the persons who administer the Covered Entity's
cybersecurity program. This report requirement is designed to assist
the Covered Entity in evaluating the efficacy of organization's
cybersecurity risk management policies and procedures. Additionally,
the requirement to review and assess the design and effectiveness of
the cybersecurity policies and procedures includes whether they reflect
changes in cybersecurity risk over the time period covered by the
review. Therefore, the Covered Entity generally would need to take into
account the periodic assessments of cybersecurity risks performed
pursuant to the requirements of paragraphs (b)(1)(i)(A) and
(b)(1)(iii)(A) of proposed Rule. This could provide Covered Entities
with valuable insights into potential enhancements to the policies and
procedures to keep them up-to-date (i.e., reasonably designed to
address emerging cybersecurity threats). For example, incorporating the
cybersecurity risk assessments into the required written report could
provide senior officers who review the report with information on the
specific risks identified in the assessments. This could lead them to
ask questions and seek relevant information regarding the effectiveness
of the Covered Entity's cybersecurity risk management policies and
procedures and its implementation in light of those risks. This could
include questions as to whether the Covered Entity has adequate
resources with respect to cybersecurity matters, including access to
cybersecurity expertise.
---------------------------------------------------------------------------
\264\ See paragraph (b)(2)(ii) of proposed Rule 10.
---------------------------------------------------------------------------
g. Request for Comment
The Commission requests comment on all aspects of the requirements
that Covered Entities establish, maintain, and enforce written policies
and procedures to address their cybersecurity risks, the elements that
would need to be included in the cybersecurity risk management policies
and procedures, and the required (at least) annual review of the
cybersecurity risk management policies and procedure under paragraph
(b) of proposed Rule 10. In addition, the Commission is requesting
comment on the following specific aspects of the proposals:
21. In designing the cybersecurity risk management policies and
procedures requirements of proposed Rule 10, the Commission considered
a number of sources cited in the sections above, including, in
particular, the NIST Framework and the CISA Cyber Essentials Starter
Kit. Are there other sources the Commission should use? If so, identify
them and explain why they should be considered and how they could
inform potential modifications to the cybersecurity risk management
policies and procedures requirements.
22. Should the policies and procedures requirements of paragraph
(b)(1) of proposed Rule 10 be modified? For example, are there other
elements that should be included in cybersecurity risk management
policies and procedures? If so, identify them and explain why they
should be included. Should any of the minimum required elements be
eliminated? If so, identify them and explain why it would be
appropriate to eliminate them from the rule.
23. Should the policies and procedures requirements of paragraph
(b)(1) of proposed Rule 10 be modified to provide more flexibility in
how a Covered Entity implements them? If so, identify the requirements
that are too prescriptive and explain why and suggest ways to make them
more flexible without undermining the objective of having Covered
Entities adequately address cybersecurity risks.
24. Should the policies and procedures requirements of paragraph
(b)(1) of proposed Rule 10 be modified to provide less flexibility in
how a Covered Entity had to implement them? If so, identify the
requirements that should be more prescriptive and explain why and
suggest ways to make them more prescriptive without undermining the
objective of having Covered Entities implement cybersecurity risk
management policies and procedures that address their particular
circumstances.
25. Should the policies and procedures requirements of paragraph
(b)(1) of proposed Rule 10 be deemed to be reasonably designed if they
are consistent with industry standards comprised of cybersecurity risk
management practices that are widely available to cybersecurity
professionals in the financial sector and issued by an authoritative
body that is a U.S. governmental entity or agency, association of U.S.
governmental entities or agencies, or widely recognized organization?
If so, identify the standard or standards and explain why it would be
appropriate to deem the policies and procedures requirements of
paragraph (b)(1) of proposed Rule 10 reasonably designed if they are
consistent with the standard or standards.
26. The policies and procedures requirements of paragraph (b)(1) of
proposed Rule 10 would require Covered Entities to cover
``information'' and ``information systems'' as defined, respectively,
in paragraphs (a)(6) and (7) of proposed Rule 10 without limitation.
Should the proposed policies and procedures requirements of paragraph
(b)(1) of proposed Rule 10 be modified to address a narrower set of
information and information systems? If so, describe how the narrower
set of information and information systems should be defined and why it
would be appropriate to limit the policies and procedures requirements
to this set of information and information systems. For example, should
the policies and procedures requirements of paragraph (b)(1) of
proposed Rule 10 be limited to information and information systems
that, if compromised, would result in, or would be reasonably likely to
result in, harm to the Covered Entity or others? If so, explain why. If
not, explain why not. Is there another way to limit the application of
the policies and procedures requirements to certain information and
information systems that would not undermine the objective
[[Page 20246]]
that Covered Entities implement policies and procedures that adequately
address their cybersecurity risks? If so, explain how.
27. Should the requirements of paragraph (b)(1)(i) of proposed Rule
10 relating to periodic assessments of the cybersecurity risks
associated with the Covered Entity's information systems and
information residing on those systems be modified? If so, explain why.
If not, explain why not.
28. Should the requirements of paragraph (b)(1)(i)(A)(1) of
proposed Rule 10 relating to categorizing and prioritizing
cybersecurity risks based on an inventory of the components of the
Covered Entity's information systems and information residing on those
systems and the potential effect of a cybersecurity incident on the
Covered Entity be modified? If so, explain why. If not, explain why
not.
29. Should the requirements of paragraph (b)(1)(i)(A)(2) of
proposed Rule 10 relating to identifying the Covered Entity's service
providers that receive, maintain, or process information, or are
otherwise permitted to access the Covered Entity's information systems
and any of the Covered Entity's information residing on those systems,
and assess the cybersecurity risks associated with the Covered Entity's
use of these service providers be modified? If so, explain why. If not,
explain why not. Certain Covered Entities may use data feeds from
third-party providers that do not receive, maintain, or process
information for the Covered Entity but that could nonetheless cause
significant disruption for the Covered Entity if they were the subject
of a cybersecurity incident. For example, broker-dealers may subscribe
to third-party data feeds to satisfy their obligations for best
execution under the federal securities laws. If a third-party provider
of data feeds experienced a cybersecurity breach, it could lead to
faulty market information being shared with the broker-dealer, which
could in turn impact the broker-dealer's ability to operate and execute
trades for its customers. Likewise, SBS Entities might rely on data
from counterparties. Should the Commission require the risk assessment
to include service providers that provide data feeds to Covered
Entities but do not otherwise have access to the Covered Entities'
information systems? If so, should the risk assessment be limited to
only those third parties who provide data critical to the Covered
Entity's business operations? Are there other cybersecurity risks
associated with utilizing a third party who provides data feeds that
should be addressed? If so, identify the risks and explain how they
could be addressed.
30. Should the requirements of paragraph (b)(1)(i)(B) of proposed
Rule 10 relating to requiring written documentation of the risk
assessments required by paragraph (b)(1)(i)(A) of proposed Rule 10 be
modified? If so, explain why. If not, explain why not.
31. Should the requirements of paragraph (b)(1)(ii) of proposed
Rule 10 relating to controls designed to minimize user-related risks
and prevent unauthorized access to the Covered Entity's information
systems and the information residing on those systems? If so, explain
why. If not, explain why not. Should requirements of paragraph
(b)(1)(ii) of proposed Rule 10 be modified to revise the requirement to
include the following identified controls: (1) controls requiring
standards of behavior for individuals authorized to access the Covered
Entity's information systems and the information residing on those
systems, such as an acceptable use policy; (2) controls identifying and
authenticating individual users, including but not limited to
implementing authentication measures that require users to present a
combination of two or more credentials for access verification; (3)
controls establishing procedures for the timely distribution,
replacement, and revocation of passwords or methods of authentication;
(4) controls restricting access to specific information systems of the
Covered Entity or components thereof and the information residing on
those systems solely to individuals requiring access to the systems and
information as is necessary for them to perform their responsibilities
and functions on behalf of the Covered Entity; and (5) securing remote
access technologies? If so, explain why. If not, explain why not. For
example, should this paragraph of the proposed rule be modified to
include any additional type of controls? If so, identify the controls
and explain why they should be included. Should the text of the
proposed controls be modified? For example, should the control
pertaining to the timely distribution, replacement, and revocation of
passwords or methods of authentication use a word other than
``distribution''? If so, explain why and suggest an alternative word
that would be more appropriate. Would ``establishment'' or ``setting
up'' be more appropriate in this context? Should this paragraph of the
proposed rule be modified to eliminate any of the identified controls?
If so, identify the control and explain why it should be eliminated.
For example, could the control pertaining to implementing
authentication measures requiring users to present a combination of two
or more credentials for access verification potentially become
obsolete? If so, explain why and suggest an alternative control that
could incorporate this requirement as well as other authentication
controls that may develop in the future.
32. CISA has developed a catalog of cyber ``bad practices'' that
are exceptionally risky and can increase risk to an organization's
critical infrastructure.\265\ These bad practices include the use of
unsupported (or end-of-life) software, use of known or default
passwords and credentials, and the use of single-factor authentication.
In addition, the Federal Financial Institutions Examination Council
(``FFIEC'') has issued guidance on authentication and access to
financial institution services and systems, and suggests that the use
of single-factor authentication as a control mechanism has shown to be
inadequate against certain cyber threats and adverse impacts from
ransomware, customer account fraud, and identity theft.\266\ Instead,
the FFIEC guidance suggests the use of multi-factor authentication and
other measures, such as specific authentication solutions, password
controls, and access and transaction controls. Should paragraph
(b)(1)(ii) of proposed Rule 10 be modified to specifically require
controls that users provide multi-factor authentication before they can
access an information system of the Covered Entity? If so, explain why.
If not, explain why not. Would it be appropriate to require multi-
factor authentication for all of the Covered Entity's information
systems or for a more limited set of information systems? For example,
should multi-factor authentication be required for public-facing
information systems such as applications that provide users access to
their accounts at the Covered Entity and not required for internal
information systems used by the Covered Entity's employees? If so,
explain why. If not, explain why not.
[[Page 20247]]
Should multi-factor authentication be required regardless of whether
the information system is public facing if personal, confidential, or
proprietary information resides on the information system? If so,
explain why. If not, explain why not. Should the rule require phishing-
resistant multi-factor authentication? If so, explain why. If not,
explain why not.
---------------------------------------------------------------------------
\265\ See CISA, Bad Practices, available at https://www.cisa.gov/BadPractices.
\266\ See FFIEC, Authentication and Access to Financial
Institution Services and Systems (Aug. 2021), available at https://www.ffiec.gov/guidance/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf. See also FDIC and the Office
of the Comptroller of the Currency (``OCC''), Joint Statement on
Heightened Cybersecurity Risk (Jan. 16, 2020), available at https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-5a.pdf
(noting that identity and access management controls include
multifactor authentication to segment and safeguard access to
critical systems and data on an organization's network).
---------------------------------------------------------------------------
33. Should the requirements of paragraph (b)(1)(iii)(A) of proposed
Rule 10 relating to measures designed to monitor the Covered Entity's
information systems and protect the information residing on those
systems from unauthorized access or use be modified? For example,
should the requirements of paragraph (b)(1)(iii)(A) of proposed Rule 10
specifically require encryption of certain information residing on the
Covered Entity's information systems? If so, explain why. If not,
explain why not.
34. The measures discussed in paragraph (b)(1)(iii)(A) of proposed
Rule 10 designed to monitor the Covered Entity's information systems
and protect the information residing on those systems from unauthorized
access or use would need to be based on a periodic assessment of the
Covered Entity's information systems and the information that resides
on the systems that takes into account: (1) the sensitivity level and
importance of the information to Covered Entity's business operations;
(2) whether any of the information is personal information; (3) where
and how the information is accessed, stored and transmitted, including
the monitoring of information in transmission; (4) the information
systems' access controls and malware protection; and (5) the potential
effect a cybersecurity incident involving the information could have on
the Covered Entity and its customers, counterparties, members, or
users, including the potential to cause a significant cybersecurity
incident. Should this paragraph of the proposed rule be modified to
include any additional factors that would need to be taken into
account? If so, identify the factors and explain why they should be
taken into account. Should this paragraph of the proposed rule be
modified to eliminate any of the identified factors that should be
taken into account? If so, identify the factors and explain why they
should be eliminated.
35. Should the requirements of paragraph (b)(1)(iii)(A) of proposed
Rule 10 relating periodic assessments of the Covered Entity's
information systems and information residing of the systems be modified
to specifically require periodic (e.g., semi-annual or annual)
penetration tests? If so, explain why. If not, explain why not. If
proposed Rule 10 should be modified to require periodic penetration
tests, should the rule specify the information systems and information
to be tested? If so, explain why. If not, explain why not. For example,
should the penetration tests be performed on all information systems
and information of the Covered Entity? Alternatively, should the
penetration tests be performed: (1) on a random selection of
information systems and information; (2) on a prioritized selection of
the information systems and information residing on them that are most
critical to the Covered Entity's functions or that maintain information
that if accessed by or disclosed to persons not authorized to view it
could cause the most harm to the Covered Entity or others; and/or (3)
on information systems for which the Covered Entity has identified
vulnerabilities pursuant to the requirements of paragraph (b)(1)(iv) of
proposed Rule 10? Please explain the advantages and disadvantages of
each potential approach to requiring penetration tests.
36. Should the requirements of paragraph (b)(1)(iii)(B) of proposed
Rule 10 relating to the oversight of service providers that receive,
maintain, or process the Covered Entity's information, or are otherwise
permitted to access the Covered Entity's information systems and the
information residing on those systems, pursuant to a written contract
between the covered entity and the service provider, through which the
service providers are required to implement and maintain appropriate
measures, including the practices described in paragraphs (b)(1)(i)
through (v) of proposed Rule 10, that are designed to protect the
Covered Entity's information systems and information residing on those
systems be modified? If so, explain why. If not, explain why not. For
example, would there be practical difficulties with implementing the
requirement to oversee the service providers through a written
contract? If so, explain why. If not, explain why not. Are there
alternative approaches to addressing the cybersecurity risk that arises
when Covered Entities use service providers? If so, describe them and
explain why they would be appropriate in terms of addressing this risk.
For example, rather than addressing this risk through written contract,
could it be addressed through policies and procedures to obtain written
assurances or certifications from service providers that the service
provider manages cybersecurity risk in a manner that would be
consistent with how the Covered Entity would need to manage this risk
under paragraph (b) of proposed Rule 10? If so, explain why and
describe the type of assurances or certifications Covered Entities
could reasonably obtain to ensure that their service providers are
taking appropriate measures to manage cybersecurity risk? In
responding, please explain how assurances or certifications would be an
appropriate alternative to written contracts in terms of addressing the
cybersecurity risk caused by the use of service providers.
37. Should the requirements of paragraph (b)(1)(iv) of proposed
Rule 10 relating to measures designed to detect, mitigate, and
remediate any cybersecurity threats and vulnerabilities with respect to
the Covered Entity's information systems and the information residing
on those systems be modified? If so, explain why. If not, explain why
not.
38. Should the requirements of paragraph (b)(1)(v)(A) of proposed
Rule 10 relating to measures designed to detect, respond to, and
recover from a cybersecurity incident be modified? If so, explain why.
If not, explain why not. For example, these measures would need to
include policies and procedures that are reasonably designed to ensure:
(1) the continued operations of the covered entity; (2) the protection
of the Covered Entity's information systems and the information
residing on those systems; (3) external and internal cybersecurity
incident information sharing and communications; and (4) the reporting
of significant cybersecurity incidents pursuant to paragraph (c) of
proposed Rule 10. Would these four specific design objectives required
of the policies and procedures place the Covered Entity in a position
to effectively detect, respond to, and recover from a cybersecurity
incident? If so, explain why. If not, explain why not. Should this
paragraph of the proposed rule be modified to include any additional
design objectives for these policies and procedures? If so, identify
the design objectives and explain why they should be included. For
example, should the rule require policies and procedures that are
designed to recover from a cybersecurity incident within a specific
timeframe such as 24, 48, or 72 hours or some other period? If so,
identify the recovery period and explain why it would be appropriate.
Should this paragraph of the proposed rule be modified to eliminate any
of the specified design objectives? If so, identify the design
objectives and explain why they should be eliminated.
[[Page 20248]]
39. Should the requirements of paragraph (b)(1)(v)(B) of proposed
Rule 10 relating to written documentation of any cybersecurity
incidents be modified? If so, explain why. If not, explain why not. For
example, should the written documentation requirements apply to a
narrower set of incidents than those that would meet the definition of
``cybersecurity incident'' under proposed Rule 10? If so, describe the
narrower set of incidents and explain why it would be appropriate to
limit the written documentation requirements to them.
40. Should the requirements of paragraph (b)(2) of proposed Rule 10
relating to the review and assessment of the policies and procedures
and a written report of the review by modified? If so, explain why. If
not, explain why not. For example, this paragraph would require: (1) a
review and assessment of the design and effectiveness of the
cybersecurity risk management policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review; and (2) the
preparation of a written report that describes the review, the
assessment, and any control tests performed, explains their results,
documents any cybersecurity incident that occurred since the date of
the last report, and discusses any material changes to the policies and
procedures since the date of the last report. Should the review
requirement be modified to provide greater flexibility based on the
Covered Entity's assessment of what it believes would be most effective
in light of its cybersecurity risks? If so, explain why. If not,
explain why not. Should the review, assessment, and report be required
on a more frequent basis such as quarterly? If so, explain why. If not,
explain why not. Should the review, assessment, and report requirement
be triggered after certain events regardless of when the previous
review was conducted? If so, explain why. If not, explain why not. For
example, should the requirement be triggered if the Covered Entity
experiences a significant cybersecurity incident or undergoes a
significant business event such as a merger, acquisition, or the
commencement of a new business line that relies on information systems?
If so, explain why and suggest how a ``significant business event''
should be defined for the purposes of the review and assessment
requirement. If not, explain why not. Should the rule require that
persons with a minimum level of cybersecurity expertise or experience
must perform the review and assessment or that the review and
assessment must be performed by a senior officer of the Covered Entity?
If so, explain why. If not, explain why not. Should the rule require
that the review and assessment be performed by personnel who are not
involved in designing and implementing the cybersecurity policies and
procedures? If so, explain why. If not, explain why not. Should the
rule require that the annual report be subject to periodic third-party
audits or reviews? If so, explain why. If not, explain why not. Should
the Commission provide guidance to clarify how the review and report
requirements of paragraph (b)(2) proposed Rule 10 interact with the
requirements that SBS Entities perform assessments under 17 CFR
240.15Fk-1 or reviews under 17 CFR 250.15c3-4(c)(3)? If so, explain
why. If not, explain why not.
2. Notification and Reporting of Significant Cybersecurity Incidents
a. Timing and Manner of Notification and Reporting
FSOC observed that ``[s]haring timely and actionable cybersecurity
information can reduce the risk that cybersecurity incidents occur and
can mitigate the impacts of those that do occur.'' \267\ The Commission
is proposing to require that Covered Entities provide immediate notice
and subsequent reports about significant cybersecurity incidents to the
Commission and, in the case of certain Covered Entities, other
regulators. The objective is to improve the Commission's ability to
monitor and evaluate the effects of a significant cybersecurity
incident on Covered Entities and their customers, counterparties,
members, registrants, or users, as well as assess the potential risks
affecting financial markets more broadly.
---------------------------------------------------------------------------
\267\ FSOC 2021 Annual Report.
---------------------------------------------------------------------------
For these reasons, proposed Rule 10 would require a Covered Entity
to provide immediate written electronic notice to the Commission of a
significant cybersecurity incident upon having a reasonable basis to
conclude that the incident has occurred or is occurring.\268\ The
Commission would keep the notices nonpublic to the extent permitted by
law. The notice would need to identify the Covered Entity, state that
the notice is being given to alert the Commission of a significant
cybersecurity incident impacting the Covered Entity, and provide the
name and contact information of an employee of the Covered Entity who
can provide further details about the nature and scope of the
significant cybersecurity incident.
---------------------------------------------------------------------------
\268\ See paragraph (c)(1) of proposed Rule 10. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity incident''). As discussed below in
section II.C. of this release, Non-Covered Broker-Dealers would be
subject to an identical immediate written electronic notice
requirement. See paragraph (e)(2) of proposed Rule 10. If proposed
Rule 10 is adopted, it is anticipated that a dedicated email address
would be set up to receive the notices from Covered Entities and
Non-Covered Broker-Dealers. See, e.g., Staff Guidance for Filing
Broker-Dealer Notices, Statements and Reports, available at https://www.sec.gov/divisions/marketreg/bdnotices; Staff Statement on
Submitting Notices, Statements, Applications, and Reports for
Security-Based Swap Dealers and Major Security-Based Swap
Participants Pursuant to the Financial Responsibility Rules
(Exchange Act Rules 18a-1 through 18a-10), available at https://www.sec.gov/tm/staff-statement-on-submissions.
---------------------------------------------------------------------------
The immediate notice would need to be submitted by the Covered
Entity electronically in written form (as opposed to permitting the
notice to made telephonically).\269\ The Commission is proposing a
written notification requirement because of the number of Market
Entities that would be subject to the requirement and because of the
different types of Market Entities.\270\ A written notification would
also facilitate the Commission in identifying patterns and trends
across Market Entities experiencing significant cybersecurity
incidents.
---------------------------------------------------------------------------
\269\ See paragraph (c)(1) of proposed Rule 10. But see 17 CFR
242.1002(b)(1) (requiring an SCI entity to provide the Commission
with immediate notice after having a reasonable basis to conclude
that an SCI event has occurred without specifying that the notice be
written); OCC, Federal Reserve Board, FDIC, Computer-Security
Incident Notification Requirements for Banking Organizations and
Their Bank Service Providers, 86 FR 66424 (Nov. 23, 2021) (requiring
a banking organization to provide notice to a designated point of
contact of a computer-security incident through telephone, email, or
similar methods).
\270\ Non-Covered Broker-Dealers also would be subject to an
immediate written electronic notice requirement under paragraph
(e)(2) of proposed Rule 10 and, therefore, the Commission
potentially could receive notices from all types of Market Entities.
As discussed in section V.C. of this release, it is estimated that
1,989 Market Entities would be Covered Entities and 1,969 broker-
dealers would be Non-Covered Entities resulting in a 3,958 total
Market Entities. This is a far larger number of entities than the 47
entities that currently are SCI entities.
---------------------------------------------------------------------------
The notice requirement would be triggered when the Covered Entity
has a reasonable basis to conclude that a significant cybersecurity
incident has occurred or is occurring.\271\ This does not mean that the
Covered Entity can wait until it definitively concludes that
[[Page 20249]]
a significant cybersecurity incident has occurred or is occurring. In
the early stages of discovering the existence of a cybersecurity
incident, it may not be possible for the Covered Entity to conclude
definitively that it is a significant cybersecurity incident. For
example, the Covered Entity may need to assess which information
systems have been subject to the cybersecurity incident and the impact
that the incident has had on those systems before definitively
concluding that it is a significant cybersecurity incident.\272\ The
objective of the notification requirement is to alert the Commission
staff as soon as the Covered Entity detects the existence of a
cybersecurity incident that it has a reasonable basis to conclude is a
significant cybersecurity incident and not to wait until the Covered
Entity definitively concludes it is a significant cybersecurity
incident. This would provide the Commission staff with the ability to
begin to assess the situation at an earlier stage of the cybersecurity
incident.
---------------------------------------------------------------------------
\271\ The notice requirement for Non-Covered Broker-Dealers also
would be triggered when the broker-dealer has a reasonable basis to
conclude that a significant cybersecurity incident has occurred or
is occurring. See paragraph (e)(2) of proposed Rule 10.
\272\ See paragraph (a)(2) of proposed Rule 10 (defining
``cybersecurity incident'' to mean an unauthorized occurrence on or
conducted through a Market Entity's information systems that
jeopardizes the confidentiality, integrity, or availability of the
information systems or any information residing on those systems).
---------------------------------------------------------------------------
This proposed immediate written notification requirement is
modelled on other notification requirements that apply to broker-
dealers and SBSDs pursuant to other Exchange Act rules. Under these
existing requirements, broker-dealers and certain SBSDs must provide
the Commission with same-day written notification if they undergo
certain adverse events, including falling below their minimum net
capital requirements or failing to make and keep current required books
and records.\273\ The objective of these requirements is to provide the
Commission staff with the opportunity to respond when a broker-dealer
or SBSD is in financial or operational difficulty.\274\ Similarly, the
written notification requirements of proposed Rule 10 are designed to
provide the Commission staff with the opportunity to begin assessing
the situation promptly when a Covered Entity is experiencing a
significant cybersecurity incident by, for example, assessing the
Covered Entity's operating status and engaging in discussions with the
Covered Entity to understand better what steps it is taking to protect
its customers, counterparties, members, registrants, or users. In
addition, a Covered Entity that is a broker-dealer would need to
provide the written notice to its examining authority, and a transfer
agent would need to provide the written notice to its ARA.\275\ The
objective is to notify other supervisory authorities to allow them the
opportunity to respond to the significant cybersecurity incident
impacting the Covered Entity.
---------------------------------------------------------------------------
\273\ See 17 CFR 240.17a-11 (notification rule for broker-
dealers); 17 CFR 240.18a-8 (notification rule for SBS Entities).
\274\ See Recordkeeping and Reporting Requirements for Security-
Based Swap Dealers, Major Security-Based Swap Participants, and
Broker-Dealers; Capital Rule for Certain Security-Based Swap
Dealers, Exchange Act Release No. 71958 (Apr. 17, 2014) [79 FR
25194, 25247 (May 2, 2014)] (``SBS Entity Recordkeeping and
Reporting Proposing Release'').
\275\ See paragraphs (c)(1)(i) and (ii) of proposed Rule 10.
Non-Covered Broker-Dealers also would be required to provide the
written notice to their examining authority. See paragraph (e)(2) of
proposed Rule 10.
---------------------------------------------------------------------------
As discussed above, the immediate written electronic notice is
designed to alert the Commission on a confidential basis to the
existence of a significant cybersecurity incident impacting a Covered
Entity so the Commission staff can begin to assess the event. It is not
intended as a means to report written information about the significant
cybersecurity incident. Therefore, in addition to the immediate written
electronic notice, a Covered Entity would be required to report
detailed information about the significant cybersecurity incident by
filing, on a confidential basis, Part I of proposed Form SCIR with the
Commission through the Electronic Data Gathering, Analysis, and
Retrieval System (``EDGAR'' or ``EDGAR system'').\276\ Because of the
sensitive nature of the information and the fact that threat actors
could potentially use it to cause more harm, the Commission would not
make the filings available to the public to the extent permitted by
law.
---------------------------------------------------------------------------
\276\ See paragraph (c)(2) of proposed Rule 10. As discussed
below, Part II of proposed Form SCIR would be used by Covered
Entities to make public disclosures about the cybersecurity risks
they face and the significant cybersecurity incidents they
experienced during the current or previous calendar year. See
sections II.B.2. and II.B.4. of this release (discussing these
proposed requirements). Non-Covered Broker-Dealers would not be
subject to the requirements to file Part I and Part II of proposed
Form SCIR.
---------------------------------------------------------------------------
As with the notice, the requirement to file Part I of proposed Form
SCIR would be triggered when the Covered Entity has a reasonable basis
to conclude that a significant cybersecurity incident has occurred or
is occurring. Therefore, the notification and reporting requirements
would be triggered at the same time. However, in order to provide the
Covered Entity time to gather the information that would be elicited by
Part I of proposed Form SCIR, the Covered Entity would need to file the
form promptly, but no later than 48 hours, upon having a reasonable
basis to conclude that a significant cybersecurity incident has
occurred or is occurring.
Proposed Rule 10 also would require the Covered Entity to file an
amended Part I of proposed Form SCIR with updated information about the
significant cybersecurity incident in four circumstances.\277\ In each
case, the amended Part I of proposed Form SCIR would need to be filed
promptly, but no later than 48 hours, after the update requirement is
triggered. First, the Covered Entity would need to file an amended Part
I of proposed Form SCIR if any information previously reported to the
Commission on the form pertaining to the significant cybersecurity
incident becomes materially inaccurate.\278\ Second, the Covered Entity
would need to file an amended Part I of proposed Form SCIR if any new
material information pertaining to the significant cybersecurity
incident previously reported to the Commission on the form is
discovered.\279\ The Commission staff generally would use the
information reported on Part I of proposed Form SCIR to assess the
operating status of the Covered Entity and assess the impact that the
significant cybersecurity incident could have on other participants in
the U.S. securities markets. The requirement to file an amended Part I
of proposed Form SCIR under the first and second circumstances is
designed to ensure the Commission and Commission staff have reasonably
accurate and complete information when undertaking these activities.
---------------------------------------------------------------------------
\277\ See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule
10.
\278\ See paragraph (c)(2)(ii)(A) of proposed Rule 10.
\279\ See paragraph (c)(2)(ii)(B) of proposed Rule 10.
---------------------------------------------------------------------------
Third, the Covered Entity would need to file an amended Part I of
proposed Form SCIR after the significant cybersecurity incident is
resolved.\280\ A significant cybersecurity incident impacting a Covered
Entity would be resolved when the situation no longer meets the
definition of ``significant cybersecurity incident.'' \281\ The
resolution of a significant cybersecurity incident would be a material
development in the situation and, therefore, would be a reporting
trigger under proposed Rule 10.
---------------------------------------------------------------------------
\280\ See paragraph (c)(2)(ii)(C) of proposed Rule 10.
\281\ See paragraph (a)(10) of proposed Rule 10 (defining the
term ``significant cybersecurity incident'').
---------------------------------------------------------------------------
[[Page 20250]]
Finally, if the Covered Entity conducted an internal investigation
pertaining to the significant cybersecurity incident, it would need to
file an amended Part I of proposed Form SCIR after the investigation is
closed.\282\ This would be an investigation of the significant
cybersecurity incident that seeks to determine the cause of the
incident or to examine whether there was a failure to adhere to the
Covered Entity's policies and procedures to address cybersecurity risk
or whether those policies and procedures are effective. An internal
investigation could be conducted by the Covered Entity's own personnel
(e.g., internal auditors) or by external consultants hired by the
Covered Entity. The closure of an internal investigation would be a
reporting trigger under proposed Rule 10 because it could yield
material new information about the incident that had not been reported
in a previously filed Part I of proposed Form SCIR.
---------------------------------------------------------------------------
\282\ See paragraph (c)(2)(ii)(D) of proposed Rule 10.
---------------------------------------------------------------------------
As with the immediate written electronic notice, a Covered Broker-
Dealer would need to promptly transmit a copy of each Part I of
proposed Form SCIR it files with the Commission to its examining
authority, and a transfer agent would need to promptly transmit a copy
of each Part I of proposed Form SCIR it files with the Commission to
its ARA.\283\ The objective is to provide these other supervisory
authorities with the same information about the significant
cybersecurity incident that the Commission receives.
---------------------------------------------------------------------------
\283\ See paragraphs (c)(2)(iii)(A) and (B) of proposed Rule 10.
---------------------------------------------------------------------------
In this regard, the reporting requirements under proposed Rule 10
would provide the Commission and its staff with information to
understand better the nature and extent of a particular significant
cybersecurity incident and the efficacy of the Covered Entity's
response to mitigate the disruption and harm caused by the incident.
The Commission staff could use the reports to focus on the Covered
Entity's operating status and to facilitate their outreach to, and
discussions with, personnel at the Covered Entity who are addressing
the significant cybersecurity incident. For example, certain
information provided in a report may be sufficient to address any
questions the staff has about the incident; and in other instances
staff may want to ask follow-up questions to get a better understanding
of the matter. In addition, the reporting would provide the staff with
a view into the Covered Entity's understanding of the scope and impact
of the significant cybersecurity incident. All of this information
would be used by the Commission and its staff in assessing the impact
of the significant cybersecurity incident on the Covered Entity.
The information provided to the Commission under the proposed
reporting requirements also would be used to assess the potential
cybersecurity risks affecting U.S. securities markets more broadly.
This information could be useful in assessing other and future
significant cybersecurity incidents. For example, these reports could
assist the Commission in identifying patterns and trends across Covered
Entities, including widespread cybersecurity incidents affecting
multiple Covered Entities at the same time. Further, the reports could
be used to evaluate the effectiveness of various approaches to respond
to and recover from a significant cybersecurity incident.
b. Part I of Proposed Form SCIR
Proposed Rule 10 would require a Covered Entity to report
information about a significant cybersecurity incident confidentially
on Part I of proposed Form SCIR.\284\ The form would elicit certain
information about the significant cybersecurity incident through check
boxes, date fields, and narrative fields. Covered Entities would file
Part I of proposed Form SCIR electronically with the Commission using
the EDGAR system in accordance with the EDGAR Filer Manual, as defined
in Rule 11 of Regulation S-T,\285\ and in accordance with the
requirements of Regulation S-T.\286\
---------------------------------------------------------------------------
\284\ See paragraph (c)(2) of proposed Rule 10.
\285\ See 17 CFR 232.11.
\286\ See paragraphs (c)(2)(i) and (ii) of proposed Rule 10. As
discussed below in section II.B.4. of this release, the Covered
Entity would need to file Part I of proposed Form SCIR using a
structured data language.
---------------------------------------------------------------------------
A Covered Entity would need to indicate on Part I of proposed Form
SCIR whether the form is being filed with respect to a significant
cybersecurity incident as an initial report, amended report, or final
amended report by checking the appropriate box. As discussed above,
proposed Rule 10 would require a Covered Entity to file Part I of
proposed Form SCIR upon having a reasonable basis to conclude that a
significant cybersecurity incident has occurred or is occurring.\287\
This would be the initial Part I of proposed Form SCIR with respect to
the significant cybersecurity incident.\288\ Thereafter, a Covered
Entity would be required to file an amended Part I of proposed Form
SCIR with respect to the significant cybersecurity incident after: (1)
any information previously reported to the Commission on Part I of
proposed Form SCIR pertaining to the significant cybersecurity incident
becomes materially inaccurate; (2) any new material information
pertaining to the significant cybersecurity incident previously
reported to the Commission on Part I of proposed Form SCIR is
discovered; (3) the significant cybersecurity incident is resolved; or
(4) an internal investigation pertaining to a significant cybersecurity
incident is closed.\289\ If a Covered Entity checks the box indicating
that the filing is a final Part I of proposed Form SCIR, the firm also
would need to check the appropriate box to indicate why a final form
was being filed: either the significant cybersecurity incident was
resolved or an internal investigation pertaining to the incident was
closed.
---------------------------------------------------------------------------
\287\ See paragraph (c)(2)(i) of proposed Rule 10. See also
section II.B.2.a. of this release (discussing the proposed filing
requirements in more detail).
\288\ See Instruction B.1. of proposed Form SCIR.
\289\ See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule
10.
---------------------------------------------------------------------------
Part I of proposed Form SCIR would elicit information about the
Covered Entity that would be used to identify the filer.\290\ In
particular, the Covered Entity would need to provide its full legal
name and business name (if different from its legal name), tax
identification number, unique identification code (``UIC'') (if the
filer has a UIC), central index key (``CIK number''),\291\ and main
address.\292\ The instructions to proposed Form SCIR (which would be
applicable to Parts I and II) would provide that a UIC is an
identification number that has been issued by an internationally
recognized standards-setting system (``IRSS'') that has been recognized
by the Commission pursuant to Rule 903(a) of Regulation SBSR.\293\
Currently, the Commission has recognized only the Global Legal Entity
Identifier Foundation (``GLEIF'')--which is responsible for overseeing
the Global Legal Entity Identifier System (``GLEIS'')--as an IRSS.\294\
Part I of
[[Page 20251]]
proposed Form SCIR also would elicit the name, phone number, and email
address of the contact employee of the Covered Entity.\295\ The contact
employee would need to be an individual authorized by the Covered
Entity to provide the Commission with information about the significant
cybersecurity incident (i.e., information the individual can provide
directly) and make information about the incident available to the
Commission (e.g., information the individual can provide by, for
example, making other employees of the Covered Entity available to
answer questions of the Commission staff).\296\ The Covered Entity also
would need to indicate the type of Market Entity it is by checking the
appropriate box or boxes.\297\ For example, if the Covered Entity is
dually registered as a broker-dealer and SBSD, it would need to check
the box for each of those entity types.
---------------------------------------------------------------------------
\290\ See Line Items 1.A. through 1.E. of Part I of proposed
Form SCIR.
\291\ A CIK number is used on the Commission's computer systems
to identify persons who have filed disclosures with the Commission.
\292\ See Line Items 1.A. through 1.C. of Part I of proposed
Form SCIR.
\293\ See Instruction A.5.g. of proposed Form SCIR. See also,
e.g., Form SBSE available at https://www.sec.gov/files/form-sbse.pdf
(providing a similar definition of UIC).
\294\ See Regulation SBSR--Reporting and Dissemination of
Security-Based Swap Information, Exchange Act Release No. 74244
(Feb. 11, 2015), 80 FR 14563, 14632 (Mar. 19, 2015) (``Regulation
SBSR Release''). LEIs are unique alphanumeric codes that identify
legal entities in financial transactions in international markets.
See Financial Stability Board (``FSB''), Options to Improve Adoption
of the LEI, in Particular for Use in Cross-Border Payments (July 7,
2022). Information associated with the LEI, which is a globally-
recognized digital identifier that is not specific to the
Commission, includes the ``official name of the legal entity as
recorded in the official registers[,]'' the entity's address,
country of incorporation, and the ``legal form of the entity.'' Id.
Accordingly, in proposing to require each Covered Entity to provide
its UIC if it has a UIC, the Commission is proposing to require each
Covered Entity identify itself with an LEI if it has an LEI.
\295\ See Line Item 1.D. of Part I of proposed Form SCIR.
\296\ See Instruction B.4. of proposed Form SCIR.
\297\ See Line Item 1.E. of Part I of proposed Form SCIR
(setting forth check boxes to indicate whether the Covered Entity is
a broker-dealer, clearing agency, MSBSP, the MRSB, a national
securities association, a national securities exchange, SBSD, SBSDR,
or transfer agent).
---------------------------------------------------------------------------
Page 1 of Part I of proposed Form SCIR also would contain fields
for the individual executing the form to sign and date the form. By
signing the form, the individual would: (1) certify that the form was
executed on behalf of, and with the authority of, the Covered Entity;
(2) represent individually, and on behalf of the Covered Entity, that
the information and statements contained in the form are current, true
and complete; and (3) represent individually, and on behalf of the
Covered Entity, that to the extent any information previously submitted
is not amended such information is current, true, and complete. The
form of the certification is designed to ensure that the Covered
Entity, through the individual executing the form, provides information
that the Commission and Commission staff can rely on to evaluate the
operating status of the Covered Entity, assess the impact the
significant cybersecurity incident may have on other participants in
the U.S. securities markets, and formulate an appropriate response to
the incident.
Line Items 2 through 14 of Part I of proposed Form SCIR would
elicit information about the significant cybersecurity incident and the
Covered Entity's response to the incident. After discovering the
existence of a significant cybersecurity incident, a Covered Entity may
need time to determine the scope and impact of the incident in order to
provide meaningful responses to these questions. For example, the
Covered Entity may be working diligently to investigate and resolve the
significant cybersecurity incident at the same time it would be
required to complete and file Part I of proposed Form SCIR. The Covered
Entity's priorities in the early stages after detecting the significant
cybersecurity incident may be to devote its staff resources to
mitigating the harms caused by the incident or that could be caused by
the incident if necessary corrective actions are not promptly
implemented. Moreover, during this period, the Covered Entity may not
have a complete understanding of the cause of the significant
cybersecurity incident, all the information systems impacted by the
incident, the harm caused by the incident, or how to best resolve and
recover from the incident (among other relevant information).
Therefore, the first form filed with respect to a given significant
cybersecurity incident should include information that is known to the
Covered Entity at the time of filing and not include speculative
information. If information is unknown at the time of filing, the
Covered Entity should indicate that on the form. Understanding the
aspects of the significant cybersecurity incident that are not yet
known would inform the Commission's assessment. The process of filing
an amended Part I of proposed Form SCIR is designed to update earlier
filings as information becomes known to the Covered Entity. In
particular, proposed Rule 10 would require the Covered Entity to file
an amended Part I of proposed Form SCIR if information reported on a
previously filed form pertaining to the significant cybersecurity
incident becomes materially incomplete because new information is
discovered.\298\ Therefore, as the Covered Entity reasonably concludes
that additional information about the significant cybersecurity
incident is necessary to make its filing not materially inaccurate, it
would need to file amended forms. In this way, the reporting
requirements of proposed Rule 10 are designed to provide the Commission
and Commission staff with current known information and provide a means
for the Covered Entity to report information as it becomes known.
---------------------------------------------------------------------------
\298\ See paragraph (c)(2)(ii)(B) of proposed Rule 10.
---------------------------------------------------------------------------
This does not mean that the Covered Entity can refrain from
providing known information in Part I of proposed Form SCIR. As
discussed above, the Covered Entity must certify through the individual
executing the form that the information and statements in the form are
current, true, and complete, among other things. A failure to provide
current, true, and complete information that is known to the Covered
Entity would be inconsistent with this required certification. In
addition, failing to investigate the significant cybersecurity incident
would be inconsistent with the policies and procedures required by
proposed Rule 10. As discussed above, the cybersecurity incident
response and recovery policies and procedures that would be required by
proposed Rule 10 would need to include policies and procedures that are
reasonably designed to ensure the reporting of significant
cybersecurity incidents as required by the rule.\299\ The failure to
diligently investigate the significant cybersecurity incident could
indicate that the Covered Entity's incident response and recovery
policies and procedures are not reasonably designed or are not being
enforced by the Covered Entity as required by proposed Rule 10.\300\
Moreover, reasonably designed policies and procedures to detect,
respond to, and recover from a cybersecurity incident, as required by
proposed Rule 10 generally should require diligent investigation of the
significant cybersecurity incident.\301\ Further, diligently
investigating the significant cybersecurity incident would be in the
interest of the Covered Entity as it could lead to a quicker resolution
of the incident by revealing--for example--its cause and impact.
---------------------------------------------------------------------------
\299\ See paragraph (b)(1)(v)(A)(4) of proposed Rule 10. See
also section II.B.1.e. of this release (discussing these proposed
required policies and procedures in more detail).
\300\ See paragraph (b)(1) of proposed Rule 10 (requiring that
the Covered Entity establish, maintain, and enforce written policies
and procedures that are reasonably designed to address the covered
entity's cybersecurity risks).
\301\ See paragraph (b)(1)(v)(A) of proposed Rule 10. See also
section II.B.1.e. of this release (discussing these proposed
required policies and procedures in more detail).
---------------------------------------------------------------------------
In terms of the information about the significant cybersecurity
incident elicited in Part I of proposed Form SCIR, the Covered Entity
first would be required to provide the approximate
[[Page 20252]]
date that it discovered the significant cybersecurity incident.\302\ As
discussed above, a Covered Entity would be required to provide the
Commission with immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the incident has occurred or is occurring.\303\ This can be based on,
for example, the Covered Entity reviewing or receiving a record, alert,
log, or notice about the incident. In addition, reaching this
conclusion would trigger the requirement to file promptly (but within
48 hours) an initial Part I of proposed Form SCIR with the Commission
to first report the significant cybersecurity incident using the
form.\304\ The date that would need to be reported on proposed Part I
of Form SCIR is the date the Covered Entity has a reasonable basis to
conclude that the incident has occurred or is occurring.\305\
---------------------------------------------------------------------------
\302\ See Line Item 2 of Part I of proposed Form SCIR.
\303\ See paragraph (c)(1) of proposed Rule 10. See also section
II.B.2.a. of this release (discussing the proposed notification
requirement in more detail).
\304\ See paragraph (c)(2)(i) of proposed Rule 10. See also
section II.B.2.a. of this release (discussing the proposed reporting
trigger in more detail).
\305\ See Instruction B.5.a. of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 3 of Part I of proposed Form SCIR would elicit
information about the approximate duration of the significant
cybersecurity incident.\306\ First, the Covered Entity would need to
indicate whether the significant cybersecurity incident is
ongoing.\307\ The form would provide the option of answering yes, no,
or unknown. Second, the Covered Entity would need to provide the
approximate start date of the cybersecurity incident or indicate that
it does not know the start date.\308\ The start date may be well before
the date the Covered Entity discovered the significant cybersecurity
incident. Therefore, the start date of the incident reported on Line
Item 3 may be different than the discovery date reported on Line Item
2. Third, the Covered Entity would need to provide the approximate date
the significant cybersecurity incident is resolved.\309\ This would be
the date the Covered Entity was no longer undergoing a significant
cybersecurity incident.\310\ As discussed above, the resolution of the
significant cybersecurity incident triggers the requirement to file an
amended Part I of proposed Form SCIR under proposed Rule 10.\311\
---------------------------------------------------------------------------
\306\ See Line Items 3.A. through 3.C. of Part I of proposed
Form SCIR.
\307\ See Line Item 3.A. of Part I of proposed Form SCIR.
\308\ See Line Item 3.B. of Part I of proposed Form SCIR.
\309\ See Line Item 3.C. of Part I of proposed Form SCIR.
\310\ See Instruction B.5.b. of proposed Form SCIR. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity incident'').
\311\ See paragraph (c)(2)(ii)(C) of proposed Rule 10. See
section II.B.2.a. of this release (discussing the notification
requirements in more detail).
---------------------------------------------------------------------------
Line Item 4 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether an internal investigation pertaining
to the significant cybersecurity incident was being conducted. An
``internal investigation'' would be defined as a formal investigation
of the significant cybersecurity incident by internal personnel of the
Covered Entity or external personnel hired by the Covered Entity that
seeks to determine any of the following: the cause of the significant
cybersecurity incident; whether there was a failure to adhere to the
Covered Entity's policies and procedures to address cybersecurity risk;
or whether the Covered Entity's policies and procedures to address
cybersecurity are effective.\312\ If an internal investigation is
conducted, the Covered Entity also would need to provide the date the
investigation was closed. As discussed above, the closure of an
internal investigation pertaining to the significant cybersecurity
incident triggers the requirement to file an amended Part I of Form
SCIR under proposed Rule 10.\313\
---------------------------------------------------------------------------
\312\ See Instruction A.5.d. of proposed Form SCIR.
\313\ See paragraph (c)(2)(ii)(D) of proposed Rule 10. See also
section II.B.2.a. of this release (discussing the notification
requirement in more detail).
---------------------------------------------------------------------------
Line Item 5 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether a law enforcement or government
agency (other than the Commission) had been notified of the significant
cybersecurity incident.\314\ If so, the Covered Entity would need to
identify each law enforcement or government agency. The Commission and
Commission staff could use this information to coordinate with other
law enforcement and government agencies if needed both to assess the
incident and to share information as appropriate to understand the
impact of the incident better.
---------------------------------------------------------------------------
\314\ See Line Item 5 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 6 of Part I of proposed Form SCIR would require the
Covered Entity to describe the nature and scope of the significant
cybersecurity incident, including the information systems affected by
the incident and any effect on the Covered Entity's critical
operations.\315\ This item would enable the Commission to obtain
information about the incident to understand better how it is impacting
the Covered Entity's operating status and whether the Covered Entity
can continue to provide services to its customers, counterparties,
members, registrants, or users. This would include understanding which
services and systems have been impacted and whether the incident was
the result of a cybersecurity incident that occurred at a service
provider.
---------------------------------------------------------------------------
\315\ See Line Item 6 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 7 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether the threat actor(s) causing the
significant cybersecurity incident has been identified.\316\ If so, the
Covered Entity would be required to identify the threat actor(s). In
addition, the Covered Entity would need to indicate in Line Item 7
whether there has been communication(s) from or with the threat
actor(s) that caused or claims to have caused the significant cyber
security incident.\317\ The Covered Entity would need to answer the
question even if the threat actor(s) has not been identified. If there
had been communications, the Covered Entity would need to describe
them. This information would help the Commission staff to assess
whether the same threat actor(s) had sought to access information
systems of other Commission registrants and to warn other registrants
(as appropriate) about the threat posed by the actor(s). It also could
help in developing measures to protect against the risk to Commission
registrants posed by the threat actor. In addition, the information
would help the Commission assess the impact on the Covered Entity
experiencing the significant cybersecurity incident to the extent other
Commission registrants has been attacked by the same threat actor(s)
using similar tactics, techniques, and procedures.
---------------------------------------------------------------------------
\316\ See Line Item 7.A. of Part I of proposed Form SCIR.
\317\ See Line Item 7.B. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 8 of Part I of proposed Form SCIR would require the
Covered Entity to describe the actions taken or planned to respond to
and recover from the significant cybersecurity incident.\318\ The
objective is to obtain information to assess the Covered Entity's
operating status, including its critical operations. This information
also could assist the Commission and Commission staff in considering if
the response measures are effective or ineffective in addressing the
Covered Entity's significant cybersecurity incident.
---------------------------------------------------------------------------
\318\ See Line Item 8 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 9 of Part I of proposed Form SCIR would require the
Covered Entity
[[Page 20253]]
to indicate whether any data was stolen, altered, or accessed or used
for any other unauthorized purpose.\319\ The Covered Entity would have
the option of checking yes, no, or unknown. If yes, the Covered Entity
would need to describe the nature and scope of the data. This
information would help the Commission and its staff understand the
potential harm to the Covered Entity and its customers, counterparties,
members, registrants, or users that could result from the compromise of
the data. It also would provide insight into how the significant
cybersecurity incident could impact other Market Entities.
---------------------------------------------------------------------------
\319\ See Line Item 9 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 10 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether any personal information was lost,
stolen, modified, deleted, destroyed, or accessed without authorization
as a result of the significant cybersecurity incident.\320\ The Covered
Entity would have the option of checking yes, no, or unknown. If yes,
the Covered Entity would need to describe the nature and scope of the
information. Additionally, if the Covered Entity answered yes, it would
need to indicate whether notification has been provided to persons
whose personal information was lost, stolen, damaged, or accessed
without authorization.\321\ If the answer is no, the Covered Entity
would need to indicate whether this notification is planned.\322\ For
the purposes of proposed Form SCIR, the term ``personal information''
would have the same meaning as that term is defined in proposed Rule
10.\323\ The compromise of personal information can have severe
consequences on the persons to whom the information relates. For
example, it potentially can be used to steal their identities or access
their accounts at financial institutions to steal assets held in those
accounts. Consequently, this information would help the Commission
assess the extent to which the significant cybersecurity incident has
created this risk and the potential harm that could result from the
compromise of personal data.
---------------------------------------------------------------------------
\320\ See Line Item 10.A. of Part I of proposed Form SCIR.
\321\ See Line Item 10.B.i. of Part I of proposed Form SCIR.
\322\ See Line Item 10.B.ii. of Part I of proposed Form SCIR.
\323\ See Instruction A.5.e. of proposed Form SCIR. See also
paragraph (a)(9) of proposed Rule 10 (defining ``personal
information'' to mean any information that can be used, alone or in
conjunction with any other information, to identify a person, such
as name, date of birth, place of birth, telephone number, street
address, mother's maiden name, government passport number, Social
Security number, driver's license number, electronic mail address,
account number, account password, biometric records, or other non-
public authentication information).
---------------------------------------------------------------------------
Line Item 11 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether any of its assets were lost or
stolen as a result of the significant cybersecurity incident.\324\ The
Covered Entity would have the option of checking yes, no, or unknown.
If yes, the Covered Entity would need to describe the types of assets
that were lost or stolen and include an approximate estimate of their
value, if known. This question is not limited to particular types of
assets and, therefore, the Covered Entity would need to respond
affirmatively if, among other types of assets, financial assets such as
cash and securities were lost or stolen or intellectual property was
lost or stolen. The loss or theft of the Covered Entity's assets could
potentially cause the entity to fail financially or put a strain on its
liquidity. Further, to the extent counterparties become aware of the
loss or theft, it could cause them to withdraw assets from the entity
or stop transacting with the entity further straining its financial
condition. Consequently, the objective is to understand whether the
significant cybersecurity incident has created this risk and whether
there may be other spillover effects or consequences to the U.S.
securities markets.
---------------------------------------------------------------------------
\324\ See Line Item 11 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 12 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether any assets of the Covered Entity's
customers, counterparties, clients, members, registrants, or users were
lost or stolen as a result of the significant cybersecurity
incident.\325\ The Covered Entity would have the option of checking
yes, no, or unknown. If yes, the Covered Entity would need to describe
the types of assets that were lost or stolen and include an approximate
estimate of their value, if known. Additionally, if the Covered Entity
answered yes, it would need to indicate whether notification has been
provided to persons whose assets were lost or stolen.\326\ If the
answer is no, the Covered Entity would need to indicate whether this
notification is planned.\327\
---------------------------------------------------------------------------
\325\ See Line Item 12.A. Part I of proposed Form SCIR.
\326\ See Line Item 11.B.i. of Part I of proposed Form SCIR.
\327\ See Line Item 12.B.ii. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Certain types of Covered Entities hold assets belonging to other
persons or maintain ownership records of the assets of other
persons.\328\ For example, certain broker-dealers maintain custody of
securities and cash for other persons and clearing agencies hold
clearing deposits of their members. A significant cybersecurity
incident impacting a Covered Entity that results in the loss or theft
of assets can cause severe financial hardship to the owners of those
assets. It also can impact the financial condition of the Covered
Entity if it is liable for the loss or theft. Consequently, the
objective is to understand whether the significant cybersecurity
incident has created this risk.
---------------------------------------------------------------------------
\328\ See Section I.A.2. of this release (discussing the
functions of Market Entities).
---------------------------------------------------------------------------
As discussed in more detail below, proposed Rule 10 would require a
Covered Entity to make a public disclosure that generally describes
each significant cybersecurity incident that has occurred during the
current or previous calendar year and promptly update this disclosure
after the occurrence of a new significant cybersecurity incident or
when information about a previously disclosed significant cybersecurity
incident materially changes.\329\ The Covered Entity would be required
to make the disclosure on the Covered Entity's business internet
website and by filing Part II of proposed Form SCIR through the EDGAR
system.\330\ In addition, if the Covered Entity is a carrying or
introducing broker-dealer, it would need to make the disclosure to its
customers using the same means that a customer elects to receive
account statements.\331\
---------------------------------------------------------------------------
\329\ See paragraph (d)(1)(ii) of proposed Rule 10. See also
sections II.B.3. and II.B.4. of this release (discussing these
proposed disclosure requirements in more detail).
\330\ See paragraphs (d)(2)(i) and (ii) of proposed Rule 10.
\331\ See paragraph (d)(3) of proposed Rule 10. See section
II.B.3.b. of this release (discussing the broker-dealer disclosure
requirement in more detail).
---------------------------------------------------------------------------
Line Item 13 of Part I of proposed Form SCIR would require the
Covered Entity to indicate whether the significant cybersecurity
incident has been disclosed pursuant to the requirements of proposed
Rule 10.\332\ The Covered Entity also would need to indicate whether it
made the required disclosures of Part II of proposed Form SCIR on its
website and through EDGAR and, if it had made the disclosure, it would
need to indicate the date of the disclosure.\333\ A Covered Entity that
is a carrying or introducing broker-dealer would need to indicate
separately
[[Page 20254]]
whether it made the required disclosure of Part II of proposed Form
SCIR to its customers.\334\ The Covered Entity would not need to
indicate a date for the customer disclosure because it could be made in
a number of ways (e.g., by email or mail) and that process could span a
number of days. If the Covered Entity has not disclosed the significant
cybersecurity incident as required by proposed Rule 10, it would need
to explain why. The requirement to report this information is designed
to promote compliance with the disclosure requirements of proposed Rule
10.
---------------------------------------------------------------------------
\332\ See Line Items 13.A. through C. of proposed Form SCIR.
\333\ See Line Items 13.A. through B. of proposed Part I of Form
SCIR.
\334\ See Line Item 13.C. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Line Item 14 of Part I of proposed Form SCIR would elicit
information about any insurance coverage the Covered Entity may have
with respect to the significant cybersecurity incident.\335\ First, the
Covered Entity would need to indicate whether the significant
cybersecurity incident is covered by an insurance policy of the Covered
Entity.\336\ The Covered Entity would have the option of checking yes,
no, or unknown. If yes, the Covered Entity would need to indicate
whether the insurance company has been contacted. The existence of
insurance coverage to cover losses could be relevant to Commission
staff in assessing the potential magnitude of harm to the Covered
Entity's customers, counterparties, members, registrants, or users and
to the Covered Entity's financial condition. For example, the existence
of insurance coverage, to the extent the significant cybersecurity
incident is covered by the policy, could indicate a greater possibility
that the Covered Entity and/or any of its customers, counterparties,
members, registrants, or users affected by the incident are made whole.
---------------------------------------------------------------------------
\335\ See Line Items 14.A. and B. of Part I of proposed Form
SCIR.
\336\ See Line Item 14.A. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------
Finally, Line Item 15 of Part I of proposed Form SCIR would permit
the Covered Entity to include in the form any additional information
the entity would want the Commission and Commission staff to know as
well as provide any comments about the information included in the
report.\337\
---------------------------------------------------------------------------
\337\ See Line Item 15 of proposed Part I of Form SCIR.
---------------------------------------------------------------------------
c. Request for Comment
The Commission requests comment on all aspects of the proposed
requirements to report significant cybersecurity incidents on Part I of
proposed Form SCIR. In addition, the Commission is requesting comment
on the following specific aspects of the proposals:
41. Should paragraph (c)(1) of proposed Rule 10 be modified to
revise the immediate notification requirement? For example, should the
requirement permit the notice to be made by telephone or email? If so,
explain why. If not, explain why not. If telephone or email notice is
permitted, should the rule specify the Commission staff, Division, or
Office to phone or email?
42. Should paragraph (c)(1) of proposed Rule 10 be modified to
revise the requirement to provide immediate written electronic notice
to specify how the notice must be transmitted to the Commission? For
example, should the rule specify an email address or other type of
electronic portal to be used to transmit the notice? If so, explain
why. If not, explain why not. Should the rule be modified to require
that the notice be transmitted to the Commission through the EDGAR
system? If so, explain why. If not, explain why not. Should the rule be
modified to require that the notice be transmitted to the Commission
through the EDGAR system using a structured data language other than
custom XML format?
43. Should paragraph (c)(1) of proposed Rule 10 be modified to
revise the requirement to provide immediate written electronic notice
to require the notice to be provided within a specific timeframe such
as on the same day the requirement was triggered or within 24 hours? If
so, explain why. If not, explain why not.
44. Should paragraph (c)(1) of proposed Rule 10 be modified to
revise the trigger for the immediate notification and reporting
requirements? If so, explain why. If not, explain why not. For example,
should the trigger be when the Covered Entity ``detects'' a significant
cybersecurity incident (rather than when it has a reasonable basis to
conclude that the significant cybersecurity incident has occurred or is
occurring)? If so, explain why. If not, explain why not. For example,
would a detection standard be a less subjective standard? If so,
explain why. If not, explain why not. Is there another trigger standard
that would be more appropriate? If so, identify it and explain why it
would be more appropriate.
45. If the immediate notification requirement of paragraph (c)(1)
is adopted as proposed, it is anticipated that a dedicated email
address would be established to receive these notices. Are there other
methods the Commission should use for receiving these notices? If so,
identity them and explain why they would be more appropriate than
email. For example, should the notices be received through the EDGAR
system? If so, explain why. If not, explain why not.
46. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the reporting requirements to incorporate the cybersecurity
reporting program that CISA will implement under recently adopted
legislation (``CISA Reporting Program'') to the extent it will be
applicable to Covered Entities? \338\ If so, explain why and suggest
modifications to the proposed reporting requirements for Covered
Entities to incorporate the CISA Reporting Program. For example, if a
Covered Entity would be required to file a report under the CISA
Reporting Program, should that report satisfy the obligations to report
to the Commission a significant cybersecurity incident under paragraph
(c) of proposed Rule 10? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------
\338\ See CIRCIA.
---------------------------------------------------------------------------
47. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the timeframe for filing an initial Part I of proposed Form
SCIR? If so, explain why. If not, explain why not. For example, should
the reporting requirements be revised to permit Covered Entities more
than 48 hours to file an initial Part I of proposed Form SCIR with the
Commission? If yes, explain how long they should have to file the
initial Part I of proposed Form SCIR and why that timeframe would be
appropriate. For example, should Covered Entities have 72 or 96 hours
to file the initial Part I of proposed Form SCIR? If so, explain why.
If not, explain why not. Would providing more time to file the initial
Part I of proposed Form SCIR make the filing more useful insomuch as
the Covered Entity would have more time to investigate the significant
cybersecurity incident? If so, explain why and how to balance that
benefit against the delay in providing this information to the
Commission within 48 hours. Would the immediate notification
requirement of paragraph (c) of proposed Rule 10 make it appropriate to
lengthen the timeframe for when the Covered Entity would need to file
the initial Part I of proposed Form SCIR? If so, explain why. If not,
explain why not. For example, could the immediate notification
requirement and the ability of the Commission staff to follow-up with
the contact person identified on the notification serve as an
appropriate alternative to receiving the initial Part I of proposed
Form SCIR within 48 hours. If so, explain why. If not, explain why not.
Conversely,
[[Page 20255]]
should the timeframe for filing an initial Part I of proposed Form SCIR
be shortened to 24 hours or some other period of time that is less than
48 hours? If so, explain why. If not, explain why not.
48. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the timeframe for filing an initial or amended Part I of
proposed Form SCIR so the timeframes are expressed in business days or
calendar days instead of hours? If so, explain why. If not, explain why
not. For example, should Covered Entities have two, five, or some other
number business or calendar days to file an initial or amended Part I
of proposed Form SCIR? Would business or calendar days be more
appropriate given that Part I of proposed Form SCIR would be filed
through the EDGAR system? \339\ If so, explain why. If not, explain why
not.
---------------------------------------------------------------------------
\339\ The Commission accepts electronic submissions through the
EDGAR system Monday through Friday, except federal holidays, from
6:00 a.m. to 10:00 p.m. Eastern Time. See Chapter 2 of the EDGAR
Filer Manual (Volume I), version 41 (Dec. 2022). Further, filings
submitted by direct transmission commencing on or before 5:30 p.m.
Eastern Standard Time or Eastern Daylight Saving Time, whichever is
currently in effect, shall be deemed filed on the same business day,
and all filings submitted by direct transmission commencing after
5:30 p.m. Eastern Standard Time or Eastern Daylight Saving Time,
whichever is currently in effect, shall be deemed filed as of the
next business day. 17 CFR 232.13.
---------------------------------------------------------------------------
49. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the timeframe for filing an initial or amended Part I of
proposed Form SCIR so that it must be filed promptly after the filing
requirement is triggered without specifying the 48 hour limit? If so,
explain why and describe how ``promptly'' should be interpreted for
purposes of the reporting requirements of paragraph (c) of proposed
Rule 10. If not, explain why not.
50. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the reporting requirements to include the filing of an initial
Part I of proposed Form SCIR and a final Part I of proposed Form SCIR
but not require the filing of interim amended forms? If so, explain
why. If not, explain why not. For example, could informal
communications between the Commission staff and the Covered Entity
facilitated by the contact employee identified in the immediate notice
that would be required under paragraph (c)(1) of proposed Rule 10 be an
appropriate alternative to requiring the filing of interim amended
forms? If so, explain why. If not, explain why not.
51. Should paragraph (c)(2) of proposed Rule 10 be modified to
revise the reporting requirements to include the filing of interim
amended forms on a pre-set schedule? If so, explain why. If not,
explain why not. For example, should Covered Entities be required to
file an initial Part I of proposed Form SCIR and a final Part I of
proposed Form SCIR pursuant to the requirements of paragraph (c) of
proposed Rule 10 but file interim amended forms on a pre-set schedule?
If so, explain why this would be appropriate, including why a pre-set
reporting requirement would not undermine the objectives of the
proposed reporting requirements, and how often the interim reporting
should be required (e.g., weekly, bi-weekly, monthly, quarterly). Would
a pre-set reporting cadence (e.g., weekly, bi-weekly, monthly,
quarterly) undermine the objectives of the proposed reporting
requirements by inappropriately delaying the Commission's receipt of
important information about a significant cybersecurity incident? If
so, explain why. If not, explain why not. Would the immediate
notification requirement and the ability of the Commission staff to
follow-up with the contact person identified on the notification
mitigate this potential consequence? If so, explain why. If not,
explain why not.
52. Should paragraph (c)(2)(ii)(D) of proposed Rule 10 and Part I
of proposed Form SCIR be modified to revise the reporting requirements
relating to internal investigations? If so, explain why. If not,
explain why not. For example, would these reporting requirements create
a disincentive for Covered Entities to perform internal investigations
in response to significant cybersecurity incidents? If so, explain why.
If not, explain why not.
53. Should Part I of proposed Form SCIR be modified? If so, explain
why. If not, explain why not. For example, does the form strike an
appropriate balance of providing enough detail to the Commission to be
helpful while also not being unduly burdensome to Covered Entities? If
so, explain why. If not, explain why not. Is certain information that
would be elicited in Part I of Form SCIR unnecessary? If so, identify
the information and explain why it would be unnecessary. Is there
additional information that should be required to be included in Part I
of proposed Form SCIR? If so, identify the information and explain why
it would be appropriate to require a Covered Entity to report it in the
form.
54. Should Part I of proposed Form SCIR be modified to require that
Covered Entities provide a UIC--such as an LEI \340\ (which would
require each Covered Entity without a UIC (such as an LEI) to obtain
one to comply with the rule)? If so, explain why. If not, explain why
not. For example, would a requirement to provide a UIC allow the
Commission staff to better evaluate cyber-threats to Covered Entities?
If so, explain why. If not, explain why not. Should the form be
modified to require Covered Entities to provide another type of
standard identifier other than a CIK number and UIC (if they have a
UIC)? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------
\340\ The Commission approved a UIC (namely, the LEI) in a
previous rulemaking. See section II.B.2.b. of this release; see also
Regulation SBSR Release, 80 FR at 14632. The Commission is aware
that additional identifiers could be recognized as UICs in the
future, but for the purposes of this release, the Commission is
equating the UIC with the LEI.
---------------------------------------------------------------------------
3. Disclosure of Cybersecurity Risks and Incidents
a. Cybersecurity Risks and Incidents Disclosure
Proposed Rule 10 would require a Covered Entity to make two types
of public disclosures relating to cybersecurity on Part II of proposed
Form SCIR.\341\ First, the Covered Entity would need to, in plain
English, provide a summary description of the cybersecurity risks that
could materially affect its business and operations and how the Covered
Entity assesses, prioritizes, and addresses those cybersecurity
risks.\342\ A cybersecurity risk would be material to a Covered Entity
if there is a substantial likelihood that a reasonable person would
consider the information important based on the total mix of facts and
information.\343\ The facts and circumstances relevant to determining
materiality in this context may include, among other things, the
likelihood and extent to which the cybersecurity risk or resulting
incident: (1) could disrupt or degrade the Covered Entity's ability to
maintain critical operations; (2) could adversely affect the
confidentiality, integrity, or availability of information residing on
the Covered Entity's information systems, including whether the
information is personal, confidential, or proprietary information; and/
or (3) could harm the Covered Entity or its customers, counterparties,
members, registrants, users, or other persons.
---------------------------------------------------------------------------
\341\ See paragraph (d)(1) of proposed Rule 10.
\342\ See paragraph (d)(1)(i) of proposed Rule 10; Line Item 2
of Part II proposed of Form SCIR.
\343\ See, e.g., SEC. v. Steadman, 967 F.2d 636, 643 (D.C. Cir.
1992); cf. Basic Inc. v. Levinson, 485 U.S. 224, 231-232 (1988); TSC
Industries v. Northway, Inc., 426 U.S. 438, 445, 449 (1976).
---------------------------------------------------------------------------
The second element of the disclosure would be a summary description
of each
[[Page 20256]]
significant cybersecurity incident that occurred during the current or
previous calendar year, if applicable.\344\ The look-back period of the
current and previous calendar years is designed to make the disclosure
period consistent across all Covered Entities. The look-back period
also is designed to provide a short history of significant
cybersecurity incidents affecting the Covered Entity while not
overburdening the firm with a longer disclosure period. The summary
description of each significant cybersecurity incident would need to
include: (1) the person or persons affected; \345\ (2) the date the
incident was discovered and whether it is ongoing; (3) whether any data
was stolen, altered, or accessed or used for any other unauthorized
purpose; (4) the effect of the incident on the Covered Entity's
operations; and (5) whether the Covered Entity, or service provider,
has remediated or is currently remediating the incident.\346\ This
disclosure--because it addresses actual significant cybersecurity
incidents--would serve as another way for market participants to
evaluate the Covered Entity's cybersecurity risks and vulnerabilities
apart from the general disclosure of its cybersecurity risk. For
example, a Covered Entity's disclosure of multiple significant
cybersecurity incidents during the current or previous calendar year
(particularly, if they did not impact other Covered Entities) would be
useful in assessing whether the Covered Entity is adequately addressing
cybersecurity risk or is more vulnerable to that risk as compared with
other Covered Entities.
---------------------------------------------------------------------------
\344\ See paragraph (d)(1)(ii) of proposed Rule 10; Line Item 3
of Part II proposed of Form SCIR. See also paragraph (a)(10) of
proposed Rule 10 (defining the term ``significant cybersecurity
incident'').
\345\ This element of the disclosure would not need to include
the identities of the persons affected or personal information about
those persons. Instead, the disclosure could use generic terms to
identify the person or persons affected. For example, the disclosure
could state that ``customers of the broker-dealer,''
``counterparties of the SBSD,'' or ``members of the SRO'' are
affected (as applicable).
\346\ See paragraphs (d)(1)(ii)(A) through (E) of proposed Rule
10; Line Item 3 of Part II proposed of Form SCIR.
---------------------------------------------------------------------------
The objective of these disclosures is to provide greater
transparency to customers, counterparties, registrants, or members of
the Covered Entity, or to users of its services, about the Covered
Entity's exposure to material harm as a result of a cybersecurity
incident, which, in turn, could cause harm to customers,
counterparties, members, registrants, or users. This information could
be used by these persons to manage their own cybersecurity risk and, to
the extent they have choice, select a Covered Entity with which to
transact or otherwise conduct business. Information about prior attacks
and their degree of success is immensely valuable in mounting effective
countermeasures.\347\
---------------------------------------------------------------------------
\347\ See Peter W. Singer and Allan Friedman. Cybersecurity and
Cyberwar: What Everyone Needs to Know. Oxford University Press 222
(2014).
---------------------------------------------------------------------------
However, the intent of the disclosure on Part II of proposed Form
SCIR is to avoid overly detailed disclosures that could increase
cybersecurity risk for the Covered Entity and other persons. Revealing
too much information could assist future attackers as well as lead to
loss of customers, reputational harm, litigation, or regulatory
scrutiny, which would be a cost associated with public disclosure.\348\
Therefore, under proposed Rule 10, the Covered Entity would be required
to provide only a summary description of its cybersecurity risk and
significant cybersecurity incidents.\349\ The requirement that the
disclosures contain summary descriptions only is designed to produce
meaningful disclosures but not disclosures that would reveal
information (e.g., proprietary or confidential methods of addressing
cybersecurity risk or known cybersecurity vulnerabilities) that could
be used by threat actors to cause harm to the Covered Entity or its
customers, counterparties, members, users, or other persons. This
requirement is also designed to produce high-level disclosures about
the Covered Entity's cybersecurity risks and significant cybersecurity
incidents that can be easily reviewed by interested parties in order to
give them a general understanding of the Covered Entity's risk profile.
---------------------------------------------------------------------------
\348\ See, e.g., Federal Trade Commission v. Equifax, Inc., FTC
Matter/File Number: 172 3203, Civil Action Number: 1:19-cv-03297-TWT
(2019), available at https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc (``FTC Equifax Civil Action'').
\349\ See paragraphs (d)(1)(i) and (ii) of proposed Rule 10.
---------------------------------------------------------------------------
b. Disclosure Methods and Updates
Proposed Rule 10 would require a Covered Entity to make the public
disclosures discussed above (i.e., the information about cybersecurity
risks and significant cybersecurity incidents) on Part II of proposed
Form SCIR.\350\ Part II of proposed Form SCIR would elicit information
about the Covered Entity that would be used to identify the filer.\351\
In particular, the Covered Entity would need to provide its full legal
name and business name (if different from its legal name), UIC (if the
filer has a UIC),\352\ CIK number, and main address.\353\ The Covered
Entity also would need to indicate the type of Market Entity it is by
checking the appropriate box or boxes.\354\ For example, if the Covered
Entity is dually registered as a broker-dealer and SBSD, it would need
to check the box for each of those entity types.
---------------------------------------------------------------------------
\350\ See paragraph (d) of proposed Rule 10.
\351\ See Line Items 1.A. through 1.D. of Part II of proposed
Form SCIR.
\352\ As mentioned previously, the Commission approved a UIC--
namely, the LEI--in a prior rulemaking. See section II.B.2.b. of
this release. Therefore, for the purposes of this release, the
Commission is proposing to require those Covered Entities that
already have LEIs to identify themselves with LEIs on Part II of
Form SCIR.
\353\ See Line Items 1.A. through 1.C. of Part I of proposed
Form SCIR. See also section II.B.2.b. of this release (discussing
UIC and CIK numbers in more detail with respect to Part I of
proposed Form SCIR).
\354\ See Line Item 1.D. of Part II of proposed Form SCIR
(setting forth check boxes to indicate whether the Covered Entity is
a broker-dealer, clearing agency, MSBSP, the MRSB, a national
securities association, a national securities exchange, SBSD, SBSDR,
or transfer agent).
---------------------------------------------------------------------------
Page 1 of Part II of proposed Form SCIR also would contain fields
for the individual executing the form to sign and date the form. By
signing the form, the individual would: (1) certify that the form was
executed on behalf of, and with the authority of, the Covered Entity;
and (2) represent individually, and on behalf of the Covered Entity,
that the information and statements contained in the form are current,
true and complete. The form of the certification is designed to ensure
that the Covered Entity, through the individual executing the form,
discloses information that can be used by the Covered Entity's
customers, counterparties, members, registrants, or users, or by other
interested persons to assess the Covered Entity's cybersecurity risk
profile and compare it with the risk profiles of other Covered
Entities.
As discussed above, proposed Rule 10 would require the Covered
Entity to publicly disclose a summary description of the cybersecurity
risks that could materially affect the Covered Entity's business and
operations and how the Covered Entity assesses, prioritizes, and
addresses those cybersecurity risks.\355\ Line Item 2 of Part II of
proposed Form SCIR would contain a narrative field in which the Covered
Entity would provide this summary description.\356\ In order to provide
context to the meaning of the disclosure, the beginning of Line Item 2
would set forth the definition of ``cybersecurity risk'' in proposed
Rule 10 as well as the definitions of ``cybersecurity incident,''
``cybersecurity
[[Page 20257]]
threat,'' and ``cybersecurity vulnerability'' because these three terms
are used in the definition of ``cybersecurity risk.'' \357\
---------------------------------------------------------------------------
\355\ See paragraph (d)(1)(i) of proposed Rule 10.
\356\ See Line Item 2 of Part II of proposed Form SCIR.
\357\ Id. See also paragraphs (a)(2) through (5) of proposed
Rule 10 (defining, respectively, ``cybersecurity incident,''
``cybersecurity risk,'' ``cybersecurity threat,'' and
``cybersecurity vulnerability'').
---------------------------------------------------------------------------
Line Item 3 of Part II of proposed Form SCIR would be used to make
the disclosure about each significant cybersecurity incident that
occurred during the current and previous calendar year.\358\ The
definition of ``significant cybersecurity incident'' would be set forth
at beginning of Line Item 3 in order to provide context to the meaning
of the disclosure. To complete the line item, the Covered Entity first
would need to indicate by checking ``yes'' or ``no'' whether it had
experienced one or more significant cybersecurity incidents during the
current or previous calendar year. If the answer is yes, the Covered
Entity would need to provide in a narrative field on Line Item 3 the
summary description of each significant cybersecurity incident.\359\
---------------------------------------------------------------------------
\358\ See Line Item 3 of Part II of proposed Form SCIR.
\359\ See paragraph (d)(1)(ii) of proposed Rule 10.
---------------------------------------------------------------------------
As discussed next, there would be two methods of making the
disclosure, which would be required of all Covered Entities under
proposed Rule 10, and an additional third method that would be required
of Covered Entities that are carrying or introducing broker-dealers.
First, Covered Entities would be required to file Part II of Form SCIR
with the Commission electronically through the EDGAR system in
accordance with the EDGAR Filer Manual, as defined in Rule 11 of
Regulation S-T,\360\ and in accordance with the requirements of
Regulation S-T.\361\ The Commission would make these filings available
to the public. The objective of requiring centralized EDGAR-filing of
Part II of proposed Form SCIR is to facilitate the ability to compare
disclosures across different Covered Entities or categories of Covered
Entities in the same manner that EDGAR filing facilitates comparison of
financial statements, annual reports, and other disclosures across
Commission registrants. By creating a single location for all of the
disclosures, Commission staff, investors, market participants, and
analysts as well as Covered Entities' customers, counterparties,
members, registrants, or users would be able to run search queries to
compare the disclosures of multiple Covered Entities. Centralized EDGAR
filing could make it easier for Commission staff and others to assess
the cybersecurity risk profiles of different types of Covered Entities
and could facilitate trend analysis of significant cybersecurity
incidents. Thus, by providing a central location for the cybersecurity
disclosures, filing Part II of proposed Form SCIR through EDGAR could
lead to greater transparency of the cybersecurity risks in the U.S.
securities markets.
---------------------------------------------------------------------------
\360\ See 17 CFR 232.11.
\361\ See paragraph (d)(2)(i) of proposed Rule 10.
---------------------------------------------------------------------------
Second, proposed Rule 10 would require the Covered Entity to post a
copy of the Part II of proposed Form SCIR most recently filed on EDGAR
on an easily accessible portion of its business internet website that
can be viewed by the public without the need of entering a password or
making any type of payment or providing any other consideration.\362\
Consequently, the disclosures could not be located behind a ``paywall''
or otherwise require a person to pay a registration fee or provide any
other consideration to access them. The purpose of requiring the form
to be posted on the Covered Entity's business internet website is that
individuals naturally may visit a company's business internet website
when seeking timely and updated information about the company,
particularly if the company is experiencing an incident that disrupts
or degrades the services it provides. Therefore, requiring the form to
be posted on the website is designed to make it available through this
commonly used method of obtaining information. Additionally,
individuals may naturally visit a company's business internet website
as part of their due diligence process in determining whether to use
its services. Therefore, posting the form on the Covered Entity's
business internet website could provide individuals with information
about the Covered Entity's cybersecurity risks before they elect to
enter into an arrangement with the firm. It could serve a similar
purpose for individuals considering whether to maintain an ongoing
business relationship with the Covered Entity.
---------------------------------------------------------------------------
\362\ See paragraph (d)(2)(ii) of proposed Rule 10. In addition
to the disclosure to be made available to security-based swap
counterparties as required by paragraph (d)(2)(ii) of proposed Rule
10, current Commission rules require that SBS Entities' trading
relationship documentation between certain counterparties address
cybersecurity. Specifically, an SBS Entity's trading relationship
documentation must include valuation methodologies for purposes of
complying with specified risk management requirements, which would
include the risk management requirements of proposed Rule 10 (if it
is adopted). See 17 CFR 250.15Fi-5(b)(4). This documentation would
include a dispute resolution process or alternative methods for
determining value in the event of a relevant cybersecurity incident.
See also section IV.C.1.b.iii. of this release (discussing
disclosure requirements of Rule 15Fh-3(b)).
---------------------------------------------------------------------------
In addition to those two disclosure methods, a Covered Entity that
is either a carrying or introducing broker-dealer would be required to
provide a copy of the Part II of proposed Form SCIR most recently filed
on EDGAR to a customer as part of the account opening process.\363\
Thereafter, the Covered Entity would need to provide the customer with
the most recently posted form annually and when it is updated. The
broker-dealer would need to deliver the form using the same means that
the customer elects to receive account statements (e.g., by email or
through the postal service).\364\ This additional method of disclosure
is designed to make the information readily available to the broker-
dealer's customers (many of whom may be retail investors) through the
same processes that other important information (i.e., information
about their securities accounts) is communicated to them. Requiring a
broker-dealer to deliver copies of the form is designed to enhance
investor protection by enabling customers to take protective or
remedial measures to the extent appropriate. It would also assist
customers in determining whether their engagement of that particular
broker-dealer remains appropriate and consistent with their investment
objectives.
---------------------------------------------------------------------------
\363\ See paragraph (d)(3) of proposed Rule 10.
\364\ If the disclosure requirements of proposed Rule 10 are
adopted, the Commission would establish a compliance date by which a
Covered Entity would need to make its first public disclosure on
Part II of proposed Form SCIR. At a minimum, the initial disclosure
would need to include a summary description of the cybersecurity
risks that could materially affect the Covered Entity's business and
operations and how the Covered Entity assesses, prioritizes, and
addresses those cybersecurity risks. In setting an initial
compliance date, the Commission could take a bifurcated approach in
which each method of disclosure has a different compliance date. For
example, the compliance date for making the website disclosure could
come before the compliance date for making the EDGAR disclosure and
the additional disclosure required of carrying and introducing
broker-dealers. The Commission seeks comment below on a potential
compliance date or compliance dates for the disclosure requirements.
---------------------------------------------------------------------------
Finally, a Covered Entity would be required to file on EDGAR an
updated Part II of proposed Form SCIR promptly if the information
required to be disclosed about cybersecurity risks or significant
cybersecurity incidents materially changes, including, in the case of
the disclosure about significant cybersecurity incidents, after the
occurrence of a new significant cybersecurity incident or when
[[Page 20258]]
information about a previously disclosed significant cybersecurity
incident materially changes.\365\ The Covered Entity also would need to
post a copy of the updated Part II of proposed Form SCIR promptly on
its business internet website and, if it is a carrying broker-dealer or
introducing broker-dealer, deliver copies of the form to its customers.
Given the potential effect that significant cybersecurity incidents
could have on a Covered Entity's customers, counterparties, members,
registrants, or users--such as exposing their personal or other
confidential information or resulting in a loss of cash or securities
from their accounts--time is of the essence, and requiring a Covered
Entity to update the disclosures promptly would enhance investor
protection by enabling customers, counterparties, members, registrants,
or users to take proactive or remedial measures to the extent
appropriate. Accordingly, the timing of the filing of an updated
disclosure should take into account the exigent nature of significant
cybersecurity incidents which would generally militate toward swiftly
filing the update. Furthermore, requiring Covered Entities to update
their disclosures following the occurrence of a new significant
cybersecurity incident would assist market participants in determining
whether their business relationship with that particular Covered Entity
remains appropriate and consistent with their goals.
---------------------------------------------------------------------------
\365\ See paragraph (d)(4) of proposed Rule 10. See also
Instruction C.2. of proposed Form SCIR. As discussed earlier, a
Covered Entity would be required to file Part I of proposed Form
SCIR with the Commission promptly, but no later than 48 hours, upon
having a reasonable basis to conclude that a significant
cybersecurity incident has occurred or is occurring. See paragraph
(c)(2)(i) of proposed Rule 10; see also section II.B.2.a. of this
release (discussing this requirement in more detail). Therefore, the
Covered Entity would need to file a Part I and an updated Part II of
proposed Form SCIR with the Commission relatively contemporaneously.
Depending on the facts and circumstances, the Part I and updated
Part II could be filed at the same time or one could proceed the
other if the Covered Entity, for example, has the information to
complete Part II first but needs more time to gather the information
to complete Part I (which elicits substantially more information
than Part II). However, as discussed above, Part I must be filed no
later than 48 hours after the Covered Entity has a reasonable basis
to conclude that a significant cybersecurity incident has occurred
or is occurring and the Covered Entity must include in the initial
filing the information that is known at that time and file an
updated Part I as more information becomes known to the Covered
Entity.
---------------------------------------------------------------------------
A Covered Entity also would need to file an updated Part II of
proposed Form SCIR if the information in the summary description of a
significant cybersecurity incident included on the form is no longer
within the look-back period (i.e., the current or previous calendar
year). For example, the information that would need to be included in
the summary description includes whether the significant cybersecurity
incident is ongoing and whether the Covered Entity had remediated it.
The Covered Entity would need to file an updated Part II of proposed
Form SCIR if the significant cybersecurity incident was remediated and
ended on a date that was beyond the look-back period. The updated Part
II of proposed Form SCIR would no longer include a summary description
of that specific significant cybersecurity incident. The objective is
to focus the most recently filed disclosure on events within the
relative near term. The history of the Covered Entity's significant
cybersecurity incidents would be available in previous filings.
c. Request for Comment
The Commission requests comment on all aspects of the proposed
disclosure requirements. In addition, the Commission is requesting
comment on the following specific aspects of the proposals:
55. Should paragraph (d)(1)(i) of proposed Rule 10 be modified to
revise the requirements that Covered Entities publicly disclose the
cybersecurity risks that could materially affect their business and
operations and to publicly disclose a description of how the Covered
Entity assesses, prioritizes, and addresses those cybersecurity risks?
If so, explain why. If not, explain why not. For example, would the
public disclosures required by paragraph (d)(1)(i) of proposed Rule 10
be useful or provide meaningful information to a Covered Entity's
customers, counterparties, members, registrants, or users? If so,
explain why. If not, explain why not. Could the proposed disclosure
requirement be modified to make it more useful? If so, explain how.
Could the public disclosures required by paragraph (d)(1)(i) of
proposed Rule 10 assist threat actors in engaging in cyber crime? If
so, explain why. If not, explain why not. Could the proposed disclosure
requirements be modified to eliminate this risk without negatively
impacting the usefulness of the disclosures? If so, explain how.
56. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to
revise the requirements that Covered Entities publicly disclose
information about each significant cybersecurity incident that has
occurred during the current or previous calendar year? If so, explain
why. If not, explain why not. For example, would the public disclosures
required by paragraph (d)(1)(ii) of proposed Rule 10 be useful or
provide meaningful information to a Covered Entity's customers,
counterparties, members, registrants, or users? If so, explain why. If
not, explain why not. Could the proposed disclosure requirement be
modified to make it more useful? If so, explain how. Could the public
disclosures required by paragraph (d)(1)(ii) of proposed Rule 10 assist
threat actors in engaging in cyber crime? If so, explain why. If not,
explain why not. Could the proposed disclosure requirements be modified
to eliminate this risk without negatively impacting the usefulness of
the disclosures? If so, explain how.
57. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to
revise the required current and previous year look-back period for the
disclosure of significant cybersecurity incidents? If so, explain why.
If not, explain why not. For example, should the look-back period be a
shorter period of time (e.g., only the current calendar year)? If so,
explain why. If not, explain why not. Alternatively, should the look-
back period be longer (e.g., the current calendar year and previous two
calendar years)? If so, explain why. If not, explain why not. Should
the look-back period be expressed in months rather than calendar years?
For example, should the look-back period be 12, 18, 24, 30, or 36
months? If so, explain why. If not, explain why not.
58. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to
provide that the requirement to include a summary description of each
significant cybersecurity incident that occurred during the current or
previous calendar year in Part II of proposed Form SCIR be prospective
and, therefore, limited to significant cybersecurity incidents that
occur on or after the compliance date of the disclosure requirement? If
so, explain why. If not, explain why not.
59. Should the public disclosure requirements of paragraphs
(d)(1)(i) and (ii) of proposed Rule 10 be modified to require the
disclosure of additional or different information? If so, identify the
additional or different information and explain why it would be
appropriate to require its public disclosure by Covered Entities.
60. Should 17 CFR 240.15Fh-3(b) be amended to specify that required
counterparty disclosure includes the information that would be required
by paragraph (d)(1) of proposed Rule 10 and publicly disclosed on Part
II of proposed Form SCIR? If so, explain why. If not explain why not.
61. Should paragraph (d)(2) of proposed Rule 10 be modified to
revise
[[Page 20259]]
the methods of making the public disclosures? If so, explain why. If
not, explain why not. For example, should Covered Entities be required
to file Part II of proposed Form SCIR on EDGAR but not be required to
post a copy of the form on their business internet websites? If so,
explain why. If not, explain why not. Would requiring the public
cybersecurity disclosures to be filed in a centralized electronic
system, such as EDGAR, make it easier for investors, analysts, and
others to access and gather information from the cybersecurity
disclosures than if those disclosures were only posted on Covered
Entity websites? Alternatively, should Covered Entities be required to
post an executed copy of Part II of proposed Form SCIR on their
business internet websites but not be required to file the form on
EDGAR? If so, explain why. If not, explain why not. Why or why not?
62. Should paragraph (d)(2) of proposed Rule 10 be modified to
revise the requirement to post a copy of Part II of proposed Form SCIR
on business internet website of the Covered Entity to permit the
Covered Entity to post a link to the EDGAR filing? If so, explain why.
If not, explain why not.
63. Should paragraph (d)(3) of proposed Rule 10 be modified to
revise the additional methods of making the public disclosures required
of carrying and introducing broker-dealers? If so, explain why. If not,
explain why not. For example, would filing Part II of proposed Form
SCIR on EDGAR and posting a copy of the form on the Covered Entity's
business internet website be sufficient to meet the objectives of the
disclosure requirements discussed above and, therefore, obviate the
need for a carrying broker-dealer or introducing broker-dealer to
additionally send copies of the form to customers? If so, explain why.
If not, explain why not. Rather than requiring the broker-dealer or
introducing broker-dealer to send a copy of the Part II of proposed
Form SCIR most recently filed on EDGAR to each customer, would it be
sufficient that the most recently filed form as of the end of each
quarter or the calendar year be sent to the customers? If so, explain
why. If not, explain why not.
64. Should paragraph (d)(3) of proposed Rule 10 be modified to
permit the Covered Entity to send a website link to the EDGAR filing to
customers instead of a copy of the EDGAR filing? If so, explain why. If
not, explain why not.
65. Should paragraph (d)(3) of proposed Rule 10 be modified to
require other types of Covered Entities to send a copy of the most
recently filed Part II of proposed Form SCIR to their customers,
counterparties, members, registrants, or users? If so, explain why. If
not, explain why not. For example, should transfer agents be required
to send the most recently filed Part II of proposed Form SCIR to their
securityholders? If so, explain why. If not, explain why not.
66. Should paragraph (d)(4) of proposed Rule 10 be modified to
revise the requirement that a Covered Entity must ``promptly'' provide
an updated disclosure on Part II of proposed Form SCIR if the
information on the previous disclosure materially changes to provide
that the Commission shall allow registrants to delay publicly
disclosing a significant cybersecurity incident where the Attorney
General requests such a delay from the Commission based on the Attorney
General's written determination that the delay is in the interest of
national security?
67. Should paragraph (d)(4) of proposed Rule 10 be modified to
revise the requirement that a Covered Entity must ``promptly'' provide
an updated disclosure on Part II of proposed Form SCIR if the
information on the previous disclosure materially changes to specify a
timeframe within which the updated filing must be promptly made? If so,
explain why. If not, explain why not. For example, should the rule be
modified to require that the updated disclosure must be made within 24,
36, 48, or 60 hours of the information on the previous disclosure
materially changing? If so, explain why. If not, explain why not.
Should the timeframe for making the updated disclosure be expressed in
business days? If so, explain why. If not, explain why not. For
example, should the updated disclosure be required to be made within
two, three, four, or five business days (or some other number of days)
of the information on the previous disclosure materially changing? If
so, explain why. If not, explain why not.
68. Should paragraph (d)(4) of proposed Rule 10 be modified to
revise the requirement that a Covered Entity must ``promptly'' provide
an updated disclosure on Part II of proposed Form SCIR if the
information on the previous disclosure materially changes to require
the update to be made within 30 days (similar to the requirement for
updating Form CRS)? \366\ If so, explain why. If not, explain why not.
For example, would this approach appropriately balance the objective of
requiring timely disclosure with the objective of providing accurate
and complete disclosure? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------
\366\ See Form CRS Instructions, available at https://www.sec.gov/files/formcrs.pdf.
---------------------------------------------------------------------------
69. Should paragraph (d)(4) of proposed Rule 10 be modified to
revise the requirements that trigger when an updated Part II of
proposed Form SCIR must be filed on EDGAR, posted on the Covered
Entity's business internet website, and, if applicable, sent to
customers? If so, explain why. If not, explain why not. For example,
should the rule require that an updated form must be publically
disclosed through these methods on a quarterly, semi-annual, or annual
basis if the information on the previously filed form has materially
changed? If so, explain why. If not, explain why not.
70. Should Part II of proposed Form SCIR be modified to require
that Covered Entities provide a UIC--such as an LEI (which would
require Covered Entities without a UIC (such as an LEI) to obtain one
to comply with the rule)? \367\ If so, explain why. If not, explain why
not. For example, would requiring Covered Entities to provide a UIC
better allow investors, analysts, and third-party data aggregators to
evaluate the cyber security risk profiles of Covered Entities? If so,
explain why. If not, explain why not. Should the form be modified to
require Covered Entities to provide another type of standard identifier
other than a CIK number and UIC (if they have a UIC)? If so, explain
why. If not, explain why not.
---------------------------------------------------------------------------
\367\ As mentioned previously in section II.B.2.b. of this
release, the Commission approved a UIC (namely, the LEI) in a
previous rulemaking. The Commission is aware that additional
identifiers could be recognized as UICs in the future, but for the
purposes of this release, the Commission is equating the UIC with
the LEI.
---------------------------------------------------------------------------
71. If the disclosure requirements of proposed Rule 10 are adopted,
what would be an appropriate compliance date for the disclosure
requirements? For example, should the compliance date be three, six,
nine, or twelve months after the effective date of the rule (or some
other period of months)? Please suggest a compliance period and explain
why it would be appropriate. Should the compliance date for the website
disclosure be sooner than the compliance date for the EDGAR disclosure
or vice versa? If so, explain why. If not, explain why not. Should the
compliance date for the additional disclosure methods that would be
required of carrying and introducing broker-dealers be different than
the compliance dates for the website disclosure and the EDGAR
disclosure? If so, explain why. If not, explain why not. If the
requirement to provide a summary description of each significant
cybersecurity incident that occurred
[[Page 20260]]
during the current and previous calendar year is prospective (i.e.,
does not apply to incidents that occurred before the compliance date),
should the compliance period be shorter than if the requirement was
retrospective, given that the initial disclosure, in most cases, would
limited to a summary description of the cybersecurity risks that could
materially affect the Covered Entity's business and operations and how
the Covered Entity assesses, prioritizes, and addresses those
cybersecurity risks? If so, explain why. If not, explain why not.
4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a
Structured Data Language
a. Discussion
Proposed Rule 10 would require Covered Entities would file Parts I
and II of proposed Form SCIR electronically with the Commission using
the EDGAR system in accordance with the EDGAR Filer Manual, as defined
in Rule 11 of Regulation S-T,\368\ and in accordance with the
requirements of Regulation S-T.\369\ In addition, under the proposed
requirements, Covered Entities would file Parts I and II of Form SCIR
in a structured (i.e., machine-readable) data language.\370\
Specifically, Covered Entities would file Parts I and II of proposed
Form SCIR in an eXtensible Markup Language (``XML'')-based data
language specific to the form (``custom XML,'' and in this release
``SCIR-specific XML''). While the majority of filings through the EDGAR
system are submitted in unstructured HTML or ASCII formats, certain
EDGAR-system filings are submitted using custom XML languages that are
each specific to the particular form being submitted.\371\ For such
filings, filers are typically provided the option to either submit the
filing directly to the EDGAR system in the relevant custom XML data
language, or to manually input the information into a fillable web-
based form developed by the Commission that converts the completed form
into a custom XML document.\372\
---------------------------------------------------------------------------
\368\ See 17 CFR 232.11.
\369\ See paragraphs (c) and (d) of proposed Rule 10.
\370\ Requirements related to custom-XML filings are generally
covered in the EDGAR Filer Manual, which is incorporated in
Commission regulations by reference via Regulation S-T. See 17 CFR
232.11; 17 CFR 232.101.
\371\ See Commission, Current EDGAR Technical Specifications
(Dec. 5, 2022), available at https://www.sec.gov/edgar/filer-information/current-edgar-technical-specifications.
\372\ See Chapters 8 and 9 of the EDGAR Filer Manual (Volume
II), version 64 (Dec. 2022).
---------------------------------------------------------------------------
Requiring Covered Entities to file Parts I and II of proposed Form
SCIR through the EDGAR system would allow the Commission to download
Form SCIR information directly from a central location, thus
facilitating efficient access, organization, and evaluation of the
information contained in the forms. Use of the EDGAR system also would
enable technical validation of the information reported on Form SCIR,
which could potentially reduce the incidence of non-discretionary
errors (e.g., leaving required fields blank). Thus, the proposed
requirement to file Parts I and II of proposed Form SCIR through the
EDGAR system would allow the Commission and, in the case of Part II,
the public to more effectively examine and analyze the reported
information. In this regard, the proposed requirement to file Parts I
and II of proposed Form SCIR through the EDGAR system using SCIR-
specific XML, a machine-readable data language, is designed to
facilitate more thorough review and analysis of the reported
information.
b. Request for Comment
The Commission requests comment on all aspects of the proposed
requirements to file Parts I and II of Form SCIR in EDGAR using a
structured data language. In addition, the Commission is requesting
comment on the following specific aspects of the proposals:
72. Should the Commission modify the structured data language
requirement for both Parts I and II of Form SCIR in accordance with the
alternatives discussed in Section IV.F. below? \373\ Should Covered
Entities be required to file the cybersecurity risk and incident
disclosures on Part II of Form SCIR in the EDGAR system in a structured
data language? Why or why not? Would custom XML or Inline eXtensible
Business Reporting Language (``iXBRL'') be the most suitable data
language for this information? Or would another data language be more
appropriate?
---------------------------------------------------------------------------
\373\ See section IV.F. of this release.
---------------------------------------------------------------------------
5. Recordkeeping
a. Amendments to Covered Entity Recordkeeping Rules
As discussed above, proposed Rule 10 would require a Covered Entity
to: (1) establish, maintain, and enforce reasonably designed policies
and procedures to address cybersecurity risks; \374\ (2) create written
documentation of risk assessments; \375\ (3) create written
documentation of any cybersecurity incident, including its response to
and recovery from the incident; \376\ (4) prepare a written report each
year describing its annual review of its policies and procedures to
address cybersecurity risks; \377\ (5) provide immediate electronic
written notice to the Commission of a significant cybersecurity
incident upon having a reasonable basis to conclude that the
significant cybersecurity incident has occurred or is occurring; \378\
(6) report, not later than 48 hours, upon having a reasonable basis to
conclude that a significant cybersecurity incident has occurred or is
occurring on Part I of proposed Form SCIR; \379\ and (7) provide a
written summary disclosure about its cybersecurity risks that could
materially affect its business and operations, and how the Covered
Entity assesses, prioritizes, and addresses those risks, and
significant cybersecurity incidents that occurred during the current or
previous calendar year on Part II of proposed Form SCIR.\380\
Consequently, proposed Rule 10 would require a Covered Entity to make
several different types of records (collectively, the ``Rule 10
Records''). The proposed cybersecurity rule would not include
requirements specifying how long these records would need to be
preserved and the manner in which they would need to be maintained.
Instead, as discussed below, preservation and maintenance requirements
applicable to Rule 10 Records would be imposed through amendments, as
necessary, to the existing record preservation and maintenance rules
applicable to the Covered Entities.
---------------------------------------------------------------------------
\374\ See paragraph (b)(1) of proposed Rule 10. See also
sections II.B.1.a. through II.B.1.e. of this release (discussing
this proposed requirement in more detail).
\375\ See paragraph (b)(1)(i)(B) of proposed Rule 10. See also
section II.B.1.a. of this release (discussing this proposed
requirement in more detail).
\376\ See paragraph (b)(1)(v)(B) of proposed Rule 10. See also
section II.B.1.e. of this release (discussing this proposed
requirement in more detail).
\377\ See paragraph (b)(2)(ii) of proposed Rule 10. See also
section II.B.1.f. of this release (discussing this proposed
requirement in more detail).
\378\ See paragraph (c)(1) of proposed Rule 10. See also section
II.B.2.a. of this release (discussing this proposed requirement in
more detail).
\379\ See paragraph (c)(2) of proposed Rule 10. See also Section
II.B.2.b. of this release (discussing this proposed requirement in
more detail).
\380\ See paragraph (d) of proposed Rule 10. See also Section
II.B.3. of this release (discussing this proposed requirement in
more detail).
---------------------------------------------------------------------------
In particular, broker-dealers, transfer agents, and SBS Entities
are subject to existing requirements that specify how long the records
they are required to make must be preserved (e.g., three or six years)
and how the records must be maintained (e.g., maintenance
[[Page 20261]]
requirements for electronic records).\381\ The Commission is proposing
to amend these record preservation and maintenance requirements to
identify Rule 10 Records specifically as records that would need to be
preserved and maintained pursuant to these existing requirements. In
particular, the Commission is proposing to amend the record
preservation and maintenance rules for: (1) broker-dealers; \382\ (2)
transfer agents; \383\ and (3) SBS entities.\384\ The proposed
amendments would specify that the Rule 10 Records must be retained for
three years. In the case of the written policies and procedures to
address cybersecurity risks, the record would need to be maintained
until three years after the termination of the use of the policies and
procedures. These amendments would subject the Rule 10 Records to the
record maintenance requirements of Rules 17a-4, 17ad-7, and 18a-6,
including the requirements governing electronic records.\385\
---------------------------------------------------------------------------
\381\ See 17 CFR 240.17a-4 (``Rule 17a-4'') (setting forth
record preservation and maintenance requirements for broker-
dealers); 17 CFR 240.17Ad-7 (``Rule 17ad-7'') (setting forth record
preservation and maintenance requirements for transfer agents); 17
CFR 240.18a-6 (``Rule 18a-6'') (setting forth record preservation
and maintenance requirements for SBS Entities). The Commission's
proposal includes an amendment to a CFR designation in order to
ensure regulatory text conforms more consistently with section 2.13
of the Document Drafting Handbook. See Office of the Federal
Register, Document Drafting Handbook (Aug. 2018 Edition, Revision
1.4, dated January 7, 2022), available at https://www.archives.gov/files/federal-register/write/handbook/ddh.pdf. In particular, the
proposal is to amend the CFR section designation for Rule 17Ad-7 (17
CFR 240.17Ad-7) to replace the uppercase letter with the
corresponding lowercase letter, such that the rule would be
redesignated as Rule 17ad-7 (17 CFR 240.17ad-7).
\382\ This amendment would add a new paragraph (e)(13) to Rule
17a-4.
\383\ This amendment would add a new paragraph (j) to Rule 17ad-
7.
\384\ This amendment would add a new paragraph (d)(6) to Rule
18a-6 .
\385\ See paragraphs (f) of Rule 17a-4, (f) of Rule 17ad-7, and
(e) of Rule 18a-6 (setting forth requirements for electronic records
applicable to broker-dealers, transfer agents, and SBS Entities,
respectively).
---------------------------------------------------------------------------
Exchange Act Rule 17a-1 (``Rule 17a-1'')--the record maintenance
and preservation rule applicable to registered clearing agencies, the
MSRB, national securities associations, and national securities
exchanges--as it exists today would require the preservation of the
Rule 10 Records.\386\ In particular, Rule 17a-1 requires these types of
Covered Entities to keep and preserve at least one copy of all
documents, including all correspondence, memoranda, papers, books,
notices, accounts, and other such records as shall be made or received
by the Covered Entity in the course of its business as such and in the
conduct of its self-regulatory activity.\387\ Furthermore, Rule 17a-1
provides that the Covered Entity must keep the documents for a period
of not less than five years, the first two years in an easily
accessible place, subject to the destruction and disposition provisions
of Exchange Act Rule 17a-6.\388\ Consequently, under the existing
provisions of Rule 17a-1, registered clearing agencies, the MSRB,
national securities associations, and national securities exchanges
would be required to preserve at least one copy of the Rule 10 Records
for at least five years, the first two years in an easily accessible
place. In the case of the written policies and procedures to address
cybersecurity risks, pursuant to Rule 17a-1 the record would need to be
maintained until five years after the termination of the use of the
policies and procedures.\389\
---------------------------------------------------------------------------
\386\ See 17 CFR 240.17a-1.
\387\ See paragraph (a) of Rule 17a-1.
\388\ See paragraph (b) of Rule 17a-1; 17 CFR 240.17a-6 (``Rule
17a-6''). Rule 17a-6 of the Exchange Act provides that an SRO may
destroy such records at the end of the five year period or at an
earlier date as is specified in a plan for the destruction or
disposition of any such documents if such plan has been filed with
the Commission by SRO and has been declared effective by the
Commission.
\389\ See, e.g., Nationally Recognized Statistical Rating
Organizations, Exchange Act Release No. 72936 (Aug. 27, 2014) [79 FR
55078, 55099-100 (Sept. 15, 2014)] (explaining why preservation
periods for written policies and procedures are based on when a
version of the policies and procedures is updated or replaced).
---------------------------------------------------------------------------
Similarly, Exchange Act Rule 13n-7 (``Rule 13n-7'')--the record
maintenance and preservation rule applicable to SBSDRs--as it exists
today would require the preservation of the Rule 10 Records.\390\ In
particular, Rule 13n-7 requires SBSDRs to, among other things, keep and
preserve at least one copy of all documents, including all documents
and policies and procedures required by the Exchange Act and the rules
and regulations thereunder, correspondence, memoranda, papers, books,
notices, accounts, and other such records as shall be made or received
by it in the course of its business as such.\391\ Furthermore, Rule
13n-7 provides that the SBSDR must keep the documents for a period of
not less than five years, the first two years in a place that is
immediately available to representatives of the Commission for
inspection and examination.\392\ Consequently, under the existing
provisions of Rule 13n-7, SBSDRs would be required to preserve at least
one copy of the Rule 10 Records for at least five years, the first two
years in a place that is immediately available to representatives of
the Commission for inspection and examination. In the case of the
written policies and procedures to address cybersecurity risks, the
Commission interprets this provision of Rule 13n-7 to require that the
record would need to be maintained until five years after the
termination of the use of the policies and procedures.
---------------------------------------------------------------------------
\390\ See 17 CFR 240.13n-7.
\391\ See paragraph (b)(1) of Rule 13n-7.
\392\ See paragraph (b)(2) of Rule 13n-7.
---------------------------------------------------------------------------
Clearing agencies that are exempt from registration would be
Covered Entities under proposed Rule 10.\393\ Exempt clearing agencies
are not subject to Rule 17a-1. However, while exempt clearing
agencies--as entities that have limited their clearing agency
functions--might not be subject to the full range of clearing agency
regulation, the Commission has stated that, for example, an entity
seeking an exemption from clearing agency registration for matching
services would be required to, among other things, allow the Commission
to inspect its facilities and records.\394\ In this regard, exempt
clearing agencies are subject to conditions that mirror certain of the
recordkeeping requirements in Rule 17a-1,\395\ as set forth in the
respective Commission orders exempting each exempt clearing agency from
the requirement to register as a clearing agency (the ``clearing agency
exemption orders'').\396\ Pursuant to the terms and conditions of the
clearing agency exemption orders, the Commission may modify by order
the terms, scope, or conditions if the Commission determines that such
modification is necessary or appropriate in the public interest, for
the protection of investors, or otherwise in furtherance of the
[[Page 20262]]
purposes of the Exchange Act.\397\ In support of the public interest
and the protection of investors, the Commission is proposing to amend
the clearing agency exemption orders to add a condition that each
exempt clearing agency must retain the Rule 10 Records for a period of
at least five years after the record is made or, in the case of the
written policies and procedures to address cybersecurity risks, for at
least five years after the termination of the use of the policies and
procedures.
---------------------------------------------------------------------------
\393\ See paragraph (a)(1)(ii) of proposed Rule 10 (defining as
a ``covered entity'' a clearing agency (registered or exempt) under
section 3(a)(23)(A) of the Exchange Act). See also section I.A.2.c.
of this release (discussing the clearing agency exemptions provided
by the Commission).
\394\ See Confirmation and Affirmation of Securities Trades;
Matching, Exchange Act Release No. 39829 (Apr. 6, 1998) [63 FR 17943
(Apr. 13, 1998)] (providing interpretive guidance and requesting
comment on the confirmation and affirmation of securities trades and
matching).
\395\ See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning
BSTP's exemption by requiring BSTP to, among other things, preserve
a copy or record of all trade details, allocation instructions,
central trade matching results, reports and notices sent to
customers, service agreements, reports regarding affirmation rates
that are sent to the Commission or its designee, and any complaint
received from a customer, all of which pertain to the operation of
its matching service and ETC service. BSTP shall retain these
records for a period of not less than five years, the first two
years in an easily accessible place.).
\396\ See DTCC ITP Matching Order, 66 FR 20494; BSTP SS&C Order,
80 FR 75388; Euroclear Bank Order, 81 FR 93994.
\397\ See Clearstream Banking Order, 62 FR 9225.
---------------------------------------------------------------------------
b. Request for Comment
The Commission requests comment on all aspects of the proposed
recordkeeping requirements. In addition, the Commission is requesting
comment on the following specific aspects of the proposals:
73. Should the proposed amendments to Rules 17a-4, 18a-6, and/or
17ad-7 be modified? If so, describe how they should be modified and
explain why the modification would be appropriate. For example, should
the retention periods for the records be five years (consistent with
Rule 17a-1) or some other period of years as opposed to three years? If
so, explain why. If not, explain why not.
74. As discussed above, the Commission is proposing to amend the
clearing agency exemption orders to specifically require the exempt
clearing agencies to retain the Rule 10 Records. Should the ordering
language be consistent with the proposed amendments to Rules 17a-4,
17ad-7, and18a-6? For example, should the ordering language provide
that the exempt clearing agency must maintain and preserve: (1) the
written policies and procedures required to be adopted and implemented
pursuant to paragraph (b)(1) of proposed Rule 10 until five years after
the termination of the use of the policies and procedures; (2) the
written documentation of any risk assessment pursuant to paragraph
(b)(1)(i)(B) of proposed Rule 10 for five years; (3) the written
documentation of the occurrence of a cybersecurity incident pursuant to
paragraph (b)(1)(v)(B) of proposed Rule 10, including any documentation
related to any response and recovery from such an incident, for five
years; (4) the written report of the annual review required to be
prepared pursuant to paragraph (b)(2)(ii) of proposed Rule 10 for five
years; (5) a copy of any notice transmitted to the Commission pursuant
to paragraph (c)(1) of proposed Rule 10 or any Part I of proposed Form
SCIR filed with the Commission pursuant to paragraph (c)(2) of proposed
Rule 10 for five years; and (6) a copy of any Part II of proposed Form
SCIR filed with the Commission pursuant to paragraph (d) of proposed
Rule 10 for five years? Additionally, should the ordering language
provide that the exempt clearing agency must allow the Commission to
inspect its facilities and records? If so, explain why. If not, explain
why not.
C. Proposed Requirements for Non-Covered Broker-Dealers
1. Cybersecurity Policies and Procedures, Annual Review, Notification,
and Recordkeeping
As discussed earlier, not all broker-dealers would be Covered
Entities under proposed Rule 10.\398\ Consequently, these Non-Covered
Broker-Dealers would not be subject to the requirements of proposed
Rule 10 to: (1) include certain elements in their cybersecurity risk
management policies and procedures; \399\ (2) file confidential reports
that provide information about the significant cybersecurity incident
with the Commission and, for some Covered Entities, other regulators;
\400\ and (3) make public disclosures about their cybersecurity risks
and the significant cybersecurity incidents they experienced during the
current or previous calendar year.\401\
---------------------------------------------------------------------------
\398\ See section II.A.1. of this release (discussing the
definition of ``covered entity'' and why certain broker-dealers
would not be included within the definition).
\399\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
\400\ See paragraph (c)(2) of proposed Rule 10. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity risk'').
\401\ See paragraph (d) of proposed Rule 10.
---------------------------------------------------------------------------
In light of their limited business activities, Non-Covered Broker-
Dealers would not be subject to the same requirements as would Covered
Entities. Instead, Non-Covered Broker-Dealers would be required to
establish, maintain, and enforce written policies and procedures that
are reasonably designed to address their cybersecurity risks taking
into account the size, business, and operations of the firm.\402\ They
also would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review. They also would be
required to make a record with respect to the annual review. In
addition, they would be required to provide the Commission and their
examining authority with immediate written electronic notice of a
significant cybersecurity incident affecting them.\403\ Finally, they
would be required to maintain and preserve versions of their policies
and procedures and the record of the annual review.
---------------------------------------------------------------------------
\402\ See paragraph (e)(1) of proposed Rule 10.
\403\ See paragraph (e)(2) of proposed Rule 10.
---------------------------------------------------------------------------
A Non-Covered Broker-Dealer could be a firm that limits its
business to selling mutual funds on a subscription-way basis or a
broker-dealer that limits its business to engaging in private
placements for clients. Alternatively, it could be a broker-dealer that
limits its business to effecting securities transactions in order to
facilitate mergers, acquisitions, business sales, and business
combinations or a broker-dealer that limits its business to engaging in
underwritings for issuers. Moreover, a Non-Covered Broker-Dealer--
because it does not meet the definition of ``covered entity''--would
not a be a broker-dealer that: maintains custody of customer securities
and cash; \404\ connects to a broker-dealer that maintains custody of
customer securities through an introducing relationship; \405\ is a
large proprietary trading firm; \406\ operates as a market maker; \407\
or operates an ATS.\408\
---------------------------------------------------------------------------
\404\ See paragraph (a)(1)(i)(A) of proposed Rule 10 (defining
``covered entity'' to include a broker-dealer that maintains custody
of cash and securities for customers or other broker-dealers and is
not exempt from the requirements of Rule 15c3-3).
\405\ See paragraph (a)(1)(i)(B) of proposed Rule 10 (defining
``covered entity'' to include a broker-dealer that introduces
customer accounts on a fully disclosed basis to another broker-
dealer that maintains custody of cash and securities for customers
or other broker-dealers and is not exempt from the requirements of
Rule 15c3-3).
\406\ See paragraphs (a)(1)(i)(C) and (D) of proposed Rule 10
(defining ``covered entity'' to include a broker-dealer with
regulatory capital equal to or exceeding $50 million or total assets
equal to or exceeding $1 billion).
\407\ See paragraph (a)(1)(i)(E) of proposed Rule 10 (defining
``covered entity'' to include a broker-dealer that is a market maker
under the Exchange Act or the rules thereunder (which includes a
broker-dealer that operates pursuant to Rule 15c3-1(a)(6)) or is a
market maker under the rules of an SRO of which the broker-dealer is
a member).
\408\ See paragraph (a)(1)(i)(F) of proposed Rule 10 (defining
``covered entity'' to include a broker-dealer that is an ATS).
---------------------------------------------------------------------------
A broker-dealer that limits its business to one of the activities
described above and that does not engage in functions that would make
it a Covered Entity under proposed Rule 10 generally does not use
information systems to carry out its operations to the same degree as a
broker-dealer that is a Covered Entity. For example, the information
systems used by a Non-Covered Broker-Dealer could be limited to smart
phones and personal computers with internet and email access. Moreover,
this type of firm may have a small staff of employees using these
information systems. Therefore, the
[[Page 20263]]
overall footprint of the information systems used by a Non-Covered
Broker-Dealer may be materially smaller in scale and complexity than
the footprint of the information systems used by a broker-dealer that
is a Covered Entity. In addition, the amount of data stored on these
information systems relating to the Non-Covered Broker-Dealer's
business may be substantially less than the amount of data stored on a
Covered Entity's information systems. This means the information system
perimeter of these firms that needs to be protected from cybersecurity
threats and vulnerabilities is significantly smaller than that of a
Covered Broker-Dealer. For these reasons, proposed Rule 10 would
provide that the written policies and procedures required of a Non-
Covered Broker-Dealer must be reasonably designed to address the
cybersecurity risks of the firm taking into account the size, business,
and operations of the firm.
Therefore, unlike the requirements for a Covered Entity, proposed
Rule 10 does not specify minimum elements that would need to be
included in a Non-Covered Broker-Dealer's policies and procedures.\409\
Nonetheless, a Non-Covered Broker-Dealer may want to consider whether
any of those required elements would be appropriate components of it
policies and procedures for addressing cybersecurity risk.\410\
---------------------------------------------------------------------------
\409\ See paragraph (b)(1) of proposed Rule 10 (setting forth
the elements that would need to be included in a Covered Entity's
policies and procedures).
\410\ As discussed earlier, the elements are consistent with
industry standards for addressing cybersecurity risk. See section
II.B.1. of this release (discussing the policies and procedures
requirements for Covered Entities).
---------------------------------------------------------------------------
Proposed Rule 10 also would require that the Non-Covered Broker-
Dealer annually review and assess the design and effectiveness of its
cybersecurity policies and procedures, including whether the policies
and procedures reflect changes in cybersecurity risk over the time
period covered by the review.\411\ The annual review and assessment
requirement is designed to require Non-Covered Broker-Dealers to
evaluate whether their cybersecurity policies and procedures continue
to work as designed. Non-Covered Broker-Dealers could consider using
this information to determine whether changes are needed to assure
their continued effectiveness (i.e., to make sure their policies and
procedures continue to be reasonably designed to address their
cybersecurity risks as required by the rule).
---------------------------------------------------------------------------
\411\ See paragraph (e)(1) of proposed Rule 10.
---------------------------------------------------------------------------
The rule also would require the Non-Covered Broker-Dealer to make a
written record that documents the steps taken in performing the annual
review and the conclusions of the annual review. Therefore, Non-Covered
Broker-Dealers would need to make a record of the review rather than
documenting the review in a written report, as would be required of
Covered Entities.\412\ A report is a means to communicate information
within an organization. The personnel that prepare the report for the
Covered Entity would be able to use it to communicate their assessment
of the firm's policies and procedures to others within the organization
such as senior managers. For purposes of proposed Rule 10, a record,
among other things, is a means to document that an activity took place,
for example, to demonstrate compliance with a requirement. As discussed
above, Non-Covered Broker-Dealers generally would be smaller and less
complex organizations than Covered Entities. A record of the annual
review could be used by Commission examination staff to review the Non-
Covered Broker-Dealer's compliance with the annual review requirement
without imposing the additional process involved in creating an
internal report.
---------------------------------------------------------------------------
\412\ See section II.B.1.f. of this release (discussing in more
detail the annual report that would be required of Covered
Entities).
---------------------------------------------------------------------------
As discussed earlier, Covered Entities would be subject to a
requirement to give the Commission immediate written electronic notice
of a significant cybersecurity incident upon having a reasonable basis
to conclude that the significant cybersecurity incident has occurred or
is occurring.\413\ Non-Covered Broker-Dealers would be subject to the
same immediate written electronic notice requirement. In particular,
they would be required to give immediate written electronic notice to
the Commission of a significant cybersecurity incident upon having a
reasonable basis to conclude that the incident has occurred or is
occurring.\414\ The Commission would keep the notices nonpublic to the
extent permitted by law. The notice would need to identify the Non-
Covered Broker-Dealer, state that the notice is being given to alert
the Commission of a significant cybersecurity incident impacting the
Non-Covered Broker-Dealer, and provide the name and contact information
of an employee of the Non-Covered Broker-Dealer who can provide further
details about the nature and scope of the significant cybersecurity
incident. In addition, Non-Covered Broker-Dealers--like Covered Broker-
Dealers--would need to give the notice to their examining
authority.\415\ The immediate written electronic notice is designed to
alert the Commission on a confidential basis to the existence of a
significant cybersecurity incident impacting a Non-Covered Broker-
Dealer so the Commission staff can quickly begin to assess the event.
---------------------------------------------------------------------------
\413\ See paragraph (c)(1) of proposed Rule 10. See also section
II.B.2.a. of this release (discussing the immediate notification
requirement for Covered Entities in more detail).
\414\ See paragraph (e)(2) of proposed Rule 10. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity incident'').
\415\ See paragraph (e)(2) of proposed Rule 10. See also
paragraph (c)(1)(i) of proposed Rule 10 (requiring Covered Broker-
Dealers to provide the notice to their examining authority).
---------------------------------------------------------------------------
Finally, as discussed above, proposed Rule 10 would require the
Non-Covered Broker-Dealer to: (1) establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
the cybersecurity risks of the firm; (2) make a written record that
documents its annual review; and (3) provide immediate electronic
written notice to the Commission of a significant cybersecurity
incident upon having a reasonable basis to conclude that the
significant cybersecurity incident has occurred or is occurring.\416\
The Commission is proposing to amend the broker-dealer record
preservation and maintenance rule to identify these records
specifically as being subject to the rule's requirements.\417\ Under
the amendments, the written policies and procedures would need to be
maintained until three years after the termination of the use of the
policies and procedures and all other records would need to be
maintained for three years.
---------------------------------------------------------------------------
\416\ See paragraph (e) of proposed Rule 10.
\417\ This amendment would add a new paragraph (e)(13) to Rule
17a-4.
---------------------------------------------------------------------------
2. Request for Comment
The Commission requests comment on all aspects of the proposed
requirements for non-covered broker-dealers. In addition, the
Commission is requesting comment on the following specific aspects of
the proposals:
75. Should paragraph (e)(1) of proposed Rule 10 be modified to
specify certain minimum elements that would need to be included in the
policies and procedures of Non-Covered Broker-Dealers? If so, identify
the elements and explain why they should be included. For example,
should paragraph (e) of proposed Rule 10 specify that the policies and
procedures must include policies and procedures to address any
[[Page 20264]]
or all of the following: (1) risk assessment; (2) user security and
access; (3) information protection; (4) cybersecurity threat and
vulnerability management; and (5) cybersecurity incident response and
recovery? If so, explain why. If not, explain why not.
76. Should paragraph (e)(2) of proposed Rule 10 be modified to
require the notice to be given within a specific timeframe such as on
the same day the requirement was triggered or within 24 hours? If so,
explain why. If not, explain why not.
77. Should paragraph (e)(2) of proposed Rule 10 be modified to
revise the trigger for the immediate notification requirement? If so,
explain why. If not, explain why not. For example, should the trigger
be when the Non-Covered Broker-Dealer ``detects'' a significant
cybersecurity incident (rather than when it has a reasonable basis to
conclude that the significant cybersecurity incident has occurred or is
occurring)? If so, explain why. If not, explain why not. For example,
would a detection standard be a less subjective standard? If so,
explain why. If not, explain why not. Is there another trigger standard
that would be more appropriate? If so, identify it and explain why it
would be more appropriate.
78. Should paragraph (e)(2) of proposed Rule 10 be modified to
eliminate the requirement that a Non-Covered Broker-Dealer give the
Commission immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the significant cybersecurity incident has occurred or is occurring? If
so, explain why. If not, explain why not. For example, would this
requirement be unduly burdensome on Non-Covered Broker-Dealers? Please
explain.
79. If the immediate notification requirement of paragraph (e)(2)
is adopted as proposed, it is anticipated that a dedicated email
address would be established to receive these notices. Are there other
methods the Commission should use for receiving these notices? If so,
identity them and explain why they would be more appropriate than
email. For example, should the notices be received through the EDGAR
system? If so, explain why. If not, explain why not.
80. Should paragraph (e) of proposed Rule 10 be modified to include
any other requirements that would be applicable to Covered Entities
under proposed Rule 10 that also should be required of Non-Covered
Broker-Dealers? If so, identify them and explain why they should apply
to Non-Covered Broker-Dealers. For example, should the paragraph be
modified to require Non-Covered Broker-Dealers to report information
about a significant cybersecurity incident confidentially on Part I of
proposed Form SCIR? If so, explain why. If not, explain why not. Should
the timeframe for filing Part I of Proposed Form SCIR be longer for
Non-Covered Broker-Dealers? For example, should the reporting timeframe
be within 72 or 96 hours instead of 48 hours? Please explain. If Non-
Covered Broker-Dealers were required to file Part I of Form SCIR,
should they be permitted to provide more limited information about the
significant cybersecurity incident than Covered Entities? If so,
identify the more limited set of information and explain why it would
be appropriate to permit Non-Covered Broker-Dealers omit the additional
information that Covered Entities would need to report.
81. Should Non-Covered Broker-Dealers be required to make and
preserve for three years in accordance with Rule 17a-4 a record of any
significant cybersecurity incident that impacts them containing some or
all of the information that would be reported by Covered Entities on
Part I of proposed Form SCIR? If so, explain why. If not, explain why
not.
82. Should paragraph (e) of proposed Rule 10 be modified to require
a Non-Covered Broker-Dealer to prepare a written report of the annual
review (rather than a record, as proposed)? If so, explain why. If not,
explain why not.
D. Cross-Border Application of the Proposed Cybersecurity Requirements
to SBS Entities
1. Background on the Cross-Border Application of Title VII Requirements
Security-based swap transactions take place across national
borders, with agreements negotiated and executed between counterparties
in different jurisdictions (which might then be booked and risk-managed
in still other jurisdictions).\418\ Mindful that this global market
developed prior to the enactment of the Dodd-Frank Act and the fact
that the application of Title VII \419\ to cross-border activities
raises issues of potential conflict or overlap with foreign regulatory
regimes,\420\ the Commission has adopted a taxonomy to classify
requirements under section 15F of the Exchange Act as applying at
either the transaction-level or at the entity-level.\421\ Transaction-
level requirements under section 15F of the Exchange Act are those that
primarily focus on protecting counterparties to security-based swap
transactions by requiring SBSDs to, among other things, provide certain
disclosures to counterparties, adhere to certain standards of business
conduct, and segregate customer funds, securities, and other
assets.\422\ In contrast to transaction-level requirements, entity-
level requirements under section 15F of the Exchange Act are those that
are expected to play a role in ensuring the safety and soundness of the
SBS Entity and thus relate to the entity as a whole.\423\ Entity-level
requirements include capital and margin requirements, as well as other
requirements relating to a firm's identification and management of its
risk exposure, including the risk management procedures required under
section 15F(j) of the Exchange Act, a statutory basis for rules
applicable to SBS Entities that the Commission is proposing in this
release.\424\ Because these requirements relate to the entire entity,
they apply to SBS Entities on a firm-wide basis, without
exception.\425\
---------------------------------------------------------------------------
\418\ See Cross-Border Proposing Release, 78 FR at 30976, n. 48.
\419\ Unless otherwise indicated, references to ``Title VII'' in
this section of this release are to Subtitle B of Title VII of the
Dodd-Frank Act.
\420\ See Cross-Border Proposing Release, 78 FR at 30975.
\421\ See id. at 31008-25. See also Business Conduct Standards
for Security-Based Swap Dealers and Major Security-Based Swap
Participants, Exchange Act Release No. 77617 (Apr. 14, 2016) [81 FR
29959, 30061-69 (May 13, 2016)] (``Business Conduct Standards
Adopting Release'').
\422\ Cross-Border Proposing Release, 78 FR at 31010.
\423\ See id. at 31011, 31035.
\424\ See id. at 31011-16 (addressing the classification of
capital and margin requirements, as well as of the risk management
requirements of section 15F(j) of the Exchange Act and other entity-
level requirements applicable to SBSDs).
\425\ See id. at 31011, 31024-25. See also id. at 31035
(applying the analysis to MSBSPs). In reaching this conclusion, the
Commission explained that it ``preliminarily believes that entity-
level requirements are core requirements of the Commission's
responsibility to ensure the safety and soundness of registered
security based swap dealers,'' and that ``it would not be consistent
with this mandate to provide a blanket exclusion to foreign
security-based swap dealers from entity-level requirements
applicable to such entities.'' Id. at 31024 (footnotes omitted). The
Commission further expressed the preliminary view that concerns
regarding the application of entity-level requirements to foreign
SBSDs would largely be addressed through the proposed approach to
substituted compliance. See id.
---------------------------------------------------------------------------
The Commission applied this taxonomy in 2016 when it adopted rules
to implement business conduct standards for SBS Entities. At that time,
the Commission also stated that the rules and regulations prescribed
under section 15F(j) should be treated as entity-level
requirements.\426\ The
[[Page 20265]]
Commission has not, however, expressly addressed the entity-level
treatment of the cybersecurity requirements under proposed Rule 10,
except with regard to recordkeeping and reporting.\427\
---------------------------------------------------------------------------
\426\ See Business Conduct Standards Adopting Release, 81 FR at
30064-65.
\427\ The Commission has previously stated that recordkeeping
and reporting requirements are entity-level requirements. See
Recordkeeping and Reporting Requirements for Security-Based Swap
Dealers, Major Security-Based Swap Participants, and Broker-Dealers,
Exchange Act Release No. 87005 (Sept. 19, 2019), 84 FR 68550, 68596-
97 (Dec. 16, 2019) (``SBS Entity Recordkeeping and Reporting
Adopting Release'').
---------------------------------------------------------------------------
2. Proposed Entity-Level Treatment
a. Proposal
Consistent with its approach to the obligations described in
Section 15F(j) and to capital,\428\ margin,\429\ risk mitigation,\430\
and recordkeeping,\431\ the Commission is proposing to apply the
requirements of proposed Rule 10 to an SBS Entity's entire security-
based swap business without exception, including in connection with any
security-based swap business it conducts with foreign
counterparties.\432\
---------------------------------------------------------------------------
\428\ See Capital, Margin, and Segregation Requirements for
Security-Based Swap Dealers and Major Security-Based Swap
Participants and Capital and Segregation Requirements for Broker-
Dealers. Exchange Act Release No. 86175 (Jun. 21, 2019), 84 FR
43872, 43879 (Aug, 22, 2019) (``Capital, Margin, and Segregation
Requirements Adopting Release'').
\429\ Id.
\430\ See Risk Mitigation Techniques for Uncleared Security-
Based Swaps, Exchange Act Release No. 87782 (Dec. 18, 2019) [85 FR
6359, 6378 (Feb. 4, 2020)] (``SBS Entity Risk Mitigation Adopting
Release'').
\431\ See SBS Entity Recordkeeping and Reporting Adopting
Release, 84 FR at 68596-97.
\432\ As entity-level requirements, transaction-level exceptions
such as in 17 CFR 3a71-3(c) and 17 CFR 3a67-10(d), would not be
available for the proposed cybersecurity requirements.
---------------------------------------------------------------------------
Cybersecurity policies and procedures and the related requirements
of proposed Rule 10 serve as an important mechanism for allowing SBS
Entities and their counterparties to manage risks associated with their
operations, including risks related to the entity's safety and
soundness.\433\ An alternative approach that does not require an SBS
Entity to take steps to manage cybersecurity risk throughout the firm's
entire business could contribute to operational risk affecting the
entity's security-based swap business as a whole, and not merely
specific security-based swap transactions. Moreover, to the extent that
these risks affect the safety and soundness of the SBS Entity, they
also may affect the firm's counterparties and the functioning of the
broader security-based swap market. Accordingly, the Commission
proposes to apply the requirements to the entirety of an SBS Entity's
business.\434\ However, as described below, the Commission is proposing
that foreign SBS Entities have the potential to avail themselves of
substituted compliance to satisfy the cybersecurity requirements under
proposed Rule 10.
---------------------------------------------------------------------------
\433\ See sections I.A. and II.B.1. of this release (discussing,
respectively, cybersecurity risks and how those risks can be managed
by certain policies, procedures, and controls). See also sections
II.B.2-5 of this release.
\434\ The Commission has expressed the view that an entity that
has registered with the Commission subjects itself to the entire
regulatory system governing such registered entities. Cross-Border
Proposing Release, 78 FR at 30986. See also Business Conduct
Standards Adopting Release, 81 FR at n.1306 (determining that the
requirements described in section 15F(j) of the Exchange Act should
be treated as entity-level requirements, and stating that such
treatment would not be tantamount to applying Title VII to persons
that are ``transact[ing] a business in security-based swaps without
the jurisdiction of the United States,'' within the meaning of
section 30(c) of the Exchange Act). That treatment of section 15F(j)
of the Exchange Act was also deemed necessary or appropriate as a
prophylactic measure to help prevent the evasion of the provisions
of the Exchange Act that were added by the Dodd-Frank Act, and thus
help prevent the relevant purposes of the Dodd-Frank Act from being
undermined. Id. (citing Application of ``Security-Based Swap
Dealer'' and ``Major Security-Based Swap Participant'' Definitions
to Cross-Border Security-Based Swap Activities; Republication,
Exchange Act Release No. 72472 (June 25, 2014) [79 FR 47277, 47291-
92 (Aug. 12, 2014)] (``SBS Entity Definitions Adopting Release'')
(interpreting anti-evasion provisions of the Exchange Act, section
30(c)). A different approach in connection with proposed Rule 10
would not be consistent with the purposes of Title VII of the Dodd-
Frank Act and could allow SBS Entities to avoid compliance with
these proposed rules for portions of their business in a manner that
could increase the risk to the registered entity.
---------------------------------------------------------------------------
b. Request for Comment
The Commission generally requests comments on the proposed entity-
level application of proposed Rule 10. In addition, the Commission
requests comments on the following specific issues:
83. Does the proposed approach appropriately treat the proposed
requirements as entity-level requirements applicable to the entire
business conducted by foreign SBS Entities? If not, please identify any
particular aspects of proposed Rule 10 that should not be applied to a
foreign SBS Entity, or applied only to specific transactions, and
explain how such an approach would be consistent with the goals of
Title VII of the Dodd-Frank Act.
84. Should the Commission apply the same cross-border approach to
the application of proposed Rule 10 for both SBSDs and MSBSPs? If not,
please describe how the cross-border approach for SBSDs should differ
from the cross-border approach for MSBSPs, and explain the reason(s)
for any potential differences in approach.
85. What types of conflicts might a foreign SBS Entity face if it
had to comply with proposed Rule 10 in more than one jurisdiction? In
what situations would compliance with more than one of these
requirements be difficult or impossible? For Market Entities that are
U.S. persons, could compliance with the proposed rules create
compliance challenges with requirements in a foreign jurisdiction?
86. As an alternative to treating the proposed requirements as
entity-level requirements, should the Commission instead treat the
proposed requirements as transaction-level requirements? If so, to
which cross-border security-based swap transactions should these
requirements apply and why? Please describe how these requirements
would apply differently if classified as transaction-level requirements
instead of as entity-level requirements.
3. Availability of Substituted Compliance
a. Existing Substituted Compliance Rule
In 2016,\435\ the Commission adopted Exchange Act Rule 3a71-6
(``Rule 3a71-6'') \436\ to provide that the Commission may, by order,
make a determination that compliance with specified requirements under
a foreign financial regulatory system by non-U.S. SBS Entities \437\
may satisfy certain business conduct requirements under Exchange Act
section 15F, subject to certain conditions. The rule in part provides
that the Commission shall not make a determination providing for
substituted compliance unless the Commission determines, among other
things, that the foreign regulatory requirements are
[[Page 20266]]
comparable to otherwise applicable requirements.\438\
---------------------------------------------------------------------------
\435\ See Business Conduct Standards Adopting Release, 81 FR at
30070-81. Separately, in 2015, the Commission adopted a rule making
substituted compliance potentially available in connection with
certain regulatory reporting and public dissemination requirements
related to security-based swaps. See Regulation SBSR-Reporting and
Dissemination of Security-Based Swap Information, Exchange Act
Release No. 74244 (Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)]
(adopting 17 CFR 242.908 (``Rule 908'')). Paragraph (c) of Rule 908
does not contemplate substituted compliance for the rules being
proposing today.
\436\ See 17 CFR 240.3a71-6.
\437\ If the Commission makes a substituted compliance
determination under paragraph (a)(1) of Rule 3a71-6, SBS Entities
that are not U.S. persons (as defined in 17 CFR 240.3a71-3(a)(4)
(``Rule 3a71-3(a)(4)'')), but not SBS Entities that are U.S.
persons, may satisfy specified requirements by complying with
comparable foreign requirements and any conditions set forth in the
substituted compliance determination made by the Commission. See
paragraphs (b) and (d) of Rule 3a71-6.
\438\ See paragraph (a)(2) of 3a71-6. See also Business Conduct
Standards Adopting Release, 81 FR at 30074.
---------------------------------------------------------------------------
When the Commission adopted this substituted compliance rule that
addressed the specified business conduct requirements, the Commission
also noted that Exchange Act section 15F(j)(7) authorizes the
Commission to prescribe rules governing the duties of SBS
Entities.\439\ The Commission stated that it was not excluding that
provision from the potential availability of substituted compliance,
and that it expected to separately consider whether substituted
compliance may be available in connection with any future rules
promulgated pursuant to that provision.\440\ Further, the Commission
stated that it expected to assess the potential availability of
substituted compliance in connection with other requirements when the
Commission considers final rules to implement those requirements.\441\
Consistent with these statements, the Commission subsequently amended
Rule 3a71-6 to provide SBS Entities that are non U.S. persons with the
potential to avail themselves of substituted compliance with respect to
the following Title VII requirements: (1) trade acknowledgment and
verification,\442\ (2) capital and margin requirements,\443\ (3)
recordkeeping and reporting,\444\ and (4) portfolio reconciliation,
portfolio compression, and trading relationship documentation.\445\
---------------------------------------------------------------------------
\439\ Business Conduct Standards Adopting Release, 81 FR at n.
1438.
\440\ Id.
\441\ See Business Conduct Standards Adopting Release, 81 FR at
30074.
\442\ See Trade Acknowledgment and Verification of Security-
Based Swap Transactions, Exchange Act Release No. 78011 (Jun. 8,
2016) [81 FR 39807, 39827-28 (Jun. 17, 2016)] (``SBS Entity Trade
Acknowledgment and Verification Adopting Release'').
\443\ See Capital, Margin, and Segregation Requirements Adopting
Release, 84 FR at 43948-50.
\444\ See SBS Entity Recordkeeping and Reporting Adopting
Release, 84 FR at 68597-99.
\445\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at
6379-80.
---------------------------------------------------------------------------
b. Proposed Amendment to Rule 3a71-6
The Commission is proposing to further amend Rule 3a71-6 to provide
SBS Entities that are not U.S. persons (as defined in Rule 3a71-3(a)(4)
of the Exchange Act) with the potential to avail themselves of
substituted compliance to satisfy the cybersecurity requirements of
proposed Rule 10 and Form SCIR as applicable to SBS Entities.\446\ In
proposing to amend the rule, the Commission preliminarily believes that
the principles associated with substituted compliance, as previously
adopted in connection with both the business conduct requirements and
the recordkeeping and reporting requirements, in large part should
similarly apply to the cyber security risk management requirements
being proposing today. The discussions in the Business Conduct
Standards Adopting Release, including for example those regarding
consideration of supervisory and enforcement practices,\447\ certain
multi-jurisdictional issues,\448\ and application procedures \449\ are
applicable to the proposed cybersecurity requirements. Accordingly, the
proposed substituted compliance rule would apply to the cybersecurity
risk management requirements in the same manner as it already applies
to existing business conduct requirements and the recordkeeping and
reporting requirements.
---------------------------------------------------------------------------
\446\ Substituted compliance would only be available to eligible
SBS Entities. For example, substituted compliance would not be
available to a Market Entity registered as both an SBS Entity and a
broker-dealer with respect to the broker-dealer's obligations under
the proposed rules.
\447\ Business Conduct Standards Adopting Release, 81 FR at
30079.
\448\ Business Conduct Standards Adopting Release, 81 FR at
30079-80.
\449\ Business Conduct Standards Adopting Release, 81 FR at
30080-81.
---------------------------------------------------------------------------
Making substituted compliance available for the cybersecurity risk
management requirements would be consistent with the approach the
Commission has taken with other rules applicable to SBS Entities. This
approach takes into consideration the global nature of the security-
based swap market and the prevalence of cross-border transactions
within that market.\450\ The application of the cybersecurity risk
management requirements may lead to requirements that are duplicative
of, or in conflict with, applicable foreign requirements, even when the
two sets of requirements implement similar goals and lead to similar
results. Those results have the potential to disrupt existing business
relationships and, more generally, to reduce competition and market
efficiency. To address those effects, under certain circumstances it
may be appropriate to allow the possibility of substituted compliance,
whereby non-U.S. market participants may satisfy the cybersecurity risk
management requirements by complying with comparable foreign
requirements. Allowing for the possibility of substituted compliance in
this manner would help achieve the benefits of those particular
requirements in a way that helps avoid regulatory conflict and
minimizes duplication, thereby promoting market efficiency, enhancing
competition, and contributing to the overall functioning of the global
security-based swap market.
---------------------------------------------------------------------------
\450\ See generally Business Conduct Standards Adopting Release,
81 FR at 30073-74 (addressing the basis for making substituted
compliance available in the context of the business conduct
requirements).
---------------------------------------------------------------------------
Accordingly, the Commission is proposing to amend paragraph (d)(1)
of Rule 3a71-6 to make substituted compliance available for proposed
Rule 10 and Form SCIR if the Commission determines with respect to a
foreign financial regulatory system that compliance with specified
requirements under such foreign financial regulatory system by a
registered SBS Entity, or class thereof, satisfies the corresponding
requirements of proposed Rule 10 and Form SCIR.\451\ However, the
proposal would not amend Rule 3a71-6 in connection with the proposed
amendments to Rule 18a-6 regarding records to be preserved by certain
SBS Entities. Rule 3a71-6 currently permits eligible applicants to seek
a substituted compliance determination from the Commission with regard
to the requirements of Rule 18a-6.\452\
---------------------------------------------------------------------------
\451\ Paragraph (a)(1) of Rule 3a71-6 provides that the
Commission may, conditionally or unconditionally, by order, make a
determination with respect to a foreign financial regulatory system
that compliance with specified requirements under the foreign
financial system by an SBS Entity, or class thereof, may satisfy the
corresponding requirements identified in paragraph (d) of the rule
that would otherwise apply. See section II.D.3.c. of this release.
\452\ See paragraph (d)(6) of Rule 3a71-6.
---------------------------------------------------------------------------
c. Comparability Criteria, and Consideration of Related Requirements
If adopted, the proposed amendment to paragraph (d)(1) of Rule
3a71-6 would provide that eligible applicants may request that the
Commission make a substituted compliance determination with respect to
one or more of the requirements Rule 10 and Form SCIR.\453\ Further,
existing paragraph (d)(6) of Rule 3a71-6 would permit eligible
applicants to request that the Commission make a substituted compliance
determination with respect to one or more of the requirements of the
proposed amendments to Rule 18a-6, if adopted. A positive substituted
compliance determination with respect to requirements existing before
adoption of the proposed Rule 10, Form SCIR, and the related record
preservation requirements would not automatically result in a positive
substituted compliance determination with respect
[[Page 20267]]
to proposed Rule 10, Form SCIR or the proposed amendments to Rule 18a-
6. Before making a substituted compliance determination, the substance
of each foreign regulatory system to which substituted compliance would
apply should be evaluated for comparability to such newly adopted
requirements. As such, if the Commission adopts the proposed amendment
to Rule 3a71-6, eligible applicants \454\ seeking a Commission
determination permitting SBS Entities that are not U.S. persons to
satisfy the requirements of proposed Rule 10, Form SCIR, or the
proposed amendments to Rule 18a-6 by complying with comparable foreign
requirements would be required to file an application, pursuant to the
procedures set forth in 17 CFR 240.0-13, requesting that the Commission
make a such a determination pursuant to 17 CFR 3a71-6(a)(1).\455\
---------------------------------------------------------------------------
\453\ See paragraph (c) of Rule 3a71-6.
\454\ See 17 CFR 3a71-6(c).
\455\ Existing Commission substituted compliance determinations
do not address the requirements of the proposed new rules or the
proposed amendments. If the Commission adopts the requirements in
the proposed new or amended rules, SBS Entities (or the relevant
foreign financial regulatory authority or authorities) seeking a
substituted compliance determination with respect to those
requirements would be required to file an application requesting
that the Commission make the determination. Applicants may not
request that the Commission make a substituted compliance
determination related to the new requirements by amending a
previously filed application that requested a substituted compliance
determination related to other Commission requirements. However, new
applications may incorporate relevant information from the
applicant's previously filed requests for substituted compliance
determinations if the information remains accurate.
---------------------------------------------------------------------------
The Commission has taken a holistic approach in determining the
comparability of foreign requirements for substituted compliance
purposes, focusing on regulatory outcomes as a whole, rather than on a
requirement-by-requirement comparison.\456\ The Commission
preliminarily believes that such a holistic approach would be
appropriate for determining comparability for substituted compliance
purposes in connection with the requirements of proposed Rule 10, Form
SCIR, and the proposed amendments to Rule 18a-6. Under the proposed
amendment to Rule 3a71-6, the Commission's comparability assessments
associated with the proposed cybersecurity risk management requirements
accordingly would consider whether, in the Commission's view, the
foreign regulatory system achieves regulatory outcomes that are
comparable to the regulatory outcomes associated with those
requirements. Rule 3a71-6 provides that the Commission's substituted
compliance determination will take into account factors that the
Commission determines appropriate, such as, for example, the scope and
objectives of the relevant foreign regulatory requirements (taking into
account the applicable criteria set forth in paragraph (d) of the
rule), as well as the effectiveness of the supervisory compliance
program administered, and the enforcement authority exercised, by a
foreign financial regulatory authority or authorities in such foreign
financial regulatory system to support its oversight of the SBS Entity
(or class thereof) or of the activities of such SBS Entity (or class
thereof).\457\
---------------------------------------------------------------------------
\456\ See Business Conduct Standards Adopting Release, 81 FR at
30078-79. See also SBS Entity Trade Acknowledgment and Verification
Adopting Release, 81 FR at 39828; SBS Entity Recordkeeping and
Reporting Adopting Release, 84 FR at 68598-99.
\457\ See 17 CFR 240.3a71-6(a)(2)(i).
---------------------------------------------------------------------------
The Commission may determine to conduct its comparability analyses
regarding Rule 10, Form SCIR, and the related record preservation
requirements in conjunction with comparability analyses regarding other
Exchange Act requirements that, like the requirements being proposed
today, relate to risk management, recordkeeping, reporting, and
notification requirements of SBS Entities. If the Commission adopts the
proposed amendment to Rule 3a71-6, substituted compliance requests
related to Rule 10, Form SCIR, and the related record preservation
requirements may be filed by (i) applicants filing a request for a
substituted compliance determination solely in connection with Rule 10,
Form SCIR, and the related record preservation requirements,\458\ and
(ii) applicants filing a request for a substituted compliance
determination in connection with Rule 10, Form SCIR, and the related
record preservation requirements combined with a request for a
substituted compliance determination related to other eligible
requirements. In either event, depending on the applicable facts and
circumstances, the Commission's comparability assessment associated
with the Rule 10, Form SCIR, or the related record preservation
requirements may constitute part of a broader assessment of Exchange
Act risk management, recordkeeping, reporting, and notification
requirements for SBS Entities, and the applicable comparability
decisions may be made at the level of those risk management,
recordkeeping, reporting, and notification requirements for SBS
Entities as a whole.
---------------------------------------------------------------------------
\458\ This category of applicants would include those who
previously filed requests for the Commission to make substituted
compliance determinations related to other requirements eligible for
substituted compliance determinations under Rule 3a71-6.
---------------------------------------------------------------------------
d. Request for Comment
The Commission generally requests comments on all aspects of the
proposed amendment to Rule 3a71-6 and proposed availability of
substituted compliance. In addition, the Commission requests comments
on the following specific issues:
87. Should the Commission make substituted compliance available
with respect to proposed Rule 10, Form SCIR, and the related record
preservation requirements? Why or why not? If you believe that
substituted compliance should not be available with respect to these
requirements, how would you distinguish this policy decision from the
Commission's previous determination to make substituted compliance
potentially available with respect to other Title VII requirements
(i.e., the business conduct, trade acknowledgment and verification,
capital and margin, recordkeeping and reporting, and portfolio
reconciliation, portfolio compression, and trading relationship
documentation rules)?
88. Are there other aspects of the scope of the substituted
compliance rule for which the Commission should amend or provide
additional guidance in light of proposed Rule 10, Form SCIR, and the
proposed amendment to Rule 18a-6? If so, what other amendments or
additional guidance would be appropriate and why?
89. Are the items identified in Rule 3a71-6 as factors the
Commission will consider prior to making a substituted compliance
determination in connection with proposed Rule 10, Form SCIR, and the
related record preservation requirements appropriate? If so, explain
why. If not, explain why not. Should any of those items be modified or
deleted? Should additional considerations be added? If so, please
explain.
E. Amendments to Rule 18a-10
1. Proposal
Exchange Act Rule 18a-10 (``Rule 18a-10'') permits an SBSD that is
registered as a swap dealer and predominantly engages in a swaps
business to elect to comply with the capital, margin, segregation,
recordkeeping, and reporting requirements of the Commodity Exchange Act
and the CFTC's rules in lieu of complying with the capital, margin,
segregation, recordkeeping, and reporting requirements of Exchange Act
Rules 18a-1, 18a-3, 18a-4, 18a-5, 18a-
[[Page 20268]]
6, 18a-7, 18a-8, and 18a-9.\459\ An SBSD may elect to operate pursuant
to Rule 18a-10 if it meets certain conditions.\460\ First, the firm
must be registered with the Commission as a stand-alone SBSD (i.e., not
also registered as a broker-dealer or an OTC derivatives dealer) and
registered with the CFTC as a swap dealer. Second, the firm must be
exempt from the segregation requirements of Rule 18a-4. Third, the
aggregate gross notional amount of the firm's outstanding security-
based swap positions must not exceed the lesser of two thresholds as of
the most recently ended quarter of the firm's fiscal year.\461\ The
thresholds are: (1) a maximum fixed-dollar gross notional amount of
open security-based swaps of $250 billion; \462\ and (2) 10% of the
combined aggregate gross notional amount of the firm's open security-
based swap and swap positions.
---------------------------------------------------------------------------
\459\ See 17 CFR 240.18a-10.
\460\ See Capital, Margin, and Segregation Requirements Adopting
Release, 84 at 43944-46 (discussing the conditions and the reasons
for them). See also SBS Entity Recordkeeping and Reporting Adopting
Release, 84 FR at 68549.
\461\ The gross notional amount is based on the notional amounts
of the firm's security-based swaps and swaps that are outstanding as
of the quarter end. It is not based on transaction volume during the
quarter.
\462\ The maximum fixed-dollar threshold of $250 billion is set
for a transition period of 3 years from the compliance date of the
rule. Three years after that date it will drop to $50 billion
(unless the Commission issues an order retaining the $250 billion
threshold or lesser amount that is greater than $50 billion).
---------------------------------------------------------------------------
As discussed above, Rule 18a-6 is proposed to be amended to require
SBSDs to maintain and preserve the records required to be made pursuant
to proposed Rule 10.\463\ However, because Rule 18a-6 is within the
scope of Rule 18a-10, an SBSD operating pursuant to Rule 18a-10 would
not be subject to the maintenance and preservation requirements of Rule
18a-6 with respect to the records required to be made pursuant to
proposed Rule 10. Therefore, while an SBSD would be subject to proposed
Rule 10 and need to make these records, the firm would not need to
maintain or preserve them in accordance with Rule 18a-6. For these
reasons, the Commission is proposing to amend Rule 18a-10 to exclude
from its scope the record maintenance and preservation requirements of
Rule 18a-6 as they pertain to the records required to be made pursuant
to proposed Rule 10.\464\ Therefore, the records required to be made
pursuant to proposed Rule 10 would need to be preserved and maintained
in accordance with Rule 18a-6, as it is proposed to be amended.
---------------------------------------------------------------------------
\463\ See section II.B.5. of this release (discussing these
proposals in more detail).
\464\ See proposed paragraph (g) of Rule 18a-10.
---------------------------------------------------------------------------
2. Request for Comment
The Commission requests comment on all aspects of the proposed
amendments relating to Rule 18a-10. In addition, the Commission is
requesting comment on the following specific aspects of the proposals:
90. Should the proposed amendments to Rule 18a-10 be modified? If
so, describe how and explain why the modification would be appropriate.
For example, would the records required to be made pursuant to proposed
Rule 10 be subject to CFTC record preservation and maintenance rules?
If so, identify the rules and explain the preservation and maintenance
requirements they would impose on the records required to be made
pursuant to proposed Rule 10. In addition, explain whether it would be
appropriate to permit an SBSD operating pursuant to Rule 18a-10 to
comply with these CFTC rules in terms of preserving and maintaining the
records required to be made pursuant to proposed Rule 10 in lieu of the
complying with the preservation and maintenance requirements that would
apply to the records under the proposed amendments to Rule 18a-6.
F. Market Entities Subject to Regulation SCI, Regulation S-P,
Regulation ATS, and Regulation S-ID
1. Discussion
a. Introduction
As discussed in more detail below, certain types of Market Entities
are subject to Regulation SCI and Regulation S-P.\465\ The Commission
separately is proposing to amend Regulation SCI and Regulation S-
P.\466\ Regulation SCI and Regulation S-P (currently and as they would
be amended) have or would have provisions requiring policies and
procedures that address certain types of cybersecurity risks.\467\
Regulation SCI (currently and as it would be amended) also requires
immediate written or telephonic notice and subsequent reporting to the
Commission on Form SCI of certain types of incidents.\468\ These
notification and subsequent reporting requirements of Regulation SCI
could be triggered by a ``significant cybersecurity incident'' as that
term would be defined in proposed Rule 10.\469\ Finally, Regulation SCI
and Regulation S-P (currently and as they would be amended) have or
would have provisions requiring disclosures to persons affected by
certain incidents.\470\ These current or proposed disclosure
requirements of Regulation SCI and Regulation S-P could be triggered by
a cybersecurity-related event that also would be a ``significant
cybersecurity incident'' as that term would be defined in proposed Rule
10.\471\ Consequently, if proposed Rule 10 is adopted (as proposed),
Market Entities could be subject to requirements in that rule and in
Regulation SCI and Regulation S-P that pertain to cybersecurity. While
the Commission preliminarily believes that these requirements are
nonetheless appropriate, it is seeking comment on the proposed
amendments, given the following: (1) each proposal has a different
scope and purpose; (2) the policies and procedures related to
cybersecurity that would be required under each of the proposed rules
would be consistent; (3) the public disclosures or notifications
required by the proposed rules would require different types of
information to be disclosed, largely to different audiences at
different times; and (4) it should be appropriate for entities to
comply with the proposed requirements.
---------------------------------------------------------------------------
\465\ See 17 CFR 242.1000 through 1007 (Regulation SCI); 17 CFR
248.1 through 248.30 (Regulation S-P). See also section II.F.1.b. of
this release (discussing the types of Market Entities that are or
would be subject to Regulation SCI and/or Regulation S-P).
\466\ See Regulation SCI 2023 Proposing Release; Regulation S-P
2023 Proposing Release.
\467\ See section II.F.1.c. of this release (discussing the
existing and proposed requirements of Regulation SCI and Regulation
S-P to have policies and procedures that address certain
cybersecurity risks).
\468\ See section II.F.1.d. of this release (discussing the
existing and proposed immediate notification and subsequent
reporting requirements of Regulation SCI).
\469\ See paragraph (a)(10) of proposed Rule 10 (defining the
term ``significant cybersecurity incident'').
\470\ See section II.F.1.e. of this release (discussing the
existing and proposed disclosure requirements of Regulation SCI and
Regulation S-P).
\471\ See paragraph (a)(10) of proposed Rule 10 (defining the
term ``significant cybersecurity incident'').
---------------------------------------------------------------------------
The Commission encourages interested persons to provide comments on
the discussion below, as well as on the potential related application
of proposed Rule 10, Regulation SCI, and Regulation S-P. More
specifically, the Commission encourages commenters: (1) to identify any
areas where they believe the requirements of proposed Rule 10 and the
existing or proposed requirements of Regulation SCI and Regulation S-P
would be particularly costly or create practical implementation
difficulties; (2) to provide details on what in particular about
implementation would be difficult; and (3) to make
[[Page 20269]]
recommendations on how to minimize these potential impacts. To assist
this effort, the Commission is seeking specific comment below on these
topics.\472\
---------------------------------------------------------------------------
\472\ See section II.F.2. of this release.
---------------------------------------------------------------------------
b. Market Entities That Are or Would Be Subject to Regulation SCI and
Regulation S-P
Certain Market Entities that would be subject to the requirements
of proposed Rule 10 applicable to Covered Entities are subject to the
existing requirements of Regulation SCI. In particular, SCI entities
include the following Covered Entities that also would be subject to
the requirements of proposed Rule 10: (1) ATSs that trade certain
stocks exceeding specific volume thresholds; (2) registered clearing
agencies; (3) certain exempt clearing agencies; (4) the MSRB; (5)
FINRA; and (6) national securities exchanges.\473\ Therefore, if
proposed Rule 10 is adopted (as proposed), these Covered Entities would
be subject to its requirements and the requirements of Regulation SCI
(currently and as it would be amended). The Commission is separately
proposing to revise Regulation SCI to expand the definition of ``SCI
entity'' to include the following Covered Entities that also would be
subject to the requirements of proposed Rule 10: (1) broker-dealers
that exceed an asset-based size threshold or a volume-based trading
threshold in NMS stocks, exchange-listed options, agency securities, or
U.S. treasury securities; (2) all exempt clearing agencies; and (3)
SBSDRs.\474\ Therefore, if these amendments to Regulation SCI are
adopted and proposed Rule 10 is adopted (as proposed), these additional
Covered Entities would be subject to the requirements of proposed Rule
10 and also to the requirements of Regulation SCI. Additionally,
broker-dealers and transfer agents that would be subject to proposed
Rule 10 also would be subject to some or all of the existing or
proposed requirements of Regulation S-P.\475\
---------------------------------------------------------------------------
\473\ See 17 CFR 242.1000 (defining the terms ``SCI alternative
trading system,'' ``SCI self-regulatory system,'' and ``Exempt
clearing agency subject to ARP,'' and including all of those defined
terms in the definition of ``SCI Entity''). The definition of ``SCI
entities'' includes additional Commission registrants that would not
be subject to the requirements of proposed Rule 10: plan processors
and SCI competing consolidators. However, the Commission is seeking
comment on whether these registrants should be subject to the
requirements of proposed Rule 10.
\474\ All exempt clearing agencies and SBSDRs would be subject
to the requirements of proposed Rule 10 applicable to Covered
Entities. See paragraphs (a)(1)(ii) and (vii) of proposed Rule 10
(defining these registrants as ``covered entities''). Broker-dealers
that exceed the asset-based size threshold under the proposed
amendments to Regulation SCI (which would be several hundred billion
dollars) also would be subject to the requirements of proposed Rule
10 applicable to Covered Entities, as they would exceed the $1
billion total assets threshold in the broker-dealer definition of
``covered entity.'' See paragraph (a)(1)(i)(D) of proposed Rule 10.
A broker-dealer that exceeds one or more of the volume-based trading
thresholds under the proposed amendments to Regulation SCI likely
would meet one of the broker-dealer definitions of ``covered
entity'' in proposed Rule 10 given their size and activities. For
example, it would either be a carrying broker-dealer, have
regulatory capital equal to or exceeding $50 million, have total
assets equal to or exceeding $1 billion, or operate as a market
maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed
Rule 10. The Commission is seeking comment above on whether a
broker-dealer that is an SCI entity should be defined specifically
as a ``covered entity'' under proposed Rule 10.
\475\ Broadly, Regulation S-P's requirements apply to all
broker-dealers, except for ``notice-registered broker-dealers'' (as
defined in 17 CFR 248.30), who in most cases will be deemed to be in
compliance with Regulation S-P if they instead comply with the
financial privacy rules of the CFTC, and are otherwise explicitly
excluded from certain of Regulation S-P's obligations. See 17 CFR
248.2(c). For the purposes of this section II.F. of this release,
the term ``broker-dealer'' when used to refer to broker-dealers that
are subject to Regulation S-P (currently and as it would be amended)
excludes notice-registered broker-dealers. Currently, transfer
agents registered with the Commission (``SEC-registered transfer
agents'') (but not transfer agents registered with another
appropriate regulatory agency) are subject to Regulation S-P's
``disposal rule'' (``Regulation S-P Disposal Rule''). See 17 CFR
248.30(b). However, no transfer agent is currently subject to any
other portion of Regulation S-P, including the ``safeguards rule''
under Regulation S-P (``Regulation S-P Safeguards Rule''). See 17
CFR 248.30(a). Under the proposed amendments to Regulation S-P, SEC-
registered transfer agents and transfer agents registered with
another appropriate regulatory agency (as defined in 15 U.S.C.
78c(34)(B)) would be subject to the Regulation S-P Safeguards Rule
and the Regulation S-P Disposal Rule. Regulation S-P also applies to
additional financial institutions that would not be subject to
proposed Rule 10. See 17 CFR 248.3.
---------------------------------------------------------------------------
c. Policies and Procedures to Address Cybersecurity Risks
i. Different Scope and Purpose of the Policies and Procedures
Requirements
Each of the policies and procedures requirements has a different
scope and purpose. Regulation SCI (currently and as it would be
amended) limits the scope of its requirements to certain systems of the
SCI Entity that support securities market related functions.
Specifically, it does and would require an SCI Entity to have
reasonably designed policies and procedures applicable to its SCI
systems and, for purposes of security standards, its indirect SCI
systems.\476\ While certain aspects of the policies and procedures
required by Regulation SCI (as it exists today and as proposed to be
amended) are designed to address certain cybersecurity risks (among
other things),\477\ the policies and procedures required by Regulation
SCI focus on the SCI entities' operational capability and the
maintenance of fair and orderly markets.
---------------------------------------------------------------------------
\476\ See 17 CFR 242.1001(a)(1). ``SCI systems'' are defined as
electronic or similar systems of, or operated by or on behalf of, an
SCI entity that directly support at least one of six market
functions: (1) trading; (2) clearance and settlement; (3) order
routing; (4) market data; (5) market regulation; or (6) market
surveillance. 17 CFR 242.1000. ``Indirect SCI systems'' are defined
as those of, or operated by or on behalf of, an SCI entity that, if
breached, would be reasonably likely to pose a security threat to
SCI systems. 17 CFR 242.1000. The distinction between SCI systems
and indirect SCI systems seeks to encourage SCI Entities that their
SCI systems, which are core market-facing systems, should be
physically or logically separated from systems that perform other
functions (e.g., corporate email and general office systems for
member regulation and recordkeeping). See Regulation Systems
Compliance and Integrity, Release No. 34-73639 79 FR 72251 (Dec. 5,
2014), at 79 FR at 72279-81 (``Regulation SCI 2014 Adopting
Release''). Indirect SCI systems are subject to Regulation SCI's
requirements with respect to security standards. Further, ``critical
SCI systems'' (a subset of SCI systems) are defined as those that
directly support functionality relating to: (1) clearance and
settlement systems of clearing agencies; (2) openings, reopenings,
and closings on the primary listing market; (3) trading halts; (4)
initial public offerings; (5) the provision of market data by a plan
processor; or (6) exclusively-listed securities; and as a catchall,
systems that provide functionality to the securities markets for
which the availability of alternatives is significantly limited or
nonexistent and without which there would be a material impact on
fair and orderly markets. 17 CFR 242.1000.
\477\ See 17 CFR 242.1000 (defining ``indirect SCI systems'').
The distinction between SCI systems and indirect SCI systems seeks
to encourage SCI Entities that their SCI systems, which are core
market-facing systems, should be physically or logically separated
from systems that perform other functions (e.g., corporate email and
general office systems for member regulation and recordkeeping). See
Regulation SCI 2014 Adopting Release, 79 FR at 72279-81. Indirect
SCI systems are subject to Regulation SCI's requirements with
respect to security standards.
---------------------------------------------------------------------------
Similarly, Regulation S-P (currently and as it would be amended)
also has a distinct focus. The policies and procedures required under
Regulation S-P, both currently and as proposed to be amended, are
limited to protecting a certain type of information--customer records
or information and consumer report information \478\--and they apply to
such information even when stored outside of SCI systems or indirect
SCI systems. Furthermore, these policies and procedures need not
address other types of information stored on the systems of the broker-
dealer or transfer agent.
---------------------------------------------------------------------------
\478\ Or as proposed herein, ``customer information'' and
``consumer information.'' See proposed rules 248.30(e)(5) and
(e)(1), respectively.
---------------------------------------------------------------------------
Proposed Rule 10 would have a broader scope than Regulation SCI and
Regulation S-P (currently and as they would be amended) because it
would require Market Entities to establish, maintain, and enforce
written policies
[[Page 20270]]
and procedures that are reasonably designed to address their
cybersecurity risks.\479\ Unlike Regulation SCI, these requirements
would therefore cover SCI systems, indirect SCI systems, and
information systems that are not SCI systems or indirect SCI systems.
And, unlike Regulation S-P, the proposed requirements would also
encompass information beyond customer information and consumer
information.
---------------------------------------------------------------------------
\479\ See paragraphs (b) and (e) of proposed Rule 10 (setting
forth the requirements of Covered Entities and Non-Covered Entities,
respectively, to have policies and procedures to address their
cybersecurity risks).
---------------------------------------------------------------------------
To illustrate, a Market Entity could use one comprehensive set of
policies and procedures to satisfy the requirements of proposed Rule 10
and the existing and proposed cybersecurity-related requirements of
Regulation SCI and Regulation S-P, so long as: (1) the cybersecurity-
related policies and procedures required under Regulation S-P and
Regulation SCI fit within and are consistent with the scope of the
policies and procedures required under proposed Rule 10; and (2) and
the policies and procedures requirements of proposed Rule 10 also
address the more narrowly-focused existing and proposed cybersecurity-
related policies and procedures requirements under Regulation SCI and
Regulation S-P.
ii. Consistency of the Policies and Procedures Requirements
Covered Entities
As discussed above, the Market Entities that would be SCI Entities
under the existing and proposed requirements of Regulation SCI would be
subject the policies and procedures requirements of proposed Rule 10
applicable to Covered Entities. In addition, broker-dealers and
transfer agents are subject to the requirements of Regulation S-P
(currently and as it would be amended).\480\ Transfer agents would be
Covered Entities under proposed Rule 10 and, therefore, subject to the
policies and procedures requirements of that rule applicable to Covered
Entities.\481\ Further, the two categories of broker-dealers that
likely would have the largest volume of customer information and
consumer information subject to the existing or proposed requirements
of Regulation S-P would be Covered Entities under proposed Rule 10:
carrying broker-dealers and introducing broker-dealers.\482\ For these
reasons, the Commission first analyzes the potential overlap between
proposed Rule 10 and the current and proposed requirements of
Regulation SCI and Regulation S-P by taking into account the policies
and procedures requirements of proposed Rule 10 that would apply to
Covered Entities.
---------------------------------------------------------------------------
\480\ As discussed above, SEC-registered transfer agents are
subject to the Regulation S-P Disposal Rule but not to the
Regulation S-P Safeguards Rule. The proposed amendments to
Regulation S-P would apply the Regulation S-P Safeguards Rule and
the Regulation S-P Disposal Rule to all transfer agents.
\481\ See paragraph (b)(1) of proposed Rule 10 (setting forth
the policies and procedures requirements for Covered Entities).
\482\ See paragraphs (a)(1)(i)(A) and (B) of proposed Rule 10
(defining, respectively, carrying broker-dealers and introducing
broker-dealers as Covered Entities).
---------------------------------------------------------------------------
Regulation SCI and Regulation S-P General Policies and Procedures
Requirements
Regulation SCI, Regulation S-P, and proposed Rule 10 all include
requirements that address certain cybersecurity-related risks.
Regulation SCI requires an SCI Entity to have reasonably designed
policies and procedures to ensure that its SCI systems and, for
purposes of security standards, indirect SCI systems, have levels of
capacity, integrity, resiliency, availability, and security, adequate
to maintain the SCI entity's operational capability and promote the
maintenance of fair and orderly markets.\483\
---------------------------------------------------------------------------
\483\ See 17 CFR 242.1001(a)(1).
---------------------------------------------------------------------------
The Regulation S-P Safeguards Rule requires broker-dealers (but not
transfer agents) to adopt written policies and procedures that address
administrative, technical, and physical safeguards for the protection
of customer records and information.\484\ The Regulation S-P Safeguards
Rule further provides that these policies and procedures must: (1)
insure the security and confidentiality of customer records and
information; (2) protect against any anticipated threats or hazards to
the security or integrity of customer records and information; and (3)
protect against unauthorized access to or use of customer records or
information that could result in substantial harm or inconvenience to
any customer.\485\ Additionally, the Regulation S-P Disposal Rule
requires broker-dealers and SEC-registered transfer agents that
maintain or otherwise possess consumer report information for a
business purpose to properly dispose of the information by taking
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.\486\
---------------------------------------------------------------------------
\484\ See 17 CFR 248.30(a).
\485\ See 17 CFR 248.30(a)(1) through (3).
\486\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines
the term ``disposal'' to mean: (1) the discarding or abandonment of
consumer report information; or (2) the sale, donation, or transfer
of any medium, including computer equipment, on which consumer
report information is stored. See 17 CFR 248.30(b)(1)(iii).
---------------------------------------------------------------------------
Proposed Rule 10 would require a Covered Entity to establish,
maintain, and enforce written policies and procedures that are
reasonably designed to address the Covered Entity's cybersecurity
risks. In addition, Covered Entities would be required to include the
following elements in their policies and procedures: (1) periodic
assessments of cybersecurity risks associated with the Covered Entity's
information systems and written documentation of the risk assessments;
(2) controls designed to minimize user-related risks and prevent
unauthorized access to the Covered Entity's information systems; (3)
measures designed to monitor the Covered Entity's information systems
and protect the Covered Entity's information from unauthorized access
or use, and oversight of service providers that receive, maintain, or
process information, or are otherwise permitted to access the Covered
Entity's information systems; (4) measures to detect, mitigate, and
remediate any cybersecurity threats and vulnerabilities with respect to
the Covered Entity's information systems; and (5) measures to detect,
respond to, and recover from a cybersecurity incident and written
documentation of any cybersecurity incident and the response to and
recovery from the incident.\487\
---------------------------------------------------------------------------
\487\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
As discussed earlier, the inclusion of these elements in proposed
Rule 10 is designed to enumerate the core areas that Covered Entities
would need to address when designing, implementing, and assessing their
policies and procedures.\488\ Taken together, these requirements are
designed to position Covered Entities to be better prepared to protect
themselves against cybersecurity risks, to mitigate cybersecurity
threats and vulnerabilities, and to recover from cybersecurity
incidents. They are also designed to help ensure that Covered Entities
focus their efforts and resources on the cybersecurity risks associated
with their operations and business practices.
---------------------------------------------------------------------------
\488\ See section II.B.1. of this release.
---------------------------------------------------------------------------
A Covered Entity that implements reasonably designed policies and
procedures in compliance with the requirements of proposed Rule 10
described above that cover its SCI systems and indirect SCI systems
should generally satisfy the existing general policies and procedures
[[Page 20271]]
requirements of Regulation SCI that pertain to cybersecurity.\489\
Similarly, policies and procedures implemented by a Covered Broker-
Dealer that are reasonably designed in compliance with the requirements
of proposed Rule 10 should generally satisfy the existing general
policies and procedures requirements of the Regulation S-P Safeguards
Rule discussed above that pertain to cybersecurity, to the extent that
such information is stored electronically and, therefore, falls within
the scope of proposed Rule 10. In addition, reasonably designed
policies and procedures implemented by a Covered Broker-Dealer or SEC-
registered transfer agent in compliance with the requirements of
proposed Rule 10 should generally satisfy the existing requirements of
the Regulation S-P Disposal Rule discussed above.
---------------------------------------------------------------------------
\489\ As noted above, the CAT System is a facility of each of
the Participants and an SCI system. See also CAT NMS Plan Approval
Order, 81 FR at 84758. It would also qualify as an ``information
system'' of each national securities exchange and each national
securities association under proposed Rule 10. The CAT NMS Plan
requires the CAT's Plan Processor to follow certain security
protocols and industry standards, including the NIST Cyber Security
Framework, subject to Participant oversight. See, e.g., CAT NMS Plan
at appendix D, section 4.2. For the reasons discussed above and
below with respect to SCI systems, the policies and procedures
requirements of proposed Rule 10 are not intended to be inconsistent
with the security protocols set forth in the CAT NMS Plan. Moreover,
to the extent the CAT NMS Plan requires security protocols beyond
those that would be required under proposed Rule 10, those
additional security protocols should generally fit within and be
consistent with the policies and procedures required under proposed
Rule 10 to address all cybersecurity risks.
---------------------------------------------------------------------------
Regulation SCI and Regulation S-P Requirements to Oversee Service
Providers. Under the amendments to Regulation SCI, the policies and
procedures required of SCI entities would need to include a program to
manage and oversee third party providers that provide functionality,
support or service, directly or indirectly, for SCI systems and
indirect SCI systems.\490\ In addition, proposed amendments to the
Regulation S-P Safeguards Rule would require broker-dealers and
transfer agents to include written policies and procedures within their
response programs that require their service providers, pursuant to a
written contract, to take appropriate measures that are designed to
protect against unauthorized access to or use of customer information,
including notification to the broker-dealer or transfer agent as soon
as possible, but no later than 48 hours after becoming aware of a
breach, in the event of any breach in security resulting in
unauthorized access to customer information maintained by the service
provider to enable the broker-dealer or transfer agent to implement its
response program expeditiously.\491\
---------------------------------------------------------------------------
\490\ See Regulation SCI 2023 Proposing Release. These policies
and procedures would need to include initial and periodic review of
contracts with such vendors for consistency with the SCI entity's
obligations under Regulation SCI; and a risk-based assessment of
each third party provider's criticality to the SCI entity, including
analyses of third party provider concentration, of key dependencies
if the third party provider's functionality, support, or service
were to become unavailable or materially impaired, and of any
potential security, including cybersecurity, risks posed. Id.
\491\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------
Proposed Rule 10 would have several policies and procedures
requirements that are designed to address similar cybersecurity risks
as these proposed amendments to Regulation SCI and Regulation S-P.
First, a Covered Entity's policies and procedures under proposed Rule
10 would need to require periodic assessments of cybersecurity risks
associated with the Covered Entity's information systems and
information residing on those systems.\492\ This element of the
policies and procedures would need to include requirements that the
Covered Entity identify its service providers that receive, maintain,
or process information, or are otherwise permitted to access its
information systems and any of its information residing on those
systems, and assess the cybersecurity risks associated with its use of
these service providers.\493\ Second, under proposed Rule 10, a Covered
Entity's policies and procedures would need to require oversight of
service providers that receive, maintain, or process its information,
or are otherwise permitted to access its information systems and the
information residing on those systems, pursuant to a written contract
between the Covered Entity and the service provider, through which the
service providers would need to be required to implement and maintain
appropriate measures that are designed to protect the Covered Entity's
information systems and information residing on those systems.\494\
---------------------------------------------------------------------------
\492\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also
section II.B.1.a. of this release (discussing this requirement in
more detail).
\493\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
\494\ See paragraphs (b)(1)(iii)(B) of proposed Rule 10; see
also section II.B.1.c. of this release (discussing this requirement
in more detail).
---------------------------------------------------------------------------
A Covered Entity that implements these requirements of proposed
Rule 10 with respect to its SCI systems and indirect SCI systems
generally should satisfy the proposed requirements of Regulation SCI
that the SCI entity's policies and procedures include a program to
manage and oversee third party providers that provide functionality,
support or service, directly or indirectly, for SCI systems and
indirect SCI systems. Similarly, a broker-dealer or transfer agent that
implements these requirements of proposed Rule 10 generally would
comply with the proposed requirements of the Regulation S-P Safeguards
Rule relating to the oversight of service providers.
Regulation SCI and Regulation S-P Unauthorized Access Requirements.
Under the proposed amendments to Regulation SCI, SCI entities would be
required to have a program to prevent the unauthorized access to their
SCI systems and indirect SCI systems, and information residing
therein.\495\ The proposed amendments to the Regulation S-P Disposal
Rule would require broker-dealers and transfer agents that maintain or
otherwise possess consumer information or customer information for a
business purpose to properly dispose of this information by taking
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.\496\ The broker-dealer
or transfer agent would be required to adopt and implement written
policies and procedures that address the proper disposal of consumer
information and customer information in accordance with this
standard.\497\
---------------------------------------------------------------------------
\495\ See Regulation SCI 2023 Proposing Release.
\496\ See Regulation S-P 2023 Proposing Release. As discussed
above, the general policies and procedures requirements of the
Regulation S-P Safeguards Rule require the policies and procedures--
among other things--to protect against unauthorized access to or use
of customer records or information that could result in substantial
harm or inconvenience to any customer. See 17 CFR 248.30(a)(3).
\497\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------
Proposed Rule 10 would have several policies and procedures
requirements that are designed to address similar cybersecurity-related
risks as these proposed requirements of Regulation SCI and the
Regulation S-P Disposal Rule. First, a Covered Entity's policies and
procedures under proposed Rule 10 would need to require controls: (1)
requiring standards of behavior for individuals authorized to access
the Covered Entity's information systems and the information residing
on those systems, such as an acceptable use policy; (2) identifying and
authenticating individual users, including but not limited to
implementing authentication measures that require users to present a
combination of two or more credentials for access verification; (3)
establishing procedures for the timely distribution,
[[Page 20272]]
replacement, and revocation of passwords or methods of authentication;
(4) restricting access to specific information systems of the Covered
Entity or components thereof and the information residing on those
systems solely to individuals requiring access to the systems and
information as is necessary for them to perform their responsibilities
and functions on behalf of the Covered Entity; and (5) securing remote
access technologies.\498\
---------------------------------------------------------------------------
\498\ See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule
10; see also section II.B.1.b. of this release (discussing these
requirements in more detail).
---------------------------------------------------------------------------
Second, under proposed Rule 10, a Covered Entity's policies and
procedures would need to include measures designed to protect the
Covered Entity's information systems and protect the information
residing on those systems from unauthorized access or use, based on a
periodic assessment of the Covered Entity's information systems and the
information that resides on the systems.\499\ The periodic assessment
would need to take into account: (1) the sensitivity level and
importance of the information to the Covered Entity's business
operations; (2) whether any of the information is personal information;
(3) where and how the information is accessed, stored and transmitted,
including the monitoring of information in transmission; (4) the
information systems' access controls and malware protection; and (5)
the potential effect a cybersecurity incident involving the information
could have on the Covered Entity and its customers, counterparties,
members, registrants, or users, including the potential to cause a
significant cybersecurity incident.\500\
---------------------------------------------------------------------------
\499\ See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also
section II.B.1.c. of this release (discussing these requirements in
more detail).
\500\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed
Rule 10.
---------------------------------------------------------------------------
A Covered Entity that implements these requirements of proposed
Rule 10 with respect to its SCI systems and indirect SCI systems
generally should satisfy the proposed requirements of Regulation SCI
that the SCI entity's policies and procedures include a program to
prevent the unauthorized access to their SCI systems and indirect SCI
systems, and information residing therein. Similarly, a broker-dealer
or transfer agent that implements these requirements of proposed Rule
10 should generally satisfy the proposed requirements of the Regulation
S-P Disposal Rule to adopt and implement written policies and
procedures that address the proper disposal of consumer information and
customer information.
Regulation SCI and Regulation S-P Response Programs. Regulation SCI
requires SCI entities to have policies and procedures to monitor its
SCI systems and indirect SCI systems for SCI events, which include
systems intrusions for unauthorized access, and also requires them to
have policies and procedures that include escalation procedures to
quickly inform responsible SCI personnel of potential SCI events.\501\
---------------------------------------------------------------------------
\501\ See 17 CFR 242.1001(a)(2)(vii) and (c)(1), respectively.
---------------------------------------------------------------------------
The amendments to Regulation S-P's safeguards provisions would
require the policies and procedures to include a response program for
unauthorized access to or use of customer information. Further, the
response program would need to be reasonably designed to detect,
respond to, and recover from unauthorized access to or use of customer
information, including procedures, among others: (1) to assess the
nature and scope of any incident involving unauthorized access to or
use of customer information and identify the customer information
systems and types of customer information that may have been accessed
or used without authorization; \502\ and (2) to take appropriate steps
to contain and control the incident to prevent further unauthorized
access to or use of customer information.\503\
---------------------------------------------------------------------------
\502\ Regulation SCI's obligation to take corrective action may
include a variety of actions, such as determining the scope of the
SCI event and its causes, among others. See Regulation SCI 2014
Adopting Release, 79 FR at 72251, 72317. See also 17 CFR
242.1002(a).
\503\ See Regulation S-P 2023 Proposing Release. The response
program also would need to have procedures to notify each affected
individual whose sensitive customer information was, or is
reasonably likely to have been, accessed or used without
authorization unless the covered institution determines, after a
reasonable investigation of the facts and circumstances of the
incident of unauthorized access to or use of sensitive customer
information, the sensitive customer information has not been, and is
not reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience. See id.
---------------------------------------------------------------------------
The amendments to the Regulation S-P Safeguards Rule would require
the policies and procedures to include a response program for
unauthorized access to or use of customer information. Further, the
response program would need to be reasonably designed to detect,
respond to, and recover from unauthorized access to or use of customer
information, including procedures, among others: (1) to assess the
nature and scope of any incident involving unauthorized access to or
use of customer information and identify the customer information
systems and types of customer information that may have been accessed
or used without authorization; and (2) to take appropriate steps to
contain and control the incident to prevent further unauthorized access
to or use of customer information.\504\
---------------------------------------------------------------------------
\504\ See Regulation S-P 2023 Proposing Release. As discussed
below, the response program also would need to have procedures to
notify each affected individual whose sensitive customer information
was, or is reasonably likely to have been, accessed or used without
authorization unless the covered institution determines, after a
reasonable investigation of the facts and circumstances of the
incident of unauthorized access to or use of sensitive customer
information, the sensitive customer information has not been, and is
not reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience. See id.
---------------------------------------------------------------------------
Proposed Rule 10 would have several policies and procedures
requirements that are designed to address similar cybersecurity-related
risks as these proposed requirements of the Regulation S-P Safeguards
Rule. First, under proposed Rule 10, a Covered Entity's policies and
procedures would need to require measures designed to detect, mitigate,
and remediate any cybersecurity threats and vulnerabilities with
respect to the Covered Entity's information systems and the information
residing on those systems.\505\ Second, under proposed Rule 10, a
Covered Entity's policies and procedures would need to have measures
designed to detect, respond to, and recover from a cybersecurity
incident, including policies and procedures that are reasonably
designed to ensure (among other things): (1) the continued operations
of the Covered Entity; (2) the protection of the Covered Entity's
information systems and the information residing on those systems; and
(3) external and internal cybersecurity incident information sharing
and communications.\506\
---------------------------------------------------------------------------
\505\ See paragraph (b)(1)(iv) of proposed Rule 10; see also
section II.B.1.d. of this release (discussing this requirement in
more detail).
\506\ See paragraph (b)(1)(v) of proposed Rule 10; see also
section II.B.1.e. of this release (discussing this requirement in
more detail).
---------------------------------------------------------------------------
A Covered Entity that implements reasonably designed policies and
procedures in compliance with these requirements of proposed Rule 10
generally should satisfy the proposed requirements of the Regulation
SCI and Regulation S-P Safeguards Rule to have a response program
relating to response programs for unauthorized access.
Regulation SCI Review Requirements. Regulation SCI currently
prescribes certain elements that must be included in each SCI entity's
policies and procedures.\507\ These required elements include policies
and procedures that must provide for regular reviews and
[[Page 20273]]
testing of SCI systems and indirect SCI systems, including backup
systems, to identify vulnerabilities from internal and external
threats.\508\ In addition, Regulation SCI requires SCI entities to
conduct penetration tests as part of a review of their compliance with
Regulation SCI.\509\ While these reviews must be conducted not less
than once each calendar year, the penetration tests currently need to
be conducted not less than once every three years.\510\ The amendments
to Regulation SCI would increase the required frequency of the
penetration tests to not less than once each calendar year.\511\ The
amendments to Regulation SCI also would require that the penetration
tests include tests of any vulnerabilities of the SCI entity's SCI
systems and indirect SCI systems identified under the existing
requirement to perform regular reviews and testing of SCI systems and
indirect SCI systems, including backup systems, to identify
vulnerabilities from internal and external threats.\512\
---------------------------------------------------------------------------
\507\ See 17 CFR 242.1001(a)(2).
\508\ 17 CFR 242.1001(a)(2)(iv).
\509\ See 17 CFR 242.1003(b)(1)(i).
\510\ Id.
\511\ See Regulation SCI 2023 Proposing Release.
\512\ See Regulation SCI 2023 Proposing Release; 17 CFR
242.1001(a)(2)(iv).
---------------------------------------------------------------------------
Proposed Rule 10 would have several policies and procedures
requirements that are designed to address similar cybersecurity-related
risks as these existing and proposed requirements of Regulation SCI.
First, a Covered Entity's policies and procedures under proposed Rule
10 would need to require periodic assessments of cybersecurity risks
associated with the Covered Entity's information systems and
information residing on those systems.\513\ Moreover, this element of
the policies and procedures would need to include requirements that the
Covered Entity categorize and prioritize cybersecurity risks based on
an inventory of the components of the Covered Entity's information
systems and information residing on those systems and the potential
effect of a cybersecurity incident on the Covered Entity.\514\ Second,
under proposed Rule 10, a Covered Entity's policies and procedures
would need to require measures designed to detect, mitigate, and
remediate any cybersecurity threats and vulnerabilities with respect to
the Covered Entity's information systems and the information residing
on those systems.\515\
---------------------------------------------------------------------------
\513\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also
section II.B.1.a. of this release (discussing this requirement in
more detail).
\514\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
\515\ See paragraph (b)(1)(iv) of proposed Rule 10; see also
section II.B.1.d. of this release (discussing this requirement in
more detail).
---------------------------------------------------------------------------
A Covered Entity that implements these requirements of proposed
Rule 10 with respect to its SCI systems and indirect SCI systems
generally should satisfy the current requirements of Regulation SCI
that the SCI entity's policies and procedures require regular reviews
and testing of SCI systems and indirect SCI systems, including backup
systems, to identify vulnerabilities from internal and external
threats.
Further, while proposed Rule 10 does not require penetration
testing, the proposed rule--as discussed above--requires measures
designed to protect the Covered Entity's information systems and
protect the information residing on those systems from unauthorized
access or use, based on a periodic assessment of the Covered Entity's
information systems and the information that resides on the
systems.\516\ As discussed earlier, penetration testing could be part
of these measures.\517\ Therefore, the existing and proposed
requirements of Regulation SCI requiring penetration testing could be
incorporated into and should fit within a Covered Entity's policies and
procedures to address cybersecurity risks under proposed Rule 10.
---------------------------------------------------------------------------
\516\ See paragraph (b)(1)(iii)(A) of proposed Rule 10.
\517\ See also section II.B.1.c. of this release. The Commission
also is requesting comment above on whether proposed Rule 10 should
be modified to specifically require penetration testing.
---------------------------------------------------------------------------
Non-Covered Broker-Dealers
Non-Covered Broker-Dealers--which would be subject to Regulation S-
P but not Regulation SCI--are smaller firms whose functions do not play
as significant a role in the U.S. securities markets, as compared to
Covered Broker-Dealers.\518\ For example, Non-Covered Broker-Dealers
tend to offer a more focused and limited set of services such as
facilitating private placements of securities, selling mutual funds and
variable contracts, underwriting securities, and participating in
direct investment offerings.\519\ Further, they do not hold customer
securities and cash or serve as a conduit (i.e., an introducing broker-
dealer) for customers to access their accounts at a carrying broker-
dealer that holds the customers' securities and cash. If these Non-
Covered Broker-Dealers do not possess or maintain any customer
information or consumer information for a business purpose in
connection with the services they provide, they would not be subject to
either the current or proposed requirements of Regulation S-P,
including those that pertain to cybersecurity.
---------------------------------------------------------------------------
\518\ See section IV.C.2. of this release (discussing the
activities of broker-dealers that would not meet the definition of
``covered entity'' in proposed Rule 10). As discussed below in
section IV.C.2. of this release, the 1,541 broker-dealers that would
meet the definition of ``covered entity'' in proposed Rule 10 had
average total assets of $3.5 billion and average regulatory equity
of $325 million; whereas the 1,969 that would not meet the
definition of ``covered entity'' had average total assets of $4.7
million and regulatory equity of $3 million. This means that broker-
dealers that would not meet the definition of ``covered entity'' in
proposed Rule 10 accounted for about 0.2% of the total assets of all
broker-dealers and 0.1% of total capital for all broker-dealers.
\519\ See section IV.C.2. of this release (discussing the
activities of broker-dealers that would not meet the definition of
``covered entity'' in proposed Rule 10).
---------------------------------------------------------------------------
However, Non-Covered Broker-Dealers under proposed Rule 10 that do
possess or maintain customer information or consumer information for a
business purpose would be subject to the current and proposed
requirements of Regulation S-P. Given their smaller size, some of these
Non-Covered Broker-Dealers may store and dispose of the information in
paper form and, therefore, under the existing and proposed requirements
of Regulation S-P would need to address the physical security aspects
of storing and disposing of this information. These paper records would
not be subject to proposed Rule 10.
Some Non-Covered Broker-Dealers likely would store customer
information and consumer information for a business purpose
electronically on an information system. Under the existing and
proposed requirements of Regulation S-P, these Non-Covered Broker-
Dealers would need to address the cybersecurity risks of storing this
information on an information system. These Non-Covered Broker-Dealers
would be subject the requirements of proposed Rule 10 to establish,
maintain, and enforce written policies and procedures that are
reasonably designed to address their cybersecurity risks taking into
account the size, business, and operations of the firm.\520\ Under
proposed Rule 10, they also would be required to review and assess the
design and effectiveness of their cybersecurity policies and
procedures, including whether the policies and procedures reflect
changes in cybersecurity risk over the time period covered by the
[[Page 20274]]
review. This means the Non-Covered Broker-Dealer would need to
comprehensively address all of its cybersecurity risks. The policies
and procedures to address cybersecurity risks required under proposed
Rule 10 would need to address cybersecurity risks involving information
systems on which customer information and consumer information is
stored. Therefore, complying with this requirement of proposed Rule 10
would be consistent with complying with the existing and proposed
requirements of Regulation S-P that relate to cybersecurity.
---------------------------------------------------------------------------
\520\ See paragraph (e) of proposed Rule 10 (setting forth the
policies and procedures requirements for Market Entities that are
not broker-dealers). See also section II.C. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
As discussed above, Regulation S-P (currently and as it would be
amended) sets forth certain specific requirements that pertain to
cybersecurity risk; whereas the requirements of proposed Rule 10
applicable to Non-Covered Broker-Dealers more generally require the
firm to establish, maintain, and enforce written policies and
procedures that are reasonably designed to address its cybersecurity
risks taking into account the size, business, and operations of the
firm. As explained above, those more specific existing and proposed
requirements of Regulation S-P are consistent with certain of the
elements--which are based on industry standards for addressing
cybersecurity risk--that Covered Entities would be required to include
in their policies and procedures under proposed Rule 10.\521\ Further,
proposed Rule 10 would require a Non-Covered Broker-Dealer to take into
account its size, business, and operations when designing its policies
and procedures to address its cybersecurity risks. Storing customer
information and consumer information on an information system is the
type of operation a Non-Covered Broker-Dealer would need to take into
account. Consequently, the specific existing and proposed requirements
of Regulation S-P should fit within and be consistent with a Non-
Covered Broker-Dealer's reasonably designed policies and procedures to
address its cybersecurity risks under proposed Rule 10, including the
risks associated with storing customer information and consumer
information on an information system.
---------------------------------------------------------------------------
\521\ See section II.B.1. of this release (discussing the
policies and procedures requirements for Covered Entities).
---------------------------------------------------------------------------
iii. Regulation ATS and Regulation S-ID
Certain broker-dealers that operate an ATS are subject to
Regulation ATS and certain broker-dealers that offer and maintain
certain types of accounts for customers are subject to requirements of
Regulation S-ID to establish an identity theft program.\522\
Additionally, SBS Entities and transfer agents could be subject to
Regulation S-ID if they are ``financial institutions'' or
``creditors.'' \523\ As discussed below, Regulation ATS and Regulation
S-ID are more narrowly focused on certain cybersecurity risks as
compared to proposed Rule 10, which focuses on all cybersecurity risks
of a Market Entity. In addition, the current requirements of Regulation
ATS and Regulation S-ID should fit within and be consistent with the
broader policies and procedures required under proposed Rule 10 to
address all cybersecurity risks.
---------------------------------------------------------------------------
\522\ See 17 CFR 242.301 through 304 (conditions to the
Regulation ATS exemption); 17 CFR 248.201 and 202 (Regulation S-ID
identity theft program requirements).
\523\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID
includes any financial institution or creditor, as defined in the
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be
``registered under the Securities Exchange Act of 1934.'' See 17 CFR
248.201(a).
---------------------------------------------------------------------------
Regulation ATS requires certain broker-dealers that operate an ATS
to review the vulnerability of its systems and data center computer
operations to internal and external threats, physical hazards, and
natural disasters if during at least four of the preceding six calendar
months, such ATS had: (1) with respect to municipal securities, 20
percent or more of the average daily volume traded in the United
States; or (2) with respect to corporate debt securities, 20 percent or
more of the average daily volume traded in the United States.\524\
Therefore, in addition to other potential systems issues, the broker-
dealer would need to address cybersecurity risk of relating to its ATS
system. Further, this requirement applies to systems that support order
entry, order handling, execution, order routing, transaction reporting,
and trade comparison in the particular security.\525\ Therefore, it has
a narrower focus than proposed Rule 10.
---------------------------------------------------------------------------
\524\ See 17 CFR 242.301(b)(6). Currently, no ATS has crossed
the either of the volume-based thresholds and, therefore, no ATS is
subject to the requirements pertaining, in part, to cybersecurity.
See also Amendments Regarding the Definition of ``Exchange'' and
ATSs Release, 87 FR 15496.
\525\ See Regulation of Exchanges and Alternative Trading
Systems, Exchange Act Release No. 40760 (Dec. 8, 1998) [63 FR 70844,
70876 (Dec. 22, 1998)].
---------------------------------------------------------------------------
Regulation ATS also requires all broker-dealers that operate an ATS
to establish adequate written safeguards and written procedures to
protect subscribers' confidential trading information.\526\ The written
safeguards and procedures must include, among other things, limiting
access to the confidential trading information of subscribers to those
employees of the alternative trading system who are operating the
system or responsible for its compliance with these or any other
applicable rules.\527\ These requirements apply to all broker-dealers
that operate an ATS and, as indicated, apply to a narrow set of
information stored on their information systems: the confidential
trading information of the subscribers to the ATS.
---------------------------------------------------------------------------
\526\ See 17 CFR 242.301(b)(10).
\527\ See 17 CFR 242.301(b)(10)(i)(A).
---------------------------------------------------------------------------
As discussed above, Covered Entities under proposed Rule 10--which
would include broker-dealers that operate as an ATS--would be required
to establish, maintain, and enforce written policies and procedures
that are reasonably designed to address the Covered Entity's
cybersecurity risks. In addition, Covered Entities would be required to
include the following elements in their policies and procedures: (1)
periodic assessments of cybersecurity risks associated with the Covered
Entity's information systems and written documentation of the risk
assessments; (2) controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems; (3) measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversight of service providers that
receive, maintain, or process information, or are otherwise permitted
to access the Covered Entity's information systems; (4) measures to
detect, mitigate, and remediate any cybersecurity threats and
vulnerabilities with respect to the Covered Entity's information
systems; and (5) measures to detect, respond to, and recover from a
cybersecurity incident and written documentation. Consequently, a
broker-dealer operates an ATS and that implements reasonably designed
policies and procedures in compliance with the requirements of proposed
Rule 10 should generally satisfy the current requirements of Regulation
ATS to review the vulnerability of its systems and data center computer
operations to internal and external threats and to protect subscribers'
confidential trading information to the extent these requirements
pertain to cybersecurity.
Regulation S-ID requires--among other things--a financial
institution or creditor within the scope of the regulation that offers
or maintains one or more covered accounts to develop and implement a
written identity theft prevention program that is designed to detect,
prevent, and mitigate identity theft in connection with the opening of
a covered account or any existing
[[Page 20275]]
covered account.\528\ Regulation S-ID defines the term ``covered
account''--in pertinent part--as an account that the financial
institution or creditor maintains, primarily for personal, family, or
household purposes, that involves or is designed to permit multiple
payments or transactions, such as a brokerage account with a broker-
dealer, and any other account that the financial institution or
creditor offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the
financial institution or creditor from identity theft, including
financial, operational, compliance, reputation, or litigation
risks.\529\ Therefore, Regulation S-ID is narrowly focused on one
cybersecurity risk--identity theft. Identity theft--as discussed
earlier--is one of the tactics threat actors use to cause harm after
obtaining unauthorized access to personal information.\530\ As a
cybersecurity risk, Market Entities would need to address it as part of
their policies and procedures under proposed Rule 10. Consequently, the
requirement of Regulation S-ID should fit within and be consistent with
a Market Entity's reasonably designed policies and procedures to
address its cybersecurity risks under proposed Rule 10, including the
risks associated with identity theft.
---------------------------------------------------------------------------
\528\ See 17 CFR 248.201(d)(1).
\529\ See 17 CFR 248.201(b)(3).
\530\ See section I.A. of this release.
---------------------------------------------------------------------------
d. Notification and Reporting to the Commission
Regulation SCI (currently and as it would be amended) provides the
framework for notifying the Commission of SCI events including, among
other things, to: immediately notify the Commission of the event;
provide a written notification on Form SCI within 24 hours that
includes a description of the SCI event and the system(s) affected,
with other information required to the extent available at the time;
provide regular updates regarding the SCI event until the event is
resolved; and submit a final detailed written report regarding the SCI
event.\531\ If proposed Rule 10 is adopted as proposed, it would
require Market Entities that are Covered Entities to provide the
Commission (and other regulators, if applicable) with immediate written
electronic notice of a significant cybersecurity incident affecting the
Covered Entity and, thereafter, report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission (and other regulators, if applicable).\532\
Part I of proposed of Form SCIR would elicit information about the
significant cybersecurity incident and the Covered Entity's efforts to
respond to, and recover from, the incident.
---------------------------------------------------------------------------
\531\ See 17 CFR 242.1002(b). An ``SCI event'' is an event at an
SCI entity that is: (1) a ``systems disruption,'' which is an event
in an SCI entity's SCI systems that disrupts, or significantly
degrades, the normal operation of an SCI system; (2) a ``systems
intrusion,'' which is any unauthorized entry into the SCI systems or
indirect SCI systems of an SCI entity; or (3) a ``systems compliance
issue,'' which is an event at an SCI entity that has caused any SCI
system of such entity to operate in a manner that does not comply
with the Exchange Act and the rules and regulations thereunder or
the entity's rules or governing documents, as applicable. See 17 CFR
242.1000 (defining the terms ``systems disruption,'' ``system
intrusion,'' and ``system compliance issue'' and including those
terms in the definition of ``SCI event''). The amendments to
Regulation SCI would broaden the definition of ``system intrusion''
to include a cybersecurity event that disrupts, or significantly
degrades, the normal operation of an SCI system, as well as a
material attempted unauthorized entry into the SCI systems or
indirect SCI systems of an SCI entity. Regulation SCI 2023 Proposing
Release.
\532\ See paragraphs (c)(1) and (2) of proposed Rule 10
(requiring Covered Entities to provide immediate written notice and
subsequent reporting on Part I of proposed Form SCIR of significant
cybersecurity incidents); sections II.B.2. and II.B.4. of this
release (discussing the requirements of paragraphs (c)(1) and (2) of
proposed Rule 10 and Part I of Form SCIR in more detail). Non-
Covered Broker-Dealers also would be subject to an immediate written
electronic notice requirement under paragraph (e)(2) of proposed
Rule 10. However, as discussed above, a Non-Covered Broker-Dealer
likely would not be an SCI Entity.
---------------------------------------------------------------------------
Consequently, a Covered Entity that is also an SCI entity that
experiences a significant cybersecurity incident under proposed Rule 10
that also is an SCI event would be required to make two filings for the
single incident: one on Part I of proposed Form SCIR and the other on
Form SCI. The Covered Entity also would be required to make additional
filings on Forms SCIR and SCI pertaining to the significant
cybersecurity incident (i.e., to provide updates and final reports).
The approach of having two separate notification and reporting
programs--one under proposed Rule 10 and the other under Regulation
SCI--would be appropriate for the following reasons.
As discussed earlier, certain broker-dealers and all transfer
agents would not be SCI entities under the current and proposed
requirements of Regulation SCI.\533\ Certain of the broker-dealers that
are not SCI entities (currently and as it would be amended) would be
Covered Entities and all transfer agents would be Covered
Entities.\534\ In addition, the current and proposed reporting
requirements of Regulation SCI are or would be triggered by events
impacting SCI systems and indirect SCI systems. The Covered Entities
that are or would be SCI entities use and rely on information systems
that are not SCI systems or indirect SCI systems under the current and
proposed amendments to Regulation SCI. For these reasons, Covered
Entities could be impacted by significant cybersecurity incidents that
do not trigger the current and proposed notification requirements of
Regulation SCI either because they do not meet the current or proposed
definitions of ``SCI entity'' or the significant cybersecurity incident
does not meet the current or proposed definitions of ``SCI event.''
---------------------------------------------------------------------------
\533\ See section II.F.1.b. of this release. Currently, broker-
dealers that operate as ATSs and trade certain stocks exceeding
specific volume thresholds are SCI entities. The proposed amendments
to Regulation SCI would expand the definition of ``SCI entity'' to
include broker-dealers that exceed an asset-based size threshold or
a volume-based trading threshold in NMS stocks, exchange-listed
options, agency securities, or U.S. treasury securities. See
Regulation SCI 2023 Proposing Release.
\534\ See paragraphs (a)(1)(i)(A) and (F) proposed Rule 10
(defining the categories of broker-dealers that would be Covered
Entities); paragraph (a)(1)(ix) proposed Rule 10 (defining transfer
agents as ``covered entities'').
---------------------------------------------------------------------------
As discussed earlier, the objective of the notification and
reporting requirements of proposed Rule 10 is to improve the
Commission's ability to monitor and evaluate the effects of a
significant cybersecurity incident on Covered Entities and their
customers, counterparties, members, registrants, or users, as well as
assess the potential risks affecting financial markets more
broadly.\535\ For this reason, Part I of proposed Form SCIR is tailored
to elicit information relating specifically to cybersecurity, such as
information relating to the threat actor, and the impact of the
incident on any data or personal information that may have been
accessed.\536\ The Commission and its staff could use the information
reported on Part I of Form SCIR to monitor the U.S. securities markets
and the Covered Entities that support those markets broadly from a
cybersecurity perspective, including identifying cybersecurity threats
and trends from a market-wide view. By requiring all Covered Entities
to report information about a significant cybersecurity incident on a
common form, the information obtained from these filings over time
would create a comprehensive set of data of all significant
cybersecurity incidents impacting Covered Entities that is based on
these entities responding to the same check boxes and questions on the
form. This would facilitate analysis of the data, including analysis
across different Covered Entities and significant cybersecurity
incidents. Eventually, this
[[Page 20276]]
set of data and the ability to analyze it by searching and sorting how
different Covered Entities responded to the same questions on the form
could be used to spot common trending risks and vulnerabilities as well
as best practices employed by Covered Entities to respond to and
recover from significant cybersecurity incidents.
---------------------------------------------------------------------------
\535\ See section II.B.2.a. of this release.
\536\ See section II.B.2.b. of this release.
---------------------------------------------------------------------------
The current and proposed definitions of ``SCI event'' include
events that are not related to significant cybersecurity
incidents.\537\ For example, under the current and proposed
requirements of Regulation SCI, the definition of ``SCI event''
includes an event in an SCI entity's SCI systems that disrupts, or
significantly degrades, the normal operation of an SCI system.\538\
Therefore, the definitions are not limited to events in an SCI entity's
SCI systems that disrupt, or significantly degrade, the normal
operation of an SCI system caused by a significant cybersecurity
incident. The information elicited in Form SCI reflects the broader
scope of the reporting requirements of Regulation SCI (as compared to
the narrower focus of proposed Rule 10 on reporting about significant
cybersecurity incidents). For example, the form requires the SCI entity
to identify the type of SCI event: systems compliance issue, systems
disruption, and/or systems intrusion. In addition, Form SCI is tailored
to elicit information specifically about SCI systems. For example, the
form requires the SCI entity to indicate whether the type of SCI system
impacted by the SCI event directly supports: (1) trading; (2) clearance
and settlement; (3) order routing; (4) market data; (5) market
regulation; and/or (6) market surveillance. If the impacted system is a
critical SCI system, the SCI entity must indicate whether it directly
supports functionality relating to: (1) clearance and settlement
systems of clearing agencies; (2) openings, reopenings, and closings on
the primary listing market; (3) trading halts; (4) initial public
offerings; (5) the provision of consolidated market data; and/or (6)
exclusively-listed securities. The form also requires the SCI entity to
indicate if the systems that provide functionality to the securities
markets for which the availability of alternatives is significantly
limited or nonexistent and without which there would be a material
impact on fair and orderly markets.
---------------------------------------------------------------------------
\537\ See 17 CFR 242.1000 (defining the term ``SCI event'');
Regulation SCI 2023 Proposing Release.
\538\ See 17 CFR 242.1000 (defining the term ``system
disruption'' and including that term in the definition of ``SCI
event''); Regulation SCI 2023 Proposing Release.
---------------------------------------------------------------------------
e. Disclosure
Proposed Rule 10 and the existing and proposed requirements of
Regulation SCI and the proposed requirements of Regulation S-P also
have similar, but distinct, requirements related to notification about
certain cybersecurity incidents. Regulation SCI requires that SCI
entities disseminate information to their members, participants, or
customers (as applicable) regarding SCI events.\539\ The proposed
amendments to Regulation S-P would require broker-dealers and transfer
agents to notify affected individuals whose sensitive customer
information was, or is reasonably likely to have been, accessed or used
without authorization.\540\ Proposed Rule 10 would require a Covered
Entity to make two types of public disclosures relating to
cybersecurity on Part II of proposed Form SCIR.\541\ Covered Entities
would be required to make the disclosures by filing Part II of proposed
Form SCIR on EDGAR and posting a copy of the filing on their business
internet websites.\542\ In addition, a Covered Entity that is either a
carrying or introducing broker-dealer would be required to provide a
copy of the most recently filed Part II of Form SCIR to a customer as
part of the account opening process. Thereafter, the carrying or
introducing broker-dealer would need to provide the customer with the
most recently filed form annually. The copies of the form would need to
be provided to the customer using the same means that the customer
elects to receive account statements (e.g., by email or through the
postal service). Finally, a Covered Entity would be required to
promptly make updated disclosures through each of the methods described
above (as applicable) if the information required to be disclosed about
cybersecurity risk or significant cybersecurity incidents materially
changes, including, in the case of the disclosure about significant
cybersecurity incidents, after the occurrence of a new significant
cybersecurity incident or when information about a previously disclosed
significant cybersecurity incident materially changes.
---------------------------------------------------------------------------
\539\ See 17 CFR 242.1002(c).
\540\ See Regulation S-P 2023 Proposing Release. The proposed
amendments to Regulation S-P would define ``sensitive customer
information'' to mean any component of customer information alone or
in conjunction with any other information, the compromise of which
could create a reasonably likely risk of substantial harm or
inconvenience to an individual identified with the information. Id.
The proposed amendments would provide example of sensitive customer
information. Id.
\541\ See paragraph (d)(1) of proposed Rule 10.
\542\ See section II.B.3.b. of this release (discussing these
proposed requirements in more detail).
---------------------------------------------------------------------------
Consequently, a Covered Entity would--if it experiences a
``significant cybersecurity incident''--be required to make updated
disclosures under proposed Rule 10 by filing Part II of proposed Form
SCIR on EDGAR, posting a copy of the form on its business internet
website, and, in the case of a carrying or introducing broker-dealer,
by sending the disclosure to its customers using the same means that
the customer elects to receive account statements. Moreover, if Covered
Entity is an SCI entity and the significant cybersecurity incident is
or would be an SCI event under the current or proposed requirements of
Regulation SCI, the Covered Entity also could be required to
disseminate certain information about the SCI event to certain of its
members, participants, or customers (as applicable). Further, if the
Covered Entity is a broker-dealer or transfer agent and, therefore,
subject to Regulation S-P (as it is proposed to be amended), the
broker-dealer or transfer agent also could be required to notify
individuals whose sensitive customer information was, or is reasonably
likely to have been, accessed or used without authorization.
However, despite these similarities, there are distinct
differences. First, proposed Rule 10, Regulation SCI, and Regulation S-
P (as proposed to be amended) require different types of information to
be disclosed. Second, the disclosures, for the most part, would be made
to different persons: (1) the public at large in the case of proposed
Rule 10; \543\ (2) affected members, participants, or customers (as
applicable) of the SCI entity in the case of Regulation SCI; \544\ and
(3) affected individuals whose sensitive customer information was, or
is reasonably likely to have been, accessed or used without
authorization or, in some cases, all individuals whose information
resides in the customer information system that was accessed or used
without authorization in the case of Regulation S-P (as proposed to be
amended).
---------------------------------------------------------------------------
\543\ A carrying broker-dealer would be required to make the
disclosures to its customers as well through the means by which they
receive account statements.
\544\ Information regarding major SCI events is and would be
required to be disseminated by an SCI entity to all of its members,
participants, or customers (as applicable) under the existing and
proposed requirements of Regulation SCI. See Regulation SCI 2023
Proposing Release.
---------------------------------------------------------------------------
Additionally, the disclosure or notification provided about certain
cybersecurity incidents is different
[[Page 20277]]
under proposed Rule 10 and the existing and/or proposed requirements of
Regulation SCI and Regulation S-P, given their distinct goals. For
example, the requirement to disclose summary descriptions of certain
cybersecurity incidents from the current or previous calendar year
publicly on EDGAR, among other methods, under proposed Rule 10 serves a
different purpose than: (1) the member, participant, or customer (as
applicable) dissemination of information regarding SCI events under
Regulation SCI; and (2) the customer notification obligation under the
proposed amendments to Regulation S-P, which would provide more
specific information to individuals affected by a security compromise
involving their sensitive customer information, so that those
individuals may take remedial actions if they so choose.
2. Request for Comment
The Commission requests comment on the potential duplication or
overlap between the requirements of proposed Rule 10, Regulation SCI
(as it currently exists and as it is proposed to be amended), and
Regulation S-P (as it currently exists and as it is proposed to be
amended). In addition, the Commission is requesting comment on the
following matters:
91. Should the policies and procedures requirements of proposed
Rule 10 be modified to address Market Entities that also would be
subject to the existing and proposed requirements of Regulation SCI
and/or Regulation S-P? For example, would it be particularly costly or
create practical implementation difficulties to apply the requirements
of proposed Rule 10 (if it is adopted) to have policies and procedures
to address cybersecurity risks to Market Entities even if they also
would be subject to requirements to have policies and procedures under
Regulation SCI and/or Regulation S P that address certain cybersecurity
risks (currently and as they would be amended)? If so, explain why. If
not, explain why not. Are there ways the policies and procedures
requirements of proposed Rule 10 could be modified to minimize these
potential impacts while achieving the separate goals of this proposal
to protect participants in the U.S. securities markets and the markets
themselves from cybersecurity risks? If so, explain how and suggest
specific modifications.
92. Would it be appropriate to modify proposed Rule 10 to exempt
SCI systems or indirect SCI systems from its policies and procedures
requirements and instead rely on the policies and procedures
requirements of Regulation SCI to address cybersecurity risks to these
information systems of Covered Entities? If so, explain why. If not,
explain why not. What would be the costs and benefits of this approach?
For example, if one set of policies and procedures generally would
satisfy the requirements of both rules, would this approach result in
incremental costs or benefits? Please explain. Would this approach
achieve the objectives of this rulemaking to address cybersecurity
risks to Covered Entities, given that Rule 10 is specifically designed
to address cybersecurity risks and Regulation SCI is designed to
address a broader range of risks to certain information systems? Please
explain. Would this approach create practical implementation and
compliance complexities insomuch as one set of the Covered Entity's
systems would be subject to Regulation SCI (i.e., SCI systems and
indirect SCI systems) and the other set would be subject to Rule 10?
Please explain. If it would create practical implementation and
compliance difficulties, would Covered Entities nonetheless apply
separate policies and procedures requirements to their information
systems based on whether they are or are not SCI systems and indirect
SCI Systems or would they develop a single set of policies and
procedures that comprehensively addresses the requirements of
Regulation SCI and Rule 10? Please explain. Would a comprehensive set
of policies and procedures result in stronger measures to protect SCI
systems and indirect SCI systems from cybersecurity risks? Please
explain. If so, would this be appropriate given the nature of SCI
systems and indirect SCI systems and the roles these systems play in
the U.S. securities markets? Please explain.
93. Should the policies and procedures requirements of proposed
Rule 10 be modified to address Market Entities that also would be
subject to the requirements of Regulation ATS? If so, explain why. If
not, explain why not.
94. Should the immediate notification and reporting requirements of
proposed Rule 10 be modified to address Covered Entities that also
would be subject to the existing and proposed requirements of
Regulation SCI? For example, would it be particularly costly or create
practical implementation difficulties to apply the immediate
notification and subsequent reporting requirements of proposed Rule 10
and Part I of proposed Form SCIR (if they are adopted) to Covered
Entities even if they also would be subject to immediate notification
and subsequent reporting requirements under Regulation SCI (as it
currently exists and would be amended)? If so, explain why. If not,
explain why not. Are there ways the notification and reporting
requirements of proposed Rule 10 and Part I of proposed Form SCIR could
be modified to minimize these potential impacts while achieving the
separate goals of this proposal to protect participants in the U.S.
securities markets and the markets themselves from cybersecurity risks?
If so, explain how and suggest specific modifications. For example,
should Part I of proposed Form SCIR be modified to include a section
that incorporates the check boxes and questions of Form SCI so that a
single form could be filed to meet the reporting requirements of
proposed Rule 10 and Regulation SCI? If so, explain why. If not,
explain why not. Are there other ways Part I of proposed Form SCIR
could be modified to combine the elements of Form SCI? If so, explain
how. Should Rule 10 be modified to require that the initial Part I of
Form SCIR must be filed within 24 hours (instead of promptly but not
later than 48 hours) to align the filing timeframe with Regulation SCI?
If so, explain why. If not, explain why not.
95. Should the public disclosure requirements of proposed Rule 10
be modified to address Covered Entities that also would be subject to
the existing and proposed requirements of Regulation SCI and/or
Regulation S-P? For example, would it be particularly costly or create
practical implementation difficulties to apply the public disclosure
requirements of proposed Rule 10 and Part II of proposed form SCIR (if
they are adopted) to Covered Entities even if they also would be
subject to the current and proposed disclosure requirements of
Regulation SCI and Regulation S-P? If so, explain why. If not, explain
why not. Are there ways the public disclosure requirements of proposed
Rule 10 could be modified to minimize these potential impacts while
achieving the separate goals of this proposal to protect participants
in the U.S. securities markets and the markets themselves from
cybersecurity risks? If so, explain how and suggest specific
modifications. For example, should proposed Rule 10 be modified to
permit the customer notification that would be required under the
amendments to Regulation S-P to satisfy the requirement of proposed
Rule 10 that a Covered Entity that is a carrying broker-dealer or
introducing broker-dealer send a copy of an updated Part II of proposed
Form SCIR to its customers? If so, explain why. If not, explain why
not. Would sending the notification required by proposed Rule 10 and
the
[[Page 20278]]
notification required by the proposed amendments to Regulation S-P to
the same customer be confusing to the customer? If so, explain why. If
not, explain why not.
G. Cybersecurity Risk Related to Crypto Assets
The creation, distribution, custody, and transfer of crypto assets
depends almost exclusively on the operations of information
systems.\545\ Crypto assets, therefore, are exposed to cybersecurity
risks.\546\ Further, crypto assets are attractive targets for threat
actors.\547\ Therefore, information systems that involve crypto assets
may be subject to heightened cybersecurity risks. If Market Entities
engage in business activities involving crypto assets, they could be
exposed to these heighted cybersecurity risks.\548\
---------------------------------------------------------------------------
\545\ The term ``digital asset'' or ``crypto asset'' refers to
an asset that is issued and/or transferred using distributed ledger
or blockchain technology (``distributed ledger technology''),
including, but not limited to, so-called ``virtual currencies,''
``coins,'' and ``tokens.'' See Custody of Digital Asset Securities
by Special Purpose Broker-Dealers, Exchange Act Release No. 90788
(Dec. 23, 2020) [86 FR 11627, 11627, n.1 (Feb. 26, 2021)]. To the
extent digital assets rely on cryptographic protocols, these types
of assets are commonly referred to as ``crypto assets.'' A crypto
asset may or may not meet the definition of a ``security'' under the
federal securities laws. See, e.g., Report of Investigation Pursuant
to Section 21(a) of the Securities Exchange Act of 1934: The DAO,
Securities Exchange Act Release No. 81207 (July 25, 2017), available
at https://www.sec.gov/litigation/investreport/34-81207.pdf. See
also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). ``Digital asset
securities'' can be referred to as ``crypto asset securities'' and
for purposes of this release, the Commission does not distinguish
between the terms ``digital asset securities'' and ``crypto asset
securities.''
\546\ See KPMG, Assessing crypto and digital asset risks (May
2022), available at https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2022/assessing-crypto-and-digital-asset-risks.pdf
(``Properly securing digital assets[] is typically viewed as the
biggest risk that companies must address.'').
\547\ See U.S. Department of Treasury, Crypto-Assets:
Implications for Consumers, Investors, and Businesses (Sept. 2022),
available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (``Treasury Crypto Report'') (``Moreover, the
crypto-asset ecosystem has unique features that make it an
increasingly attractive target for unlawful activity, including the
ongoing evolution of the underlying technology, pseudonymity,
irreversibility of transactions, and the current asymmetry of
information between issuers of crypto-assets and consumers and
investors.'').
\548\ Moreover, if the Market Entity's activities involving
crypto asset securities involve its information systems, the
requirements being proposed in this release would be implicated.
---------------------------------------------------------------------------
Crypto assets are an attractive target for unlawful activity due,
in large part, to the unique nature of distributed ledger technology.
Possession or control of crypto assets on a distributed ledger is based
on ownership or knowledge of public and private cryptographic key
pairings. These key pairings are somewhat analogous to user names and
passwords and consist of strings of letters and numbers used to sign
transactions on a distributed ledger and to prove ownership of a
blockchain address, which is commonly known as a ``digital wallet.''
\549\ Digital wallets, in turn, generally require the use of internet-
connected hardware and software to receive and transmit information
about crypto asset holdings.
---------------------------------------------------------------------------
\549\ See, e.g., NIST Glossary (defining ``private key'').
---------------------------------------------------------------------------
A digital wallet can be obtained by anyone, including a potential
threat actor. If a victim's digital wallet is connected to the
internet, and a threat actor obtains access to the victim's private
key, the threat actor can transfer the contents of the wallet to
another blockchain address (such as the threat actor's own digital
wallet) without authorization from the true owner. It may be difficult
to subsequently track down the identity of the threat actor because the
owner of a digital wallet can remain anonymous (absent additional
attribution information) and because intermediaries involved in the
transfer of crypto assets, such as trading platforms, may not comply
with or may actively claim not to be subject to applicable ``know your
customer'' or related diligence requirements.\550\
---------------------------------------------------------------------------
\550\ See, e.g., Treasury Crypto Report (``Compared to
registered financial market intermediaries--which are subject to
rules and laws that promote market integrity and govern risks and
business conduct, including identifying, disclosing, and mitigating
conflicts of interest and adhering to AML/CFT requirements--many
crypto-asset platforms may either not yet be in compliance with, or
may actively claim not to be subject to, existing applicable U.S.
laws and regulations, including registration requirements. . . .
When the onboarding process used by platforms is limited or opaque,
the risk that the platform may be used for illegal activities
increases.'').
---------------------------------------------------------------------------
The current state of distributed ledger technology may present
other challenges to defending against cybercriminal activity. First,
there is no centralized information technology (``IT'') infrastructure
that can dynamically detect and prevent cyberattacks on wallets or
prevent the transfer of illegitimately obtained crypto assets by threat
actors.\551\ This is unlike traditional infrastructures, such as those
used by banks and broker-dealers, where behavioral and historic
transaction patterns can be used to detect and prevent account
takeovers in real-time. Furthermore, distributed ledger technology
often makes it difficult or impossible to reverse erroneous or
fraudulent crypto asset transactions, whereas processes and protocols
exist to reverse erroneous or fraudulent transactions when trading more
traditional assets.\552\ In addition, certain code that governs the
operation of a blockchain and that governs so-called ``smart
contracts'' are often transparent to the public. This provides threat
actors with visibility into potential vulnerabilities associated with
the code, though developers may have limited ability to patch those
vulnerabilities.\553\ These characteristics of distributed ledger
technology, and others, present cybersecurity vulnerabilities that, if
taken advantage of by a threat actor, could lead to financial harm
without meaningful recourse to reverse fraudulent transactions, recover
or replace lost crypto assets, or correct errors.
---------------------------------------------------------------------------
\551\ See CipherTrace, Cryptocurrency crime and anti-money
laundering report (June 2022), available at https://4345106.fs1.hubspotusercontent-na1.net/hubfs/4345106/CAML%20Reports/CipherTrace%20Cryptocurrency%20Crime%20and%20Anti-Money%20Laundering%20Report%2c%20June%202022.pdf?_hstc=56248308.2ea6daf13b00f00afe4d9acf0886eddf.1667865330143.1667865330143.1667917991763.2&_hssc=56248308.1.1667917991763&_hsfp=247897319 (``CipherTrace
2022 Report'').
\552\ For example, this is the case with Bitcoin and Ether, the
two crypto assets with the largest market values. See CoinMarketCap,
Today's Cryptocurrency Prices by Market Cap, available at https://coinmarketcap.com/ (``Crypto Asset Market Value Chart''). See also,
e.g., Kaili Wang, Qinchen Wang, and Dan Boneh, ERC-20R and ERC-721R:
Reversible Transactions on Ethereum (Oct. 11, 2022), available at
https://arxiv.org/pdf/2208.00543.pdf#page=16&zoom=100,96,233
(Stanford University proposal discussing the immutability of
Ethereum-based tokens, and proposing that reversible Ethereum
transactions may facilitate more wide-spread adoption of these
crypto assets). With respect to securities, the clearance and
settlement of securities that are not crypto assets are
characterized by infrastructure whereby intermediaries such as
clearing agencies and securities depositories serve as key
participants in the process. The clearance and settlement of crypto
asset securities, on the other hand, may rely on fewer, if any,
intermediaries and remain evolving areas of practices and
procedures.
\553\ See Treasury Crypto Report (``Smart contracts, which are
widely used by many permissionless blockchains, also present risks
as they combine the features of generally being immutable and
publicly viewable. Taken together, these attributes pose several
vulnerabilities that may be exploited by illicit actors to steal
customer funds: once an attacker finds a bug in a smart contract and
exploits it, immutable smart contract protocols limit developers'
ability to patch the exploited vulnerability, giving attackers more
time to exploit the vulnerability and steal assets.'').
---------------------------------------------------------------------------
The amount of crypto assets stolen by threat actors annually
continues to increase.\554\ Threat actors looking to
[[Page 20279]]
exploit the vulnerabilities associated with crypto assets often employ
social engineering techniques, such as phishing to acquire a user's
cryptographic key pairing information. Phishing tactics that have been
employed to reach and trick crypto asset users into disclosing their
private keys include: (1) monitoring social media for users reaching
out to wallet software support, intervening with direct messages, and
impersonating legitimate support staff who need the user's private key
to fix the problem; (2) distributing new crypto assets at no cost to a
set of wallets in an ``airdrop,'' and then failing transactions on
those assets with an error message to redirect the owner to a phishing
website or a website that installs plug-in software and steals the
user's credentials from a local device; and (3) impersonating a wallet
software provider and stealing private keys directly from the
user.\555\ To the extent that the activities of Market Entities involve
crypto assets, these types of phishing tactics could be used against
their employees.
---------------------------------------------------------------------------
\554\ See Treasury Crypto Report (noting that of the total
amount of crypto asset based crime in 2021, theft rose by over 500%
year-over-year to $3.2 billion in total); Chainalysis, The 2022
Crypto Crime Report (Feb. 2022), available at https://go.chainalysis.com/2022-Crypto-Crime-Report.html (``Chainalysis 2022
Report'') (predicting that illicit transaction activity will reach
an all-time high in terms of value in 2022, and noting that crypto
asset based crime hit a new all-time high in 2021, with illicit
addresses receiving $14 billion over the course of the year, up from
$7.8 billion in 2020).
\555\ See Microsoft 365 Defender Research Team, `Ice Phishing'
on the Blockchain (Feb. 16, 2022), available at https://www.microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain/.
---------------------------------------------------------------------------
Another related variation of a social engineering attack that is
similar to phishing, but does not involve stealing private keys
directly, is called ``ice phishing.'' In this scheme, the threat actor
tricks the user into signing a digital transaction that delegates
approval and control of the user's wallet to the attacker, allowing the
threat actor to become the so-called ``spender'' of the wallet. Once
the threat actor obtains control over the user's wallet, the threat
actor can transfer all of the crypto assets to a new wallet controlled
by the threat actor.\556\
---------------------------------------------------------------------------
\556\ See CipherTrace June 2022 Report. Delegating authority to
another user reportedly is a common transaction on decentralized
finance (``DeFi'') platforms, as the user may need to provide the
DeFi platform with approval to conduct transactions with the user's
tokens. In an ``ice phishing'' attack, the attacker modifies the
spender address to the attacker's address. Once the approval
transaction has been signed, submitted, and mined, the spender can
access the funds. The attacker can accumulate approvals over a
period of time and then drain the victim's wallets quickly.
---------------------------------------------------------------------------
Threat actors also target private keys and crypto assets through
other means, such as installing key logging software,\557\ exploiting
vulnerabilities in code used in connection with crypto assets (such as
smart contracts), and deploying flash loan attacks.\558\ Installing key
logging software, in particular, is an example of malware that threat
actors looking to exploit the vulnerabilities associated with crypto
assets often employ. Other common types of crypto asset-focused malware
techniques include info stealers, clippers, and cryptojackers.\559\
---------------------------------------------------------------------------
\557\ Key logging can involve a threat actor deploying a
software program designed to record which keys are pressed on a
computer keyboard to obtain passwords or other encryption keys,
therefore bypassing certain security measures. See NIST Glossary
(defining ``key logger''). Key logging software can be installed,
for example, when the victim clicks a link or downloads an
attachment in a phishing email, downloads a Trojan virus that is
disguised as a legitimate file or application, or is directed to a
phony website.
\558\ See Treasury Crypto Report (``In an innovation unique to
DeFi lending, some protocols may support `flash loans,' which enable
users to borrow, use, and repay crypto assets in a single
transaction that is recorded on the blockchain in the same data
block. Because there is no default risk associated with flash loans,
users can borrow without posting collateral and without risk of
being liquidated. A `flash loan attack' can occur when the temporary
surge of funds obtained in a flash loan is used to manipulate prices
of crypto-assets, often through the interaction of multiple DeFi
services, enabling attackers to take over the governance of a
protocol, change the code, and drain the treasury.''). In 2021, code
exploits and flash loan attacks accounted for 49.8% of all crypto
asset value stolen across all crypto asset services. See Chainalysis
2022 Report.
\559\ Specifically, ``info stealers'' collect saved credentials,
files, autocomplete history, and crypto asset wallets from
compromised computers. ``Clippers'' can insert new text into the
victim's clipboard, replacing text the user has copied. Hackers can
use clippers to replace crypto asset addresses copied into the
clipboard with their own, allowing them to reroute planned
transactions to their own wallets. ``Cryptojackers'' make
unauthorized use of the computing power of a victim's device to mine
crypto assets. See Chainalysis 2022 Report.
---------------------------------------------------------------------------
The size and growth of the crypto asset markets, along with the
fact that many participants in these markets (such as issuers,
intermediaries, trading platforms, and service providers) may be acting
in noncompliance with applicable law, continue to make them an
attractive target for threat actors looking for quick financial gain.
The crypto asset ecosystem has exhibited rapid growth in the past few
years. For example, industry reports have suggested that the total
crypto asset market value increased from approximately $135 billion on
January 1, 2019 to just under $2.1 trillion on March 31, 2022.\560\
According to these reports, the crypto asset market value peaked at
almost $3 trillion in November 2021.\561\ Various sources also report
that the market value remains over $1 trillion today.\562\
---------------------------------------------------------------------------
\560\ See CipherTrace June 2022 Report. The amount of total
activity in the crypto asset markets has increased as well.
According to the CipherTrace June 2022 Report, while the total
activity in 2020 was around $4.3 trillion, there was approximately
$16 trillion of total activity in the first half of 2021 alone. See
id.
\561\ See id.
\562\ See Crypto Asset Market Value Chart; see also Treasury
Crypto Report.
---------------------------------------------------------------------------
III. General Request for Comment
In addition to the specific requests for comment above, the
Commission is requesting comments from all members of the public on all
aspects of the proposed rule and amendments. Commenters are requested
to provide empirical data in support of any arguments or analyses. With
respect to any comments, the Commission notes that they are of the
greatest assistance to this rulemaking initiative if accompanied by
supporting data and analysis of the issues addressed in those comments
and by alternatives to the Commission's proposals where appropriate.
IV. Economic Analysis
A. Introduction
The Commission is mindful of the economic effects, including the
costs and benefits, of: (1) proposed Rule 10; (2) Parts I and II of
proposed Form SCIR; (3) the proposed amendments to Rules 17a-4, 17ad-7,
and 18a-6; (4) the proposed amendments to existing orders that exempt
certain clearing agencies from registering with the Commission; and (5)
the proposed amendments to paragraph (d)(1) of Rule 3a71-6 to add
proposed Rule 10 and Form SCIR to the list of Commission requirements
eligible for a substituted compliance determination. Section 3(f) of
the Exchange Act provides that when engaging in rulemaking that
requires the Commission to consider or determine whether an action is
necessary or appropriate in the public interest, to also consider, in
addition to the protection of investors, whether the action will
promote efficiency, competition, and capital formation.\563\ Section
23(a)(2) of the Exchange Act also requires the Commission to consider
the effect that the rules and rule amendments would have on
competition, and it prohibits the Commission from adopting any rule
that would impose a burden on competition not necessary or appropriate
in furtherance of the Exchange Act.\564\ The analysis below addresses
the likely economic effects of the proposed rule and form, the proposed
rule amendments, and the proposed amendments to the exemptive orders,
including the anticipated and estimated benefits and costs of these
proposals and their likely effects on efficiency, competition, and
capital formation. The Commission also discusses the potential economic
effects of certain alternatives
[[Page 20280]]
to the approaches taken with respect to these proposals.
---------------------------------------------------------------------------
\563\ See 15 U.S.C. 78c(f).
\564\ See 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------
As discussed above, Market Entities rely on information systems to
perform functions that support the fair, orderly, and efficient
operation of the U.S. securities markets.\565\ This exposes them and
the U.S. securities markets to cybersecurity risk. According to the
Bank for International Settlements, the financial sector has the
second-largest share of COVID-19-related cybersecurity events between
the end of February and June 2020.\566\ As is the case with other risks
(e.g., market, credit, or liquidity risk), cybersecurity risk can be
addressed through policies and procedures that are reasonably designed
to manage the risk. A second means to address cybersecurity risk to the
U.S. securities markets is through the Commission gathering and sharing
information about significant cybersecurity incidents. This risk also
can be addressed through greater transparency.\567\ For these reasons
(and the reasons discussed throughout the release), the Commission is
proposing Rule 10 and Form SCIR to require that Market Entities address
cybersecurity risks, to improve the Commission's ability to obtain
information about significant cybersecurity incidents impacting Covered
Entities and to require Covered Entities to disclose publicly summary
descriptions of their cybersecurity risks and significant cybersecurity
incidents (if applicable).
---------------------------------------------------------------------------
\565\ See section I.A. of this release (discussing cybersecurity
risks and the use of information systems by Market Entities).
\566\ Id. The health sector is ranked first in term of the
cyberattacks.
\567\ ``The Council recommends that regulators and market
participants continue to work together to improve the coverage,
quality, and accessibility of financial data, as well as improve
data sharing among relevant agencies.'' FSOC 2021 Annual Report, at
16.
---------------------------------------------------------------------------
It is important to note that the Market Entities serve different
functions in the U.S. securities markets and are subject to different
regulatory regimes. As a result, Market Entities today have varying
approaches to cybersecurity protections and would have different costs
and benefits associated with complying with proposed Rule 10 and for
Covered Entities to file Parts I and II of proposed Form SCIR. In
addition, Market Entities may have different costs and benefits
depending on the size and complexity of their businesses. For example,
because Non-Covered Broker-Dealers likely are materially smaller in
size than Covered Entities, use fewer and less complex information
systems, and have less data stored on information systems, the
obligations of Non-Covered Broker-Dealers under proposed Rule 10 are
more limited, and likely would have lower compliance costs. This could
be the case even though Non-Covered Broker-Dealers may still need to
invest in hardware and software, employ legal and compliance personnel,
or contract with a third party. Furthermore, in addition to the direct
benefits and costs realized by Market Entities, other market
participants, such as investors and third-party service providers would
realize indirect benefits and costs from the adoption of the proposed
rule. The direct and indirect benefits and costs realized by each type
of Market Entity and market participants are discussed below.\568\
---------------------------------------------------------------------------
\568\ See section IV.D. of this release (discussing these
benefits and costs).
---------------------------------------------------------------------------
Many of the benefits and costs discussed below are difficult to
quantify. For example, the effectiveness of cybersecurity strengthening
measures taken as a result of proposed Rule 10 depends on the extent to
which they reduce the likelihood of a cybersecurity incident and on the
expected cost of such an incident, including remediation costs in the
event that a cybersecurity incident causes harm. As a result, the
effectiveness of cybersecurity strengthening is subject to numerous
assumptions and unknowns, and thus is difficult to quantify.
Effectively, because cybersecurity infrastructure as well as policies
and procedures help to prevent successful cybersecurity intrusions, the
benefit of cybersecurity protection can be measured as the expected
loss from a cybersecurity incident. In 2020, the average loss in the
financial services industry was $18.3 million, per company per
incident. The average cost of a financial services data breach was
$5.85 million.\569\ Thus, those values would represent the benefit of
avoiding a cybersecurity incident.
---------------------------------------------------------------------------
\569\ Jennifer Rose Hale, The Soaring Risks of Financial
Services Cybercrime: By the Numbers, Diligent (Apr. 9, 2021),
available at https://www.diligent.com/insights/financial-services/cybersecurity/#.
---------------------------------------------------------------------------
The Commission has limited information on cybersecurity incidents
impacting Market Entities. For example, as discussed above, certain
Market Entities are SCI entities subject to the requirements of
Regulation SCI. \570\ SCI entities must report SCI events to the
Commission on Form SCI, which could include cybersecurity
incidents.\571\ However, only certain Market Entities are SCI entities
and the reporting requirements of Regulation SCI are limited to SCI
systems and indirect SCI systems, which are a subset of the information
systems used by SCI entities. To the extent that a cybersecurity
incident at a Market Entity that is also a SCI entity is an SCI event,
the Market Entity would be required to file Form SCI. However, only
certain SCI events are also considered to be cybersecurity incidents.
Consequently, the Commission currently has only partial knowledge of
the cybersecurity incidents that occur at Market Entities. The
Commission believes using the benefit and cost values related to SCI
Entities as a basis to estimate the benefits and costs of the proposed
rule for Covered Entities would be instructive but may be under
inclusive.
---------------------------------------------------------------------------
\570\ See section II.F.1.b. of this release (discussing the
Covered Entities that are subject to Regulation SCI).
\571\ See section II.F.1.d. of this release (discussing the
reporting requirements of Regulation SCI).
---------------------------------------------------------------------------
Similarly, the Commission has access to information contained in
confidential anti-money laundering (AML) suspicious activity reports
(``SARs'') that broker-dealers file with the Department of the
Treasury's Financial Crime Enforcement Network (``FinCEN''), which
includes known or suspected cybersecurity incidents.\572\ However, the
SARs filed by broker-dealers with FinCEN do not necessarily include all
of the details associated with an incident, such as whether the
incident was confirmed, the extent of the impact, and how the breach
was remediated. Furthermore, the SAR filing may not be timely, as a
broker-dealer has up to 30 days to file the SAR if a suspect is
identified, or up to 60 days if a suspect is not identified. Issues
that require immediate attention--such as terrorist financing or
ongoing money laundering schemes--must be reported to law
enforcement.\573\ If reporting is not otherwise required by the
Commission or an SRO, a broker-dealer ``may also, but is not required
to'' contact the Commission.\574\ Broker-dealers must make the
supporting documentation available to the Commission and registered
SROs (as well as to FinCEN, law enforcement agencies, and Federal
regulatory authorities that examine for Bank Secrecy Act compliance)
upon request.\575\ The benefits and costs of filing SARs with FinCEN
can serve as a basis to approximate the cost of filing Part I of
proposed Form SCIR. However, the proposed rule would require a
[[Page 20281]]
quicker reporting timeline, more information to be provided, and
multiple updates with regard to a given significant cybersecurity
event. Thus, the costs related to complying with SAR filings serves as
a floor for Covered Entities complying with the proposed rule.
---------------------------------------------------------------------------
\572\ See, e.g., Fergus Shiel and Ben Hallman, International
Consortium of Investigative Journalists, Suspicious Activity
Reports, Explained (Sept. 20, 2020), available at https://www.icij.org/investigations/fincen-files/suspicious-activity-reports-explained/ (stating that approximately 85% of SARs are filed
by a few large banks to report money laundering).
\573\ See 31 CFR 1023.320(b)(3).
\574\ See 31 CFR 1023.320(a)(1), (b)(3).
\575\ See 31 CFR 1023.320(d).
---------------------------------------------------------------------------
While the Commission has attempted to quantify economic effects
where possible, some of the discussion of economic effects is
qualitative in nature. The Commission seeks comment on all aspects of
the economic analysis, especially any data or information that would
enable the Commission to quantify the proposal's economic effects more
accurately.
B. Broad Economic Considerations
Market Entities generally have financial incentives to maintain
some level of cybersecurity protection because failure to safeguard
their operations from attacks on their information systems and protect
information about their customers, counterparties, members,
registrants, or users as well as their funds and assets could lead to
losses of funds, assets, and customer information, as well as damage
the Market Entity's reputation. As a result, Market Entities generally
have an incentive to invest some amount of money to address
cybersecurity risk.
Market Entities' reputational motives generally should encourage
them to invest in measures to protect their information systems from
cybersecurity risk.\576\ Moreover, the damage caused by a significant
cybersecurity incident, including the associated remediation costs, may
exceed that of implementing cybersecurity policies and procedures that
may have prevented the incident and its harmful impacts. As a result,
significant losses arising from a potential significant cybersecurity
incident can encourage Market Entities to invest in cybersecurity
protections today. However, such investments in cybersecurity
protections may not be sufficient. The Investment Company Institute
notes that the remediation costs of $252 million associated with the
2013 data breach experienced by Target Brands, Inc. (``Target'') far
exceeded the cost of the cybersecurity insurance the company purchased
($90 million), resulting in an out-of-pocket loss for Target of $162
million.\577\ PCH Technologies states that in 2020, small companies (1-
49 employees) lost an average of $24,000 per cybersecurity incident.
That loss increased to $50,000 per incident for medium-sized companies
(50-249 employees). Large companies (250-999 employees) and enterprise-
level firms (1,000 employees or more) lost an average of $133,000 and
$504,000 per cybersecurity incident, respectively.\578\
---------------------------------------------------------------------------
\576\ See Marc Dupuis and Karen Renaud, Scoping the Ethical
Principles of Cybersecurity Fear Appeals, 23 Ethics and Info. Tech.
265 (2021), available at https://doi.org/10.1007/s10676-020-09560-0.
\577\ See National Law Review, Target Data Breach Price Tag:
$252 Million and Counting (Feb. 26, 2015), available at https://www.natlawreview.com/article/target-data-breach-price-tag-252-million-and-counting.
\578\ Timothy Guim, Cost of Cyber Attacks vs. Cost of Cyber
Security in 2021, PCH Technologies (July 7, 2021), available at
https://pchtechnologies.com/cost-of-cyber-attacks-vs-cost-of-cyber-
security-in-2021/
#:~:text=1%20Large%20businesses%3A%20Between%20%242%20million%20and%2
0%245,%24500%2C000%20or%20less%20spent%20on%20cybersecurity%20per%20y
ear.
---------------------------------------------------------------------------
Having an annual penetration testing requirement can help Market
Entities reduce the likelihood of costly data breaches. For instance,
according to one industry source, RSI Security, a penetration test
``can measure [the entity's] system's strengths and weaknesses in a
controlled environment before [the entity has] to pay the cost of an
extremely damaging data breach.'' \579\ For example, RSI Security
explains that penetration testing ``can cost anywhere from $4,000-
$100,000,'' and ``[o]n average, a high quality, professional
[penetration testing] can cost from $10,000-$30,000.'' \580\ RSI
Security, however, was clear that the magnitudes of these costs can
vary with size, complexity, scope, methodology, types, experience, and
remediation measures.\581\ On the other hand, the same article cited
IBM's 2019 Cost of a Data Breach Study, which reported that the average
cost of a data breach is $3.92 million with an average loss of 25,575
records,\582\ which would more than justify ``the average $10,000-
$30,000 bill from a professional, rigorous [penetration testing].''
\583\ Another source estimates a ``high-quality, professional
[penetration testing to cost] between $15,000-$30,000,'' while
emphasizing that ``cost varies quite a bit based on a set of
variables.'' \584\ This is in line with a third source, which states
that ``[a] true penetration test will likely cost a minimum of
$25,000.'' \585\ It is the Commission's understanding that multi-cloud
architecture could introduce more complexity and accordingly,
cybersecurity risks into Market Entities back-up systems, to the extent
they have them.\586\
---------------------------------------------------------------------------
\579\ RSI Security, What is the Average Cost of Penetration
Testing?, RSI Security Blog (posted Mar. 5,2020), available at
https://blog.rsisecurity.com/what-is-the-average-cost-of-
penetration-testing/
#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%
20large%20company.
\580\ See RSI Security, What is the Average Cost of Penetration
Testing?, RSI Security Blog (posted Mar. 5, 2020), available at
https://blog.rsisecurity.com/what-is-the-average-cost-of-
penetration-testing/
#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%
20large%20company.
\581\ See id.
\582\ See IBM, Cost of a Data Breach Report (2019), available at
https://www.ibm.com/downloads/cas/RDEQK07R (``2019 Cost of Data
Breach Report'').
\583\ See RSI Security, What is the Average Cost of Penetration
Testing?, RSI Security Blog (posted Mar. 5, 2020), available at
https://blog.rsisecurity.com/what-is-the-average-cost-of-
penetration-testing/
#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%
20large%20company.
\584\ Gary Glover, How Much Does a Pentest Cost?,
Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at
https://www.securitymetrics.com/blog/how-much-does-pentest-cost.
\585\ Mitnick Security, What Should You Budget for a Penetration
Test? The True Cost, Mitnick Security Blog, (posted Jan. 29, 2021,
5:13 a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.
\586\ For example, security breach possibilities could increase
because of the interconnection of Market Entities through their
multi cloud providers.
---------------------------------------------------------------------------
Large Market Entities that have economies of scale are able to
implement cybersecurity policies and procedures in a more cost-
effective manner. Smaller Market Entities, on the other hand, generally
do not enjoy the same economies of scale or scope. The marginal cost
for smaller Market Entities when implementing cybersecurity policies
and procedures that are just as robust as those that would be needed by
large Market Entities likely would be relatively high for smaller
Market Entities. As a result, investment costs in cybersecurity
protection at small broker-dealers, for example, (most of which would
be Non-Covered Broker-Dealers under proposed Rule 10) likely will
account for a larger proportion of their revenue than at relatively
large broker-dealers (which likely would be Covered Entities that
realize economies of scale).
Having policies and procedures in place to address cybersecurity
risk would benefit the customers, counterparties, members, registrants,
or users with whom Market Entities interact. However, a cybersecurity
budget likely is tempered, in part, such that the total sum spent to
address cybersecurity risk provides some, but possibly not complete,
protection against cyberattacks.\587\ Ultimately,
[[Page 20282]]
those costs to address cybersecurity risks will be passed on, to the
extent possible, to the persons with whom the Market Entities do
business.\588\
---------------------------------------------------------------------------
\587\ See Martijn Wessels, Puck van den Brink, Thijmen Verburgh,
Beatrice Cadet, and Theo van Ruijven, Understanding Incentives for
Cybersecurity Investments: Development and Application of a
Typology, 1 Digit. Bus. 1-7 (Oct. 2021), available at https://doi.org/10.1016/j.digbus.2021.100014; Scott Dynes, Eric Goetz, and
Michael Freeman, Cyber Security: Are Economic Incentives Adequate?
(Intern. Conf. on Critical Infrastructure Protection, Conference
Paper, 2007), available at https://doi.org/10.1007/978-0-387-75462-8_2; Brent R. Rowe and Michael P. Gallaher, Private Sector Cyber
Security Investment Strategies: An Empirical Analysis, The Fifth
Workshop on the Economics of Information Security (Mar. 2006),
available at http://www.infosecon.net/workshop/downloads/2006/pdf/18.pdf (``Private Sector Cyber Security Investment Strategies
Analysis''); Nicole van der Meulen, RAND Europe, Investing in
Cybersecurity (Aug. 2015), available at https://repository.wodc.nl/bitstream/handle/20.500.12832/2173/2551-full-text_tcm28-73946.pdf?sequence=4&isAllowed=y.
\588\ See Derek Mohammed, Cybersecurity Compliance in the
Financial Sector, J. Internet Banking and Com. (2015), available at
https://www.icommercecentral.com/open-access/cybersecurity-compliance-in-the-financial-sector.php?aid=50498.
---------------------------------------------------------------------------
The level of cybersecurity protection instituted by Market Entities
may be inadequate from the perspective of overall economic
efficiency.\589\ In other words, the chosen level of cybersecurity
protection may, in fact, represent an underinvestment relative to the
optimal level of cybersecurity protection that should be maintained by
Market Entities from an overall economic perspective. Levels of
cybersecurity protection that are not optimal may exacerbate the
occurrence of harmful cybersecurity incidents. Cybersecurity events
have grown in both number and sophistication.\590\ These developments
in the market have significantly increased the negative externalities
that may flow from systems failures.
---------------------------------------------------------------------------
\589\ Low levels of investment in cybersecurity protection,
which are different from underinvestment in cybersecurity
protection, can be a function of a number of issues, such as firm
budget, available solutions, knowledge of the threat actors'
capabilities, and the performance of in-house or contracted
information technology teams.
\590\ See, e.g., Chuck Brooks, Alarming Cyber Statistics For
Mid-Year 2022 That You Need To Know (June 3, 2022), available at
https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2429c57e7864.
---------------------------------------------------------------------------
Underinvestment in cybersecurity may occur because a Market Entity
is aware that it would not bear the full cost of a cybersecurity
incident (i.e., some negative externalities may be borne by its
customers, counterparties, members, registrants, or users). As a
result, the Market Entity does not have to internalize the complete
cost of cybersecurity protection when deciding upon its level of
investment. This underinvestment by the Market Entity is considered to
be a moral hazard problem, because other market participants are harmed
by a significant cybersecurity incident and are forced to bear those
costs that spill over to them. At the same time, even though Market
Entities may not bear the full cost of a cybersecurity failure (e.g.,
loss of the personal information or the assets of their customers,
members, registrants, or users), they likely would incur some costs
themselves and therefore have incentives to avoid cybersecurity
failures. These incentives could cause them to implement policies and
procedures to address cybersecurity risk, which would likely result in
benefits that accrue in large part to their customers, counterparties,
members, registrants, or users. Market Entities could do this in order
to avoid the harms that could be caused by a significant cybersecurity
incident (e.g., loss of funds, assets, or personal, confidential, or
proprietary information; damage to or the holding hostage of their
information systems; or reputational damage). As a result, Market
Entities have a potential incentive to rely overly on reactive
solutions to cybersecurity threats and attacks instead of proactive
ones.\591\
---------------------------------------------------------------------------
\591\ See Private Sector Cyber Security Investment Strategies
Analysis.
---------------------------------------------------------------------------
1. In the context of cybersecurity, negative externalities arising
from the moral hazard problem can have significant negative
repercussions on the financial system more broadly, particularly due to
the interconnectedness of Market Entities.\592\ Borg notes that the
level of interconnectedness and complexity can have an influence on the
degree of damage that cybersecurity incidents impose on Market Entities
as well as their customers, counterparties, members, registrants, and
users.\593\ As for the availability of substitutes the negative effect
of a cybersecurity incident could be lessened to the extent that there
is one or more competing firms that can complete the task, such as
another broker-dealer or national securities exchange. On the flip
side, significant cybersecurity incidents may be the most damaging when
there are no substitutes available to execute the required task.
---------------------------------------------------------------------------
\592\ See Anil K. Kashyap and Anne Wetherilt, Some Principles
for Regulating Cyber Risk, 109 Amer. Econ. Assoc. Papers and Proc.
482 (May 2019).
\593\ See Scott Borg, Economically Complex Cyberattacks, IEEE
Computer Society (2005), available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1556539.
---------------------------------------------------------------------------
In addition to other firms being negatively affected by a
cybersecurity incident, investors can be negatively affected. For
example, a significant cybersecurity incident at a national securities
exchange could affect its ability to execute trades, causing orders to
go unfilled. Depending on how long it takes the national securities
exchange to resolve the issue, the prices of securities traded on the
exchange may be different from when the orders were originally
placed.\594\ A loss of confidence in an exchange due to a cybersecurity
incident could result in a longer-term reallocation of trading volume
to competing exchanges or other trading venues.\595\ A significant
cybersecurity incident could produce negative effects that spill over
and affect market participants outside of the national securities
exchange itself. It also may adversely affect market confidence, and
curtail economic activity through a reduction in securities trading
among market participants.\596\
---------------------------------------------------------------------------
\594\ National securities exchanges currently are subject to
certain obligations under Regulation SCI.
\595\ National securities exchanges may be required to meet
certain regulatory obligations in such circumstances.
\596\ See Electra Ferriello, Prof. Robert Shiller's U.S. Crash
Confidence Index, Yale School of Management, Intern. Ctr. for Fin.
(Nov. 3, 2020), available at https://som.yale.edu/blog/prof-robert-shillers-us-crash-confidence-index; Gregg E. Berman, Senior Advisor
to the Director, Division of Trading and Markets, Commission, Speech
by SEC Staff: Market Participants and the May 6 Flash Crash (Oct.
2010), available at https://www.sec.gov/news/speech/2010/spch101310geb.htm.
---------------------------------------------------------------------------
While the negative externalities that arise from the moral hazard
problem are usually depicted as being absorbed by other market
participants, the losses to other parties may be potentially covered in
part or in full by insurance policies.\597\ An even stronger incentive
to underinvest is the possibility that an outside party can make whole
or at least mitigate some of the losses incurred by the various market
participants. Market Entities may underinvest in their cybersecurity
measures due to the moral hazard that results from expectations of
government support.\598\ Most threat
[[Page 20283]]
actors primarily have a monetary incentive, and there is a large
monetary incentive to breach cybersecurity protections in the financial
sector. As a result, Covered Entities--such as clearing agencies, large
national securities exchanges, and large carrying broker-dealers--may
be attractive targets to sophisticated threat actors aiming to
compromise or disrupt the U.S. financial system because of the services
they perform to support the functioning of the U.S. securities markets;
the protection of confidential, proprietary, or personal information
they store; or the financial assets they hold. Protection against
``advanced persistent threats'' \599\ from sophisticated threat actors,
whatever their motives, is costly.\600\ The belief--no matter how
misplaced--that a widespread and crippling cybersecurity attack would
be met with government support, such as direct payments for recovery
and immediate cybersecurity investments, could lead to moral hazard
where certain Covered Entities underinvest in defenses aimed at
countering that threat.\601\
---------------------------------------------------------------------------
\597\ See Marsh, Underinvestment in Cyber Insurance Can Leave
Organizations Vulnerable (2022), available at https://www.marsh.com/pr/en/services/cyber-risk/insights/underinvestment-in-cyber-insurance.html.
\598\ It has long been noted that it is difficult for
governments to commit credibly to not providing support to entities
that are seen as critical to the functioning of the financial
system, resulting in problems of moral hazard. See, e.g., Walter
Bagehot, Lombard Street: A Description of the Money Market (Henry S.
King & Co., 1873). Historically, banking entities seen as ``too big
to fail'' or ``too interconnected to fail'' have been the principal
recipients of such government support. Since the financial crisis of
2007-2009, non-bank financial institutions (such as investment
banks), money market funds, and insurance companies, as well as
specific markets such as the repurchase market have also benefited.
See, e.g., Gary B. Gorton, Slapped by the Invisible Hand: The Panic
of 2007, Oxford Univ. Press (2010); see also Viral V. Acharya, Deniz
Anginer, and A. Joseph Warburton, The End of Market Discipline?
Investor Expectations of Implicit Government Guarantees, SSRN
Scholarly Paper, Rochester, NY: Social Science Research Network (May
1, 2016).
\599\ ``Advanced persistent threat'' refers to sophisticated
cyberattacks by hostile organizations with the goal of: gaining
access to defense, financial, and other targeted information from
governments, corporations and individuals; maintaining a foothold in
these environments to enable future use and control; and modifying
data to disrupt performance in their targets. See Michael K. Daly,
The Advanced Persistent Threat (or Informationized Force
Operations), Raytheon (Nov. 4, 2009), available at https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf.
\600\ See Nikos Virvilis and Dimitris Gritzalis, The Big Four--
What We Did Wrong in Advanced Persistent Threat Detection?, 2013
Int'l Conf. on Availability, Reliability and Security 248 (2013).
\601\ See Lawrence A. Gordon, Martin P. Loeb, and William
Lucyshyn, Cybersecurity Investments in the Private Sector: The Role
of Governments, 15 Geo. J. Int'l Aff. 79 (2014).
---------------------------------------------------------------------------
Suboptimal spending on cybersecurity also can be the result of
asymmetric information among Market Entities and market participants. A
Market Entity may not know what its optimal cybersecurity expenditures
should be because the nature and scope of future attacks are unknown.
In addition, a Market Entity may not know what its competitors do in
terms of cybersecurity planning, whether they have been subject to
unsuccessful cyberattacks, or have been a victim of one or more
significant cybersecurity incidents. Market Entities also may not be
able to signal credibly to their customers, counterparties, members,
registrants, or users that they are better at addressing cybersecurity
risks than their peers, thus reducing their incentive to bear such
cybersecurity investment costs.\602\ Lastly, Market Entities'
customers, counterparties, members, registrants, or users typically do
not have information about the Market Entities' cybersecurity spending,
the efficacy of the cybersecurity investments made, or their policies
and procedures. Therefore, those market participants cannot make
judgments about Market Entities' cybersecurity preparedness. Because of
this information asymmetry, Market Entities may not have as strong of
an incentive to have robust cybersecurity measures compared to a
scenario in which customers, counterparties, members, registrants, or
users had perfect information about the Market Entities' cybersecurity
practices and the risks that they face.
---------------------------------------------------------------------------
\602\ See Sanford J. Grossman, The Informational Role of
Warranties and Private Disclosure about Product Quality, 24 J. L.
Econ. 461 (Dec. 1981); see also Michael Spence, Competitive and
Optimal Responses to Signals: An Analysis of Efficiency and
Distribution, 7 J. Econ. Theory 296 (Mar. 1, 1974); George. A.
Akerlof, The Market for ``Lemons'': Quality Uncertainty and the
Market Mechanism, 84 Q. J. Econ. 488 (Aug. 1970).
---------------------------------------------------------------------------
Underinvestment in cybersecurity also may stem from the principal-
agent problem of divergent goals in economic theory. The relationship
between a Market Entity (i.e., the agent) and the principals (i.e., its
customers, counterparties, members, registrants, or users) can be
affected if the principal relies on the agent to perform services on
the principal's behalf.\603\ Because principals and their agents may
not have perfectly aligned preferences and goals, agents may take
actions that increase their well-being at the expense of principals,
thereby imposing ``agency costs'' on the principals.\604\ Although
private contracts between principals and agents may aim to minimize
such costs, they are limited in their ability to do so in that agents
can decide not enter into such agreements and ultimately not provide
the particular services to the principals. Furthermore, agents can
charge much higher fees that the principals choose not to bear. These
limitations provides one rationale for regulatory intervention.\605\
Market-based incentives alone are unlikely to result in optimal
provision of cybersecurity protection. In this context, having plans
and procedures in place to prepare for and respond to cybersecurity
incidents,\606\ and the rule would help ensure that the infrastructure
of the U.S. securities markets remains robust, resilient, and secure. A
well-functioning financial system is a public good.
---------------------------------------------------------------------------
\603\ See Michael C. Jensen and William H. Meckling, Theory of
the Firm: Managerial Behavior, Agency Costs and Ownership Structure,
3 J. Fin. Econ. 305 (1976).
\604\ Id.
\605\ Such limitations can arise from un-observability or un-
verifiability of actions, transactions costs associated with
including numerous contingencies in contracts, or bounded
rationality in the design of contracts. See, e.g., Jean Tirole,
Cognition and Incomplete Contracts, 99 a.m. Econ. Rev. 265 (Mar.
2009) (discussing a relatively modern treatment of these issues).
\606\ For example, according to an IBM report, in the context of
system issues arising from cybersecurity events, having an incident
response plan and ``testing that plan regularly can help [each firm]
proactively identify weaknesses in [its] cybersecurity and shore up
[its] defenses'' and ``save millions in data breach costs.'' See
2019 Cost of Data Breach Report; see also Alex Asen et al., Are You
Spending Enough on Cybersecurity (Feb. 19, 2020), available at
https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ``[a]s the world becomes ever more reliant on
technology, and as cybercriminals refine and intensify their
attacks, organizations will need to spend more on cybersecurity'').
---------------------------------------------------------------------------
Beyond reputational damage to the affected agent (Market Entity),
the principals (the Market Entity's customers, counterparties, members,
registrants, or users) can be negatively affected by a cybersecurity
breach as a result of loss in personal information and/or funds and
assets. Thus the principals and the agents may have different reasons
for needing cybersecurity protocols. Furthermore, the negative effects
of a cybersecurity incident also can spread among Market Entities due
to their interconnectedness.\607\ Those other Market Entities prefer
that the principals employ strong cybersecurity practices that reduce
the chances of a successful breach and its negative cascading effects
throughout the financial sector. All of the preceding negative
externalities are arguments for proposed Rule 10.
---------------------------------------------------------------------------
\607\ See sections I.A.1. and I.A.2. of this release (discussing
how the interconnectedness of Market Entities creates cybersecurity
risk).
---------------------------------------------------------------------------
In the production of cybersecurity defenses and controls, the main
input is information. In particular, information about prior attacks
and their degree of success, as well as prior human errors and their
degree of harm, is valuable in mounting effective countermeasures and
controls.\608\ However, Market Entities may be naturally reluctant to
share such information, as doing so could assist future attackers as
well as lead to loss of customers, reputational harm, litigation, or
regulatory scrutiny, which would be costs associated with public
disclosure.\609\ On the other hand, disclosure of such information
creates a positive information externality--the benefits of which
accrue to society at large and are not fully captured by the Market
Entity making the disclosure.
[[Page 20284]]
This situation can occur because the disclosure informs the Market
Entity's customers, counterparties, members, registrants, or users--as
well as the Market Entity's competitors--about the cybersecurity
incidents experienced by the Market Entity. As a result, information
disclosures intended to close the information asymmetry gap can have
both positive and negative consequences.
---------------------------------------------------------------------------
\608\ See Peter W. Singer and Allan Friedman, Cybersecurity:
What Everyone Needs to Know 222 (Oxford Univ. Press, 2014).
\609\ See, e.g., FTC Equifax Civil Action.
---------------------------------------------------------------------------
As discussed earlier, sources of market failure in cybersecurity
come from information asymmetries at two different levels: (1) between
Market Entities and their customers, counterparties, members,
registrants, or users; and (2) between Market Entities and threat
actors. These two failures, in turn, create distinct consequences for
each of these stakeholders.
At the first level, a Market Entity's customers, counterparties,
members, registrants, or users have incomplete information about their
own cybersecurity risks due to incomplete information about the Market
Entity's actual cybersecurity policies and procedures. To exacerbate
the first level of information asymmetry, Market Entities typically
interact with other market participants. For example, investors do
business with broker-dealers, introducing broker-dealers work with
carrying broker-dealers, FINRA supervises broker-dealers, broker-
dealers interact with national securities exchanges, and national
securities exchanges work with clearing agencies.
When utilizing the services of a Market Entity, other market
participants may not have full information regarding the Market
Entity's exposure to material harm as a result of a cybersecurity
incident. A cybersecurity incident that harms a Market Entity can harm
its customers, counterparties, members, registrants, or users.
Disclosure of information regarding significant cybersecurity incidents
by Market Entities could be used by their customers, counterparties,
members, registrants, or users to manage their own cybersecurity risk
by investing in additional cybersecurity protection, and, to the extent
they have a choice, selecting a different Market Entity with
satisfactory cybersecurity protection with whom to transact or
otherwise conduct business.\610\ That is, a Market Entity with strong
cybersecurity policies and procedures and a clean record in terms of
past significant cybersecurity incidents may be perceived by these
market participants as more desirable to interact with, or obtain
services from, than Market Entities of the same type that do not fit
that profile. Even general details about the cybersecurity incidents,
as well as the number of significant cybersecurity incidents during the
current or previous calendar year, could allow customers,
counterparties, members, registrants, and users to compare Market
Entities.
---------------------------------------------------------------------------
\610\ As discussed earlier, the public disclosure requirements
of proposed Rule 10 would apply to Market Entities that meet the
proposed rule's definition of ``covered entity.'' See paragraph (d)
of proposed Rule 10; section II.B.3. of this release (discussing the
public disclosure requirements of proposed Rule 10).
---------------------------------------------------------------------------
As a result, information from the disclosure may permit customers,
counterparties, members, registrants, and users to gauge the riskiness
of doing business with a certain Market Entity when they would not have
been able to without that knowledge, and the disclosures may encourage
those market participants to move their business to competing Market
Entities that would have to disclose information under proposed Rule 10
and are perceived to be more prepared for cybersecurity attacks.\611\
The information disclosed by competitors also can incentivize Market
Entities to increase their investment in cybersecurity protections and
allow them to adjust their defenses when they would not have done so
otherwise, thus increasing overall market stability by further limiting
harmful cybersecurity incidents.
---------------------------------------------------------------------------
\611\ The firms making the disclosure may be incentivized to
invest more in cybersecurity protection, potentially to the point of
overinvestment in order not to lose customers, counterparties,
members, registrants, and users.
---------------------------------------------------------------------------
At the second level, there are differences in the capabilities of
threat actors that are external to Market Entities and the assumed
level of cybersecurity preparations needed by Market Entities to
protect against significant cybersecurity incidents. Specifically,
Market Entities cannot fully anticipate the type, method, and
complexity of all types of cyberattacks that may materialize. Moreover,
cyberattacks evolve over time, becoming more complex and using new
avenues to circumvent Market Entities' cybersecurity protections.\612\
Furthermore, Market Entities cannot predict the timing or the target of
a given cyberattack. Though this information asymmetry is impossible to
eradicate fully given the inherent secretive nature of threat actors,
regulation may help to prevent an expansion of information asymmetry by
requiring Market Entities to gather and assess information about
cybersecurity risks and vulnerabilities more often. Doing so would not
only help to contain the negative effects of successful cybersecurity
attacks on any one Market Entity going forward, but it also would aid
in minimizing the growth in negative externalities as the effects of
successful cyberattacks spillover to other Market Entities as well as
to their customers, counterparties, members, registrants, or users.
---------------------------------------------------------------------------
\612\ See, e.g., Verizon DBIR.
---------------------------------------------------------------------------
Cybersecurity defenses must constantly evolve in order to keep up
with the threat actors who are exogenous to the Market Entity, and its
ability to anticipate specific attacks on itself is difficult at best.
Within the reasonable scenario of an interconnected market with
multiple points of entry for a potential threat actor, it may be more
costly for Market Entities that are the victims of cascading
cybersecurity breaches than for the initial target itself, as the other
Market Entities within the network ultimately would need to prepare for
a multitude of attacks originating from many different initial
targets.\613\ A strong cybersecurity program can also help Market
Entities to protect themselves from cybersecurity attacks that could
possibly come from one of multiple entry points. Having comprehensive
cybersecurity policies and procedures will aid Market Entities
identifying the source of a breach, which can result in lower detection
costs and the identification of the threat actor in a more expeditious
manner.
---------------------------------------------------------------------------
\613\ See Cybersecurity and its Cascading Effect on Societal
Systems.
---------------------------------------------------------------------------
C. Baseline
Each type of Market Entity that would be subject to proposed Rule
10 has a distinct business model and role in the U.S. financial
markets. As a result, the risks and practices, regulation, and market
structure for each Market Entity will form the baseline for the
economic analysis.
1. Cybersecurity Risks and Current Relevant Regulations
a. Cybersecurity Risks
With the widespread adoption of internet-based products and
services over the last two decades, all businesses have had to address
cybersecurity issues.\614\ For financial services firms, the stakes are
particularly high because they transact, hold custody of, and maintain
ownership records of wealth in the form of cash, securities, or other
liquid assets that cyber threat actors might strive to obtain
illegally. Such entities also represent attack vectors for threat
actors. In addition, Market Entities have linkages with each other as
[[Page 20285]]
a result of the business they conduct together. A breach at one Market
Entity may be exploited and serve as a means of compromising other
Market Entities. Cybersecurity threat intelligence surveys consistently
find the financial sector to be one of the most--if not the most--
attacked industries,\615\ and remediation costs for an incident can be
substantial.\616\ As a result, firms in the financial sector need to
invest in cybersecurity to protect their business operations along with
the accompanying assets and data stored on information systems.
---------------------------------------------------------------------------
\614\ See section I.A.1. of this release (discussing
cybersecurity risks to the U.S. securities markets).
\615\ See, e.g., IBM, X-Force Threat Intelligence Index 2022
(2022), available at https://www.ibm.com/security/data-breach/threat-intelligence.
\616\ See, e.g., 2019 Cost of Data Breach Report (noting the
average cost of a data breach in the financial industry in the
United States is $5.97 million).
---------------------------------------------------------------------------
Further, as discussed earlier, the custody and transfer of crypto
assets depends almost exclusively on the operations of information
systems.\617\ Crypto assets, therefore, are exposed to cybersecurity
risks and they are attractive targets for threat actors. Information
systems that involve crypto assets may be subject to heightened
cybersecurity risks. To the extent that Market Entities engage in
business activities involving crypto assets, they could be exposed to
these heighted cybersecurity risks.
---------------------------------------------------------------------------
\617\ See section II.G. of this release (discussing
cybersecurity risks related to crypto assets).
---------------------------------------------------------------------------
The ubiquity and rising costs of cybercrime,\618\ along with
financial services firms' increasingly costly efforts to prevent
it,\619\ have been the motivation behind the growth in the
cybersecurity industry.\620\ Many Market Entities cite the NIST
Framework as the main standard for implementing strong cybersecurity
measures.\621\ The focus that has been placed on cybersecurity also has
led to the development of numerous technologies and standards by
private sector firms aimed at mitigating cybersecurity threats. Many of
these developments, such as multi-factor authentication, secure
hypertext transfer protocol,\622\ and user-access control, are now
commonplace. Practitioners--chief technology officers (``CTOs''), chief
compliance officers (``CCOs''), chief information officers (``CIOs''),
chief information security officers (``CISOs''), and their staffs--
frequently utilize industry standard frameworks \623\ and similar
offerings from cybersecurity consultants and product vendors to assess
and address institutional cybersecurity preparedness. Such frameworks
include information technology asset management, controls, change
management, vulnerability management, incident management, continuity
of operations, risk management, dependencies on third parties,
training, and information sharing. In recent years, companies' boards
of directors and executive management teams have focused on these
areas.
---------------------------------------------------------------------------
\618\ See FBI internet Crime Report (noting that cybercrime
victims lost approximately $6.9 billion in 2021).
\619\ See Office of Financial Research, Annual Report to
Congress 2021, available at https://www.financialresearch.gov/annual-reports/files/OFR-Annual-Report-2021.pdf.
\620\ Sage Lazzaro, The Cybersecurity Industry Is Burning--But
VCs Don't Care, VentureBeat (Sept. 2, 2021), available at https://venturebeat.com/2021/09/02/the-cybersecurity-industry-is-burning-and-vcs-dont-care/ (``VentureBeat'').
\621\ FCI, Top 5 Ways the Financial Services Industry Can
Leverage NIST for Cybersecurity Compliance, available at https://fcicyber.com/top-5-ways-the-financial-services-industry-can-leverage-nist-for-cybersecurity-compliance/.
\622\ Hypertext transfer protocol, HTTP, is the primary set of
rules that allow a web browser to communicate with (i.e., send data
to) a website.
\623\ CISA, Cyber Resilience Review (CRR): Method Description
and Self-Assessment User Guide (Apr. 2020), available at https://www.cisa.gov/sites/default/files/publications/2_CRR%204.0_Self-Assessment_User_Guide_April_2020.pdf.
---------------------------------------------------------------------------
Unaddressed cybersecurity risks, particularly at Market Entities,
impose negative externalities on the broader financial system. Actions
taken to implement, maintain, and upgrade cybersecurity protections
likely reduce overall risk in the economy. In addition, due to the
potential for large-scale losses with respect to funds, securities, and
customer information, Market Entities have a vested interest in
installing, maintaining, and upgrading cybersecurity-related software
and hardware. Based on staff discussions with market participants,
cybersecurity-related activities can be performed in-house or
contracted out to third parties with expertise in those areas.
Financial services firms may employ a mix of in-house and outsourced
staff and resources to meet their cybersecurity needs and goals.
b. Current Relevant Regulations
i. Broker-Dealers
Broker-dealers are subject to Regulation S-P \624\ and Regulation
S-ID.\625\ In addition, ATSs that trade certain stocks exceeding
specific volume thresholds are subject to Regulation SCI.\626\ Further,
an ATS is subject to Regulation ATS.\627\ As discussed earlier,
Regulation SCI, Regulation S-P, Regulation ATS, and Regulation S-ID
have provisions requiring policies and procedures to address certain
types of cybersecurity risks.\628\ Regulation SCI also requires
immediate written or telephonic notice and subsequent reporting to the
Commission on Form SCI of certain types of incidents.\629\ Finally,
Regulation SCI has provisions requiring disclosures to persons affected
by certain incidents.\630\
---------------------------------------------------------------------------
\624\ See 17 CFR 248.1 through 248.30.
\625\ See 17 CFR 248.201 and 202.
\626\ See 17 CFR 242.1000 through 1007.
\627\ See 17 CFR 242.301 through 304.
\628\ See section II.F.1.c. of this release (discussing in more
detail the existing requirements of Regulation SCI, Regulation S-P,
Regulation ATS, and Regulation S-ID to have policies and procedures
to address certain cybersecurity risks).
\629\ See section II.F.1.d. of this release (discussing in more
detail the existing immediate notification and subsequent reporting
requirements of Regulation SCI).
\630\ See section II.F.1.e. of this release (discussing in more
detail the existing disclosure requirements of Regulation SCI).
---------------------------------------------------------------------------
Broker-dealers are also subject to the Commission's financial
responsibility rules. Rule 15c3-1 requires broker-dealers to maintain
minimum amounts of net capital, ensuring that the broker-dealer at all
times has enough liquid assets to promptly satisfy all creditor claims
if the broker-dealer were to go out of business.\631\ Rule 15c3-3 under
the Exchange Act imposes requirements relating to safeguarding customer
funds and securities.\632\ These rules provide protections for broker-
dealer counterparties and customers and can help to mitigate the risks
to, and impact on, customers and other market participants by
protecting them from the consequences of financial failure that may
occur because of a systems issue at a broker-dealer.
---------------------------------------------------------------------------
\631\ See 17 CFR 240.15c3-1.
\632\ See 17 CFR 240.15c3-3.
---------------------------------------------------------------------------
Under Exchange Act Rule 15c3-4, OTC derivatives dealers must
establish, document, and maintain a system of internal risk management
controls to assist it in managing the risks associated with its
business activities, including market, credit, leverage, liquidity,
legal, and operational risks.\633\ The required risk management system
must include, among other things: a risk control unit that reports
directly to senior management, periodic reviews which may be performed
by internal audit staff, and annual reviews which must be conducted by
independent certified public accountants.\634\ Management must
periodically review the entity's business activities for consistency
with risk management guidelines, including that the data necessary to
conduct the risk monitoring and risk management function as well as the
valuation process
[[Page 20286]]
over the entity's portfolio of products is accessible on a timely basis
and information systems are available to capture, monitor, analyze, and
report relevant data.\635\
---------------------------------------------------------------------------
\633\ See 17 CFR 240.15c3-4(a).
\634\ See 17 CFR 240.15c3-4(c).
\635\ Id.
---------------------------------------------------------------------------
Exchange Act Rules 17a-3 and 17a-4 require broker-dealers to make
and keep current records detailing, among other things, securities
transactions, money balances, and securities positions.\636\ Further, a
broker-dealer that fails to make and keep current the records required
by Rule 17a-3 must give notice to the Commission of this fact on the
same day and, thereafter, within 48 hours transmit a report to the
Commission stating what the broker-dealer has done or is doing to
correct the situation.\637\
---------------------------------------------------------------------------
\636\ See 17 CFR 240.17a-3; 17 CFR 240.17a-4.
\637\ See 17 CFR 240.17a-11.
---------------------------------------------------------------------------
Moreover, with certain exceptions, broker-dealers must file
confidential SARs with FinCEN to report any suspicious transaction
relevant to a possible violation of law or regulation.\638\ The SARs
include information regarding who is conducting the suspicious
activity, what instruments or mechanisms are being used, when and where
the suspicious activity took place, and why the filer thinks the
activity is suspicious. Broker-dealers must make the records available
to FinCEN as well as to other appropriate law enforcement agencies,
federal or state securities regulators, and SROs registered with the
Commission.
---------------------------------------------------------------------------
\638\ See 31 CFR 1023.320; section IV.A. of this release
(discussing the requirements to file SARs in more detail).
---------------------------------------------------------------------------
Broker-dealers are generally required to register with the
Commission and join a national securities association or national
securities exchange.\639\ As SROs, national securities associations and
national securities exchanges are required to enforce their members'
compliance with the Exchange Act, the rules and regulations thereunder,
and the SRO's own rules. The vast majority of brokers and dealers join
FINRA. Broker-dealers that are members of FINRA are subject FINRA Rules
3110, 3120, and 4530(b) (among other FINRA rules).\640\ FINRA Rule 3110
requires broker-dealer members to have in place a system to supervise
its activities so that they are in compliance with applicable rules and
regulations. FINRA Rule 3120 requires broker-dealer members to test and
verify that the supervisory procedures are reasonably designed with
respect to the activities of the member and its associated persons, as
well as to achieve compliance with applicable securities laws and
regulations and with applicable FINRA rules. In addition, broker-dealer
members must create additional or amended supervisory procedures where
a need is identified by such testing and verification. The designated
individual(s) must submit to the broker-dealer member's senior
management no less than annually a report detailing each member's
system of supervisory controls, the summary of the test results and
significant identified exceptions, and any additional or amended
supervisory procedures created in response to the test results. FINRA
Rule 4530(b) states that each broker-dealer member shall promptly
report to FINRA, but not later than 30 calendar days after the member
has concluded or reasonably should have concluded, that an associated
person of the member or the member itself has violated any securities-,
insurance-, commodities-, financial- or investment-related laws, rules,
regulations, or standards of conduct of any domestic regulatory body,
foreign regulatory body, or SRO. Furthermore, Commission staff has
issued statements \641\ and FINRA has issued guidance \642\ in the area
of cybersecurity.\643\ The statements and FINRA guidance with respect
to these rules identify common elements of reasonably designed
cybersecurity policies and procedures including risk assessment, user
security and access, information protection, incident response,\644\
and training.\645\
---------------------------------------------------------------------------
\639\ See 15 U.S.C. 78o(a)(1) and 15 U.S.C. 78o(b)(8).
\640\ Broker-dealers that are members of national securities
exchanges are also subject to the rules of the national securities
exchanges regarding membership, registration, operation, and
business conduct, among other exchange regulations.
\641\ See, e.g. EXAMS, Risk Alert, Safeguarding Client Accounts;
EXAMS, Risk Alert, Select COVID-19 Compliance Risks and
Considerations for Broker-Dealers and Investment Advisers (Aug. 12,
2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf; EXAMS,Risk Alert, Ransomeware; EXAMS,
Report on OCIE Cybersecurity and Resiliency Observations (Jan. 27,
2020), available at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf (``EXAMS
Cybersecurity and Resiliency Observations''); EXAMS, Safeguarding
Customer Records and Information in Network Storage--Use of Third
Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf;
EXAMS, Investment Adviser and Broker-Dealer Compliance Issues
Related to Regulation S-P--Privacy Notices and Safeguard Policies
(Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; EXAMS, Observations
from Cybersecurity Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf
(``EXAMS Observations from Cybersecurity Examinations''); EXAMS,
Cybersecurity: Ransomware Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf;
EXAMS, OCIE's 2015 Cybersecurity Examination Initiative (Sept. 15,
2015), available at https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf; EXAMS, Cybersecurity
Examination Sweep Summary (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf (``Cybersecurity Examination Sweep Summary''); EXAMS,
OCIE's 2014 Cybersecurity Initiative (Apr. 15, 2014), available at
https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert-Appendix-4.15.14.pdf.
\642\ See FINRA, Core Cybersecurity Threats and Effective
Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/files/2022-05/Core_Cybersecurity_Threats_and_Effective_Controls-Small_Firms.pdf;
FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021),
available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf; FINRA, 2021 Report
on FINRA's Examination and Risk Monitoring Program (Feb. 1, 2021),
available at https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf (``FINRA 2021
Report on Examination and Risk Monitoring Program''); FINRA, 2019
Report on FINRA Examination Findings and Observations (Oct. 16,
2019), available at https://www.finra.org/sites/default/files/2019-10/2019-exam-findings-and-observations.pdf; FINRA Common
Cybersecurity Threats; FINRA, Report on Selected Cybersecurity
Practices--2018 (Dec. 1, 2018), available at https://www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf (``FINRA Report on
Selected Cybersecurity Practices''); FINRA, Report on FINRA
Examination Findings (Dec. 6, 2017), available at https://www.finra.org/sites/default/files/2017-Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity Checklist (May 23,
2016), available at https://www.finra.org/compliance-tools/small-firm-cybersecurity-checklist.
\643\ Cybersecurity has also been a regular theme of FINRA's
Regulatory and Examination Priorities Letter since 2008 often with
reference to Regulation S-P. Similarly, while risks related to data
compromises were highlighted in the Commission staff's exam
priorities, an official focus on ``cyber'' began in 2014 after the
SEC sponsored a Cybersecurity Roundtable and the Division of
Examination conducted cybersecurity initiative I and II to assess
industry practices and legal and compliance issues associated with
broker-dealer and investment adviser cybersecurity preparedness.
Cybersecurity initiatives I and II were each separate series of
examinations of cybersecurity practices conducted by EXAMS,
concluding in 2014 and 2017. The examinations covered broker-
dealers, investment advisers, and funds. EXAMS released a summary
report for each initiative.
\644\ See FINRA 2021 Report on Examination and Risk Monitoring
Program (noting that FINRA recommended among effective practices
with respect to incident response: (1) establishing and regularly
testing--often using tabletop exercises--a written formal incident
response plan that outlines procedures for responding to
cybersecurity and information security incidents; and (2) developing
frameworks to identify, classify, prioritize, track and close
cybersecurity-related incidents).
\645\ These categories vary somewhat in terms of nomenclature
and the specific categories themselves across different Commission
and FINRA publications.
---------------------------------------------------------------------------
Consistent with these rules, nearly all broker-dealers that
participated in two Commission exam sweeps in 2015 and 2017 reported
\646\ maintaining some
[[Page 20287]]
cybersecurity policies and procedures; conducting some periodic risk
assessments to identify threats and vulnerabilities,\647\ conducting
firm-wide systems inventorying or cataloguing, ensuring regular system
maintenance including the installation of software patches to address
security vulnerabilities, performing some penetration testing.\648\ A
separate staff statement observed that at least some firms implemented
capabilities that are able to control, monitor, and inspect all
incoming and outgoing network traffic to prevent unauthorized or
harmful traffic and implemented capabilities that are able to detect
threats on endpoints.\649\ In the two Commission exam sweeps, many
firms indicated that policies and procedures were vetted and approved
by senior management and that firms provided annual cybersecurity
reports to the board while some also provided ad hoc reports in the
event of major cybersecurity events.\650\ Broadly, many broker-dealers
reported relying on industry standards with respect to cybersecurity
\651\ typically by adhering to a specific industry standard or
combination of industry standards or by using industry standards as
guidance in designing policies and procedures.
---------------------------------------------------------------------------
\646\ See Cybersecurity Examination Sweep Summary (noting that
of 57 examined broker-dealers, the vast majority adopted written
information security policies, conducted periodic audits to
determine compliance with these information security policies and
procedures, conducted risk assessments and reported considering such
risk assessments in establishing their cybersecurity policies and
procedures, and that with respect to vendors, the majority of the
broker-dealers required cybersecurity risk assessments of vendors
with access to their firms' networks and had at least some specific
policies and procedures relating to vendors). See also EXAMS
Observations from Cybersecurity Examinations (noting that nearly all
firms surveyed had incident response plans).
\647\ See FINRA Report on Selected Cybersecurity Practices. This
report noted that FINRA has conducted a voluntary Risk Control
Assessment (``RCA'') Survey with all active member firms for a
number of years. According to the 2018 RCA, 94% of higher revenue
firms and 70% of mid-level revenue firms use a risk assessment as
part of their cybersecurity program.
\648\ Id. According to FINRA's 2018 RCA, 100% of higher revenue
firms include penetration testing as a component in their overall
cybersecurity program.
\649\ See EXAMS Cybersecurity and Resiliency Observations.
\650\ See FINRA, Report on Cybersecurity Practices (Feb. 2015),
available at https://www.finra.org/sites/default/files/2020-07/2015-report-on-cybersecurity-practices.pdf (``FINRA Report on
Cybersecurity Practices'').
\651\ Id. Among the firms that were part of the sweep, nearly
90% used one or more of the NIST, International Organization for
Standardization (``ISO'') or Information Systems Audit and Control
Association (``ISACA'') frameworks or standards. More specifically,
65% of the respondents reported that they use the ISO 27001/27002
standard while 25% use the Control Objectives for Information and
Related Technologies (``COBIT'') framework created by ISACA. Some
firms use combinations of these standards for various parts of their
cybersecurity programs. While the report focused on firm utilization
of cybersecurity frameworks specifically, in many cases, the
referenced frameworks were broader IT frameworks.
---------------------------------------------------------------------------
With respect to broker-dealer reporting to their boards regarding
cybersecurity policies and procedures and cybersecurity incidents, the
board reporting frequency ranged from quarterly to ad-hoc among the
firms FINRA reviewed.\652\ Approximately two-thirds of the broker-
dealers (68%) examined in a 2015 survey had an individual explicitly
assigned as the firm's CISO which might suggest extensive executive
leadership engagement.
---------------------------------------------------------------------------
\652\ See FINRA Report on Cybersecurity Practices. At a number
of firms, the board received annual cybersecurity-related reporting
while other firms report on a quarterly basis. A number of firms
also provide ad hoc reporting to the board in the event of major
cybersecurity events.
---------------------------------------------------------------------------
There are no current Commission or FINRA requirements for broker-
dealers to disseminate notifications of breaches to members or clients
although many firms do so \653\ pursuant to various state data breach
laws.\654\ Broker-dealers are subject to state laws known as ``Blue Sky
Laws,'' which generally are regulations established as safeguards for
investors against securities fraud.\655\ All 50 states have enacted
laws in recent years requiring firms to notify individuals of data
breaches. These laws differ by state, with some states imposing
heightened notification requirements relative to other states.\656\
---------------------------------------------------------------------------
\653\ See Cybersecurity Examination Sweep Summary. Based on a
small sample of firms, the vast majority of broker-dealers
maintained plans for data breach incidents and most had plans for
notifying customers of material events.
\654\ See Digital Guardian, The Definitive Guide to U.S. State
Data Breach Laws (Nov. 15, 2022), available at https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf.
\655\ See, e.g., Office of Investor Education and Advocacy,
Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/investing-basics/glossary/blue-sky-laws.
\656\ For example, some states may require a firm to notify
individuals when a data breach includes biometric information, while
others do not. Compare Cal. Civil Code Sec. 1798.29 (stating that
notice to California residents of a data breach is generally
required when a resident's personal information was or is reasonably
believed to have been acquired by an unauthorized person and that
``personal information'' is defined to mean an individual's first or
last name in combination with one of a list of specified elements,
which includes certain unique biometric data), with Ala. Stat.
Sec. Sec. 8-38-2, 8-38-4, 8-38-5 (stating that notice of a data
breach to Alabama residents is generally required when sensitive
personally identifying information has been acquired by an
unauthorized person and is reasonably likely to cause substantial
harm to the resident to whom the information relates and that
``sensitive personally identifying information'' is defined as the
resident's first or last name in combination with one of a list of
specified elements, which does not include biometric information).
---------------------------------------------------------------------------
ii. SROs
National securities exchanges, registered clearing agencies, FINRA,
and the MSRB are all SROs and are all considered to be SCI Entities,
which requires them to comply with Regulation SCI.\657\ As discussed
earlier, Regulation SCI has provisions requiring policies and
procedures to address certain types of cybersecurity risks.\658\
Regulation SCI also requires immediate written or telephonic notice and
subsequent reporting to the Commission on Form SCI of certain types of
incidents.\659\ Finally, Regulation SCI has provisions requiring
disclosures to persons affected by certain incidents.\660\
---------------------------------------------------------------------------
\657\ See 17 CFR 242.1000 through 1007.
\658\ See section II.F.1.c. of this release (discussing in more
detail the existing requirements of Regulation SCI to have policies
and procedures to address certain cybersecurity risks).
\659\ See section II.F.1.d. of this release (discussing in more
detail the existing immediate notification and subsequent reporting
requirements of Regulation SCI).
\660\ See section II.F.1.e. of this release (discussing in more
detail the existing disclosure requirements of Regulation SCI).
---------------------------------------------------------------------------
In addition, as described above, Rule 613 of Regulation NMS
requires the Participants to jointly develop and submit to the
Commission a CAT NMS Plan.\661\ The Participants conduct the activities
of the CAT through a jointly owned limited liability company,
Consolidated Audit Trail, LLC. The CAT is intended to function as a
modernized audit trail system that provides regulators with more timely
access to a comprehensive set of trading data, thus enabling regulators
to more efficiently and effectively reconstruct market events, monitor
market behavior, and investigate misconduct. The CAT System accepts
data that are submitted by the Participants and broker-dealers, as well
as data from certain market data feeds like SIP and OPRA.\662\
---------------------------------------------------------------------------
\661\ See 17 CFR 242.613; see also section II.F.1.c. of this
release (discussing the CAT NMS Plan in general and describing the
roles of the Participants and Plan Processor).
\662\ CAT data is not public, although some information in the
CAT may be available through public sources (e.g., market data feeds
like the SIP or proprietary exchange feeds).
---------------------------------------------------------------------------
FINRA CAT, LLC--a wholly-owned subsidiary of FINRA--has entered
into an agreement with the Company to act as the Plan Processor and, as
such, is responsible for building, operating and maintaining the CAT.
However, because the CAT System is owned and operated by FINRA CAT, LLC
on behalf of the national securities exchanges and FINRA, the
Participants remain ultimately responsible for the performance of the
CAT and its compliance with statutes, rules, and regulations.
[[Page 20288]]
Under the Commission approved CAT NMS Plan, the Plan Processor must
develop various policies and procedures related to data security,
including a comprehensive information security program that includes,
among other things, requirements related to: (1) connectivity and data
transfer, (2) data encryption, (3) data storage, (4) data access, (5)
breach management, including requirements related to the development of
a cyber incident response plan and documentation of all information
relevant to breaches, and (6) personally identifiable information data
management.\663\ As part of this requirement, the Plan Processor is
required to create and enforce policies, procedures, and control
structures to monitor and address CAT data security, including reviews
of industry standards \664\ and periodic penetration testing.\665\
Under the CAT NMS Plan the comprehensive information security program
must be updated by the Plan Processor at least annually.\666\
Furthermore, both the Participants and the Plan Processor must also
implement various data confidentiality measures that include safeguards
to secure access and use of the CAT.\667\ The Plan Processor must also
review Participant information security policies and procedures related
to the CAT to ensure that such policies and procedures are comparable
to those of the CAT System.\668\ In addition to these policies and
procedures requirements,\669\ the CAT NMS Plan requires several forms
of periodic review of CAT, including an annual written assessment,\670\
regular reports,\671\ and an annual audit.\672\
---------------------------------------------------------------------------
\663\ See CAT NMS Plan, appendix D, sections 4 and 6.12.
\664\ The Company is subject to certain industry standards with
respect to its comprehensive information security program, including
but not limited to: NIST 800-23 (Guidelines to Federal Organizations
on Security Assurance and Acquisition/Use of Test/Evaluated
Products), NIST 800-53 (Security and Privacy Controls for Federal
Information Systems and Organizations), NIST 800-115 (Technical
Guide to Information Security Testing and Assessment), and, to the
extent not otherwise specified, all other provisions of the NIST
cyber security framework. See CAT NMS Plan, Appendix D, section 4.2.
\665\ Id. at section 6.2(b)(v); Appendix D, sections 4 and 6.12.
\666\ See CAT NMS Plan at Appendix D, section 4.1.
\667\ Specifically, the measures implemented by the Plan
Processor must include, among other things: (1) restrictions on the
acceptable uses of CAT Data; (2) role-based access controls; (3)
authentication of individual users; (4) MFA and password controls;
(5) implementation of information barriers to prevent unauthorized
staff from accessing CAT Data; (6) separate storage of sensitive
personal information and controls on transmission of data; (7)
security-driven monitoring and logging; (8) escalation of non-
compliance events or security monitoring; and (9) remote access
controls. Id. at Appendix D, sections 4.1, 5.3, 8.1.1, and 8.2.2;
section 6.2(a)(v)(J)-(L); section 6.2(b)(vii); section 6.5(c)(i);
section 6.5(f).
\668\ CAT NMS Plan at section 6.2(b)(vii).
\669\ In August 2020, the Commission proposed certain amendments
to the CAT NMS Plan that are designed to enhance the security of the
CAT. See https://www.sec.gov/rules/proposed/2020/34-89632.pdf.
\670\ The Participants are required to provide the Commission
with an annual written assessment of the Plan Processor's
performance, which must include, among other things, an evaluation
of potential technology upgrades and an evaluation of the CAT
information security program. Id. at section 6.6(b); section
6.2(a)(v)(G).
\671\ The Plan Processor is required to provide the operating
committee with regular reports on various topics, including data
security issues and the Plan Processor. Id. at section 6.1(o);
section 6.2(b)(vi); section 6.2(a)(v)(E); and section 4.12(b)(i).
\672\ The Plan Processor is required to create and implement an
annual audit plan that includes a review of all Plan Processor
policies, procedures, control structures, and tools that monitor and
address data security, in addition to other types of auditing
practices. Id. at section 6.2(a)(v)(B)-(C); Appendix D, section
4.1.3; Appendix D, section 5.3.
---------------------------------------------------------------------------
iii. SBS Entities
Section 15F(j)(2) of the Exchange Act, among other things, requires
each SBS Entity to establish robust and professional risk management
systems adequate for managing its day-to-day business.\673\
Additionally, certain SBS Entities must comply with specified
provisions of Rule 15c3-4 and, therefore, establish, document, and
maintain a system of internal risk management controls to assist in
managing the risks associated with their business activities.\674\
Further, SBS Entities could be subject to Regulation S-ID if they are
``financial institutions'' or ``creditors.'' \675\
---------------------------------------------------------------------------
\673\ 15 U.S.C. 78o-10(j). The Commission also requires that
specified SBS Entity trading relationship documentation include the
process for determining the value of each security-based swap for
purposes of complying with, among other things, the risk management
requirements of section 15F(j) of the Exchange Act and paragraph
(h)(2)(iii)(I) of Rule 15Fh-3, and any subsequent regulations
promulgated pursuant to section 15F(j). See 17 CFR 140.15Fi-5(b)(4).
The documentation must include either: (1) alternative methods for
determining the value of the security-based swap in the event of the
unavailability or other failure of any input required to value the
security-based swap for such purposes; or (2) a valuation dispute
resolution process by which the value of the security-based swap
shall be determined for the purposes of complying with the rule. See
17 CFR 140.15Fi-5(b)(4)(ii). Further, SBS Entities must engage in
portfolio reconciliation to resolve discrepancies, among other
things. See 17 CFR 240.15Fi-3(a) and (b). Such discrepancies include
those resulting from a cybersecurity incident.
\674\ See 17 CFR 240.15c3-1(a)(7)(iii) (applies to broker-
dealers authorized to use models, including broker-dealers dually
registered as an SBSD); 17 CFR 240.15c3-1(a)(10)(ii) (applies to
broker-dealers not authorized to use models that are dually
registered as an SBSD); 17 CFR 240.18a-1(f) (applies to SBSDs that
are not registered as a broker-dealer, other than an OTC derivatives
dealer, and that do not have a prudential regulator); 17 CFR
240.18a-2(c) (applies to MSBSPs); see also 17 CFR 240.15c3-4; see
section IV.C.1.b.i. of this section (discussing requirements of Rule
15c3-4).
\675\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID
includes any financial institution or creditor, as defined in the
Fair Credit Reporting Act (15. U.S.C. 1681) that is required to be
``registered under the Securities Act of 1934.'' See 17 CFR
248.201(a). Because SBS Entities are required to be so registered,
an SBS Entity that is a ``financial institution'' or ``creditor'' as
defined in the Fair Credit Reporting Act is within the scope of
Regulation S-ID.
---------------------------------------------------------------------------
SBS Entities are subject to additional Commission rules to have
risk management policies and procedures, to review policies and
procedures, to report information about compliance to the Commission,
and to disclose certain risks to their counterparties. For example,
paragraph (h) of Rule 15Fh-3 requires, among other things, that an SBSD
or MSBSP establish, maintain, and enforce written policies and
procedures regarding the supervision of the types of security-based
swap business in which it is engaged and the activities of its
associated persons that are reasonably designed to prevent violations
of applicable federal securities laws and the rules and regulations
thereunder.\676\ The policies and procedures must include, among other
things: (1) procedures for a periodic review, at least annually, of the
security-based swap business in which the SBS Entity engages and (2)
procedures reasonably designed to comply with duties set forth in
section 15F(j) of the Exchange Act, such as risk management duties set
forth in section 15F(j)(2).\677\
---------------------------------------------------------------------------
\676\ See 17 CFR 240.15Fh-3(h). An SBS Entity must amend its
written supervisory procedures, as appropriate, when material
changes occur in its business or supervisory system. Material
amendments to the SBS Entity's supervisory procedures must be
communicated to all associated persons to whom such amendments are
relevant based on their activities and responsibilities. See 17 CFR
240.15Fh-3(h)(4).
\677\ See 17 CFR 240.15Fh-3(h)(2)(iii).
---------------------------------------------------------------------------
Paragraph (b) of Rule 15Fk-1 requires each SBS Entity's CCO to,
among other things, report directly to the board of directors or to the
senior officer of the SBS Entity and to take reasonable steps to ensure
that the SBS Entity establishes, maintains, and reviews written
policies and procedures reasonably designed to achieve compliance with
the Exchange Act and the rules and regulations thereunder relating to
its business as an SBS Entity by: (1) reviewing its compliance with
respect to the requirements described in section 15F of the Act and the
rules and regulations thereunder, where the review involves preparing
the an annual assessment of its written policies and procedures
reasonably designed to achieve compliance with section 15F of
[[Page 20289]]
the Act and the rules and regulations thereunder; (2) taking reasonable
steps to ensure that the SBS Entity establishes, maintains, and reviews
policies and procedures reasonably designed to remediate non-compliance
issues identified by the chief compliance officer through any means;
and (3) taking reasonable steps to ensure that the SBS Entity
establishes and follows procedures reasonably designed for the
handling, management response, remediation, retesting, and resolution
of non-compliance issues.\678\
---------------------------------------------------------------------------
\678\ See 17 CFR 240.15Fk-1(b)(2). The CCO also must administer
each policy and procedure that is required to be established
pursuant to section 15F of the Exchange Act and the rules and
regulations thereunder. See 17 CFR 240.15Fk-1(b)(4).
---------------------------------------------------------------------------
Paragraph (c) of Rule 15Fk-1 requires an SBS Entity to submit an
annual compliance report containing, among other things, a description
of: (1) its assessment of the effectiveness of its policies and
procedures relating to its business as an SBS Entity; (2) any material
changes to the SBS Entity's policies and procedures since the date of
the preceding compliance report; (3) any areas for improvement, and
recommended potential or prospective changes or improvements to its
compliance program and resources devoted to compliance; (4) any
material non-compliance matters identified; and (5) the financial,
managerial, operational, and staffing resources set aside for
compliance with the Exchange Act and the rules and regulations
thereunder relating to its business as a SBSD or MSBSP, including any
material deficiencies in such resources.\679\ The compliance report
must be submitted to the Commission within 30 days following the
deadline for filing the SBS Entity's annual financial report.\680\
---------------------------------------------------------------------------
\679\ See 17 CFR 240.15Fk-1(c)(2).
\680\ Id.
---------------------------------------------------------------------------
SBS Entities' operations also are governed, in part, by paragraph
(b) of Rule 15Fh-3 in that they must, at a reasonably sufficient time
prior to entering into a security-based swap, disclose to a
counterparty (other than a SBSD, MSBSP, swap dealer, or major swap
participant) material information concerning the security-based swap in
a manner reasonably designed to allow the counterparty to assess
material risks and characteristics as well as material incentives or
conflicts of interest.\681\ Relevant risks may include market, credit,
liquidity, foreign currency, legal, operational, and any other
applicable risks.\682\ Further, SBSDs must establish, maintain, and
enforce written policies and procedures reasonably designed to obtain
and retain a record of the essential facts concerning each counterparty
whose identity is known to the SBSD that are necessary for conducting
business with such counterparty.\683\ Among other things, the essential
facts regarding the counterparty are facts required to implement the
SBSD's operational risk management policies in connection with
transactions entered into with such counterparty.\684\
---------------------------------------------------------------------------
\681\ See 17 CFR 240.15Fh-3(b).
\682\ See 17 CFR 240.15Fh-3(b)(1).
\683\ See 17 CFR 240.15Fh-3(e).
\684\ See 17 CFR 240.15Fh-3(e)(2).
---------------------------------------------------------------------------
iv. SBSDRs
Section 13(n) of the Exchange Act specifies the requirements and
core principles with which SBSDRs are required to comply. The
Commission adopted rules that cover the receiving and maintenance of
security-based swap data, how entities can access such information, and
the maintaining the continued privacy of confidential information.
Security-based swap data repositories must have written policies and
procedures reasonably designed to review any prohibition or limitation
of any person with respect to access to services offered, directly or
indirectly, or data maintained by the SBSDR.\685\
---------------------------------------------------------------------------
\685\ 17 CFR 240.13n-4(c)(1)(iv).
---------------------------------------------------------------------------
The SBSDRs must enforce written policies and procedures reasonably
designed to protect the privacy of security-based swap transaction
information.\686\ As a result, they must establish and maintain
safeguards, policies, and procedures reasonably designed to prevent the
misappropriation or misuse, directly or indirectly, of confidential
information, including, but not limited to, trade data; position data;
and any nonpublic personal information about a market participant or
any of its customers, material, nonpublic information, and/or
intellectual property, such as trading strategies or portfolio
positions, by the SBSDR or any person associated with the SBSDR for
personal benefit or for the benefit of others. Such safeguards,
policies, and procedures must address, without limitation: (1) limiting
access to such confidential information, material, nonpublic
information, and intellectual property; (2) standards pertaining to
trading by persons associated with the SBSDR for their personal benefit
or for the benefit of others; and (3) adequate oversight to ensure
compliance with these safeguards. These rules cover potential
unauthorized access from within or outside of the SBSDR, which could
include a cybersecurity breach.\687\
---------------------------------------------------------------------------
\686\ 17 CFR 240.13n-9(b)(1).
\687\ 17 CFR 240.13n-9(b)(2).
---------------------------------------------------------------------------
Additionally, a SBSDR must furnish to a market participant, prior
to accepting its securities-based swap data, a disclosure document that
contains information from which the market participant can identify and
evaluate accurately the risks and costs associated with using the
services of the SBSDR.\688\ Key points include, among other things, the
criteria for providing others with access to services offered and data
maintained by the SBSDR; criteria for those seeking to connect to or
link with the SBSDR; policies and procedures regarding the SBDR's
safeguarding of data and operational reliability, as described in Rule
13n-6; policies and procedures reasonably designed to protect the
privacy of any and all security-based swap transaction information that
the SBSDR receives from a SBSD, counterparty, or any registered entity,
as described in Rule 13n-9(b)(1); policies and procedures regarding its
non-commercial and/or commercial use of the security-based swap
transaction information that it receives from a market participant, any
registered entity, or any other person; dispute resolution procedures
involving market participants, as described in Rule 13n-5(b)(6); and
governance arrangements of the swap-based security data
repository.\689\
---------------------------------------------------------------------------
\688\ See 17 CFR 240.13n-10.
\689\ See 17 CFR 240.13n-10(b).
---------------------------------------------------------------------------
v. Transfer Agents
Transfer agents registered with the Commission (but not transfer
agents registered with another appropriate regulatory agency) are
subject to the Regulation S-P Disposal Rule.\690\ Transfer agents also
may be subject to Regulation S-ID if they are ``financial
institutions'' or ``creditors.'' \691\ As discussed earlier, the
Regulation S-P Disposal Rule and Regulation S-ID have provisions
requiring policies and procedures to address certain types of
cybersecurity risks.\692\
---------------------------------------------------------------------------
\690\ See 17 CFR 248.30(b)(2).
\691\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID
includes any financial institution or creditor, as defined in the
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be
``registered under the Securities Exchange Act of 1934.'' See 17 CFR
248.201(a).
\692\ See section II.F.1.c. of this release (discussing in more
detail the existing requirements of the Regulation S-P Disposal Rule
and Regulation S-ID to have policies and procedures to address
certain cybersecurity risks).
---------------------------------------------------------------------------
Rule 17Ad-12 requires transfer agents to ensure that all securities
are held in safekeeping and are handled, in light of all facts and
circumstances, in a manner that is reasonably free from risk of theft,
loss, or destruction. In addition, the transfer agent must ensure that
funds
[[Page 20290]]
are protected, in light of all facts and circumstances, against misuse.
In evaluating which particular safeguards and procedures must be
employed, the cost of the various safeguards and procedures as well as
the nature and degree of potential financial exposure are two relevant
factors.\693\
---------------------------------------------------------------------------
\693\ 17 CFR 240.17Ad-12(a).
---------------------------------------------------------------------------
Transfer agents are subject indirectly to state corporation law
when acting as agents of corporate issuers, and they are directly
subject to state commercial law, principal-agent law, and other laws,
many of which are focused on corporate governance and the rights and
obligations of issuers and securityholders.\694\ The transfer of
investment securities is primarily governed by UCC Article 8, which has
been adopted by the legislatures of all 50 states,\695\ the District of
Columbia, Puerto Rico, and the Virgin Islands. Transfer agents may also
be subject to the laws of the states of incorporation for both issuers
and their securityholders that apply to specific services provided by
the transfer agent, such as data privacy.\696\
---------------------------------------------------------------------------
\694\ See, e.g., Del. Code Ann. tit. 8 (Delaware General
Corporation Law), Del. Code Ann. tit. 6, art. 8 (Investment
Securities), Restatement (Third) of Agency (2006).
\695\ Louisiana has enacted the provisions of Article 8 into the
body of its law, among others, but has not adopted the UCC as a
whole.
\696\ For example, California's privacy statute which became
effective in 2003, was the first significant effort by a state to
assert substantive regulation of privacy of customer data. See Cal.
Civ. Code Sec. Sec. [thinsp]1798.80-1798.84. While state
regulations vary across jurisdictions, other states have followed
suit with similar regulatory initiatives. See, e.g., Minn. Stat.
Sec. [thinsp]325E.61, Neb. Rev. Stat. Sec. Sec. [thinsp]87-801-
807.
---------------------------------------------------------------------------
c. Market Entities Subject to CFTC Regulations
Certain types of Market Entities are dually registered with the
Commission and the CFTC. For example, some clearing agencies are
registered with the CFTC as derivative clearing organizations
(``DCOs'') and some SBSDRs are registered with the CFTC as swap data
repositories (``SDRs''). In addition, some broker-dealers are
registered with the CFTC as futures commission merchants (``FCMs'') or
swap dealers. Most currently registered SBSDs are also registered with
the CFTC as swap dealers. As CFTC registrants, these Market Entities
are subject to requirements that pertain to cybersecurity or are
otherwise relevant to the proposals in this release.
i. Requirements for DCOs
DCOs are subject to a CFTC systems safeguards rule.\697\ This rule
requires them--among other things--to establish and maintain: (1) a
program of risk analysis and oversight with respect to their operations
and automated systems to identify and minimize sources of operational
risk; and (2) a business continuity and disaster recovery plan,
emergency procedures, and physical, technological, and personnel
resources sufficient to enable the timely recovery and resumption of
operations and the fulfillment of each obligation and responsibility of
the DCO, including, but not limited to, the daily processing, clearing,
and settlement of transactions, following any disruption of its
operations.\698\ The safeguards rule also requires vulnerability and
penetration testing (among other things).\699\ Further, it requires
notice to the CFTC staff if the DCO experiences certain exceptional
events.\700\
---------------------------------------------------------------------------
\697\ See 17 CFR 39.18.
\698\ See 17 CFR 39.18(b) and (c). The program of risk analysis
and oversight must include--among other elements--information
security, including, but not limited to, controls relating to:
access to systems and data (including, least privilege, separation
of duties, account monitoring and control); user and device
identification and authentication; security awareness training;
audit log maintenance, monitoring, and analysis; media protection;
personnel security and screening; automated system and
communications protection (including, network port control, boundary
defenses, encryption); system and information integrity (including,
malware defenses, software integrity monitoring); vulnerability
management; penetration testing; security incident response and
management; and any other elements of information security included
in generally accepted best practices. See 17 CFR 39.18(b)(2)(i).
\699\ See 17 CFR 39.18(e).
\700\ See 17 CFR 39.18(g).
---------------------------------------------------------------------------
ii. Requirements for SDRs
SDRs are subject to a CFTC systems safeguards rule.\701\ This rule
requires them--among other things--to: (1) establish and maintain a
program of risk analysis and oversight to identify and minimize sources
of operational risk through the development of appropriate controls and
procedures and the development of automated systems that are reliable,
secure, and have adequate scalable capacity; (2) establish and maintain
emergency procedures, backup facilities, and a business continuity-
disaster recovery plan that allow for the timely recovery and
resumption of operations and the fulfillment of their duties and
obligations as an SDR; and (3) periodically conduct tests to verify
that backup resources are sufficient to ensure continued fulfillment of
all their duties under the Commodity Exchange Act and the CFTC's
regulations.\702\ The program of risk analysis and oversight required
by the SDR safeguards rule--among other things--must address: (1)
information security; and (2) business continuity-disaster recovery
planning and resources.\703\ The safeguards rule also requires the SDR
to notify the CFTC promptly of--among other events--all cyber security
incidents or targeted threats that actually or potentially jeopardize
automated systems operation, reliability, security, or capacity.\704\
---------------------------------------------------------------------------
\701\ See 17 CFR 49.24.
\702\ See 17 CFR 49.24(a).
\703\ See 17 CFR 49.24(b)(2) and (3). For the purposes of the
SDR safeguards rule, information security includes, but is not
limited to, controls relating to: access to systems and data
(including least privilege, separation of duties, account monitoring
and control); user and device identification and authentication;
security awareness training; audit log maintenance, monitoring, and
analysis; media protection; personnel security and screening;
automated system and communications protection (including network
port control, boundary defenses, encryption); system and information
integrity (including malware defenses, software integrity
monitoring); vulnerability management; penetration testing; security
incident response and management; and any other elements of
information security included in generally accepted best practices.
See 17 CFR 49.24(b)(2).
\704\ See 17 CFR 49.24(g)(2).
---------------------------------------------------------------------------
iii. Requirements for FCMs and Swap Dealers
The CFTC does not have a cybersecurity regime for FCMs and swap
dealers comparable to that being proposed in this release.\705\
However, FCMs and swap dealers are currently subject to information
security requirements by virtue of their membership with the National
Futures Association (NFA).\706\ Specifically, NFA
[[Page 20291]]
examines swap dealers and FCMs for compliance with NFA Interpretive
Notice 9070, which establishes general requirements for NFA members
relating to their information systems security programs (ISSPs).\707\
The notice requires members to adopt and enforce a written ISSP
reasonably designed to provide safeguards to protect against security
threats or hazards to their technology systems. The safeguards must be
appropriate to the member's size, complexity of operations, type of
customers and counterparties, the sensitivity of the data accessible
within its systems, and its electronic interconnectivity with other
entities. The notice further provides guidance on how to meet this
requirement, including that members should document and describe the
safeguards in the ISSP, identify significant internal and external
threats and vulnerabilities, create an incident response plan, and
monitor and regularly review their ISSPs for effectiveness, among other
things. Members should also have procedures to promptly notify NFA in
the form and manner required of a cybersecurity incident related to the
member's commodity interest business and that results in: (1) any loss
of customer or counterparty funds; (2) any loss of a member's own
capital; or (3) in the member providing notice to customers or
counterparties under state or federal law.
---------------------------------------------------------------------------
\705\ Current CFTC requirements relating to information security
for FCMs and swap dealers are more general in nature or limited in
application. See, e.g., 17 CFR 23.600(c)(4)(vi) (providing that swap
dealer's risk management program policies and procedures shall take
into account, among other things, secure and reliable operating and
information systems with adequate, scalable capacity, and
independence from the business trading unit; safeguards to detect,
identify, and promptly correct deficiencies in operating and
information systems; and reconciliation of all data and information
in operating and information systems); 162.21, 160.30 (requiring
FCMs and swap dealers to adopt written policies and procedures
addressing administrative, technical, and physical safeguards with
respect to the information of consumers). The current CFTC Chairman
has, however, announced support for developing cybersecurity
requirements for FCMs and swap dealers. See CFTC, Address of
Chairman Rostin Behnam at the ABA Business Law Section Derivatives &
Futures Law Committee Winter Meeting (Feb. 3, 2023), available at
https://www.cftc.gov/PressRoom/SpeechesTestimony/opabehnam31.
\706\ See NFA, Interpretive Notice 9070--NFA Compliance Rules 2-
9, 2-36 and 2-49: Information Systems Security Programs (Sept. 30,
2019), available at https://www.nfa.futures.org/rulebooksql/rules.aspx?RuleID=9070&Section=9. NFA has also issued guidance
relating to the oversight of third-party service providers. See NFA,
Interpretive Notice 9079--NFA Compliance Rules 2-9 and 2-36:
Members' Use of Third-Party Service Providers (Sept. 30, 2021),
available at https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079.
\707\ Id.
---------------------------------------------------------------------------
The CFTC does require swap dealers to establish and maintain a
business continuity and disaster recovery plan that outlines the
procedures to be followed in the event of an emergency or other
disruption of their normal business activities.\708\ The business
continuity and disaster recovery plan must be designed to enable the
swap dealer to continue or to resume any operations by the next
business day with minimal disturbance to its counterparties and the
market, and to recover all documentation and data required to be
maintained by applicable law and regulation.\709\ The business
continuity and disaster recovery plan must--among other requirements--
be tested annually by qualified, independent internal personnel or a
qualified third party service.\710\ The date the testing was performed
must be documented, together with the nature and scope of the testing,
any deficiencies found, any corrective action taken, and the date that
corrective action was taken.\711\
---------------------------------------------------------------------------
\708\ See 17 CFR 23.603. The business continuity and disaster
recovery plan must include: (1) the identification of the documents,
data, facilities, infrastructure, personnel and competencies
essential to the continued operations of the swap dealer and to
fulfill its obligations; (2) the identification of the supervisory
personnel responsible for implementing each aspect of the business
continuity and disaster recovery plan and the emergency contacts
required to be provided; (3) a plan to communicate with specific
persons the in the event of an emergency or other disruption, to the
extent applicable to the operations of the swap dealer; (4)
procedures for, and the maintenance of, back-up facilities, systems,
infrastructure, alternative staffing and other resources to achieve
the timely recovery of data and documentation and to resume
operations as soon as reasonably possible and generally within the
next business day; (5) maintenance of back-up facilities, systems,
infrastructure and alternative staffing arrangements in one or more
areas that are geographically separate from the swap dealer's
primary facilities, systems, infrastructure and personnel (which may
include contractual arrangements for the use of facilities, systems
and infrastructure provided by third parties); (6) back-up or
copying, with sufficient frequency, of documents and data essential
to the operations of the swap dealer or to fulfill the regulatory
obligations of the swap dealer and storing the information off-site
in either hard-copy or electronic format; and (7) the identification
of potential business interruptions encountered by third parties
that are necessary to the continued operations of the swap dealer
and a plan to minimize the impact of such disruptions. See 17 CFR
23.603(b).
\709\ See 17 CFR 23.603(a).
\710\ See 17 CFR 23.603(g).
\711\ Id.
---------------------------------------------------------------------------
d. Market Entities Subject to Federal Banking Regulations
Broker-dealers affiliated with a banking organization \712\ and
some SBS Entities and transfer agents that are banking organizations
are subject to the requirements of prudential regulators such as the
FDIC, Federal Reserve Board, and the OCC. These prudential regulators
have rules requiring banking organizations to notify them no later than
36 hours after learning of a ``computer-security incident,'' which is
defined ``as an occurrence that results in actual harm to the
confidentiality, integrity, or availability of an information system or
the information that the system processes, stores, or transmits.''
---------------------------------------------------------------------------
\712\ In the simplification of the Volcker Rule, effective Jan.
21, 2020, Commission staff estimated that there were 202 broker-
dealers that were affiliated with banking organizations.
---------------------------------------------------------------------------
The rule also requires a bank service provider to notify at least
one bank-designated point of contact at each affected customer bank as
soon as possible when it determines it has experienced a computer-
security incident that has materially disrupted or degraded, or is
reasonably likely to disrupt or degrade, covered services provided to
the bank for four or more hours. If the bank has not previously
provided a designated point of contact, the notification must be made
to the bank's chief executive officer (``CEO'') and CIO or to two
individuals of comparable responsibilities.'' \713\ Prudential
regulators have also published guidance for banking organizations
relating to cybersecurity.\714\
---------------------------------------------------------------------------
\713\ See 12 CFR 53.1 through 53.4 (OCC); 12 CFR 225.300 through
225.303 (Federal Reserve Board); 12 CFR 304.21 through 24 (FDIC).
\714\ See, e.g., SR 21-14: Authentication and Access to
Financial Institution Services and Systems (Aug. 11, 2021),
available at https://www.federalreserve.gov/supervisionreg/srletters/sr2114.htm; SR 15-9: FFIEC Cybersecurity Assessment Tool
for Chief Executive Officers and Boards of Directors (July 2, 2015),
available at https://www.federalreserve.gov/supervisionreg/srletters/sr1509.htm; SR 05-23/CA 05-10: Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information
and Customer Notice (Dec. 1, 2005), available at https://www.federalreserve.gov/boarddocs/srletters/2005/SR0523.htm.
---------------------------------------------------------------------------
e. Information Sharing
Information sharing is an important part of cybersecurity. Alerts
that are issued by the Commission or by the securities industry make
Market Entities aware of trends in cybersecurity incidents and
potential threats. This advanced warning can help Market Entities to
prepare for future cybersecurity attacks by testing and upgrading their
cybersecurity infrastructure.
The value of such information sharing has long been recognized. In
1998, Presidential Decision Directive 63 established industry-based
information sharing and analysis centers (``ISACs'') to promote the
disclosure and sharing of cybersecurity information among firms.\715\
The FS-ISAC provides financial firms with such a forum.\716\ However,
observers have questioned the efficacy of these information-sharing
partnerships.\717\ Although the Commission does not have data on the
extent of Market Entities' use of such forums or their efficacy,
surveys of securities firms conducted by FINRA suggest that there is
considerable variation in firms' willingness to share
[[Page 20292]]
information about cybersecurity threats on a voluntary basis, with
larger firms being more likely to do so.\718\ Similarly, a recent
survey of financial firms found that while recognition of the value of
information-sharing arrangements is widespread, the majority of firms
report hesitance to participate due to regulatory restrictions or
privacy concerns.\719\
---------------------------------------------------------------------------
\715\ See President Decision Directive/NSC-63, Critical
Infrastructure Protection (May 22, 1998); Presidential Decision
Directive 63, Critical Infrastructure Protection: Sector
Coordinators, 98 FR 41804 (Aug. 5, 1998) (notice and request for
expressions of interest); see also National Council of ISACs,
available at https://www.nationalisacs.org.
\716\ Information about FS-ISAC is available at https://www.fsisac.com.
\717\ See James A. Lewis and Denise E. Zheng, Cyber Threat
Information Sharing, 2015 Cre. for Strategic and Int'l Stud. 62
(Mar. 2015) (stating that the ``benefits of information sharing,
when done correctly, are numerous'' but that [p]rogrammatic,
technical, and legal challenges, as well as lack of buy-in from the
stakeholder community, are the key impediments'' to effective
information-sharing partnerships).
\718\ See FINRA Report on Cybersecurity Practices. Survey
respondents included large investment banks, clearing firms, online
brokerages, high-frequency traders, and independent dealers.
\719\ See Julie Bernard, Mark Nicholson, and Deborah Golden,
Reshaping the Cybersecurity Landscape, Deloitte (Jul. 24, 2020),
available at https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html (``Reshaping the Cybersecurity Landscape''). Survey
respondents consisted of CISOs (or equivalent) of 53 members of the
FS-ISAC. Of the respondents, 24 reported being in the retail/
corporate banking sector, 20 reported being in the consumer/
financial services (non-banking) sector, and 17 reported being in
the insurance sector. Other respondents included IT service
providers, financial utilities, trade associations, and credit
unions. Some respondents reported being in multiple sectors.
---------------------------------------------------------------------------
Market surveillance and regulatory activities--such as enforcement
by SROs--can result in information sharing with--and referrals to--the
Commission and other federal agencies, particularly if the issues being
investigated are cybersecurity related.
f. Adequacy of Current Cybersecurity Policies and Procedures
While spending on cybersecurity measures in the financial services
industry is considerable, and the growing risk of cybersecurity events
has led many corporate executives to significantly increase their
cybersecurity budget,\720\ the budget levels themselves are not the
most important facet of a cybersecurity program.\721\ In a recent
survey of 20 consumer/financial (non-banking) services firms,
respondents ranked cybersecurity budget levels lower than other facets
of cybersecurity maintenance.\722\ For example, financial companies'
boards and management teams indicated that overall cybersecurity
strategy, the identification threats and cybersecurity risks, the
firm's susceptibility to breaches when other financial institutions are
successfully attacked, and the results of cybersecurity testing all
ranked higher than security budgets themselves.\723\ Surveys of
financial services firms indicate that 10.5% of their information
technology budgets are spent on cybersecurity, and the per-employee
expenditure is approximately $2,348 annually as of 2020.\724\ This per-
employee value can be used to estimate the cybersecurity expenditures
at each of the Market Entities that would be affected by the proposed
rule.\725\
---------------------------------------------------------------------------
\720\ For example, according to one source, as of 2020, ``55% of
enterprise executives [were planning] to increase their
cybersecurity budgets in 2021 and 51% are adding full-time cyber
staff in 2021.'' Louis Columbus, The Best Cybersecurity Predictions
for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/louiscolumbus/2020/12/15/the-best-cybersecurity-predictions-for-2021-roundup/?sh=6d6db8b65e8c.
\721\ See Reshaping the Cybersecurity Landscape.
\722\ Id.
\723\ Id.
\724\ Id.
\725\ The per-employee expenditure can be multiplied by the
Market Entity's employee head count on a full-time equivalent basis
to estimate its spending on cybersecurity protection.
---------------------------------------------------------------------------
2. Market Structure
a. Broker-Dealers
The operations and functions of broker-dealers are discussed
earlier in this release.\726\ The following broker-dealers would be
Covered Entities: (1) broker-dealers that maintain custody of
securities and cash for customers or other broker-dealers (i.e.,
carrying broker-dealers); (2) broker-dealers that introduce their
customer accounts to a carrying broker-dealer on a fully disclosed
basis (i.e., introducing broker-dealers); (3) broker-dealers with
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that
operate an ATS.\727\ Broker-dealers that do not fall into one of those
six categories would not be Covered Entities (i.e., they would be Non-
Covered Broker-Dealers). As discussed above, broker-dealers that are
Covered Entities would be subject to additional policies and
procedures, reporting, and disclosure requirements under proposed Rule
10.\728\ These additional requirements would not apply to broker-
dealers that are not Covered Entities.\729\
---------------------------------------------------------------------------
\726\ See section I.A.2.b. of this release.
\727\ See paragraphs (a)(1)(i)(A) through (F) of proposed Rule
10.
\728\ See paragraph (b) through (d) of proposed Rule 10 (setting
forth the requirements for Market Entities that meet the definition
of ``covered entity'').
\729\ See paragraph (e) of proposed Rule 10 (setting forth the
requirements for Market Entities that do not meet the definition of
``covered entity'').
---------------------------------------------------------------------------
Table 1 presents a breakdown of all broker-dealers registered with
the Commission as of the third quarter of 2022. Based on 2022 FOCUS
Part II/IIA data, there were 3,510 registered broker-dealers with
average total assets of $1.5 billion and average regulatory capital of
$144 million. Of those broker-dealers, 1,541 would be classified as
Covered Entities with average total assets of $3.5 billion and average
regulatory capital of $325 million. Meanwhile, the 1,969 brokers that
would be classified as Non-Covered Broker-Dealers were generally much
smaller than broker-dealers that would be classified as Covered
Entities, having an average total asset level of $4.7 million and
regulatory capital of $3 million. In other words, Non-Covered Broker-
Dealers accounted for only about 0.2 percent of total asset value and
only 0.1 percent of total regulatory capital in the third quarter of
2022.
The majority of small broker-dealers, as defined by Rule 0-10 \730\
were classified as Non-Covered Broker-Dealers (74%) compared to a
minority of small broker-dealers that were classified as Covered
Entities (26%), which means that most small broker-dealers would be
subject to the less stringent regulatory requirements under the
proposed Rule 10 for Non-Covered Broker-Dealers. The small broker-
dealers that qualified as Covered Entities and would be subject to
additional requirements of proposed Rule 10 generally were broker-
dealers that introduce their customer accounts to carrying broker-
dealers on a fully disclosed basis.
---------------------------------------------------------------------------
\730\ See 17 CFR 240.0-10 (``Rule 0-10'') for definition of
small entities including small broker-dealers under the Exchange Act
for purposes of the Regulatory Flexibility Act (``RFA''). This
definition is for the economic analysis only. See also section VI of
this release (setting forth the Commission's RFA analysis).
Table 1--Broker-Dealers as Covered Entities as of September 2022
[Average broker-dealer total assets and regulatory equity]
----------------------------------------------------------------------------------------------------------------
Average
Total number Number of Number of Average total regulatory
Categories of covered BDs of BDs small BDs retail BDs assets equity
included (millions) (millions)
----------------------------------------------------------------------------------------------------------------
Carrying........................ 162 0 145 $28,250.9 $2,528.7
Introducing..................... 1219 195 1106 103.0 44.3
Market making................... 19 0 1 179.2 17.4
[[Page 20293]]
ATS............................. 36 0 21 4.1 3.1
>$50 Million Regulatory Equity 105 0 44 6,891.6 351.5
and/or >$1 billion total assets
----------------------------------------------------------------------------------------------------------------
Covered......................... 1541 195 1317 3,523.3 325.1
----------------------------------------------------------------------------------------------------------------
Non-Covered..................... 1969 569 1115 4.7 3.0
-------------------------------------------------------------------------------
Total....................... 3510 764 2432 1,549.9 144.4
----------------------------------------------------------------------------------------------------------------
Covered Broker-Dealers provide a broad spectrum of services to
their clients, including, for example: trade execution, clearing,
market making, margin and securities lending, sale of investment
company shares, research services, underwriting and selling, retail
sales of corporate securities, private placements, and government and
Series K securities sales and trading. In contrast, Non-Covered Broker-
Dealers tend to offer a more focused and limited set of services.
In terms of specific services offered, as presented in Table 2
below, while the majority of broker-dealers that are Covered Entities
have lines of business devoted to broker and dealer services across a
broad spectrum of financial instruments, Non-Covered Broker-Dealers as
a whole focus on private placements. In addition, a significant
minority of Non-Covered Broker-Dealers also engages in mutual fund
sales and underwriting, variable contract sales, corporate securities
underwriting, and direct investment offerings.
Table 2--Lines of Business at Broker-Dealers as of September 2022 *
[Percent of covered entity and non-covered broker-dealers engaged in
each line of business]
------------------------------------------------------------------------
Percent of Percent of non-
covered broker- covered broker-
Line of business dealers dealers
(percent) (percent)
------------------------------------------------------------------------
Retailing Corporate Equity Securities 76.4 8.1
Over The Counter.......................
Corporate Debt Securities............... 69.6 7.9
Mutual Funds............................ 62.2 19.5
Private Placements...................... 58.1 72.1
Options................................. 58.1 3.7
US Government Securities Broker......... 56.2 3.9
Municipal Debt/Bonds--Broker............ 53.1 6.4
Other Securities Business............... 52.0 65.1
Underwriter--Corporate Securities....... 45.0 11.5
Trading Via Floor Broker................ 43.4 5.7
Variable Contracts...................... 42.4 16.3
Proprietary Trading..................... 40.4 3.8
Investment Advisory Services............ 25.8 4.6
Municipal Debt/Bonds--Dealer............ 25.4 1.5
Direct investments--Primary............. 21.2 13.2
US Government Securities Dealer......... 20.7 0.9
Other Non-Securities Business........... 18.1 11.2
Time Deposits........................... 16.5 1.2
Commodities............................. 12.5 1.1
Market Making........................... 12.3 0.6
Mortgage or Asset Backed Securities..... 11.9 1.3
Bank Networking/Kiosk Relationship...... 11.0 0.4
Internet/Online Trading Accounts........ 10.8 0.5
Exchange Non-Floor Activities........... 10.6 0.9
Direct investments--Secondary........... 8.2 2.0
Oil and Gas Interests................... 7.9 3.1
Underwriter--Mutual Funds............... 6.4 7.8
Exchange Floor Activities............... 5.9 1.2
Executing Broker........................ 5.5 0.6
Day Trading Accounts.................... 4.8 0.3
Insurance Networking/Kiosk Relationship. 4.7 0.6
Non Profit Securities................... 4.2 0.4
Real Estate Syndication................. 2.8 2.8
Prime Broker............................ 1.6 0.0
Issuer Affiliated Broker................ 1.2 1.1
Clearing Broker in a Prime Broker 1.2 0.0
Arrangement............................
Crowdfunding FINRA Rule 4518 (a)........ 0.7 1.1
Funding Portal.......................... 0.2 0.3
Crowdfunding FINRA Rule 4518 (b)........ 0.1 0.3
[[Page 20294]]
Capital Acquisition Broker.............. 0.1 1.2
------------------------------------------------------------------------
* This information is derived from Form BD, Question 12.
As of November 2022, there were 33 NMS Stock ATSs with an effective
Form ATS-N on file with the Commission \731\ and 68 non-NMS Stock ATSs
with a Form ATS on file with the Commission.\732\ Most broker-dealer
ATS operators operate a single ATS.
---------------------------------------------------------------------------
\731\ See Form ATS-N Filings and Information, available at
https://www.sec.gov/divisions/marketreg/form-ats-n-filings.htm.
\732\ See the current list of registered ATSs on the
Commission's website, available at https://www.sec.gov/foia/docs/atslist.
---------------------------------------------------------------------------
b. Clearing Agencies
The operations and functions of clearing agencies are discussed
earlier in this release.\733\ A clearing agency (whether registered
with the Commission or exempt) would be considered a Covered Entity
under proposed Rule 10.\734\ There are a total of 16 clearing agencies
that would meet the definition of a Covered Entity under proposed Rule
10. There are seven registered and active clearing agencies: DTC, FICC,
NSCC, ICC, ICEEU, the Options Clearing Corp., and LCH SA. Two clearing
agencies are registered with the Commission but are inactive and
currently do not provide clearing and settlement activities. Those
clearing agencies are the BSECC and SCCP.\735\ In addition, there are
five clearing agencies that are exempt from registering with the
Commission. Those exempt clearing agencies are DTCC ITP Matching U.S.
LLC, Bloomberg STP LLC, and SS&C Technologies, Inc., which provide
matching services; and Clearstream Banking, S.A. and Euroclear Bank SA/
NV, which provide clearing agency services with respect to transactions
involving U.S. government and agency securities for U.S.
participants.\736\
---------------------------------------------------------------------------
\733\ See section I.A.2.c. of this release.
\734\ See paragraph (a)(1)(iii). of proposed Rule 10.
\735\ BSECC and SCCP have not provided clearing services in over
a decade. See BSECC Notice (stating that BSECC ``returned all
clearing funds to its members by September 30, 2010, and [ ] no
longer maintains clearing members or has any other clearing
operations as of that date . . . . BSECC [ ] maintain[s] its
registration as a clearing agency with the Commission for possible
active operations in the future''); SCCP Notice (noting that SCCP
``returned all clearing fund deposits by September 30, 2009; [and]
as of that date SCCP no longer maintains clearing members or has any
other clearing operations . . . . SCCP [] maintain[s] its
registration as a clearing agency for possible active operations in
the future.''). BSECC and SCCP are included in the economic baseline
and must be considered in the benefits and costs analysis due to
their registration with the Commission. They also are included in
the PRA for purposes of the PRA estimate. See section V of this
release (setting forth the Commission's PRA analysis).
\736\ In addition to the 14 clearing agencies discussed above,
the Commission's expects that two entities may apply to register or
to seek an exemption from registration as a clearing agency in the
next three years. As a result, they were included in the PRA in
section V.
---------------------------------------------------------------------------
Of the seven operating registered clearing agencies, six provide
CCP clearing services and one provides CSD services. In addition, NSCC,
FICC, and DTC are all registered clearing agencies that are
subsidiaries of the Depository Trust and Clearing Corporation.
Together, this subset of registered clearing agencies offer clearing
and settlement services for equities, corporate, and municipal bonds,
government and mortgage-backed securities, derivatives, money market
instruments, syndicated loans, mutual funds, and alternative investment
products in the United States. ICC and ICEEU are both registered
clearing agencies for credit default swaps (``CDS'') and are both
subsidiaries of ICE. LCH SA, a France-based subsidiary of LCH Group
Holdings Ltd, is a registered clearing agency that also offers clearing
for CDS. The seventh registered clearing agency, the Options Clearing
Corp., offers clearing services for exchange-traded U.S. equity
options.
c. The MSRB
The operations and functions of the MSRB are discussed earlier in
this release.\737\ The MSRB would be considered a Covered Entity under
proposed Rule 10.\738\ As an SRO registered with the Commission, the
MSRB protects municipal securities investors, municipal entities,
obligated persons, and the public interest. While the MSRB used to only
regulate the activities of broker-dealers and banks that buy, sell, and
underwrite municipal securities, it regulates certain activities of
municipal advisors.
---------------------------------------------------------------------------
\737\ See section I.A.2.d. of this release.
\738\ See paragraph (a)(1)(iv) of proposed Rule 10.
---------------------------------------------------------------------------
d. National Securities Associations
The operations and functions of national securities association are
discussed earlier in this release.\739\ A national securities
association would be considered a Covered Entity under proposed Rule
10.\740\ FINRA currently is the only national securities association
registered with the Commission and is a not-for-profit organization
with 3,700 employees that oversees broker-dealers, including their
branch offices, and registered representatives through examinations,
enforcement, and surveillance.
---------------------------------------------------------------------------
\739\ See section I.A.2.e. of this release.
\740\ See paragraph (a)(1)(i)(v) of proposed Rule 10.
---------------------------------------------------------------------------
FINRA, among other things, provides a forum for securities
arbitration and mediation; conducts market regulation, including by
contract for a majority of the national securities exchanges; regulates
its broker-dealer members; administers testing and licensing of
registered persons; collects and stores regulatory filings; \741\ and
operates industry utilities such as Trade Reporting Facilities.\742\
Through the collection of regulatory filings submitted by broker-
dealers as well as stock options and fixed-income quote, order, and
trade data, FINRA maintains certain confidential information--not only
its own but of other SROs.
---------------------------------------------------------------------------
\741\ Some of the filings collected include FOCUS reports; Form
OBS; Form SSOI; Form Custody; firm clearing arrangements filings;
Blue Sheets; customer margin balance reporting; short interest
reporting; Form PF; Form 211; public offering and private placement
related filings; FINRA Rules 4311 and 4530 reporting; subordination
agreements; and Regulations M, T, and NMS.
\742\ These include Trade Reporting and Compliance Engine
(TRACE), OTC ATS and Non-ATS data, Over-the-Counter Reporting
Facility (ORF), Trade Reporting Facility (TRF), Alternative Display
Facility (ADF), and Order Audit Trail System (OATS) (phased out as
of 2021).
---------------------------------------------------------------------------
e. National Securities Exchanges
The operations and functions of the national securities exchanges
are discussed earlier in this release.\743\ A national securities
exchange would be considered a Covered Entity under proposed Rule
10.\744\ There are 24
[[Page 20295]]
national securities exchanges \745\ currently registered with the
Commission that would meet the definition of a Covered Entity under
proposed Rule 10(a)(1): BOX Exchange LLC; Cboe BYX Exchange, Inc.; Cboe
BZX Exchange, Inc.; Cboe C2 Exchange, Inc.; Cboe EDGA Exchange, Inc.;
Cboe EDGX Exchange, Inc.; Cboe Exchange, Inc.; Investors Exchange LLC;
Long-Term Stock Exchange, Inc.; MEMX, LLC; Miami International
Securities Exchange; MIAX Emerald, LLC; MIAX PEARL, LLC; Nasdaq BX,
Inc.; Nasdaq GEMX, LLC; Nasdaq ISE, LLC; Nasdaq MRX, LLC; Nasdaq PHLX
LLC; The Nasdaq Stock Market; New York Stock Exchange LLC; NYSE Arca,
Inc.; NYSE Chicago, Inc.; NYSE American, LLC; and NYSE National,
Inc.\746\
---------------------------------------------------------------------------
\743\ See section I.A.2.f. of this release.
\744\ See paragraph (a)(1)(vi) of proposed Rule 10.
\745\ Exempt securities exchanges governed by section 5 of the
Act are not considered to be national securities exchanges.
\746\ Two exchanges, The Island Futures Exchange, LLC, and NQLX
LLC, were formerly registered with the Commission as national
securities exchanges.
---------------------------------------------------------------------------
f. SBS Entities and SBSDRs
Operations and functions of SBS Entities and SBSDRs are discussed
earlier in this release.\747\ An SBS Entity and an SBSDR would be
considered a Covered Entity under proposed Rule 10.\748\ As of January
4, 2023, there were 50 registered SBSDs that would meet the definition
of a Covered Entity under proposed Rule 10(a)(1).\749\ There were no
MSBSPs as of January 4, 2023.
---------------------------------------------------------------------------
\747\ See sections I.A.2.g. and I.A.2.h. of this release.
\748\ See paragraphs (a)(1)(iii), (vii), and (viii) of proposed
Rule 10 (defining, respectively, MSBSPs, SBSDRs, and SBSDs as
``covered entities'').
\749\ See List of Registered Security-Based Swap Dealers and
Major Security-Based Swap Participants (Jan. 4, 2023), available at
https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.
---------------------------------------------------------------------------
There are three SBSDRs that would meet the definition of a Covered
Entity under proposed Rule 10(a)(1). The Commission has two registered
security-based swap data repositories (ICE Trade Vault, LLC and DTCC
Data Repository (U.S.), LLC). GTR North America provides transaction
reporting services for derivatives in the United States through the
legal entity DTCC Data Repository (U.S.) LLC. DTCC Data Repository
(U.S.), LLC enables firms to meet their reporting obligations under the
Dodd-Frank Act and accepts trade submissions directly from reporting
firms as well as through third-party service providers.\750\ In
addition to the two registered SBSDRs, the Commission expects that an
additional entity may apply to be a registered SBSDR in the next three
years.
---------------------------------------------------------------------------
\750\ See DTCC, GTR North America, available at https://www.dtcc.com/repository-and-derivatives-services/repository-services/gtr-north-america.
---------------------------------------------------------------------------
g. Transfer Agents
The operations and functions of transfer agents are discussed
earlier in this release.\751\ Transfer agents would be Covered Entities
under proposed Rule 10.\752\ Transfer agents generally work for issuers
of securities. Among other functions, they may: (1) track, record, and
maintain on behalf of issuers the official record of ownership of each
issuer's securities; (2) cancel old certificates, issue new ones, and
perform other processing and recordkeeping functions that facilitate
the issuance, cancellation, and transfer of securities; (3) facilitate
communications between issuers and registered securityholders; and (4)
make dividend, principal, interest, and other distributions to
securityholders.\753\ Transfer agents are required to be registered
with the Commission, or if the transfer agent is a bank, then with a
bank regulatory agency. As of December 31, 2022, there were 353
registered transfer agents.\754\
---------------------------------------------------------------------------
\751\ See section I.A.2.i. of this release.
\752\ See paragraph (a)(1)(ix) of proposed Rule 10.
\753\ See Transfer Agent Regulations, Exchange Act Release No.
76743 (Dec. 22, 2015), 80 FR 81948, 81949 (Dec. 31, 2015).
\754\ See Commission, Transfer Agent Data Sets (Dec. 31, 2022),
available at https://www.sec.gov/dera/data/transfer-agent-data-sets.
---------------------------------------------------------------------------
h. Service Providers
Many Market Entities utilize service providers to perform some or
all of their cybersecurity functions. Market Entities that are large--
relative to other Market Entities--in terms of their total assets,
number of clients or members, or daily transactions processed are
likely to have significant information technology, their own
information technology departments and dedicated staff such that some
functions are performed in-house. Other services may be contracted out
to service providers that cater to Market Entities. Smaller Market
Entities that do not have large technology budgets may rely more
heavily (or completely) on third parties for their cybersecurity needs.
According to a voluntary survey, financial services firms spend
approximately 0.3 percent of revenue or 10% of their information
technology budgets on cybersecurity, highlighting the fact that
identifying vulnerabilities and having cybersecurity policies and
procedures in place are more important than the actual cybersecurity
budget itself, particularly with respect to expensive hardware and
software.\755\
---------------------------------------------------------------------------
\755\ See Reshaping the Cybersecurity Landscape.
---------------------------------------------------------------------------
In performing their contracted duties, specialized service
providers may receive, maintain, or process confidential information
from Market Entities, or are otherwise permitted to access Market
Entities' information systems and the information residing on those
systems. Market Entities work with service providers that provide
certain critical functions, such as process payment providers,
regulatory services consultants, data providers, custodians, and
valuation services. However, Market Entities also employ general
service providers, such as email providers, relationship management
systems, cloud applications, and other technology vendors.
Regardless of their size, Market Entities typically enter into
contracts with service providers to perform a specific function for a
given time frame at a set price. At the conclusion of a contract, it
may be renewed if both parties are satisfied. Because prices typically
increase over time, there may be some need to negotiate a new fee for
continued service. Negotiations also occur if additional services are
requested from a given third-party provider. In the instance where
additional services are required mid-contract, for example, due to
increased regulatory requirements, the service provider may be able to
bill for the extra work that it must incur separately to provide the
additional service, particularly if that party is in a highly
concentrated market for that service and can wield market power. This
may be the case because that condition is specified in the contract
with the Market Entity.
Service providers that cater to the securities industry with
specialized services are likely to have economies of scale that allow
them to more easily handle requests from Market Entities for additional
services.\756\ Some service providers, however, may not have the
technical expertise to provide a requested additional service or may
refuse to do so for other reasons. In this case, the Market Entity
would need to find another service provider. The costs associated with
service provider contracts, including those of renegotiating them or
tacking on of supplemental fees, are passed on to the Market Entity's
customers, counterparties, members, participants,
[[Page 20296]]
or users to the extent that the Market Entities are able to do so.
---------------------------------------------------------------------------
\756\ See Bharath Aiyer et al., New Survey Reveals $2 Trillion
Market Opportunity for Cybersecurity Technology and Service
Providers (2022), available at https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers.
---------------------------------------------------------------------------
D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule
Amendments
In this section, the Commission considers the benefits and costs of
the rule, form, and amendments being proposed in this release.\757\ As
discussed earlier, proposed Rule 10 would require all Market Entities
(Covered Entities and non-Covered Entities) to establish, maintain, and
enforce written policies and procedures that are reasonably designed to
address their cybersecurity risks.\758\ All Market Entities also, at
least annually, would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review.\759\ They also would
be required to prepare a report (in the case of Covered Entities) or a
record (in the case of non-Covered Entities) with respect to the annual
review.\760\ Finally, all Market Entities would need to give the
Commission immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the significant cybersecurity incident has occurred or is
occurring.\761\
---------------------------------------------------------------------------
\757\ Throughout the following, the Commission also considers
benefits and costs related to potential effects on economic
efficiency, competition, and capital formation. The Commission
summarizes these effects in section IV.E. of this release.
\758\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e)(1) of proposed Rule
10; see also sections II.B.1. and II.C. of this release (discussing
these proposed requirements in more detail).
\759\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10; see also sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\760\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10; see also sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\761\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2)
of proposed Rule 10; see also sections II.B.2.a. and II.C. of this
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Market Entities that meet the definition of ``covered entity''
would be subject to certain additional requirements under proposed Rule
10.\762\ First, their cybersecurity risk management policies and
procedures would need to include the following elements:
---------------------------------------------------------------------------
\762\ See paragraph (b) through (d) of proposed Rule 10 (setting
forth the requirements for Market Entities that meet the definition
of ``covered entity''); paragraph (e) of proposed Rule 10 (setting
forth the requirements for Market Entities that do not meet the
definition of ``covered entity'').
---------------------------------------------------------------------------
Periodic assessments of cybersecurity risks associated
with the Covered Entity's information systems and written documentation
of the risk assessments;
Controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems;
Measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversight of service providers that
receive, maintain, or process information, or are otherwise permitted
to access the Covered Entity's information systems;
Measures to detect, mitigate, and remediate any
cybersecurity threats and vulnerabilities with respect to the Covered
Entity's information systems; and
Measures to detect, respond to, and recover from a
cybersecurity incident and written documentation of any cybersecurity
incident and the response to and recovery from the incident.\763\
---------------------------------------------------------------------------
\763\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail). In the case
of non-Covered Entities, as discussed in more detail below in
Section II.C. of this release, the design of the cybersecurity risk
management policies and procedures would need to take into account
the size, business, and operations of the broker-dealer. See
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------
Second, Covered Entities would need to make certain records
pursuant to the policies and procedures required under proposed Rule
10. In particular, Covered Entities would be required to document in
writing periodic assessments of cybersecurity risks associated with the
Covered Entity's information systems and information residing on those
systems.\764\ Additionally, Covered Entities would be required to
document in writing any cybersecurity incident, including the Covered
Entity's response to and recovery from the cybersecurity incident.\765\
---------------------------------------------------------------------------
\764\ See paragraph (b)(1)(i)(B) of proposed Rule 10; see also
section II.B.1.a. of this release (discussing this documentation
requirement in more detail).
\765\ See paragraph (b)(1)(v)(B) of proposed Rule 10; see also
section II.B.1.e. of this release (discussing this documentation
requirement in more detail).
---------------------------------------------------------------------------
Third, Covered Entities--in addition to providing the Commission
with immediate written electronic notice upon having a reasonable basis
to conclude that the significant cybersecurity incident has occurred or
is occurring--would need to report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission by filing it with the Commission through the
EDGAR system.\766\ The form would elicit information about the
significant cybersecurity incident and the Covered Entity's efforts to
respond to, and recover from, the incident. Covered Entities would be
required to file updated versions of proposed Form SCIR when material
information becomes available or previously reported information is
deemed inaccurate. Lastly, a final proposed Form SCIR would need to be
submitted after a significant cybersecurity incident is resolved.
---------------------------------------------------------------------------
\766\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Fourth, Covered Entities would need to disclose publicly summary
descriptions of their cybersecurity risks and the significant
cybersecurity incidents they experienced during the current or previous
calendar year on Part II of proposed Form SCIR.\767\ The form would
need to be filed with the Commission through the EDGAR system and
posted on the Covered Entity's public-facing business internet website
and, in the case of Covered Entities that are carrying or introducing
broker-dealers, provided to customers at account opening and annually
thereafter.
---------------------------------------------------------------------------
\767\ See sections II.B.3. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers,
transfer agents, and SBS Entities respectively--would be amended to
establish preservation and maintenance requirements for the written
policies and procedures, annual reports, Parts I and II of proposed
Form SCIR, and records required to be made pursuant to proposed Rule 10
(i.e., the Rule 10 Records).\768\ The proposed amendments would specify
that the Rule 10 Records must be retained for three years. In the case
of the written policies and procedures to address cybersecurity risks,
the record would need to be maintained until three years after the
termination of the use of the policies and procedures.\769\ In
addition, orders exempting certain clearing agencies from registering
with the Commission are proposed to be amended to establish
preservation and maintenance
[[Page 20297]]
requirements for the Rule 10 Records that would apply to the exempt
clearing agencies subject to those orders.\770\ The amendments would
provide that the records need to be retained for five years (consistent
with Rules 13n-7 and 17a-1).\771\ In the case of the written policies
and procedures to address cybersecurity risks, the record would need to
be maintained until three years after the termination of the use of the
policies and procedures.
---------------------------------------------------------------------------
\768\ See sections II.B.5. and II.C. of this release (discussing
these proposed amendments in more detail). Rule 17a-4 sets forth
record preservation and maintenance requirements for broker-dealers,
Rule 17ad-7 sets forth record preservation and maintenance
requirements for transfer agents, and Rule 18a-6 sets forth record
preservation and maintenance requirements for SBS Entities.
\769\ See proposed rule 17a-4(e).
\770\ See section II.B.5. of this release (discussing these
proposed amendments in more detail).
\771\ As discussed in section II.B.5.a. of this release, the
existing requirements of Rule 13n-7 (which applies to SBSDRs) and
Rule 17a-1 (which applies to registered clearing agencies, the MSRB,
national securities associations, and national securities exchanges)
will require these Market Entities to retain the Rule 10 Records for
five years and, in the case of the written policies and procedures,
for five years after the termination of the use of the policies and
procedures.
---------------------------------------------------------------------------
1. Benefits and Costs of the Proposal to the U.S. Securities Markets
The Commission is proposing rules to require all Market Entities,
based on the reasons discussed throughout, to take steps to protect
their information systems and the information residing on those systems
from cybersecurity risk.\772\ For example, as discussed above, Market
Entities may not take the steps necessary to address adequately their
cybersecurity risks.\773\ A Market Entity that fails to do so is more
vulnerable to succumbing to a significant cybersecurity incident. As
discussed earlier, a significant cybersecurity incident can cause
serious harm not only to the Market Entity but also to its customers,
counterparties, members, registrants, or users, as well as to any other
market participants (including other Market Entities) that interact
with the impacted Market Entity.\774\ Therefore, it is vital to the
U.S. securities markets and the participants in those markets that all
Market Entities address cybersecurity risk, which, as discussed above,
is increasingly threatening the financial sector.\775\
---------------------------------------------------------------------------
\772\ See section I.A.1. of this release (discussing the
attractiveness of the U.S. securities market to threat actors).
\773\ See section IV.B. of this release (discussing broad
economic considerations).
\774\ See section I.A.2. of this release (discussing how
critical operations of Market Entities are exposed to cybersecurity
risk).
\775\ See section I.A.1. of this release (discussing threats to
the U.S. financial sector).
---------------------------------------------------------------------------
a. Benefits
The Commission anticipates that an important economic benefit of
the proposal would be to protect the fair, orderly, and efficient
operations of the U.S. securities markets and the soundness of Market
Entities better by requiring all Market Entities to establish,
maintain, and enforce written policies and procedures cybersecurity
policies and procedures. As noted earlier, the average loss in the
financial services industry was $18.3 million, per company per
cybersecurity incident. Adopting and enforcing cybersecurity policies
and procedures could assist Market Entities from incurring such losses.
Furthermore, the requirement to implement cybersecurity policies and
procedures could protect potential negative downstream effects that
could be incurred by other participants in the U.S. securities markets,
such as the Market Entity's customers, counterparties, members,
registrants, and users, in the event of a cybersecurity attack. By
requiring each Market Entity to implement policies and procedures to
address cybersecurity risk, the proposed rule would reduce the
likelihood that one Market Entity's cybersecurity incident can
adversely affect other Market Entities and market participants, as well
as the U.S. securities markets at large.
In addition, FSOC has stated that ``[m]aintaining and improving
cybersecurity resilience of the financial sector requires continuous
assessment of cyber vulnerabilities and close cooperation across firms
and governments within the U.S. and internationally.'' \776\ The
information provided to the Commission under the proposed reporting
requirements could help in assessing potential cybersecurity risks that
affect the U.S. securities markets. The reporting of significant
cybersecurity incidents also could be used to address future
cyberattacks. For example, these reports could assist the Commission in
identifying patterns and trends across Covered Entities, including
widespread cybersecurity incidents affecting multiple Covered Entities
at the same time. Further, the reports could be used to evaluate the
effectiveness of various approaches that are used to respond to and
recover from significant cybersecurity incidents. Therefore, requiring
Covered Entities to report significant cybersecurity incidents to the
Commission could help assist the Commission in carrying out its mission
of maintaining fair, orderly, and efficient operations of the U.S.
securities markets.
---------------------------------------------------------------------------
\776\ FSOC, Annual Report (2022), at 70, available at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf (``FSOC
2022 Annual Report'') (``By exchanging cyber threat information
within a sharing community, organizations can leverage the
collective knowledge, experience, and capabilities of that sharing
community to gain a more complete understanding of the threats the
organization may face.'') See also NIST, Special Pub. 800-150, Guide
to Cyber Threat Information Sharing iii (2016), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.
The NIST Special Publication also notes that the use of structured
data can facilitate information sharing. Id. at 7 (``Structured data
that is expressed using open, machine-readable, standard formats can
generally be more readily accessed, searched, and analyzed by a
wider range of tools. Thus, the format of the information plays a
significant role in determining the ease and efficiency of
information use, analysis, and exchange.'').
---------------------------------------------------------------------------
Similarly, requiring Covered Entities to publicly disclose summary
descriptions of their cybersecurity risks and significant cybersecurity
incidents would provide enhanced transparency about cybersecurity
threats that could impact the U.S. securities markets. Participants in
these markets could use this additional information to enhance the
management of their own cybersecurity risks, which also could serve to
strengthen the resilience of the U.S. securities markets to future
cybersecurity threats.
b. Costs
In general, the costs associated with the proposals include the
costs of developing, implementing, documenting, and reviewing
cybersecurity policies and procedures. For example, a Market Entity
that has only the minimal cybersecurity protection needed to meet the
current regulatory requirements may incur substantial costs when
implementing the policies and procedures required by proposed Rule 10.
These costs could be significantly lower for a Market Entity that
currently has a well-developed and documented cybersecurity program. A
Market Entity that incurs costs under the proposal may attempt to pass
them on to other market participants and even other Market Entities to
the extent that they are able to do that. This could increase costs for
the Market Entity's customers, counterparties, members, registrants, or
users participate in the U.S. securities markets.
In general, compliance costs with proposed Rule 10 would vary
across the various types of Market Entities. As discussed above, one
factor determining costs would be the extent to which a Market Entity's
existing measures to address cybersecurity risk would comply with the
proposal. Other factors would be the Market Entity's particular
business model, size, and unique cybersecurity risks. While the
compliance costs for smaller entities, such as Non-Covered Broker-
Dealers, may be relatively smaller, those costs may not be
inconsequential relative to their size. Further, Covered Entities may
incur substantial compliance costs given their relatively large size.
[[Page 20298]]
2. Policies and Procedures and Annual Review Requirements for Covered
Entities
The definition of a ``covered entity'' includes a wide range of
Commission registrants. The different Covered Entities that would be
subject to proposed Rule 10 vary based on the types of businesses they
are involved in, their relative sizes, and the number of competitors
they face. As a result, the benefits and costs associated with the
requirements to establish, maintain, and enforce written cybersecurity
policies and procedures and to review them at least annually likely
will vary among the different types of Covered Entities. Because the
benefits and costs are heterogeneous across the different types of
Covered Entities, the costs and benefits that are common to all Covered
Entities are discussed first. Next, the benefits and costs associated
with each type of Covered Entity are examined separately to account for
the different operations and functions they perform and the differences
in how existing or proposed regulations apply to them. The estimated
cost of compliance for a given Covered Entity and for all Covered
Entities combined is provided in the common costs discussion.
a. Common Benefits and Costs for Covered Entities
i. Benefits
As discussed above, due to the interconnected nature of the U.S.
securities market, strong policies and procedures to address
cybersecurity risks are needed by Covered Entities to protect not only
themselves, but also the Market Entities with whom they do business, as
well as other market participants, such as the Covered Entity's
customers, counterparties, members, or users. The Commission
anticipates that an important economic benefit of the cybersecurity
policies and procedures and annual review requirements of proposed Rule
10 would be to reduce the cybersecurity vulnerabilities of each Market
Entity and enhance the preparedness of each Market Entity against
cybersecurity threats to its operations. This would reduce the
likelihood that the Market Entity experiences the adverse consequences
of a cybersecurity incident. With written cybersecurity policies and
procedures that are maintained and enforced, as well as periodically
reviewed and assessed, Market Entities can better protect themselves
against cybersecurity threats; harden the security surrounding their
information systems and the data, which includes the prevention of
unauthorized access; minimize the damage from successful cyberattacks;
and recover more quickly from significant cybersecurity incidents when
they do occur. For example, the Covered Entity's risk assessment
policies and procedures would need to require written documentation of
these risk assessments.\777\
---------------------------------------------------------------------------
\777\ See paragraph (b)(1)(i)(B) of proposed Rule 10.
---------------------------------------------------------------------------
Relatedly, proposed Rule 10 would require that the incident
response and recovery policies and procedures include written
documentation of a cybersecurity incident, including the Covered
Entity's response to and recovery from the incident.\778\ These records
could be used by the Covered Entity to assess the efficacy of, and
adherence to, its incident response and recovery policies and
procedures. The record of the cybersecurity incidents further could be
used as a ``lessons-learned'' document to help the Covered Entity
respond more effectively the next time it experiences a cybersecurity
incident. The Commission staff also could use the records to review
compliance with this aspect of proposed Rule 10.
---------------------------------------------------------------------------
\778\ See paragraph (b)(1)(v)(B) of proposed Rule 10.
---------------------------------------------------------------------------
The records discussed above generally could be used by the Covered
Entity when it performs its review to analyze whether its current
policies and procedures need to be updated, to inform the Covered
Entity of the risks specific to it, and to support responses to
cybersecurity risks by identifying cybersecurity threats to information
systems that, if compromised, could result in significant cybersecurity
incidents.\779\ The documentation also could be used by Commission
staff and internal auditors of the Covered Entity to examine for
adherence to the risk assessment policies and procedures.
---------------------------------------------------------------------------
\779\ See paragraph (b)(2) of proposed Rule 10 (which would
require a Covered Entity to review and assess the design and
effectiveness of the cybersecurity policies and procedures,
including whether the policies and procedures reflect changes in
cybersecurity risk over the time period covered by the review). See
also section II.B.1.f. of this release (discussing the proposed
requirements in more detail).
---------------------------------------------------------------------------
Moreover, the annual review requirement is designed to require the
Covered Entity to evaluate whether its cybersecurity policies and
procedures continue to work as designed and whether changes are needed
to ensure their continued effectiveness, including oversight of any
delegated responsibilities. As discussed earlier, the sophistication of
the tactics, techniques, and procedures employed by threat actors is
increasing.\780\
---------------------------------------------------------------------------
\780\ See section I.A.1. of this release (discussing, for
example, how cybersecurity threats are evolving); see also Bank of
England CBEST Report (stating that ``[t]he threat actor community,
once dominated by amateur hackers, has expanded to include a broad
range of professional threat actors, all of whom are strongly
motivated, organised and funded'').
---------------------------------------------------------------------------
As discussed above, it is unlikely that Covered Entities do not
currently have some minimum level of cybersecurity policies and
procedures in place due to their own business decisions and certain
existing regulations and oversight. However, as discussed above,
current Commission regulations regarding cybersecurity policies and
procedures are narrower in scope. Proposed Rule 10 aims to be
comprehensive in terms of mandating that Covered Entities have
cybersecurity policies and procedures that address all cybersecurity
incidents that may affect their information systems and the funds and
securities as well as personal, confidential, and proprietary
information that may be stored on those systems. The benefits of the
proposed Rule 10 would be lessened to the extent that a Covered Entity
already has implemented cybersecurity policies and procedures that are
generally consistent with the written policies and procedures and
annual review requirements under proposed Rule 10.
If a Covered Entity has to supplement its existing cybersecurity
policies and procedures, amend them, or institute annual reviews and
document their assessments in a report, the benefit of proposed Rule 10
for that Covered Entity would be greater. The proposal will help ensure
the Covered Entity has robust procedures in place to prevent
cybersecurity incidents, may enable Covered Entities to detect
cybersecurity incidents earlier, and help ensure that Covered Entities
have a plan in place to remediate cybersecurity incidents quickly.
Lastly, as a second-order effect, it could reduce the Covered Entities'
risk of exposure to other Covered Entities' cybersecurity incidents
stemming--for example--from the interconnectedness of Covered Entities'
information systems.
The Commission currently does not have reliable data on the extent
to which each Covered Entity's existing policies and procedures are
consistent with the proposed Rule 10. Therefore, it is not possible to
quantify the scale of the benefits arising from the proposed policies
and procedures and annual review requirements. However, given the
importance of the U.S. securities markets, the value of the funds and
assets that are traded and held, and the current state of transactions
where much of them are electronic, it seems likely that the Covered
Entities that
[[Page 20299]]
transact business digitally have a strong incentive to implement
cybersecurity policies and procedures in order to protect and maintain
their operations. The proposed rule will require Covered Entities to
implement stronger protections that go beyond what they do based on
those market incentives.
To the extent that Covered Entities engage in business activities
involving crypto assets (which depend almost exclusively on the
operations of information systems), developing strong cybersecurity
policies and procedures would result in large benefits for them and
potentially for their customers, counterparties, members, registrants
or users. For example, robust cybersecurity policies and procedures
would help to ensure that Covered Entities are better shielded from the
theft of crypto assets by threat actors, which may be difficult or
impossible to recover, given the nature of the distributed ledger
technology.\781\ In addition, Covered Entities would avoid negative
reputational damage associated with a successful cyberattack.
---------------------------------------------------------------------------
\781\ See section II.G. of this release (noting that there is no
centralized IT infrastructure that can dynamically detect and
prevent cyberattacks on wallets or prevent the transfer of
illegitimately obtained crypto assets by bad actors).
---------------------------------------------------------------------------
ii. Costs
The costs associated with the policies and procedures and annual
review requirements of proposed Rule 10 would primarily result from
compliance costs borne by Covered Entities in the design,
implementation, review, written assessment, and updates of the
cybersecurity policies and procedures. The proposed requirement will
likely change a Covered Entity's behavior toward cybersecurity risk and
necessitates a certain amount of investment in cybersecurity
protection.\782\ In addition to the aforementioned direct compliance
costs faced by Covered Entities, those Covered Entities that utilize
service providers would need to take steps to oversee them under
proposed Rule 10.\783\ The costs of this oversight, including direct
compliance costs, ultimately would likely be passed on to the Covered
Entities' customers, counterparties, members, participants, or users to
the extent Covered Entities are able to do so. As indicated above, the
compliance costs generally may be lessened to the extent that Covered
Entities' existing policies and procedures would be consistent with the
requirements of proposed Rule 10. Therefore, the marginal increase in
compliance costs that arise likely would be due to the extent to which
a Covered Entity needs to make modifications to its existing
cybersecurity policies and procedures, implement annual reviews of
those policies and procedures, and/or write assessments reports.
---------------------------------------------------------------------------
\782\ While the existing policies and procedures of Covered
Entities largely could be consistent with the requirements of
proposed Rule 10, without a requirement to do so, they may not
conduct annual reviews and draft assessment reports. The annual
review and report costs are estimated be around $1,500 and $20,000
based on the costs of obtaining a cybersecurity audit. See How Much
Does a Security Audit Cost?, Cyber Security Advisor (Jan. 29, 2019),
available at https://cybersecadvisor.org/blog/how-much-does-a-security-audit-cost (``Cost of Security Audit'').
\783\ See paragraphs (b)(1)(i)(A)(2), (b)(1)(iii)(B), and (b)(2)
of proposed Rule 10.
---------------------------------------------------------------------------
The compliance costs associated with developing, implementing,
documenting, and reviewing the cybersecurity policies and procedures
for Covered Entities' activities that involve crypto assets likely
would be higher than those connected with traditional services and
technologies offered and used, respectively, by Covered Entities. The
cost difference primarily would be due to technological features of
distributed ledger technologies as well as with the costs increasing as
a Covered Entity engages in activities with additional crypto assets
and blockchains.
iii. Service Providers
As indicated above, Covered Entities may use service providers to
supply them with some or all of their necessary cybersecurity
protection. In general, the cost of contracted cybersecurity services
depends on the size of the entity, where larger firms may offer a wider
range of services and thus needing more cybersecurity protection.
According to a data security provider blog, ``[a]mong mid-market
organizations (250-999 employees), 46% spend under $250,000 on security
each year and 43% spend $250,000 to $999,999. Among enterprise
organizations (1,000-9,999 employees), 57% spend between $250,000 and
$999,999, 23% spend less than $250,000, and 20% spend at least $1
million. Half of large enterprises (more than 10,000 employees) spend
$1 million or more on security each year and 43% spend between $250,000
and $999,999.'' \784\
---------------------------------------------------------------------------
\784\ See Desdemona Bandini, New Security Report: The Security
Bottom Line, How Much Security Is Enough?, (Nov. 19, 2019),
available at https://duo.com/blog/new-security-report-the-security-bottom-line-how-much-security-is-enough.
---------------------------------------------------------------------------
Under the proposal, Covered Entities need to identify their service
providers that receive, maintain, or process information, or are
otherwise permitted to access its information systems and the
information residing on those systems, and then assess the
cybersecurity risks associated with their use by those service
providers.\785\ The policies and procedures for protecting information
would require oversight of the service providers that receive,
maintain, or process the Covered Entities' information, or are
otherwise permitted to access the Covered Entities' information systems
and the data residing on those systems, through a written contractual
agreement, as specified in paragraph (b)(iii)(B) of proposed Rule
10.\786\ Service providers would be required to implement and maintain,
pursuant to a written contract with the Covered Entities, appropriate
measures, including the practices described in paragraph (b) of
proposed Rule 10.
---------------------------------------------------------------------------
\785\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
\786\ See paragraph (b)(1)(iii)(B) of proposed Rule 10.
---------------------------------------------------------------------------
The proposed requirements will likely impose additional costs, at
least initially, on service providers catering to Covered Entities, as
they would be asked to provide services not included in existing
contracts. The Commission believes that most service providers
providing business-critical services would likely face pressure to
enhance their cybersecurity practices to satisfy demand from Covered
Entities due to new regulatory requirements placed on those Covered
Entities.\787\ Service providers may be willing to bear additional
costs in order to continue their business relationships with the
Covered Entities, particularly if the parties are operating under an
ongoing contract.\788\ Such situations are more likely to arise with
services that are considered general information technology, such as
email, relationship management, website hosting, cloud applications,
and other common technologies, given that the service provider does not
have market power because it has many competitors offering these
services. In contrast, providers of more specialized services--such as
payment service providers, regulatory service providers, data
providers, custodians, and providers of valuation services--may have
significant market power and may be able to charge a Covered Entity
separately for the additional services that would be required under
proposed Rule 10. Whether passed on to Covered Entities immediately or
reflected in
[[Page 20300]]
subsequent contract renewals, the costs associated the additional
services--including the associated negotiation process--would likely be
passed on to the Covered Entities' customers, counterparties, members,
participants, or users to the extent that they are able to do so.
---------------------------------------------------------------------------
\787\ A service provider involved in any business-critical
function would likely need to receive, maintain, or process
information from the Covered Entities as well as the Covered
Entities' customers, counterparties, members, registrants, or users.
\788\ See, e.g., Cost of Security Audit.
---------------------------------------------------------------------------
In terms of the cost of additional services received from service
providers, those providers that offer a specialized service and have
market power may not be willing to give any price concessions in the
negotiation process. The same may be true for service providers where
Covered Entities make up a small proportion of their overall business.
Other service providers in a more competitive environment--such as
those that offer general information technology services--may be more
willing to provide a discount to keep the Covered Entity as a
customer.\789\ Moreover, the compliance costs for service providers of
common technologies may be generally larger than those realized by
firms that offer specialized services because they cater to a wider
variety of customers, which makes contracts with different parties more
idiosyncratic.
---------------------------------------------------------------------------
\789\ See Jon Brodkin, IT Shops Renegotiate Contracts to Get
Savings Out of Vendors, Computer World (Nov. 6, 2008), available at
https://www.computerworld.com/article/2781173/it-shops-renegotiate-contracts-to-get-savings-out-of-vendors.html.
---------------------------------------------------------------------------
Some Covered Entities may find that one or several of their
existing service providers may not be technically able to--or may not
wish to make the investment to--support the Covered Entities'
compliance with the proposed rule. Similarly, some Covered Entities may
find that one or several of their existing service providers may not be
able to--or wish to because of significant market power--enter into
written contracts where the costs are not mutually agreeable. Also,
some service providers may not want to amend their contracts and take
on the particular obligations even if they already have the technical
abilities. In those cases, the Covered Entities would need to change
service providers and bear the associated switching costs, while the
service providers would suffer loss of their customer base.\790\
---------------------------------------------------------------------------
\790\ For example, the Covered Entity has insufficient market
power to affect changes in the service provider's business practices
and the suite of cybersecurity technologies it currently offers to
that Covered Entity.
---------------------------------------------------------------------------
For service providers that do business with Covered Entities, the
proposed rule may impose additional costs related to revising the
service provider's cybersecurity practices to satisfy the requirements
that would be imposed on the Covered Entities. Moreover, if a service
provider is already providing services to a Covered Entity that are
largely compliant with proposed Rule 10, then the resulting increase in
compliance costs likely would be minor.
Even if satisfying additional client requirements would not
represent a significant expense for service providers, the processes
and procedures that are necessary to implement an infrequently utilized
service may prevent some service providers from continuing to work with
the Covered Entity.\791\ That is, the provision of the service may be
viewed as more burdensome than the revenue received from the Covered
Entity. This consequence would serve as a disincentive to the service
provider. In such cases, Covered Entities would bear costs related to
finding alternative service providers while existing service providers
would suffer lost revenue once the Covered Entities switch service
providers.\792\
---------------------------------------------------------------------------
\791\ For example, the costs associated with legal review of
alterations to standard contracts may not be worth bearing by the
service provider if Covered Entities represent a small segment of
the service provider's business.
\792\ At the same time, these frictions would benefit service
providers that cater to customers in regulated industries.
---------------------------------------------------------------------------
To estimate the costs associated with the proposed policies and
procedures requirements and annual review requirements, the Commission
considered the initial and ongoing compliance costs.\793\ The internal
annual costs for these requirements (which include an initial burden
estimate annualized over a three year period) are estimated to be
$14,631.54 per Covered Entity, and $29,102,133.06 in total. These costs
include a blended rate of $462 for a compliance attorney and assistant
general counsel for a total of 31.67 hours. The annual external costs
for adopting and implementing the policies and procedures, as well as
the annual review of the policies and procedures are estimated to be
$3,472 per Covered Entity, and $6,905,808 in total. This includes the
cost of using outside legal counsel at a rate of $496 per hour for a
total of seven hours.
---------------------------------------------------------------------------
\793\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
b. Broker-Dealers
i. Benefits
The benefits of the policies and procedures requirements of
proposed Rule 10 for Covered Broker-Dealers likely will not be
consistent across these entities, as their services vary. Covered
Broker-Dealers that are larger, more interconnected with other market
participants, and offer more services have a higher potential for
greater losses for themselves and others in the event of a
cybersecurity incident. Thus, the benefits arising from robust
cybersecurity practices increases with the size and number of services
offered by Covered Broker-Dealers. For example, a cybersecurity
incident at a large Covered Broker-Dealer that facilitates trade
executions and/or provides carrying and clearing services carries
greater risk due to the larger number of services it provides as well
as its interconnections with other Market Entities. For example,
carrying broker-dealers may provide services to multiple introducing
brokers-dealers and their customers. Commission staff determined that,
as of September 2022, carrying broker-dealers have an average of 44
introducing broker-dealers on behalf of which they carry funds and
securities,\794\ with a median number of five broker-dealers.
Furthermore, a carrying broker-dealer may intermediate the connection
between one introducing broker-dealer and the final carrying broker-
dealer.\795\ As a result, there are potentially many avenues for
infiltration, from the introducing broker-dealers to the carrying
broker-dealers. Such Covered Broker-Dealers will not only hold
customers' personally identifiable information and records, but also
typically have control over customers' funds and assets. This makes
them attractive targets for threat actors. In addition, even a brief
disruption of the services offered by a carrying broker-dealer (e.g.,
from a ransomware attack) could have large, negative downstream
repercussions on the broker-dealer's customers and other Covered
Entities (e.g., inability to submit orders during volatile market
conditions or to access funds and securities). The persons negatively
impacted could include not only individuals but also institutional
customers, such as introducing broker-dealers, hedge funds, and family
offices. In this scenario, the Covered Broker-Dealer could incur major
losses if it experienced a significant cybersecurity incident. Thus,
compliance with written cybersecurity policies and procedures, along
with annual reviews and a written assessment report, likely would have
substantial benefits for those Covered Broker-Dealers that hold
customer information, funds, and assets.
---------------------------------------------------------------------------
\794\ Based on Form Custody, Item 4, as of 2021.
\795\ Id.
---------------------------------------------------------------------------
Because Covered Broker-Dealers perform a number of functions in the
U.S. securities markets and those functions are increasingly performed
through the use of information systems,
[[Page 20301]]
it is important that those information systems be secure against
cyberattacks. Covered Broker-Dealers use networks to connect their
information systems to those of national securities exchanges, clearing
agencies, and to communicate and transact with other Covered Broker-
Dealers. Written policies and procedures would strengthen a Covered
Broker-Dealer's cybersecurity protocols so that it would be more
difficult for threat actors to disrupt market-making activities in
securities or otherwise compromise the liquidity of the securities
markets, an occurrence that could negatively impact the ability of
investors to liquidate or purchase certain securities at favorable or
predictable prices or in a timely manner.
ATSs are trading systems that meet the definition of ``exchange''
under federal securities laws but are not required to register as
national securities exchanges if they comply with the conditions of the
Regulation ATS exemption, which includes registering as a broker-
dealer. ATSs have become significant venues for orders and non-firm
trading interest in securities.\796\ ATSs use data feeds, algorithms,
and connectivity to perform their functions. ATSs rely heavily on
information systems to perform these functions, including to connect to
other Market Entities, such as other Covered Broker-Dealers and
national securities exchanges.
---------------------------------------------------------------------------
\796\ Exchange Act Rule 3a1-1(a)(2) exempts an ATS from the
definition of exchange under section 3(a)(1) of the Exchange Act on
the condition that the ATS complies with Regulation ATS. See
generally Regulation of NMS Stock Alternative Trading Systems
Release, 83 FR 38768; Amendments Regarding the Definition of
``Exchange'' and ATSs Release, 87 FR 15496.
---------------------------------------------------------------------------
A significant cybersecurity incident that disrupts an ATS could
negatively impact the ability of investors to liquidate or purchase
certain securities at favorable or predictable prices or in a timely
manner to the extent it provides liquidity to the market for those
securities. Furthermore, the records stored by ATSs on their
information systems consist of proprietary information about Market
Entities that use their services, including confidential business
information (e.g., information about their trading activities). A
significant cybersecurity incident at an ATS could lead to the improper
use of this information to harm the Market Entities (e.g., public
exposure of confidential trading information) or provide the
unauthorized user with an unfair advantage over other market
participants (e.g., trading based on confidential business
information). Comprehensive cybersecurity policies and procedures,
along with periodic assessments, would fortify broker-dealer ATS
operations in their efforts to thwart cybersecurity attacks.
On the other hand, a small Covered Broker-Dealer could experience a
cybersecurity incident that has significant negative impacts on the
entity and its customers, such as a disruption to its services or the
theft of a customer's personal information. These types of incidents
would have profound negative effects for the small Covered Broker-
Dealer and its customers, but the negative effects would likely be
insignificant relative to the size of the entire U.S. securities
markets. In this case, strong cybersecurity policies and procedures
generally could provide substantial benefits to small Covered Broker-
Dealers themselves and their customers, but likely not to other market
participants.
As discussed in the baseline, Covered Broker-Dealers currently are
subject to Regulations S-P, Regulation S-ID, FINRA rules, and SRO and
Commission oversight, as well as Regulation ATS applying to broker-
dealer operated ATSs.\797\ In addition, Covered Broker-Dealers that
operate an ATS and trade certain stocks exceeding specific volume
thresholds are subject to Regulation SCI.\798\ As discussed above,
Regulation S-P, Regulation ATS, and Regulation S-ID have requirements
to establish policies and procedures that address certain cybersecurity
risks.\799\ Therefore, Covered Broker-Dealers subject to these other
regulations have existing cybersecurity policies and procedures that
address certain cybersecurity risks. However, proposed Rule 10 would
require all Covered Broker-Dealers to establish, maintain, and enforce
a set of cybersecurity policies and procedures that is broader and more
comprehensive than is required under the existing requirements of
Regulation S-P, Regulation S-ID, and Regulation ATS that pertain to
cybersecurity risk. This could substantially benefit these Covered
Broker-Dealers and their customers and counterparties as well as other
Market Entities that provide services to them or transact with them. In
particular, the failure to protect a particular information system from
cybersecurity risk can create a vulnerability that a threat actor could
exploit to access other information systems of the Covered Broker-
Dealer. Therefore, proposed Rule 10--because it would require all
information systems to be protected by policies and procedures--would
result in benefits to Covered Broker-Dealers (i.e., enhanced
cybersecurity resiliency).
---------------------------------------------------------------------------
\797\ See section IV.C.1.b.i. of this release (discussing as
part of the baseline the current relevant regulations applicable to
broker-dealers); see also section II.F. of this release (discussing
other relevant regulations applicable to Covered Broker-Dealers).
\798\ Id.
\799\ See section II.F.1.c. of this release (discussing in more
detail the existing requirements of Regulation S-P, Regulation ATS,
and Regulation S-ID to have policies and procedures to address
certain cybersecurity risks).
---------------------------------------------------------------------------
Covered Broker-Dealers that are registered as FCMs or swap dealers
are subject to NFA requirements that relate to proposed Rule 10.\800\
These additional requirements may bring those dually-registered Covered
Broker-Dealers more in line with the requirements of the proposed
rule.\801\ As a result, the marginal benefit of compliance for them may
be smaller than those that are only registered with the Commission.
---------------------------------------------------------------------------
\800\ See section IV.C.1.d.iii. of this release (discussing as
part of the baseline current CFTC-related requirements applicable to
FCMs and swap dealers).
\801\ See section I.B. of this release (discussing the proposed
requirements for Covered Entities, including Covered Broker-Dealers,
with respect to cybersecurity policies and procedures).
---------------------------------------------------------------------------
ii. Costs
The compliance costs of the policies and procedures requirements of
proposed Rule 10 for Covered Broker-Dealers may generally be lower, to
the extent their current policies and procedures are designed to comply
with Regulation SCI, Regulation S-P, Regulation ATS (if they operate an
ATS), Regulation S-ID, and FINRA rules and are consistent with certain
of the requirements of the proposed Rule 10.\802\ However, the
requirements of proposed Rule 10 are designed to address all of the
Covered Broker-Dealer's cybersecurity risks; whereas the requirements
of these other regulations that relate to cybersecurity are more
narrowly focused. Consequently, the marginal costs associated with
implementing the cybersecurity policies and procedures required under
the proposed Rule 10 would depend on the extent to which broker-
dealers' existing cybersecurity protections address cybersecurity risks
beyond those that are required to be addressed by these other
regulations.
---------------------------------------------------------------------------
\802\ See section II.F.1.c. of this release (discussing the
requirements of proposed Rule 10 and how they relate to Regulation
S-P, Regulation ATS, and Regulation S-ID).
---------------------------------------------------------------------------
Covered Broker-Dealers that are dually registered with the CFTC as
FCMs or swap dealers are subject to
[[Page 20302]]
NFA requirements, as noted above.\803\ These additional requirements
may make compliance with the proposed rule less burdensome and thus
less costly, as those NFA requirements are already in place.
---------------------------------------------------------------------------
\803\ See section IV.C.1.d.iii. of this release (discussing as
part of the baseline current CFTC-related requirements applicable to
FCMs and swap dealers).
---------------------------------------------------------------------------
c. Clearing Agencies and National Securities Exchanges
i. Benefits
Strong cybersecurity protocols at national securities exchanges
would help maintain their critical function of matching orders of
buyers and sellers. A cybersecurity incident could prevent an exchange
from executing trades, therefore preventing members and their customers
from buying or selling securities at the exchange. Interruptions in
order flow and execution timing could lead to inefficiencies in order
matching, possibly resulting in a less desirable execution price.
Moreover, customer information could be stolen and trading strategies
could be revealed. Lastly, a cybersecurity breach could be problematic
for market surveillance staff that monitors the market for illegal
trading activity. Thus, the policies and procedures requirements of
proposed Rule 10 could offer significant benefits to national
securities exchanges and market participants that depend on their
processing of order flow and the ability of regulators to surveil the
market.
Clearing agencies serve an important role in the securities markets
by ensuring that executed trades are cleared and that the funds and
securities are transferred to and from the appropriate accounts. A
cybersecurity incident at a clearing agency could result in delays in
clearing as well as in the movement of funds and assets. Such an
incident also could lead to the loss or misappropriation of customer
information, funds, and assets. Threat actors could also gain access to
and misappropriate the clearing agency's default fund by, for example,
obtaining access to the clearing agency's account in which the fund is
held. Strong cybersecurity policies and procedures would assist
clearing agencies in protecting the funds and securities in their
control. This would benefit the clearing agency, its members, and
market participants that rely on the services of its members.
As discussed in the baseline, national securities exchanges,
registered clearing agencies, and certain exempt clearing agencies are
subject to Regulation SCI.\804\ Regulation SCI has requirements for SCI
entities to establish policies and procedures that address certain
cybersecurity risks The proposed requirements of proposed Rule 10, in
contrast, apply to all of the Covered Entity's information systems. The
benefits of the policies and procedures requirements of proposed Rule
10 would depend on the extent to which the national securities
exchanges' and clearing agencies' current cybersecurity policies and
procedures (which include those required by Regulation SCI) are
consistent with those required under the proposed rule. Major changes
in cybersecurity policies and procedures could yield large benefits.
However, the marginal benefit of the proposed rule likely would decline
the more closely a national securities exchange's or clearing agency's
cybersecurity policies and procedures are consistent with the
requirements of proposed Rule 10.
---------------------------------------------------------------------------
\804\ See section IV.C.1.b.ii. of this release (discussing as
part of the baseline the relevant regulations applicable to national
securities exchanges and clearing agencies).
---------------------------------------------------------------------------
Clearing agencies that are registered as DCOs are subject to
additional CFTC requirements that may be related to those of proposed
Rule 10.\805\ As a result, the marginal benefit of proposed Rule 10 may
be smaller than those that are only registered with the Commission.
---------------------------------------------------------------------------
\805\ See section IV.C.1.d.i. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to DCOs).
---------------------------------------------------------------------------
ii. Costs
The incremental cost of compliance with the policies and procedures
requirements of proposed Rule 10 for national exchanges and clearing
agencies depends on how much their current cybersecurity policies and
procedures go beyond what is required by Regulation SCI. This is
because the requirements of proposed Rule 10 are designed to address
all of the cybersecurity risks faced by a national securities exchange
or clearing agency; in contrast, the requirements of Regulation SCI
that relate to cybersecurity are more narrowly focused.\806\ Therefore,
national securities exchanges and clearing agencies that have policies
and procedures in place that only address the requirements of
Regulation SCI will need to make potentially significant changes to
their cybersecurity policies and procedures in order to comply with the
requirements of proposed Rule 10. Alternatively, national securities
exchanges and clearing agencies that currently have comprehensive
cybersecurity policies and procedures may incur fewer costs to comply
with proposed Rule 10. Nevertheless, assuming that they do not do so
already, ensuring that those cybersecurity policies and procedures are
documented and reviewed on an annual basis as required by the proposal,
with an accompanying written assessment, would assist national
securities exchanges and clearing agencies to withstand cybersecurity
incidents and address them more effectively, thus minimizing the
negative effects of such occurrences.
---------------------------------------------------------------------------
\806\ See section II.F.1.c. of this release (discussing the
requirements of proposed Rule 10 and how they relate to the
requirements of Regulation SCI).
---------------------------------------------------------------------------
Clearing agencies that are dually registered with the CFTC as DCOs
are subject to that agency's systems safeguards rule, as noted
above.\807\ Complying with the CFTC requirements may make compliance
with the proposed rule less burdensome and thus less costly, to the
extent that the registered DCO implements the CFTC requirements on the
registered clearing agency side of its operations.
---------------------------------------------------------------------------
\807\ See section IV.C.1.c.i. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to DCOs).
---------------------------------------------------------------------------
Finally, national securities exchanges and clearing agencies that
are registered with the Commission but currently are not active would
incur substantially higher costs relative to their active peers if they
needed to come into compliance with proposed Rule 10. If they resume
clearing activities and operations, they may incur significant costs to
develop, document, implement, maintain, and enforce policies and
procedures, including cybersecurity policies and procedures, as well as
establish protocols for written annual reviews with necessary
modifications and updates.
d. FINRA and the MSRB
i. Benefits
FINRA is the only national securities association currently
registered with the Commission. Similarly, the MSRB is the only entity
(other than the Commission) established by Congress to, among other
activities, propose and adopt rules with respect to transactions in
municipal securities.
FINRA issues cybersecurity-related statements to members that
discuss best practices for achieving adequate cybersecurity
protection.\808\ FINRA and MSRB members are also subject to internal
oversight and external audits. Nevertheless, both FINRA and the
[[Page 20303]]
MSRB store proprietary information about their members, including
confidential business information, on their respective information
systems. FINRA stores information about broker-dealers and trades. Some
information and systems under FINRA's control may belong to other
organizations where FINRA is simply contracted to perform data
processing duties. There also may be sensitive information related to
FINRA's oversight practices that is not made public, such as regulatory
assessments of various broker-dealers or internal analyses regarding
its examinations and examination programs. Furthermore, FINRA may keep
information on cyberattacks on itself and on broker-dealers that, if
made public, could compromise existing cybersecurity systems.
Therefore, FINRA and the MSRB themselves require their own
cybersecurity policies and procedures.
---------------------------------------------------------------------------
\808\ See FINRA, Cybersecurity, available at https://www.finra.org/rules-guidance/key-topics/cybersecurity#overview.
---------------------------------------------------------------------------
As discussed in the baseline, FINRA and the MSRB are subject to
Regulation SCI.\809\ Regulation SCI has requirements to establish
policies and procedures that address certain cybersecurity risks.\810\
Therefore, the benefits of the policies and procedures requirements of
proposed Rule 10 would depend on the extent to which the FINRA's and
the MSRB's current cybersecurity policies and procedures (which include
those required by Regulation SCI) are consistent with those required
under the proposed rule. This means the marginal benefit of the
proposed rule may be limited depending on how closely FINRA's and the
MSRB's cybersecurity policies and procedures are consistent with
proposed Rule 10. Nevertheless, ensuring that those cybersecurity
policies and procedures are documented and reviewed on an annual basis,
with an accompanying written assessment, could assist the two entities
in avoiding cybersecurity incidents and addressing them more
effectively, thus minimizing the negative effects of such occurrences.
---------------------------------------------------------------------------
\809\ See section IV.C.1.b.ii. of this release (discussing as
part of the baseline the current relevant regulations applicable to
national securities associations and FINRA).
\810\ See section II.F.1.c. of this release (discussing in more
detail the requirements of Regulation SCI).
---------------------------------------------------------------------------
ii. Costs
As with national securities exchanges and clearing agencies, the
Commission does not expect that FINRA and the MSRB will incur
significant costs as a result of complying with the policies and
procedures requirements of proposed Rule 10 because they are already
subject to Regulation SCI and, due to their importance in the oversight
and oversight of their members or registrants, as well as the storage
of trade information and data owned by other parties, there are strong
incentives for FINRA and the MSRB to invest in comprehensive
cybersecurity programs.
e. SBS Entities
i. Benefits
As discussed in the baseline, SBS Entities must comply with section
15F(j)(2) of the Exchange Act and various Commission rules. SBS
Entities that are dually registered with the CFTC are subject to that
agency's rules as well as the rules of the NFA.\811\ The benefits that
would accrue to SBS Entities depend on the level of cybersecurity
protection they currently have in place. Policies and procedures that
are consistent with the policies and procedures requirements of
proposed Rule 10 may only need moderate updating and adjustment. As a
result the marginal benefits likely are small. There would be much
greater benefits for SBS Entities that must significantly revise their
current policies and procedures. Further, proposed Rule 10 would
require that SBS Entities have policies and procedures to respond to
and recover from cybersecurity incidents, which would assist the SBS
Entities in minimizing the harm caused by the incident and enhancing
their ability to recover from it. Annual reviews also would help them
update their policies and procedures to address emerging threats.
---------------------------------------------------------------------------
\811\ See section IV.C.1.c.iii. of this release (discussing as
part of the baseline current relevant regulations applicable to SBS
Entities).
---------------------------------------------------------------------------
SBS Entities that are registered as swap dealers are subject to
additional requirements of the CFTC and NFA that may be related to
those of proposed Rule 10.\812\ As a result, the marginal benefit of
compliance for them may be smaller than those that are only registered
with the Commission.
---------------------------------------------------------------------------
\812\ See section IV.C.1.c.iii. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to swap dealers).
---------------------------------------------------------------------------
ii. Costs
Complying with the policies and procedures requirements of proposed
Rule 10 may not be costly for SBS Entities. SBS Entities must comply
with section 15F(j)(2) of the Exchange Act and various Commission
rules. The costs that arise from compliance with proposed Rule 10
depend on how closely their current documented policies and procedures,
as well as annual reviews and summary reports, are consistent with the
proposed rule. SBS Entities that have very similar cybersecurity
policies and procedures to those that would be required under proposed
Rule 10 would have small associated costs to come into compliance with
the rule. SBS Entities that need to make more substantial changes to
their cybersecurity policies and procedures to comply with the proposed
rule would incur higher attendant costs. Ultimately, the ability of SBS
Entities to bear those additional costs depends on the competitive
landscape of the security-based swap market.
SBS Entities that are dually registered with the CFTC as swap
dealers are subject to that agency's requirements, as noted above.\813\
These additional requirements may make compliance with the proposed
rule less burdensome and thus less costly, as the CFTC requirements are
already in effect and dually registered SBS Entities must comply with
those regulations.
---------------------------------------------------------------------------
\813\ See section IV.C.1.c.iii. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to swap dealers).
---------------------------------------------------------------------------
f. SBSDRs
i. Benefits
SBSDRs collect and maintain security-based swap transaction data so
that relevant authorities can access and analyze the data from secure,
central locations, thereby allowing regulators to monitor for potential
market abuse and risks to financial stability.\814\ SBSDRs also reduce
operational risk and enhance operational efficiency in the security-
based swap market, such as by maintaining transaction records that help
counterparties ensure that their records reconcile.\815\
---------------------------------------------------------------------------
\814\ See SBSDR Adopting Release, 80 FR at 14440 (``[SBSDRs] are
required to collect and maintain accurate SBS transaction data so
that relevant authorities can access and analyze the data from
secure, central locations, thereby putting them in a better position
to monitor for potential market abuse and risks to financial
stability.'').
\815\ See SBSDR Proposing Release at 77307 (stating that ``[t]he
enhanced transparency provided by an [SBSDR is important to help
regulators and others monitor the build-up and concentration of risk
exposures in the [security-based swap] market . . . . In addition,
[SBSDRs] have the potential to reduce operational risk and enhance
operational efficiency in the [security-based swap] market'').
---------------------------------------------------------------------------
The Commission requires SBSDRs to have written documentation
regarding how they keep such transaction information secure.\816\ If
the policies and procedures requirements of proposed Rule 10 requires
an SBSDR to do additional development, documentation, implementation,
and review of its cybersecurity policies and procedures, then the
benefits that accrue
[[Page 20304]]
from doing so will be large. In this circumstance, compliance with the
policies and procedures requirements of proposed Rule 10 would bolster
SBSDRs' cybersecurity resiliency. As a result, SBSDRs would be better
prepared to identify cybersecurity vulnerabilities and prevent
significant cybersecurity incidents, thereby safeguarding the security-
based swap trade data that they receive and maintain. Further, proposed
Rule 10 would require that SBSDRs have policies and procedures to
respond to and recover from a significant cybersecurity incident, which
would assist SBSDRs in minimizing the harm caused by the incident and
enhancing their ability to recover from it. Annual reviews also would
help them update their policies and procedures to address emerging
threats.
---------------------------------------------------------------------------
\816\ See section IV.C.1.b.iv. of this release (discussing as
part of the baseline the current relevant regulations applicable to
SBSDRs).
---------------------------------------------------------------------------
SBSDRs that are dually registered with the CFTC as SDRs must comply
with that agency's systems safeguards rule, applicable to information
systems for data under the CFTC's jurisdiction.\817\ These additional
requirements may bring those dually-registered SBSDRs more in line with
the requirements of the proposed rule, to the extent that the
registered entity applies the CFTC's systems safeguard requirements to
the SBSDR operations. As a result, the marginal benefit of compliance
for them may be smaller than those that are only registered with the
Commission.
---------------------------------------------------------------------------
\817\ See section IV.C.1.d.ii. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to SDRs).
---------------------------------------------------------------------------
ii. Costs
The costs that arise from compliance with the policies and
procedures requirements of proposed Rule 10 depend on how closely the
current documented policies and procedures of SBSDRs are consistent
with the proposed rule. SBSDRs that have very similar cybersecurity
policies and procedures to those that would be required under proposed
Rule 10 would face small costs to amend their cybersecurity policies
and procedures. SBSDRs that need to make more substantial changes to
their cybersecurity policies and procedures to comply with the proposed
rule would realize greater marginal benefits from attaining compliance,
while incurring higher attendant costs.
SBSDRs that are dually registered with the CFTC as SDRs are subject
to that agency's system safeguards rule, as noted above.\818\ These
additional requirements may make compliance with the proposed rule less
burdensome and thus less costly, to the extent the registered entity
applies the CFTC's system safeguard requirements to its SBSDR
operations.
---------------------------------------------------------------------------
\818\ See section IV.C.1.d.iii. of this release (discussing as
part of the baseline the current relevant CFTC regulations
applicable to swap dealers).
---------------------------------------------------------------------------
g. Transfer Agents
i. Benefits
The benefits of the policies and procedures requirements of
proposed Rule 10 likely will differ across transfer agents, as their
size and the level of their services may vary. Transfer agents, among
other functions, may: (1) track, record, and maintain on behalf of
issuers the official record of ownership of each issuer's securities;
(2) cancel old certificates, issue new ones, and perform other
processing and recordkeeping functions that facilitate the issuance,
cancellation, and transfer of those securities; (3) facilitate
communications between issuers and registered securityholders; and (4)
make dividend, principal, interest, and other distributions to
securityholders.\819\ A cybersecurity incident at a transfer agent
would have varying negative impacts depending on the range of services
offered by the transfer agent. Nonetheless, for the issuer who depends
on the transfer agent to maintain the official record of ownership, or
for securityholders who depend on the transfer agent for distributions,
an incident at even a small transfer agent with limited services could
have profound negative implications.
---------------------------------------------------------------------------
\819\ See section I.A.2.i. of this release (discussing critical
operations and functions of transfer agents).
---------------------------------------------------------------------------
In addition, some transfer agents may maintain records and
information related to securityholders that could include names,
addresses, phone numbers, email addresses, employers, employment
history, bank and specific account information, credit card
information, transaction histories, securities holdings, and other
detailed and individualized information related to the transfer agents'
recordkeeping and transaction processing on behalf of issuers. This
information may make a transfer agent particularly attractive to threat
actors. Compliance with written cybersecurity policies and procedures
under proposed Rule 10, along with annual reviews and a written
assessment report, would likely produce a large benefit for clients and
investors of transfer agents.
Preventing successful cyberattacks would keep securities from being
stolen by threat actors and would ensure that dividends are paid when
promised. In addition, because transfer agents have information on the
securityholders' personal information, policies and procedures to
protect that information from unauthorized access or use would benefit
the transfer agent and the securityholders. Moreover, if a significant
cybersecurity incident materializes, transfer agents would have a plan
to resolve the issue, thus potentially reducing the timeframe and
damage associated with the incident.
As discussed in the baseline, transfer agents registered with the
Commission (but not transfer agents registered with another appropriate
regulatory agency) are subject to the Regulation S-P Disposal Rule and
may be subject to Regulation S-ID.\820\ The Regulation S-P Disposal
Rule and Regulation S-ID require measures that implicate a certain
cybersecurity risk.\821\ Nonetheless, the policies and procedures
requirements of proposed Rule 10 would still provide substantial
benefits to transfer agents. This is because, as discussed above,
proposed Rule 10 would require all transfer agents to establish,
maintain, and enforce policies and procedures to address cybersecurity
risks that are broader and more comprehensive than those policies and
procedures required by the existing requirements of Regulation S-P or
Regulation S-ID.
---------------------------------------------------------------------------
\820\ See section IV.C.1.b.v. of this release (discussing as
part of the baseline the current relevant regulations applicable to
transfer agents). Transfer agents that are subsidiaries of bank
holding companies would incur minimal cost since they are already
subject to federal banking cybersecurity regulations.
\821\ See section II.F.1.c. of this release (discussing in more
detail the existing requirements of the Regulation S-P Disposal Rule
and Regulation S-ID).
---------------------------------------------------------------------------
ii. Costs
Transfer agents likely would incur moderate costs in complying with
the policies and procedures requirements of proposed Rule 10 if their
current policies and procedures--including those to comply with the
Regulation S-P Disposal Rule and Regulation S-ID (if either or both
apply)--would need to be augmented to meet the requirements of proposed
Rule 10. Transfer agents also would have to do annual reviews and write
assessment reports. Such costs likely would be passed on to the
entities that use transfer agent's services. Transfer agents that have
made the business decision to implement robust cybersecurity policies,
procedures, and practices would incur lower marginal compliance costs,
to the degree those policies, procedures, and practices are consistent
with the requirements of proposed Rule 10.
[[Page 20305]]
h. Request for Comment
The Commission requests comment on all aspects of the foregoing
analysis of the benefits and costs of the policies and procedures,
review and assessment, and report requirements of proposed Rule 10.
Commenters are requested to provide empirical data in support of any
arguments or analyses. In addition, the Commission is requesting
comment on the following matters:
1. Please discuss which types of Covered Entities have some level
of cybersecurity in place and which may not? If not, explain why.
Please describe the level of cybersecurity policies and procedures that
have been implemented by Covered Entities and compare them to the
requirements of proposed Rule 10.
2. Do the benefits and costs associated with Covered Entities
having written cybersecurity policies and procedures, including
provisions for written annual reviews and assessments, reports, and
updates (if necessary) vary by the type of Covered Entity? If so,
explain how. Are there benefits and costs of the proposals not
described above? If so, please describe them.
3. Are the estimated compliance costs (both initially and on an
ongoing basis) for Covered Entities to adopt cybersecurity policies and
procedures, along with reviewing them annually and drafting a summary
report, reasonable? If not, explain why and provide estimates of the
compliance costs.
4. How costly would it be for a given type of Covered Entity to
become compliant with proposed Rule 10? Please explain and provide
estimates of the costs.
5. Do Covered Entities typically document their cybersecurity
policies and procedures? If not, how costly would it be for them to be
documented?
6. Please describe practices of Covered Entities with regard to the
use of service providers in connection with their information systems
and the information residing on those systems. How many Market Entities
contract with service providers? What functions are contracted out
versus completed in house? Are the cybersecurity policies and
procedures implemented by these service providers comparable to the
requirements of proposed Rule 10? Please explain. Would it be costly
contractually to request that a service provider provide compliant
services, including documented policies and procedures? What are the
costs of finding a new service provider if one or more could not
provide services that are compliant with the proposed rule?
7. How costly would it be to review and update, if necessary,
cybersecurity policies and procedures at least annually? Would it be
preferable to conduct the reviews on either a more or less frequent
basis? Explain why. Would it be less costly to have a third party
conduct the review and update of a Covered Entities' cybersecurity
policies and procedures? Please explain.
3. Regulatory Reporting of Cybersecurity Incidents by Covered Entities
Under proposed Rule 10, Covered Entities would need to provide the
Commission with immediate written electronic notice of a significant
cybersecurity incident affecting the Covered Entity and, thereafter,
report and update information about the significant cybersecurity
incident by filing Part I of proposed Form SCIR with the Commission
through the EDGAR system.\822\ The form would elicit information about
the significant cybersecurity incident and the Covered Entity's efforts
to respond to, and recover from, the incident. In the case of certain
Covered Entities, the notice and subsequent reports would need to be
provided to other regulators.
---------------------------------------------------------------------------
\822\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
a. Benefits
The requirements of proposed Rule 10 that Covered Entities provide
immediate written electronic notice and subsequent reporting about
significant cybersecurity incidents to the Commission and would improve
the Commission's ability to assess these incidents. These requirements
also would allow the Commission to understand better the causes and
impacts of significant cybersecurity incidents and how Covered Entities
respond to and recover from them. Thus, the notification and reporting
requirements--through the information they would provide the
Commission--could be used to understand better how significant
cybersecurity incidents materialize and, therefore, how Covered
Entities can better protect themselves from them and, when they occur,
how Covered Entities can better mitigate their impacts and recover more
quickly from them. Over time, this database of information could
provide useful insights into how to minimize the harm more broadly that
is caused by significant cybersecurity incidents, which have the
potential to cause broader disruptions to the U.S. securities markets
and undermine financial stability.
A Covered Entity would be required to provide immediate written
electronic notice to the Commission of a significant cybersecurity
incident upon having a reasonable basis to conclude that the incident
has occurred or is occurring.\823\ This timeframe allows for quick
notification to the Commission and, in some cases, other regulators
about the significant cybersecurity incident, which--in turn--would
allow for more timely assessment of the incidents. These incidents, if
not addressed quickly, could have harmful spillover impacts to other
Market Entities and participants in the U.S. securities markets.
---------------------------------------------------------------------------
\823\ See paragraph (c)(1) of proposed Rule 10.
---------------------------------------------------------------------------
The immediate written electronic notice would need to identify the
Covered Entity, state that the notice is being given to alert the
Commission of a significant cybersecurity incident impacting the
Covered Entity, and provide the name and contact information of an
employee of the Covered Entity who can provide further details about
the significant cybersecurity incident.\824\ By not requiring detailed
information about the significant cybersecurity incident, the Covered
Entity would be able to provide the notice quickly while it continues
to assess which information systems have been subject to the
significant cybersecurity incident and the impact that the incident has
had on those systems. This would facilitate the Covered Entity's
ability to alert the Commission and other regulators (if applicable) at
a very early stage after it has a reasonable basis to conclude that a
significant cybersecurity incident has occurred or is occurring. This,
in turn, would allow the Commission and other regulators (if
applicable) to begin taking steps to assess the significant
cybersecurity incident at that early stage.
---------------------------------------------------------------------------
\824\ Id.
---------------------------------------------------------------------------
This proposed immediate written electronic notification requirement
is modelled on other notification requirements that apply to broker-
dealers and SBSDs pursuant to other Exchange Act rules. Under these
existing requirements, broker-dealers and certain SBSDs must provide
the Commission with same-day written notification if they undergo
certain adverse events, including falling below their minimum net
capital requirements or failing to make and keep current required books
and records.\825\ The objective of these requirements is to provide the
Commission staff with the opportunity to respond when a broker-
[[Page 20306]]
dealer or SBSD is in financial or operational difficulty.\826\
Similarly, the immediate written electronic notification requirement of
proposed Rule 10 would provide the Commission staff with the
opportunity to promptly begin to assess the situation when a Covered
Entity is experiencing a significant cybersecurity incident.
---------------------------------------------------------------------------
\825\ See 17 CFR 240.17a-11 (notification rule for broker-
dealers); 17 CFR 240.18a-8 (notification rule for SBS Entities).
\826\ See SBS Entity Recordkeeping and Reporting Proposing
Release, 79 FR at 25247.
---------------------------------------------------------------------------
Promptly thereafter (but no later than 48 hours), a Covered Entity
would be required to report separately more detailed information about
the significant cybersecurity incident by filing initial, amended and
final versions of Part I of proposed Form SCIR with the Commission
through the EDGAR.\827\ The Covered Entity also would be required to
file updated reports and a final report.
---------------------------------------------------------------------------
\827\ See paragraphs (c)(2) of proposed Rule 10. As discussed
below, Part II of proposed Form SCIR would be used by Covered
Entities to make public disclosures about the cybersecurity risks
they face and the significant cybersecurity incidents they
experienced during the current or previous calendar year. See
sections II.B.2. and II.B.4. of this release (discussing these
proposed requirements).
---------------------------------------------------------------------------
The reporting requirements under proposed Rule 10 would provide the
Commission and its staff with information to understand better the
nature and extent of a particular significant cybersecurity incident
and the efficacy of the Covered Entity's response to mitigate the
disruption and harm caused by the incident.\828\ It also strengthens
and expands the Commission's knowledge regarding cybersecurity
incidents beyond what is already required by current Commission
regulations. In addition, the reporting would provide the staff with a
view into the Covered Entity's understanding of the scope and impact of
the significant cybersecurity incident. All of this information would
assist the Commission and its staff in assessing the significant
cybersecurity incident impacting the Covered Entity. It also could
benefit other Market Entities to the extent the confidential
information provided by the impacted Covered Entity could be used to
assist them (without divulging the identity of the impacted Covered
Entity) in avoiding a similar significant cybersecurity incident or
succumbing to an attack by the same threat actor that caused the
significant cybersecurity incident.
---------------------------------------------------------------------------
\828\ See Line Items 2 through 14 of Part I of proposed Form
SCIR (eliciting information about the significant cybersecurity
incident and the Covered Entity's response to the incident).
---------------------------------------------------------------------------
The information provided to the Commission under the proposed
reporting requirements also would be used to assess the potential
cybersecurity risks affecting U.S. securities markets more broadly.
This information could be used to address future significant
cybersecurity incidents or address cybersecurity vulnerabilities that
may be present at other similar Covered Entities. For example, these
reports could assist the Commission in identifying patterns and trends
across Covered Entities, including widespread cybersecurity incidents
affecting multiple Covered Entities at the same time. Further, the
reports could be used to evaluate the effectiveness of various
approaches to respond to and recover from a different types of
significant cybersecurity incidents. This could benefit all Market
Entities, other participants in the U.S. securities markets, and
ultimately promote the fair, orderly, and efficient operation of the
U.S. securities markets.
Requiring Covered Entities to file Part I of proposed Form SCIR in
EDGAR in a custom XML would allow for more efficient processing of
information about significant cybersecurity incidents. It would create
a comprehensive set of data of all significant cybersecurity incidents
impacting Covered Entities that is based on these entities responding
to the same check boxes and questions on the form. This would
facilitate analysis of the data, including analysis across different
Covered Entities and significant cybersecurity incidents. Eventually,
this set of data and the analysis of it by searching and sorting based
on how different Covered Entities responded to the same questions on
the form could be used to spot common trending risks and
vulnerabilities as well as best practices employed by Covered Entities
to respond to and recover from significant cybersecurity incidents.
As discussed above, Covered Entities have incentives to not
disclose information about significant cybersecurity incidents. Such
incentives constrain the information available about cybersecurity
threats and thereby inhibit the efficacy of collective (i.e., an
industry's or a society's) cybersecurity measures.\829\ At the same
time, complete transparency in this area likely runs the risk of
facilitating future attacks.\830\ As discussed above, the challenge of
effective information sharing has long been recognized, and government
efforts at encouraging such sharing on a voluntary basis have had only
limited success.\831\ The Commission would not publicly disclose and
would keep them confidential to the extent permitted by law Part I of
proposed Form SCIR. This would limit the risks associated with public
disclosure of vulnerabilities as a result of successful cybersecurity
incidents. The Commission also may share information with relevant law
enforcement or national security agencies.
---------------------------------------------------------------------------
\829\ See section IV.B. of this release (discussing broad
economic considerations); see, e.g., Lewis and Zheng, Cyber Threat
Information Sharing (recommending that regulators encourage
information sharing).
\830\ Although ``security through obscurity'' as a cybersecurity
philosophy has long been derided, ``obscurity,'' or more generally
``deception,'' has been recognized as an important cyber resilience
technique. See Ron Ross, Victoria Pillitteri, Richard Graubart,
Deborah Bodeau, and Rosalie McQuaid, Developing Cyber Resilient
Systems: A Systems Security Engineering Approach, 2 Nat. Inst. of
Standards and Tech. (Dec. 2021), available at https://doi.org/10.6028/NIST.SP.800-160v2r1. See also Section IV.D.2.b (discussion
of costs associated with disclosure).
\831\ See section IV.C.1.e. of this release (discussing
information sharing).
---------------------------------------------------------------------------
The aforementioned benefits arise from improved information sharing
between the affected Covered Entity and the Commission. Delays in
incident reporting may hinder the utility of Part I of proposed Form
SCIR because the Commission would not be able to assess the situation
close to the time of its occurrence or discovery. Thus, the utility of
such reports, at least initially, may be more limited if they are not
filed as quickly as proposed.
Requiring Covered Entities to identify themselves on Part I of
proposed Form SCIR with a UIC \832\ if they already have a UIC would be
beneficial because the LEI--which is a Commission-approved UIC--is a
globally-recognized standard identifier \833\ with reference data that
is
[[Page 20307]]
available free of charge.\834\ Unlike many identifiers that are
specific to a particular regulatory authority or jurisdiction, the LEI
is a permanent, unique global identifier that also contains ``Level 2''
parent and (direct/indirect) child entity information. Entity parent-
child relationships are particularly relevant to assessing the risks of
entities operating in the securities markets, where financial entities'
interconnectedness and complex group structures could otherwise make
understanding the scope of potential widespread risks challenging.\835\
Additionally, unlike most company registries, all LEI data elements are
validated annually and subject to a ``quality program [that] scans the
full [data] repository daily and publishes the results monthly in
quality reports[,]'' which helps to ensure the accuracy--and
usefulness--of LEI data as compared to other types of entity
identifiers that lack such features.\836\
---------------------------------------------------------------------------
\832\ As mentioned in section II.B.2.b. of this release, the
instructions of proposed Form SCIR would define UIC to mean an
identifier that has been issued by an IRSS that has been recognized
by the Commission pursuant to Rule 903(a) of Regulation SBSR (17 CFR
242.903(a)).
\833\ ``The [LEI] is a reference code--like a bar code--used
across markets and jurisdictions to uniquely identify a legally
distinct entity[.]'' Office of Financial Research, U.S. Treasury
Dep't, Legal Entity Identifier--Frequently Asked Questions,
available at https://www.financialresearch.gov/data/legal-entity-identifier-faqs/. ``The financial crisis underscored the need for a
global system to identify financial connections, so regulators and
private sector firms could understand better the true nature of risk
exposures across the financial system.'' Id. Using the LEI as a UIC
to facilitate tracking financial entity cybersecurity incidents and
risks is feasible because ``[t]he Global LEI System was established
for a large range of potential uses.'' The Legal Entity Identifier
Regulatory Oversight Committee (``LEIROC''), LEI Uses, available at
https://www.leiroc.org/lei/uses.htm. The functionality of the LEI is
such that it could be used to identify and track entities for
various purposes. For example, the LEI is one of three identifiers
that firms can use under a December 2022 U.S. Customs & Border
Protection Pilot for automation program for enhanced tracing in
international supply chains. See U.S. Customs and Border Protection,
Announcement of the National Customs Automation Program Test
Concerning the Submission Through the Automated Commercial
Environment of Certain Unique Entity Identifiers for the Global
Business Identifier Evaluative Proof of Concept, 87 FR 74157 (Dec.
2, 2022), available at https://www.federalregister.gov/documents/2022/12/02/2022-26213/announcement-of-the-national-customs-automation-program-test-concerning-the-submission-through-the.
\834\ Bank for Int'l Settlements, David Leung, et al., Corporate
Digital Identity: No Silver Bullet, but a Silver Lining, BIS Paper
No. 126, at 20 (June 2022), available at https://www.bis.org/publ/bppdf/bispap126.pdf. (``BIS Papers 126'') (stating that ``LEI data
[is] available free of charge to users in both the public and
private sector''). The FSOC has stated the LEI ``enables unique and
transparent identification of legal entities.'' FSOC, 2021 Annual
Report, at 171 (stating that ``[b]roader adoption of the LEI by
financial market participants continues to be a Council priority'').
The FSOC also has stated that the LEI ``facilitate[s] many financial
stability objectives, including improved risk management in firms
[and] better assessment of microprudential and macroprudential
risks[.]'' FSOC, 2022 Annual Report 99 (2022), available at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf. The
same principles that make the LEI well-suited for allowing
regulators to track entity exposures to financial market risks
across jurisdictions and entities should apply in other contexts,
such as cross-border payments. See FSB, FSB Options to Improve
Adoption of the LEI, in Particular for Use in Cross-border Payments
(July 7, 2022), available at https://www.fsb.org/wp-content/uploads/P070722.pdf.
\835\ FSB Peer Review Report; see also European Systemic Risk
Board, Francois Laurent, et al., The Benefits of the Legal Entity
Identifier for Monitoring Systemic Risk, Occasional Paper Series No.
18, (Sept. 2021) (``The fact that the LEI enables full reporting of
the group structure in the LEI database is also crucial for risk
analysis. Indeed, the risk usually stems from the group and not from
individual entities, and conducting a relevant risk analysis implies
aggregating exposures at the level of the group.''). For a
discussion of the cybersecurity implications of the
interconnectedness of Market Entities' information systems, see
section I.A.1 of this release.
\836\ See BIS Papers 126, at 16 (noting that ``[h]istorically,
corporate identification has mainly come from company registries in
individual jurisdictions[,]'' with the registries connected to the
filing of certain documents and the paying of required fees
necessary to create legal entities). Under company registry regimes,
each company typically is identified by name and ``a company
registration number'' that is not standardized across jurisdictions
and is not part of a harmonized system of corporate identification.
See id. (stating that ``[w]ith greater globalization of business and
finance, [the existing company registry system] has become a source
of inefficiency and risks from the standpoint of financial
stability, market integrity, and investor protection''). Further,
``company registries typically do not offer similar types of quality
programs for the corporate data they provide'' and that such data
generally is ``declarative--provided by the registrant'' without
independent verification or validation. See id. at 20.
---------------------------------------------------------------------------
b. Costs
Covered Entities would incur costs complying with the requirements
of proposed Rule 10 to provide immediate written electronic notice and
subsequent reporting about significant cybersecurity incidents to the
Commission and, in the case of certain Covered Entities, other
regulators, on Part I of proposed Form SCIR. The immediate notification
requirement would impose minimal costs given the limited nature of the
information that would need to be included in the written notice and
the fact that it would be filed electronically.
The costs of complying with the requirements to file Part I of
proposed Form SCIR to report a significant cybersecurity incident would
be significantly greater than the initial notice, given the amount of
information that would need to be included in the filing. In addition,
because Part I of proposed Form SCIR is a regulatory filing, Covered
Entities likely would incur costs associated with a legal and
compliance review prior to the form being filed on EDGAR.
In terms of the costs of filing Part I of Form SCIR on EDGAR,
several categories of Covered Entities already file forms in EDGAR.
Specifically, all transfer agents, SBSDs, MSBSPs, and SBSDRs must file
registration or reporting forms in EDGAR,\837\ and some broker-dealers
choose to file certain reports on EDGAR rather than filing them in
paper form. The applicable EDGAR forms for these entities are filed, at
least in part, in a custom XML. Covered Entities that do not currently
file registration or reporting forms on EDGAR would have to file a
notarized Form ID to receive a CIK number and access codes to file on
EDGAR.\838\ Consequently, the requirement to file Part I of proposed
Form SCIR in EDGAR using a form-specific XML may impose some compliance
costs on certain Covered Entities. These Covered Entities would need to
complete Form ID to obtain the EDGAR-system access codes that enable
entities to file documents through the EDGAR system. They would have to
pay a notary to notarize Form ID. The inclusion of a UIC on proposed
Form SCIR would not impose any marginal costs because a Covered Entity
would only be required to provide a UIC if they have already obtained
one.
---------------------------------------------------------------------------
\837\ SBSDRs received temporary relief from filing through
EDGAR. See Cross-Border Application of Certain Security-Based Swap
Requirements, Exchange Act Release No. 87780 (Dec. 18, 2019) [85 FR
6270, 6348 (Feb. 2, 2020)].
\838\ See section V of this release (discussing of the number of
Covered Entities who do not currently file forms in EDGAR and the
costs that would be associated with an EDGAR-filing requirement in
more detail).
---------------------------------------------------------------------------
To estimate the costs for Market Entities to research the validity
of a suspected significant cybersecurity incident and to provide
immediate written electronic notification to the Commission regarding
the significant cybersecurity incident that are real or reasonably
determined to be true, the Commission considered the initial and
ongoing compliance costs.\839\ The internal annual costs for these
requirements (which include an initial burden estimate annualized over
a three year period) are estimated to be $1,648.51 per Market Entity,
and $6,524,802.58 in total. These costs include a blended rate of $353
for an assistant general counsel, compliance manager, and systems
analyst for a total of 4.67 hours. The annual external costs for these
requirements are estimated to be $1,488 per Market Entity, and
$5,889,504 in total. This includes the cost of using outside legal
counsel at a rate of $496 per hour for a total of three hours.
---------------------------------------------------------------------------
\839\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
To estimate the costs for Covered Entities to fill out an initial
Part I of proposed Form SCIR, and file an amended Part I of Form SCIR,
the Commission considered the initial and ongoing compliance
costs.\840\ The internal annual costs for these requirements (which
include an initial burden estimate annualized over a three year period)
are estimated to be $1,077.50 per Covered Entity, and $2,143,147.50 in
total. These costs include a blended rate of $431 for an assistant
general counsel and compliance manager for a total of 2.5 hours. The
annual external costs for these requirements are estimated to be $992
per Covered Entity, and $1,973,088 in total. This includes the cost of
using outside legal counsel at a rate of $496 per hour for a total of
two hours.
---------------------------------------------------------------------------
\840\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
[[Page 20308]]
c. Request for Comment
The Commission requests comment on all aspects of the foregoing
analysis of the benefits and costs of the requirements to provide
immediate notification and subsequent reporting of significant
cybersecurity incidents. Commenters are requested to provide empirical
data in support of any arguments or analyses. In addition, the
Commission is requesting comment on the following matters:
8. Are the estimated compliance costs (both initially and on an
ongoing basis) for Covered Entities to provide the notification and
subsequent reports reasonable? If not, explain why and provide
estimates of the compliance costs.
9. Are there any other benefits and costs that the confidential
reporting would provide the Commission? If so, please describe them.
Please provide views on the costs of reporting significant
cybersecurity incidents to the Commission relative to the Commission's
cost estimates.
10. What are the costs and benefits associated with requiring
Covered Entities to file Part I of proposed Form SCIR using a
structured data language? Should the Commission require Covered
Entities to file Part I of proposed Form SCIR using a structured data
language, such as a custom XML? Should the Commission require Covered
Entities to file Part I of proposed Form SCIR using a different
structured data language than a custom XML, such as Inline XBRL? Why or
why not?
11. Are there any Covered Entities that should be exempted from the
proposed structured data requirements for filing Part I of proposed
Form SCIR? If so, what particular exemption threshold should the
Commission use for the structured data requirements and why?
12. Should Covered Entities be required to file proposed Form SCIR
with a CIK number? What are the costs and benefits associated with
requiring Covered Entities to identify themselves on Part I of proposed
Form SCIR with a CIK number?
13. Should Covered Entities be required to file Part I of proposed
Form SCIR with a UIC (i.e., such as an LEI), particularly when some
Covered Entities do not have a UIC and would have to obtain one? What
are the benefits associated with requiring Covered Entities with a UIC
to identify themselves with that UIC?
14. Would requiring a UIC on Part I of proposed Form SCIR allow the
Commission to better evaluate cybersecurity threats to Covered Entities
using data from other regulators and from law enforcement agencies?
Please explain how.
15. Are there any Covered Entities for which the proposed
structured data requirements for Part I of proposed Form SCIR should be
exempted? If so, what particular exemption threshold or thresholds
should the Commission use for the structured data requirements under
the proposed rule amendments, and why?
4. Public Disclosure of Cybersecurity Risks and Significant
Cybersecurity Incidents
Under proposed Rule 10, Covered Entities would need to publicly
disclose summary descriptions of their cybersecurity risks and the
significant cybersecurity incidents they experienced during the current
or previous calendar year on Part II of proposed Form SCIR.\841\ The
form would need to be filed with the Commission through the EDGAR
system and posted on the Covered Entity's business internet website
and, in the case of Covered Entities that are carrying or introducing
broker-dealers, provided to customers at account opening and at least
annually thereafter.
---------------------------------------------------------------------------
\841\ See sections II.B.3. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
a. Benefits
As discussed above, there exists an information asymmetry between
Covered Entities and their customers, counterparties, members,
registrants, or users.\842\ This information asymmetry, together with
limitations to private contracting, inhibits the ability of customers,
counterparties, members, registrants, and users to screen and
discipline the Covered Entities with whom they do business or obtain
services from based on the effectiveness of the Covered Entity's
cybersecurity policies. The public disclosure requirements of proposed
Rule 10 would help alleviate this information asymmetry, and in so
doing would enable customers, counterparties, members, registrants, or
users to better assess the effectiveness of Covered Entities'
cybersecurity preparations and the cybersecurity risks of doing
business with any one of them. For example, customers, counterparties,
members, registrants, or users could use the frequency or nature of
significant cybersecurity incidents--as disclosed under the proposed
public disclosure requirement--to infer a Covered Entity's effort
toward preventing cybersecurity incidents. Likewise customers,
counterparties, members, registrants, or users could use the
descriptions of cybersecurity risks to avoid certain Covered Entities
with less well-developed cybersecurity procedures.
---------------------------------------------------------------------------
\842\ See section IV.B. of this release (discussing broad
economic considerations).
---------------------------------------------------------------------------
Public disclosures mitigate the information asymmetry. Customers,
counterparties, members, registrants, or users can use the information
to understand better the risks of doing business with certain Covered
Entities. A Covered Entity disclosing that it addresses cybersecurity
risks in a robust manner and that it has not experienced a significant
cybersecurity incident or few such incidents could signal to customers,
counterparties, members, registrants, or users that customer
information, funds, and assets are safeguarded properly. In contrast,
disclosures of sub-par cybersecurity practices or a history of
significant cybersecurity incidents may convince customers,
counterparties, members, registrants, or users to not do business with
that Covered Entity.
In addition to mitigating information asymmetries with stakeholders
in general, public disclosure would also mitigate a source of
principal-agent problems in the customer-Covered Entity relationship.
As discussed above, Covered Entities may have different incentives than
customers in the area of cybersecurity prevention.\843\ Insofar as
principals (customers) prefer a higher level of cybersecurity focus by
agents (Covered Entities), public disclosure would act as an incentive
for Covered Entities to increase their focus in this area and signal
their commitment to protecting customers' funds and data.
---------------------------------------------------------------------------
\843\ See section IV.B. of this release (discussing broad
economic considerations).
---------------------------------------------------------------------------
The proposed requirement for Covered Entities to post the required
disclosures on their websites would help inform, for example, retail
customers about Covered Broker-Dealers because they are likely to look
for information about their broker-dealers on the firm's websites. In
addition, requiring the submission of Part II of proposed Form SCIR in
a custom XML data language would likely facilitate more effective and
thorough review, analysis, and comparison of cybersecurity risks and
significant cybersecurity incidents by the Commission and by Covered
Entities' existing and prospective customers, counterparties, members,
registrants, or users.\844\ The public disclosure
[[Page 20309]]
requirement of proposed Rule 10 expands Market Entities', other market
participants', the public's, the Commission's, and other regulatory
bodies' knowledge about the cybersecurity risks faced by Covered
Entities as well as their past experiences regarding significant
cybersecurity incidents that is beyond what is provided by current
Commission regulations.
---------------------------------------------------------------------------
\844\ While the Commission would separately receive the
information significant cybersecurity incidents impacting Covered
Entities thought the filings of Part I of proposed Form SCIR, those
filings would not include the Covered Entity's summary description
of the cybersecurity risks that could materially affect the Covered
Entity's business and operations and how it assesses, prioritizes,
and addresses those cybersecurity risks that would be disclosed on
Part II of proposed Form SCIR.
---------------------------------------------------------------------------
Requiring Covered Entities to file Part II of proposed Form SCIR
through the EDGAR system would allow the Commission--as well as
customers, counterparties, members, and users of Covered Entity
services--to download the Part II disclosures directly from a central
location, thus facilitating efficient access, organization, and
evaluation of the reported disclosures about significant cybersecurity
incidents. Likewise, because Part II of proposed Form SCIR would be
structured in SCIR-specific XML, the public disclosures would be
machine-readable and, therefore, more readily accessible to the public
and the Commission for comparisons across Covered Entities and time
periods. With centralized filing in EDGAR in a custom XML, Commission
staff as well as Covered Entities' customers, counterparties, members,
registrants, or users (and the Covered Entities themselves) would be
better able to assemble, analyze, review, and compare a large
collection of data about reported cybersecurity risks and significant
cybersecurity incidents, which could facilitate the efficient
identification of trends in cybersecurity risks and significant
cybersecurity incidents in the U.S. securities markets.
Centralized filing of the summary descriptions of the Covered
Entity's cybersecurity risks and significant cybersecurity incidents on
Part II of proposed Form SCIR in a structured format on EDGAR would
enable investors and others--such as other government agencies,
standard-setting groups, analysts, market data aggregators, and
financial firms--to more easily and efficiently compare how one Covered
Entity compares with others in terms of cybersecurity risks and
incidents. For example, banks assessing potential security-based swap
counterparties could efficiently aggregate and compare disclosures of
multiple security-based swap dealers. Similarly, public companies
deciding which transfer agent to use could efficiently aggregate and
compare the disclosures of many transfer agents.
These market participants would also be able to discern broad
trends in cybersecurity risks and incidents more efficiently due to the
central filing location and machine-readability of the disclosures. The
more efficient dissemination of information about trends regarding
cybersecurity risks and significant cybersecurity incidents could, for
example, enable Covered Entities to better and more efficiently
determine if they need to modify, change, or upgrade their
cybersecurity defense measures in light of those trends. Likewise, more
efficient assimilation of information about trends in significant
cybersecurity incidents could enable Covered Entities customers,
counterparties, members, or users and their services to more
efficiently understand and manage their cybersecurity risks.
Accordingly, centralized EDGAR filing of public cybersecurity
disclosures in a machine-readable data language could help reduce the
number of Covered Entities or their customers, counterparties, members,
or users that suffer harm from cybersecurity breaches, or reduce the
extent of such harm in the market, thus helping prevent or mitigate
cybersecurity-related disruptions to the orderly operations of the U.S.
securities markets.
Lastly, Covered Entities rely on electronic information,
communication, and computer systems to perform their functions.\845\
Because many Covered Entities play critical global financial system, a
cyberattack against Covered Entities without strong cybersecurity
protocols could lead to more widespread breaches. Therefore, the
centralized, public, structured filing of cybersecurity disclosures
with Part II of proposed Form SCIR, which would be updated promptly
upon the occurrence of a new significant cybersecurity incident, would
increase the efficiency with which new cybersecurity information would
be assimilated into the market, thereby also likely increasing the
speed with which Covered Entities could react to potential contagion.
This increased agility on the part of Covered Entities could reduce
potential contagion in the U.S. securities markets. Additionally,
Covered Entities would know that the centralized, public filing of
information about significant cybersecurity incidents would make
comparison with their competitors easier, and this could motivate
Covered Entities to take cybersecurity preparedness and risk management
more seriously than they might otherwise, either by devoting more
resources to cybersecurity or by addressing cybersecurity risks in a
more effective manner. Such an effect could help reduce the number and
extent of cybersecurity incidents, particularly those that negatively
impact the U.S. securities markets.
---------------------------------------------------------------------------
\845\ See section I.A.2. of this release (discussing how Covered
Entities use information systems).
---------------------------------------------------------------------------
As with Part I of proposed Form SCIR, the Commission also is
proposing to require Covered Entities to identify themselves on Part II
of proposed Form SCIR with a UIC, such as an LEI, if they have obtained
one, to help facilitate efficient collection and analysis of
cybersecurity incidents in the financial markets. The addition of UICs
could facilitate coordinated inter-governmental responses to
cybersecurity incidents that affect U.S. firms.\846\ Existing
identifiers that are not UICs are more limited in scope, such as CIK
numbers, which are Commission-specific identifiers for companies and
individuals that have filed reports with the Commission. This limits
their utility in analyzing and comparing significant cybersecurity
incidents among Covered Entities and non-Commission-regulated financial
institutions.
---------------------------------------------------------------------------
\846\ The Commission has recognized the benefits of LEIs in
other contexts. See Joint Industry Plan; Order Approving the
National Market System Plan Governing the Consolidated Audit Trail,
Release No. 34-79318; File No. 4-698 (Nov. 15, 2016), 81 FR 84696,
84745 (Nov. 23, 2016) (``The Commission believes use of the LEI
enhances the quality of identifying information for Customers by
incorporating a global standard identifier increasingly used
throughout the financial markets.''); Investment Company Reporting
Modernization, Release Nos. 33-10231; 34-79095; IC-32314; File No.
S7-08-15 (Oct. 13, 2016), 81 FR 81870, 81877 (Nov. 18, 2016)
(``Uniform reporting of LEIs by funds [] will help provide a
consistent means of identification that will facilitate the linkage
of data reported on Form N-PORT with data from other filings and
sources that is or will be reported elsewhere as LEIs become more
widely used by regulators and the financial industry.'').
---------------------------------------------------------------------------
The markets for different Covered Entities present customers,
counterparties, members, registrants, or users with a complex, multi-
dimensional, choice problem. In choosing a Covered Entity to work with,
customers, counterparties, members, registrants, or users may consider
cybersecurity risk exposure (i.e., financial, operational, legal,
etc.), past significant cybersecurity incidents, reputation, etc. While
the Commission is not aware of any studies that examine the role
perceptions of cybersecurity play in this choice problem, the extant
academic literature suggests that investors focus on salient, headline-
grabbing information, such as large losses of customer information,
when
[[Page 20310]]
making such choices.\847\ Details regarding significant cybersecurity
incidents may allow customers, counterparties, members, registrants, or
users to assess the severity of one incident compared to that of
another. However, the public disclosures will be generalized (i.e.,
summary descriptions) to a degree such that threat actors cannot take
advantage of known vulnerabilities. Therefore, to the extent that
cybersecurity disclosures from Covered Entities are ``boilerplate,''
they may be less informative.\848\ Thus, it may be difficult to choose
among Covered Entities that have experienced similar significant
cybersecurity incidents.
---------------------------------------------------------------------------
\847\ See, e.g., Brad M. Barber, Terrance Odean, and Lu Zheng,
Out of Sight, Out of Mind: The Effects of Expenses on Mutual Fund
Flows, 78 J. Bus. 2095 (2005) (``Out of Sight, Out of Mind'').
\848\ However, as discussed above, the process of adopting
``boilerplate'' language by Covered Entities may itself affect
improvements in policies and procedures.
---------------------------------------------------------------------------
Significant cybersecurity incidents--especially those that involve
loss of data or assets of customers, counterparties, members,
registrants, or users--are likely to garner attention. Thus, the
Commission expects that the proposed requirement to disclose
significant cybersecurity incidents would have a direct effect on the
choices of customers, counterparties, members, registrants, or users.
In addition, third parties such as industry analysts--who may be more
capable of extracting useful information across Covered Entities'
disclosures--may incorporate it in assessment reports that are
ultimately provided to customers, counterparties, members, registrants,
or users. Whether directly or indirectly, Covered Entities with subpar
cybersecurity policies and procedures--as revealed by a relatively
large number of significant cybersecurity incidents--could face
pressure to improve their policies procedures to reduce such
incidents.\849\
---------------------------------------------------------------------------
\849\ This assumes that customers, counterparties, members,
registrants, or users evaluating the Covered Entities would favor
those Covered Entities that include language that cites strong
cybersecurity procedures in their disclosures. Further, the
Commission assumes that customers, counterparties, members,
registrants, and users would prefer to do business with Covered
Entities that have ``superior'' cybersecurity procedures.
---------------------------------------------------------------------------
The disclosures of significant cybersecurity incidents also should
benefit a Covered Entity's current customers, counterparties, members,
registrants, or users if the Covered Entity experiences a significant
cybersecurity incident by providing notice that, for example, personal
information, transaction data, securities, or funds may have been
compromised. While the customers, counterparties, members, registrants,
or users that are directly impacted may be individually notified of
significant cybersecurity incidents based on individual state laws and
Commission rules, thus initiating timely remedial actions, other
parties may benefit from the disclosures. Specifically, customers,
counterparties, members, registrants, or users that are not affected by
a significant cybersecurity incident may take the time to change and
strengthen passwords, monitor account activity on a more consistent
basis, and audit their financial statements for discrepancies.
b. Costs
The requirements to have reasonably designed policies and
procedures to address cybersecurity risk and to report significant
cybersecurity incidents to the Commission by filing Part I of proposed
Form SCIR on EDGAR would--in practice--require the collection of the
information that also would be used in the proposed public disclosures
required to be made on Part II of proposed Form SCIR. Therefore, the
disclosure requirement itself would not impose significant compliance
costs beyond those already discussed with respect to the requirements
to have reasonably designed policies and procedures to address
cybersecurity risk and to report significant cybersecurity incidents to
the Commission by filing Part I of proposed Form SCIR on EDGAR.\850\
Generally, it is expected that a compliance analysis would be needed to
summarize the cybersecurity risks faced by the Covered Entity and a
summary of previous significant cybersecurity incidents. In addition,
there may be internal legal review of the public disclosure and
administrative costs would be incurred associated with posting the
disclosure on the Covered Entity's website.
---------------------------------------------------------------------------
\850\ See sections IV.D.2. and IV.D.3. of this release
(discussing the costs of those requirements).
---------------------------------------------------------------------------
However, if the action of disclosing summary descriptions of a
Covered Entity's cybersecurity risks and significant cybersecurity
incidents encourages the Covered Entity and/or other Covered Entities
to review their policies and procedures and potentially direct more
resources to cybersecurity protection, that would be an additional
cost. Moreover, the disclosures may impose costs due to market
reactions and exploitable information they may reveal to adverse
parties.
Depending on the Covered Entity, reports of many significant
cybersecurity incidents and, to a lesser extent, reports of greater
cybersecurity risks and exposure to financial, operational, legal,
reputational, or other consequences that could materially affect its
business and operations as a result of a cybersecurity incident
adversely impacting its information systems may bear costs arising from
reactions in the marketplace. That is, a Covered Entity may lose
business or suffer harm to its reputation and brand value.\851\ These
costs would be borne by the affected Covered Entity even if it made
reasonable efforts to prevent them. If customers, counterparties,
members, registrants, or users ``overreact'' \852\ to disclosures of
significant cybersecurity incidents, Covered Entities may pursue a
strategy of overinvesting in cybersecurity precautions (to avoid such
overreactions), resulting in reduced efficiency. The extent of such
costs likely depends on a number of factors, including the size of a
Covered Entity relative to others in the same category (e.g., Covered
Broker-Dealers, national securities exchanges, and clearing agencies),
the severity and scope of the cybersecurity incident, and the
availability of substitutes for a given Covered Entity.\853\
---------------------------------------------------------------------------
\851\ Customers, counterparties, members, registrants, and users
would be more likely to act in response to realized significant
cybersecurity incidents than in response to Covered Entities'
descriptions of their cybersecurity risks and how they address those
risks.
\852\ Such overreactions can be the result of overconfidence
about the precision of the signal. See, e.g., Kent Daniel, David
Hirshleifer and Avanidhar Subrahmanyam, Investor Psychology and
Security Market Under- and Overreactions, 53 J. Fin. 1839 (1998);
see also Out of Sight, Out of Mind.
\853\ One can differentiate between the smallest and largest
Covered Broker-Dealer. A large broker-dealer may be more able to
absorb more costs associated with a cybersecurity incident and
continue to stay in business than a small broker-dealer. In
addition, a large broker-dealer could have a more prestigious
reputation that may persuade customers to continue using it despite
the cybersecurity event. Or a large broker-dealer could have more
news about it in the public domain that dilutes bad news about
cybersecurity incidents, whereas a smaller firm's name may become
inextricably associated with one significant cybersecurity incident.
In addition, significant cybersecurity incidents that are crippling
and affect all of a Covered Entity's customers, counterparties,
members, registrants, and users would be more costly its reputation
than ones that are more localized. Lastly, the cost of lost business
for a Covered Entity may be muted if there are fewer competitors to
choose from. For example, there is only one national securities
association (i.e., FINRA) relative to 353 transfer agents. It
therefore could be costly in terms of lost business for a transfer
agent as its customers can transfer their business to one of the
many others that perform the same services.
---------------------------------------------------------------------------
The national securities exchanges and clearing agencies that are
currently registered with the Commission but are not active would not
incur any costs related to the proposed public disclosure requirement
if they remain inactive. However, if their operations restart, they
likely would incur
[[Page 20311]]
moderate costs associated with the disclosure because they may need to
restart their websites and provide summary descriptions of their
cybersecurity risks. No significant cybersecurity incidents would need
to be disclosed initially since they have been dormant for so long. In
addition, many transfer agents do not have websites. Therefore, those
transfer agents that do not have websites would incur the cost of
obtaining a domain name as well as establishing and maintaining a
website (either by themselves or using a third party) before being able
to post their public disclosures. Small, independent broker-dealers
also may not have websites. In a 2015 survey of 13 broker-dealers, 80%
of respondents stated that they have a web policy or program; however,
7.6% do not have a web policy or program and 13.3% of the respondents
were not sure. Furthermore, 47% of respondents reported that less than
half of their firm's advisors (i.e., registered representatives)
currently have a website. Interestingly, the survey participants noted
the value of having a website to establish credibility (80%), generate
leads (53%), get referrals (40%), qualify and engage prospects (40%)
and maintain existing client relationships (47%).\854\ The remaining
Market Entities likely have websites.
---------------------------------------------------------------------------
\854\ See Broker Dealers and Web Marketing: What You Should Know
(Dec. 9, 2015), available at https://www.advisorwebsites.com/blog/
blog/general/broker-dealers-and-web-marketing-what-you-should-
know#:~:text=While%2080%25%20of%20Broker-
Dealers%20reps%20we%20polled%20say,to%20build%20and%20maintain%20a%20
strong%20web%20presence.
---------------------------------------------------------------------------
Website costs can be broken into several categories: (1) obtaining
a domain name ($12 to $15 per year); (2) web hosting ($100 per month
for premium service); (3) website theme or template (one-time fee of
$20 to $200 or more); and SSL certificate ($10 to $200 per year).\855\
Ongoing website costs could be as high as $1,215 per year to maintain.
---------------------------------------------------------------------------
\855\ See Jennifer Simonson, website Hosting Cost Guide 2023,
Forbes, available at https://www.forbes.com/advisor/business/website-hosting-cost/.
---------------------------------------------------------------------------
Mandating the disclosure of significant cybersecurity incidents
entails a tradeoff. While disclosure can inform customers,
counterparties, members, registrants, and users, disclosure can also
inform cyber attackers that they have been detected. Also, disclosing
too much (e.g., the types of systems that were affected and how they
were compromised) could be used by threat actors to better attack their
targets, imposing subsequent potential losses on Covered Entities. For
example, announcing a significant cybersecurity incident naming a
specific piece of malware and the degree of compromise can provide
details about the structure of the target's computer systems, the
security measures employed (or not employed), and potentially suggest
promising attack vectors for future targets by other would-be
attackers.
Under proposed Rule 10, to mitigate these costs and to promote
compliance with the disclosure requirements, each Covered Entity would
be required to disclose summary descriptions of their cybersecurity
risks and significant cybersecurity incidents on Part II of proposed
Form SCIR.\856\ In the summary description of the significant
cybersecurity incident, the Covered Entity would need to identify: (1)
the person or persons affected; (2) the date the incident was
discovered and whether it is still ongoing; (3) whether any data were
stolen, altered, or accessed or used for any other unauthorized
purpose; (4) the effect of the incident on the Covered Entity's
operations; and (5) whether the Covered Entity, or service provider,
has remediated or is currently remediating the incident.\857\ Thus,
Covered Entities generally would not be required to disclose technical
details about significant cybersecurity incidents that could compromise
their cybersecurity protections going forward. As before, the costs
associated with conveying this information to attackers is
impracticable to estimate.\858\
---------------------------------------------------------------------------
\856\ See paragraph (d)(1) of proposed Rule 10.
\857\ See paragraph (d)(1)(ii) of proposed Rule 10.
\858\ As noted in section IV.B. of this release, firms are
generally hesitant to provide information about cyberattacks.
Similarly, cybercriminals are not generally forthcoming with data on
attacks, their success, or factors that made the attacks possible.
Consequently, data from which plausible estimates could be made is
not available.
---------------------------------------------------------------------------
While registering with the EDGAR system is free, the requirement to
centrally file Part II of proposed Form SCIR in EDGAR would impose
incremental costs on Covered Entities that have not previously filed
documents in EDGAR. More specifically, Covered Entities that have never
made a filing with the Commission via EDGAR would need to file a
notarized Form ID, which is used to request the assignment of access
codes to file on EDGAR. Thus, first-time EDGAR filers would incur
modest costs associated with filing Form ID.\859\ That said, Covered
Entities that already file documents in EDGAR would not incur the cost
of having to register with EDGAR. As discussed earlier, the extent to
which different categories of Covered Entities are already required to
file documents in EDGAR varies. For example, SBSDs, MSBSPs, SBSDRs, and
transfer agents are already required to file some forms in EDGAR.
---------------------------------------------------------------------------
\859\ Any Covered Entity that has made at least one filing with
the Commission via EDGAR since 2002 has been entered into the EDGAR
system by the Commission and will not need to file Form ID to file
electronically on EDGAR.
---------------------------------------------------------------------------
Likewise, as mentioned earlier, the Commission approved a UIC--
namely, the LEI--in a previous rulemaking. The Commission could approve
another standard identifier as a UIC in the future, but currently the
LEI is the only approved UIC. Covered Entities that already have an LEI
would not bear any cost to including it on proposed Form SCIR, as they
would have already paid to obtain and maintain an LEI for some other
purpose. Covered Entities that do not already have an LEI are not
required to obtain an LEI in order to file proposed Form SCIR, thus,
there is no additional cost to those Covered Entities that do not have
an LEI.
In addition, a Covered Broker-Dealer would be required to provide
the written disclosure form to a customer as part of the account
opening process. Thereafter, the Covered Broker-Dealer would need to
provide the customer with the written disclosure form annually and when
it is updated using the same means that the customer elects to receive
account statements (e.g., by email or through some type of postal
service). The Commission anticipates that the cost of initial and
annual reporting will be negligible because the report text can be
incorporated into other initial disclosures and periodic statements.
The cost of furnishing updated reports in response to significant
cybersecurity incidents depends on the degree to which such incidents
occur and are detected, which cannot reliably be predicted. The
Commission assumes that the delivery costs are the same regardless of
the delivery method.
To estimate the costs associated for a Covered Entity to file a
Part II of proposed Form SCIR with the Commission through EDGAR, as
well as post a copy of the form on its website, the Commission
considered the initial and ongoing compliance costs.\860\ The internal
annual costs for these requirements (which include an initial burden
estimate annualized over a three year period) are estimated to be
$1,377.46 per Covered Entity, and $2,739,767.94 in total. These costs
include a blended rate of $375.33 for an
[[Page 20312]]
assistant general counsel, senior compliance examiner, and compliance
manager for a total of 3.67 hours. The annual external costs for these
requirements are estimated to be $1,488 per Covered Entity, and
$2,959,632 in total. This includes the cost of using outside legal
counsel at a rate of $496 per hour for a total of three hours.
---------------------------------------------------------------------------
\860\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
To estimate the costs associated for a Covered Broker-Dealer to
deliver its disclosures to new customers, as well as deliver
disclosures to existing customers on an annual basis, the Commission
considered the initial and ongoing compliance costs.\861\ The internal
annual costs for these requirements (which include an initial burden
estimate annualized over a three year period) are estimated to be
$3,536.94 per Covered Broker-Dealer, and $5,450,424.54 in total. These
costs include a rate of $69 per hour for a general clerk for a total of
51.26 hours. It is estimated that there will be $0 annual external cost
for this additional disclosure requirement for Covered Broker-Dealers.
With respect to the additional disclosure fees for broker dealers, the
cost covers the clerks employed by the broker-dealers for stuffing
envelopes and mailing them out. The legal fees associated with drafting
the disclosure is already tied to the burden of filing the disclosure
in Part II of EDGAR and putting the disclosure on its website.
---------------------------------------------------------------------------
\861\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
c. Request for Comment
The Commission requests comment on all aspects of the foregoing
analysis of the benefits and costs of the requirements to provide
immediate notification and subsequent reporting of significant
cybersecurity incidents. Commenters are requested to provide empirical
data in support of any arguments or analyses. In addition, the
Commission is requesting comment on the following matters:
16. Please provide views on the benefits and costs associated with
posting the public disclosures on Covered Entities' websites and
submitting them to the Commission through EDGAR. Will the general
nature of the public disclosure be useful to Market Entities as well as
customers, counterparties, members, participants, and users? Should the
Commission require Covered Entities to both post cybersecurity risk and
incident histories on Covered Entity websites and file that information
on Part II of proposed Form SCIR in EDGAR? Should the Commission exempt
some subset(s) of Covered Entities from the requirement to file Part II
of proposed Form SCIR in EDGAR? If so, please explain. Should the
Commission exempt some subset(s) of Covered Entities from the
requirement to post cybersecurity risk and incident history information
on their websites? Explain.
17. Are the cost estimates associated with posting the public
disclosure on the Covered Entities' websites, submitting Part II of
proposed Form SCIR to the Commission through EDGAR, and providing
disclosures to new and existing customers reasonable? If not, explain
why? Are there any other benefits and costs of these proposed
requirements? If so, please describe them.
18. Are there any other costs and benefits associated with
requiring Covered Entities to file Part II of proposed Form SCIR using
a structured data language? If so, please describe them. Should the
Commission require Covered Entities to file Part II of proposed Form
SCIR using a structured data language, such as a custom XML? Should the
Commission require Covered Entities to file Part II of proposed Form
SCIR using a different structured data language than a custom XML, such
as Inline XBRL? Why or why not?
19. Are there any Covered Entities for whom the proposed structured
data requirements of Part II of proposed Form SCIR should be exempted?
If so, what particular exemption threshold or thresholds should the
Commission use for the structured data requirements under the proposed
rule amendments, and why?
20. Please provide views on the benefits and costs associated with
requiring Covered Entities to identify themselves on Part II of
proposed Form SCIR with both a CIK number and a UIC (such as an LEI)?
What would be the benefits and costs of requiring Covered Entities
without a UIC to obtain one in order to file Part II of proposed Form
SCIR? What, if any, standard identifiers should the Commission require
Covered Entities to use to identify themselves on Part II of proposed
Form SCIR?
21. What would be the benefits and costs of requiring Covered
Entities to place the required cybersecurity risk and incident history
disclosures on individual Covered Entity websites and in EDGAR with
Part II of proposed Form SCIR relative to the alternatives discussed
below in section IV.F. of this release? Should the Commission instead
adopt one of the alternatives for the requirements around where Covered
Entities must place the public cybersecurity disclosures? Specifically,
the Commission is proposing to require Covered Entities to publish the
disclosures on their individual firm websites and to file the
information in EDGAR using Part II of proposed Form SCIR. Should the
Commission eliminate one, or both, of those requirements?
22. Are there any Covered Entities for whom the proposed structured
data requirements for Part II of proposed Form SCIR should be exempted?
If so, what particular exemption threshold or thresholds should the
Commission use for the structured data requirements under the proposed
rule amendments, and why?
5. Record Preservation and Maintenance by Covered Entities
As discussed above, proposed Rule 10 would require a Covered Entity
to: (1) establish, maintain, and enforce written policies and
procedures that are reasonably designed to address cybersecurity risks;
(2) create written documentation of risk assessments; (3) create
written documentation of any cybersecurity incident, including its
response to and recovery from the incident; (4) prepare a written
report each year describing its annual review of its policies and
procedures to address cybersecurity risks; (5) provide immediate
written notice of a significant cybersecurity incident; (6) report a
significant cybersecurity incident on Part I of proposed Form SCIR; and
(7) provide a written disclosure containing a summary description of
its cybersecurity risk and significant cybersecurity incidents on Part
II of proposed Form SCIR. Consequently, proposed Rule 10 would require
a Covered Entity to create several different types of records, but it
would not include its own record preservation and maintenance
provisions. Instead, these requirements would be imposed through
amendments, as necessary, to the existing record preservation and
maintenance rules applicable to the Covered Entities. In particular,
the Commission is proposing to amend the record preservation and
maintenance rules for: (1) broker-dealers (i.e., Rule 17a-4); (2) SBS
Entities (i.e., Rule 18a-6); and (3) transfer agents (i.e., Rule 17ad-
7). The proposed amendments would specify that the Rule 10 Records must
be retained for three years. In the case of the written policies and
procedures to address cybersecurity risks, the record would need to be
maintained until three years after the termination of the use of the
policies and procedures.
The existing record maintenance and preservation rule applicable to
registered clearing agencies, the MSRB, national securities
associations, and
[[Page 20313]]
national securities exchanges (i.e., Rule 17a-1) requires these
categories of Covered Entities keep and preserve at least one copy of
all documents, including all correspondence, memoranda, papers, books,
notices, accounts, and other such records as shall be made or received
by the Covered Entity in the course of its business as such and in the
conduct of its self-regulatory activity. Under the existing provisions
of Rule 17a-1, registered clearing agencies, the MSRB, national
securities associations, and national securities exchanges would be
required to preserve at least one copy of the Rule 10 Records for at
least five years, with the first two years in an easily accessible
place. Similarly, the existing record maintenance and preservation rule
applicable to SBSDRs (i.e., Rule 13n-7) requires these Market Entities
to preserve records. And with respect to exempt clearing agencies, the
Commission is proposing to amend the clearing agency exemption orders
to add a condition that each exempt clearing agency must retain the
Rule 10 Records for a period of at least five years after the record is
made or, in the case of the written policies and procedures to address
cybersecurity risks, for at least five years after the termination of
the use of the policies and procedures.
a. Benefits
There would be a number of benefits for Covered Entities to
preserving and maintaining the Rule 10 records. With respect to
cybersecurity policies and procedures and the written documentation
concerning risk assessments and any cybersecurity incidents, the
Covered Entity's records could be reviewed for compliance purposes as
well as a reference in future self-conducted audits of the Covered
Entity's cybersecurity system. In addition, the written report each
year describing the Covered Entity's annual review of its policies and
procedures could be used to determine if the Covered Entity's
cybersecurity risk management program is working as expected and to see
if any changes should be made. Lastly, maintaining records of
compliance would assist the Commission in its oversight role,
particularly when conducting examinations of Covered Entities. With
respect to the immediate written notice of a significant cybersecurity
incident, as well as any submitted Part I of proposed Form SCIR, the
records would facilitate examination of Covered Entities for compliance
with proposed Rule 10.
Finally, with respect to the public disclosures that Covered
Entities would make on Part II of proposed Form SCIR, keeping records
of these forms and submissions would be beneficial to Covered Entities
for compliance purposes as well as use as a reference when updating the
public disclosure. For example, a Covered Entity would need to file an
updated Part II of proposed Form SCIR if the information in the summary
description of a significant cybersecurity incident included on the
form is no longer within the look-back period (i.e., the current or
previous calendar year). However, the retention period for the records
(e.g., three years in the case of broker-dealers, SBS Entities, and
transfer agents, or five years in the case of registered clearing
agencies, the MSRB, national securities associations, national
securities exchanges, SBSDRs, and certain exempt clearing agencies)
would require the Covered Entity to maintain a record of that
particular public disclosure for a longer period of time.
Benefits also arise due to the Commission's regulation and
oversight of Covered Entities with respect to their books and
records.\862\
---------------------------------------------------------------------------
\862\ The Commission also would retain copies of Parts I and II
of proposed Form SCIR filed through EDGAR.
---------------------------------------------------------------------------
b. Costs
The costs associated with preserving the Covered Entity's
cybersecurity policies and procedures and annual review are likely to
be small. The cost would result from the requirement to preserve the
Rule 10 Records for either three or five years. Given that the
incremental volume of records that each Covered Entity would be
required to retain would be relatively small, the costs should be
minimal. Moreover, Covered Entities subject to other record retention
requirements likely already have a system in place to maintain those
records. Therefore, adding the records associated with proposed Rule 10
likely would be a small burden.
To estimate the costs associated for a Covered Entity to comply
with its recordkeeping maintenance and preservation requirement, the
Commission considered the initial and ongoing compliance costs.\863\
The internal annual cost for this requirement is estimated to be $441
per Covered Entity, and $877,149 in total. These costs include a
blended rate of $73.50 for a general clerk and compliance clerk for a
total of 6 hours. It is estimated that there will be $0 annual external
cost for the recordkeeping maintenance and preservation requirement.
---------------------------------------------------------------------------
\863\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
c. Request for Comment
The Commission requests comment on all aspects of the foregoing
analysis of the benefits and costs of the proposed record preservation
and maintenance requirements. Commenters are requested to provide
empirical data in support of any arguments or analyses. In addition,
the Commission is requesting comment on the following matter:
23. Are there any other benefits and cost associated with the
requirements to preserve the Rule 10 Records? If so, please describe
them.
6. Policies and Procedures, Annual Review, Immediate Notification of
Significant Cybersecurity Incidents, and Record Preservation
Requirements for Non-Covered Broker-Dealers
As discussed earlier, proposed Rule 10 would require Non-Covered
Broker-Dealers to establish, maintain, and enforce written policies and
procedures that are reasonably designed to address their cybersecurity
risks taking into account the size, business, and operations of the
firm.\864\ The proposed rule also would require Non-Covered Broker-
Dealers to review the design and effectiveness of their cybersecurity
policies and procedures annually, including whether the policies and
procedures reflect changes in cybersecurity risk over the time period
covered by the review. Furthermore, Non-Covered Broker-Dealers would be
required to provide the Commission and their examining authority with
immediate written electronic notice of the occurrence of a significant
cybersecurity incident.\865\ The Commission also is proposing to amend
the record preservation and maintenance rule for broker-dealers (Rule
17a-4) to specifically require Non-Covered Broker-Dealers to preserve
certain records in connection with Rule 10.
---------------------------------------------------------------------------
\864\ See section II.C.1. of this release (discussing in more
detail the proposed policies and procedures, annual review, and
record preservation requirements for Non-Covered Broker-Dealers).
\865\ The Commission is not proposing that Non-Covered Broker
Dealers be subject to the requirements to file Parts I and II of
proposed Form SCIR and post copies of the most recently filed Part
II of proposed Form SCIR on their websites and provide copies of
that filing to their customers.
---------------------------------------------------------------------------
a. Benefits
The requirement under proposed Rule 10 for Non-Covered Broker-
Dealers to establish, maintain, and enforce written policies and
procedures that are reasonably designed to address their cybersecurity
risks would generally
[[Page 20314]]
improve cybersecurity preparedness of Non-Covered Broker-Dealers--and
hence reduce their clients' exposure to cybersecurity incidents. This
is because, in establishing and maintaining a set of cybersecurity
policies and procedures in a written format, a Non-Covered Broker-
Dealer can evaluate whether its cybersecurity policies and procedures
continue to work as designed and whether changes are needed to assure
their continued effectiveness. In addition, by permitting Non-Covered
Broker-Dealers to take into account their size, business, and
operations of the firm when designing their written policies and
procedures, Non-Covered Broker-Dealers can more efficiently utilize
their resources. Moreover, by requiring Non-Covered Broker-Dealers to
establish reasonably designed cybersecurity policies and procedures,
the Commission would be better able to understand the protections that
these broker-dealers put in place to address cybersecurity risk. During
an examination, the Commission can assess the adequacy and completeness
of a Non-Covered Broker-Dealers cybersecurity policies and procedures.
Documenting a Non-Covered Broker-Dealer's cybersecurity policies and
procedures in a written format also would aid the Commission in its
review and oversight.
Due to the varying sizes and operations of Non-Covered Broker-
Dealers, the benefits that accrue from the cybersecurity policies and
procedures requirement likely differ across entities. Because Non-
Covered Broker-Dealers are generally smaller and have fewer assets and
interconnections with other Market Entities than Covered Broker-
Dealers, there is less of a risk that a significant cybersecurity
incident at a Non-Covered Broker-Dealer could provide the threat actor
with access to other Market Entities. However, even though a Non-
Covered Broker-Dealer may not pose a significant overall risk to the
U.S. securities markets, a significant cybersecurity event at a Non-
Covered Broker-Dealer could have profound negative effects if a threat
actor is able to misappropriate customers' confidential financial
information. Consequently, greater cybersecurity investment by a Non-
Covered Broker-Dealer likely would lead to significant benefits for
itself and its customers.
Non-Covered Broker-Dealers may already have implemented
cybersecurity policies and procedures. The marginal benefits of the
proposed rule would be mitigated to the extent that these existing
policies and procedures are consistent with the proposed rule's
requirements. However, existing policies and procedures that are
already consistent with the proposed rule would facilitate Non-Covered
Broker-Dealers in conducting annual reviews, assessing the design and
effectiveness of their cybersecurity policies and procedures, and
making necessary adjustments.
The primary benefit of reviewing a Non-Covered Broker-Dealer's
cybersecurity policies and procedures on an annual basis would help to
ensure that they are working as designed, that they accurately reflect
the firm's cybersecurity practices, and that they reflect changes and
developments in the firm's cybersecurity risk over the time period
covered by the review. The documented policies and procedures would
serve as a benchmark when conducting the annual review. The Non-Covered
Broker-Dealer would be required, for compliance purposes and future
reference, to make a written record that documents the steps taken in
performing the annual review and the conclusions of the annual review.
Cybersecurity threats constantly evolve, and threat actors
consistently identify new ways to infiltrate information systems. An
annual review requirement would ensure that Non-Covered Broker-Dealers
conduct a regular assessment and undertake updates to prevent policies
and procedures from becoming stale or ineffective, in light of the
dynamism of cybersecurity threats.
The primary benefit of requiring Non-Covered Broker-Dealers to
retain their written cybersecurity policies and procedures as well as a
record of the annual reviews, is to assist the Commission in its
oversight function. In reviewing their records, Non-Covered Broker-
Dealers may see trends in their own cybersecurity risks, which may
serve as an impetus to make adjustments to their cybersecurity policies
and procedures. Furthermore, Proposed Rule 10 would expand beyond
current Commission regulations Non-Covered Broker-Dealers'
cybersecurity policies and procedures that address all cybersecurity
risks that may affect their information systems and the funds and
securities as well as personal, confidential, and proprietary
information that may be stored on those systems.
As noted above, Non-Covered Broker-Dealers would be required to
give the Commission immediate written electronic notice of a
significant cybersecurity incident upon having a reasonable basis to
conclude that the significant cybersecurity incident has occurred or is
occurring. Compared to the suite of proposed requirements for Covered
Entities, including filing Parts I and II of proposed Form SCIR and
publicly disclosing Part II (which would contain summary descriptions
of the Covered Entity's cybersecurity risks and significant
cybersecurity incidents that occurred in current and previous calendar
years), the proposed requirement to provide immediate written
electronic notice of significant cybersecurity incidents is relatively
small but can yield significant benefits. Most notably, such immediate
notifications would make Commission staff aware of significant
cybersecurity incidents across all broker-dealers and not just at
Covered Broker-Dealers, thus significantly increasing its oversight
powers in the broker-dealer space with respect to cybersecurity
incidents. Trends that impact Non-Covered Broker-Dealers, such as
through malware or a particular type of software, may be detected by
staff, which can then inform other Market Entities of emerging risks.
This is particularly important due to the interconnected nature of the
U.S. securities industry. Breaches that occur at Non-Covered Broker-
Dealers may spread to larger firms, such as Covered Entities, that
could cause more widespread financial disruptions. Furthermore, we
anticipate that the burden on Non-Covered broker dealers of furnishing
immediate written notification of a significant cybersecurity incident
will be minimal.\866\
---------------------------------------------------------------------------
\866\ See section IV.D.6.b. of this release.
---------------------------------------------------------------------------
b. Costs
The costs associated with proposed Rule 10 for Non-Covered Broker-
Dealers with respect to the written cybersecurity policies and
procedures requirements would primarily result from establishing
written cybersecurity policies and procedures that are reasonably
designed. Such costs may be passed on to the Non-Covered Broker-
Dealers' customers, either in part or in full.
Many Non-Covered Broker-Dealers currently have cybersecurity
policies and procedures in place; to the extent a Non-Covered Broker-
Dealer's existing policies and procedures are consistent with the
requirements of the proposed rule, those Non-Covered Broker-Dealers
would have limited need to update those policies and procedures, thus
mitigating the costs of the proposal. Non-Covered Broker-Dealers may be
subject to Regulation S-P, Regulation S-ID, and state regulations. In
those particular instances, they may have already implemented policies
and procedures that are consistent with the requirements of the
proposed Rule 10,
[[Page 20315]]
which would mitigate some of the compliance costs associated with the
proposed policies and procedures requirements.
The cost of complying with the proposed annual review requirement
along with the accompanying written review and conclusion would depend
on the size, business, and operations of the Non-Covered Broker-Dealer.
A Non-Covered Broker-Dealer with simpler operations likely would incur
lower annual review and modification costs than firms with larger
operations. Furthermore, a Non-Covered Broker-Dealer may choose to hire
a third-party for assistance or consultation regarding the completion
of a written annual review and conclusion. This cost, in those
situations, would depend on the services requested and the fees that
are charged by the third-parties and consultants. Such costs could be
passed along to the Non-Covered Broker-Dealer's customers depending on
the competitive nature of the Non-Covered Broker-Dealer's market and
its business model.
In either case, Non-Covered Broker-Dealers could tailor the
policies and procedures to its cybersecurity risks taking into account
its size, business, and operations. This offers Non-Covered Broker-
Dealers the flexibility to implement cybersecurity policies and
procedures based on the sophistication and complexity of their
information systems. Of course, the cost of cybersecurity systems and
modifications to cybersecurity policies and procedures may be higher as
the size, business, and operation of a Non-Covered Broker-Dealer
increases and becomes more complex.
The costs associated with giving the Commission immediate written
electronic notice of a significant cybersecurity incident are likely to
be relatively similar to, or possibly somewhat larger, than those
incurred by Covered Broker-Dealers. As noted previously, the cost of
immediate notification consists of notifying the Commission of a
significant cybersecurity incident upon having a reasonable basis to
conclude it has occurred or is occurring as well as researching the
detailing of the incident in question. Non-Covered Broker-Dealers may
be able to make the same determination and notify the Commission in the
same amount of time as their Covered Broker-Dealer counterparts.
However, smaller broker-dealers may not have the staffing or
information technology expertise to make a reasonable decision about a
suspected significant cybersecurity event as quickly as a Covered
Broker-Dealer that may have in-house staff dedicated to this function,
thus increasing the overall immediate notification cost. On the other
hand, smaller broker-dealers could instead contract with third parties
for cybersecurity functions that could identify plausible significant
cybersecurity attacks in the same amount of time as Covered Broker-
Dealers. Unlike Covered Broker-Dealers, Non-Covered Broker-Dealers do
not have to provide more detail beyond the immediate written
notification requirement. Additional information regarding significant
cybersecurity incidents do not have to be provided to the Commission on
a confidential basis through the filing of Part I of proposed Form
SCIR. Moreover, a summary of past incidents do not have to be publicly
disclosed on their websites and with the Commission.
To estimate the costs associated with the proposed policies and
procedures requirements and annual review requirements, the Commission
considered the initial and ongoing compliance costs.\867\ The internal
annual costs for these requirements (which include an initial burden
estimate annualized over a three year period) are estimated to be
$9,702 per Non-Covered Broker-Dealer, and $19,103,238 in total. These
costs include a blended rate of $462 for a compliance attorney and
assistant general counsel for a total of 21 hours. The annual external
costs for adopting and implementing the policies and procedures, as
well as the annual review of the policies and procedures are estimated
to be $2,480 per Non-Covered Broker-Dealer, and $4,883,120 in total.
This includes the cost of using outside legal counsel at a rate of $496
per hour for a total of five hours.
---------------------------------------------------------------------------
\867\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
The cost associated Non-Covered Broker Dealer to research a
suspected cybersecurity incident and provide immediate written
notification to the Commission were combined earlier with those costs
for Covered Entities.\868\ Broken out solely for Non-Covered Broker-
Dealers, the Commission considered the initial and ongoing compliance
costs. The internal annual costs for these requirements (which include
an initial burden estimate annualized over a three year period) are
estimated to be $1,648.51 per Non-Covered Broker-Dealer, and $3,245,916
in total. These costs include a blended rate of $353 for an assistant
general counsel, compliance manager, and systems analyst for a total of
4.67 hours. The annual external costs for these requirements are
estimated to be $1,488 per Non-Covered Broker-Dealer, and $2,959,872 in
total. This includes the cost of using outside legal counsel at a rate
of $496 per hour for a total of three hours.
---------------------------------------------------------------------------
\868\ See section IV.D.3.b. of this release (discussing the cost
of immediate notification).
---------------------------------------------------------------------------
Pursuant to proposed Rule 10, a Non-Covered Broker-Dealer would be
required to: (1) establish, maintain, and enforce written policies and
procedures that are reasonably designed to address the cybersecurity
risks of the firm; (2) make a written record that documents its annual
review; and (3) provide immediate electronic written notice to the
Commission of a significant cybersecurity incident upon having a
reasonable basis to conclude that the significant cybersecurity
incident has occurred or is occurring. The additional cost of the
proposed amendments to Rule 17a-4 of preserving and maintaining these
documents for three years, whether in paper or digital form, is likely
minimal.
To estimate the costs associated for a Non-Covered Broker-Dealer to
comply with its recordkeeping maintenance and preservation requirement,
the Commission considered the initial and ongoing compliance
costs.\869\ The internal annual cost for this requirement is estimated
to be $220.50 per Non-Covered Broker-Dealer, and $434,164.50 in total.
These costs include a blended rate of $73.50 for a general clerk and
compliance clerk for a total of 2 hours. It is estimated that there
will be $0 annual external cost for the recordkeeping maintenance and
preservation requirement.
---------------------------------------------------------------------------
\869\ See section V of this release (discussing these costs in
more detail).
---------------------------------------------------------------------------
c. Request for Comment
The Commission requests comment on all aspects of the foregoing
analysis of the benefits and costs of the proposed requirements for
Non-Covered Broker-Dealers. Commenters are requested to provide
empirical data in support of any arguments or analyses. In addition,
the Commission is requesting comment on the following matters:
24. What level of cybersecurity policies and procedures have Non-
Covered Broker-Dealers implemented? For example, would they meet the
cybersecurity policies and procedures requirements of the proposed
rule, thus making the compliance cost relatively low? Are those
policies and procedures documented?
25. Are there any other benefits and costs for a Non-Covered
Broker-Dealer
[[Page 20316]]
in establishing, maintaining, and enforcing written policies and
procedures under proposed Rule 10? If so, please describe them.
26. Are the estimated costs of compliance for Non-Covered Broker-
Dealers to establish, maintain, and enforce written policies and
procedures cybersecurity policies and procedures that comply with the
proposed rule reasonable? If not, why not?
27. Would Non-Covered Broker-Dealers consult with a third party or
hire a consultant with cybersecurity expertise in order to establish
the cybersecurity policies and procedures under proposed Rule 10?
28. Are there quantifiable benefits to complying with the
cybersecurity policies and procedures requirements of the proposed
rule? If so, please describe them. Are there quantifiable costs for
Non-Covered Broker-Dealers to review their cybersecurity policies
annually that are different than those discussed above? If so, describe
them.
29. Are there any other benefits in reviewing and updating Non-
Covered Broker-Dealers' cybersecurity policies and procedures on an
annual basis? If so, please describe them.
30. Is the estimated cost to review Non-Covered Broker-Dealers
cybersecurity policies and procedures reasonable? If not, explain why?
31. Would it be more or less costly to outsource the responsibility
of an annual review of cybersecurity policies and procedures to a third
party?
7. Substituted Compliance for Non-U.S. SBS Entities
Commission Rule 3a71-6 states that the Commission may,
conditionally or unconditionally, by order, make a determination with
respect to a foreign financial regulatory system that compliance with
specified requirements under such foreign financial regulatory system
by a registered SBS Entity or class thereof, may satisfy the certain
requirements that would otherwise apply to such an SBS Entity (or class
thereof). The Commission may make such substituted compliance
determinations to permit SBS Entities that are not U.S. persons (as
defined in 17 CFR 240.3a71-3(a)(4)), but not SBS Entities that are U.S.
persons, to satisfy the eligible requirements by complying with
comparable foreign requirements.\870\ The Commission is proposing to
amend Rule 3a71-6 to permit eligible applicants \871\ to seek a
Commission determination with respect to the cybersecurity requirements
of proposed Rule 10 and Form SCIR as applicable to SBS Entities that
are not U.S. persons.\872\ Additionally, Rule 3a71-6 currently permits
eligible applicants to seek a substituted compliance determination from
the Commission with regard to the requirements of Rule 18a-6, including
the proposed amendments to Rule 18a-6 if adopted.\873\
---------------------------------------------------------------------------
\870\ See 17 CFR 240.3a71-6(d).
\871\ See 17 CFR 240.3a71-6(c).
\872\ See section II.D.3.
\873\ See paragraph (d)(6) of Rule 3a71-6.
---------------------------------------------------------------------------
a. Benefits
The Commission is proposing amendments to Rule 3a71-6 to make
substituted compliance available to eligible SBS Entities that are not
U.S. persons, if the Commission determines that compliance with
specified requirements under a foreign financial regulatory system by a
registered SBS Entity, or class thereof, satisfies the corresponding
requirements of proposed Rule 10 and Form SCIR. Other regulatory
regimes may achieve regulatory outcomes that are comparable to the
Commission's proposed cybersecurity risk management requirements.
Allowing for the possibility of substituted compliance may avoid
regulatory duplication and conflict that may increase entities'
compliance burdens without an analogous increase in benefits. The
availability of substituted compliance could decrease the compliance
burden for non-U.S. SBS Entities, in particular as it pertains to the
establishment, maintenance, and enforcement of cybersecurity policies
and procedures, notification and reporting to regulators, disclosure of
cybersecurity risks and incidents, and record preservation. Allowing
for the possibility of substituted compliance may help achieve the
benefits of proposed Rule 10, Form SCIR, and the proposed amendments to
Rule 18a-6 in a manner that avoids the costs that SBS Entities that are
not U.S. persons would have to bear due to regulatory duplication or
conflict.
Further, substituted compliance may have broader market
implications, namely greater foreign SBSDs' activity in the U.S.
market, expanded access by both U.S. and foreign SBS Entities to global
liquidity, and reduced possibility of liquidity fragmentation along
jurisdictional lines. The availability of substituted compliance for
non-U.S. SBS Entities also could promote market efficiency, while
enhancing competition in U.S. markets. Greater participation and access
to liquidity is likely to improve efficiencies related to hedging and
risk sharing while simultaneously increasing competition between
domestic and foreign SBS Entities.
b. Costs
The Commission believes that the availability of substituted
compliance for proposed Rule 10, Form SCIR, and the proposed amendments
to Rule 18a-6 will not substantially alter the benefits intended by
those requirements. In particular, it is expected that the availability
of substituted compliance will not detract from the risk management
benefits that stem from implementing proposed Rule 10, Form SCIR, and
the proposed amendments to Rule 18a-6.
To the extent that substituted compliance reduces duplicative
compliance costs, non-U.S. SBS Entities may incur lower overall costs
associated with cybersecurity preparedness than they would otherwise
incur without the option of substituted compliance availability, either
because a non-U.S. SBS Entity may have already implemented foreign
regulatory requirements which have been deemed comparable by the
Commission, or because security-based swap counterparties eligible for
substituted compliance do not need to duplicate compliance with two
sets of comparable requirements.
A substituted compliance request can be made either by a foreign
regulatory jurisdiction on behalf of its market participants, or by the
registered market participant itself.\874\ The decision to request
substituted compliance is voluntary, and therefore, to the extent that
requests are made by individual market participants, such participants
would request substituted compliance only if compliance with foreign
regulatory requirements was less costly, in their own assessment, than
compliance with both the foreign regulatory regime and the relevant
Title VII requirements, including the requirements of proposed Rule 10,
Form SCIR, and the proposed amendments to Rule 18a-6. Even after a
substituted compliance determination is made, market participants would
only choose substituted compliance if the benefits that they expect to
receive exceed the costs that they expect to bear for doing so.
---------------------------------------------------------------------------
\874\ See 17 CFR 240.3a71-6(c).
---------------------------------------------------------------------------
E. Effects on Efficiency, Competition, and Capital Formation
As discussed in the foregoing sections, market imperfections could
lead to underinvestment in cybersecurity by Market Entities, and
information asymmetry could contribute
[[Page 20317]]
to a market-wide inefficient provision of cybersecurity defenses. The
proposed rule aims to mitigate the inefficiencies resulting from these
imperfections by: (1) imposing mandates for cybersecurity policies and
procedures that could reduce cybersecurity underinvestment; (2)
creating a reporting framework that could improve information sharing
and improved cybersecurity defense investment and protection; and (3)
providing public disclosure to inform Covered Entities' customers,
counterparties, members, registrants, or users about the Covered
Entities' cybersecurity efforts and experiences, thus potentially
reducing information asymmetry.\875\ While the proposed rule has the
potential to mitigate inefficiencies resulting from market
imperfections, the scale of the overall effect would depend on numerous
factors, including the state of existing of cybersecurity
preparations,\876\ the degree to which the proposed provisions induce
increases to these preparations, the effectiveness of additional
preparations at reducing cybersecurity risks,\877\ the degree to which
customers, counterparties, members, registrants, and users value
additional cybersecurity preparations,\878\ the degree of information
asymmetry and bargaining power between customers, counterparties,
members, registrants, and users vis-[agrave]-vis Market Entities,\879\
the bargaining power of Market Entities vis-[agrave]-vis service
providers,\880\ service providers' willingness to provide bespoke
contractual provisions to affected Market Entities,\881\ the
informational utility of the proposed disclosures, the scale of the
negative externalities on the broader financial system,\882\ the
effectiveness of existing information sharing arrangements, and the
informational utility of the required regulatory reports (as well as
the Commission's ability to make use of them).\883\
---------------------------------------------------------------------------
\875\ See sections IV.B. and IV.D. of this release (discussing
the broad economic considerations and benefits and costs of the
proposals, respectively.
\876\ See section IV.C.1. of this release. Here, the Commission
is concerned about the degree to which Market Entities' state of
cybersecurity preparations diverge from socially optimal levels.
\877\ Formally, the marginal product of the proposed policies
and procedures in the production of cybersecurity defenses.
\878\ Formally, customers', counterparties', members',
registrants', and users' utility functions--specifically the
marginal utilities of Covered Entities' and Non-Covered Broker-
Dealers' cybersecurity policies and procedures.
\879\ In other words, the degree to which customers,
counterparties, members, registrants, or users can affect the
policies of Market Entities. Generally, the Commission expects that
customers, counterparties, members, registrants, or users may be
smaller than the affected Market Entity with which they conduct
business and thus be subject to asymmetry and have limited ability
to affect the policies of the Market Entity. However, that may not
always be the case. For example, for customers of broker-dealers,
the situation is likely to involve more heterogeneity, with some
parties (e.g., small retail clients) wielding very little power over
the broker-dealer's policies while others (e.g., large institutional
investors) wielding considerable power.
\880\ In certain cases, a Covered Entity may determine that a
competing service provider can be used as a bargaining chip in the
renegotiation of existing service agreements, potentially imposing
substantial contracting costs on the parties, which would eventually
be passed on to the Covered Entities' customers, counterparties,
members, participants, or users.
\881\ Id.
\882\ See sections IV.D.2.a. and IV.D.2.b. of this release.
\883\ See section IV.D.3. of this release.
---------------------------------------------------------------------------
However, since the proposed cybersecurity policies and procedures
and related annual assessment are intended to prevent cybersecurity
incidents at Market Entities that would otherwise cause financial loss
and operational failure, compliance with the proposed rule likely would
result in a safer environment to engage in securities transactions that
protects the efficiency with which markets operate. Specifically, the
proposed requirements are intended to protect the efficiency of
securities market through the prevention of cybersecurity incidents
that can adversely impact Market Entities and that, in turn, can
interrupt the normal operations of U.S. securities markets and disrupt
the efficient flow of information and capital.
The additional requirements applicable to Covered Entities (namely,
the specific elements of the cybersecurity policies and procedures, the
reporting to the Commission of any significant cybersecurity incident
through Part I of proposed Form SCIR, and the disclosure of
cybersecurity risks and significant cybersecurity incidents) would also
allow for greater information sharing and would reduce the risk of
underinvestment in cybersecurity across the securities industry. For
example, confidential reporting to the Commission through Part I of
proposed Form SCIR would provide regulators with the opportunity to
promptly begin to assess the situation when a Covered Entity is
experiencing a significant cybersecurity incident and begin to evaluate
potential impacts on the market. In addition, public disclosures by
Covered Entities through Part II of proposed Form SCIR and website
postings would allow their customers, counterparties, members,
registrants, and users to manage risk and choose with whom to do
business, potentially allocating their resources to Covered Entities
with greater cybersecurity preparedness. In addition, the sharing of
information through public disclosures could assist in the development
and implementation of cybersecurity policies and procedures,
particularly by smaller and less sophisticated Market Entities which
likely have fewer resources to develop robust cybersecurity protocols.
Such information may be useful to them in in choosing one option over
another, potentially allowing those smaller and less sophisticated
Market Entities to develop their cybersecurity protection in the most
cost-effective way possible.
Because the proposed rule would likely have differential effects on
Market Entities along a number of dimensions, its overall effect on
competition among Market Entities may be difficult to predict in
certain instances. For example, smaller Market Entities, such as Non-
Covered Broker-Dealers and certain transfer agents are likely to face
disproportionately higher costs relative to revenues resulting from the
proposed rule.\884\ With respect to broker-dealers, the Commission has
endeavored to provide Non-Covered Broker-Dealers with a more limited
and flexible set of requirements that better suits their business
models and would therefore be less onerous. Still, a number of small
broker-dealers would be subject to the proposed rule as Covered
Entities, which could tilt the competitive playing field in favor of
their larger Covered Broker-Dealer counterparts.\885\ In addition, all
transfer agents would be Covered Entities under the proposed rule,
regardless of their size, so the same concern is present.
---------------------------------------------------------------------------
\884\ See section IV.B. of this release.
\885\ See section VI.C. of this release (noting that certain
small broker-dealers would meet the definition of ``covered entity''
for purposes of the proposed rule).
---------------------------------------------------------------------------
On the other hand, if customers, counterparties, members,
registrants, or users believe that the proposed rule effectively
induces the appropriate level of cybersecurity effort among Market
Entities, smaller Market Entities would likely benefit the most from
these improved perceptions, as they would be thought to have sufficient
cybersecurity policies and procedures in place compared to not having
enough cybersecurity protections. Similar differential effects can
occur within a particular group of Market Entities and service
providers that are more (or less) focused on their cybersecurity.
With respect to competition among Covered Entities' service
providers, the overall effect of the proposed rule and amendments is
similarly ambiguous. It is likely that requiring affected Covered
[[Page 20318]]
Entities to request oversight of service providers' cybersecurity
practices pursuant to a written contract would lead some service
providers to cease offering services to affected Covered Entities.\886\
The additional regulation could serve as a barrier to entry to new
service providers and could disproportionally affect would-be Market
Entities.
---------------------------------------------------------------------------
\886\ See section I.A.1. of this release.
---------------------------------------------------------------------------
In terms of capital formation, the proposed rule would have second-
order effects, namely through a safer financial marketplace. As noted
above, FSOC states that a destabilizing cybersecurity incident could
potentially threaten the stability of the U.S. financial system by
causing, among other things, a loss of confidence among a broad set of
market participants, which could cause participants to question the
safety or liquidity of their assets or transactions, and lead to
significant withdrawal of assets or activity.\887\ The Market Entities
covered by this rule play important roles in capital formation through
the various services they provide.\888\ Due to their interconnected
systems, a significant cybersecurity incident affecting Market Entities
could have a cascading effect across the U.S. financial system with a
significant impact on investor confidence, resulting in withdrawal of
assets and impairment of capital formation.
---------------------------------------------------------------------------
\887\ See FSOC 2021 Annual Report.
\888\ See sections I.A.1. and II.A.1. of this release.
---------------------------------------------------------------------------
The proposed rule provides the backbone for having sufficient
cybersecurity measures in place to protect customer information, funds,
and securities. Moreover, proposed provisions likely would lead to
increased efficiency in the market, thus resulting in improved capital
formation.\889\ With a more predictable investment environment due to
improved cybersecurity implementation by Market Entities and service
providers, capital formation through the demand for securities
offerings will be less prone to interruptions.
---------------------------------------------------------------------------
\889\ The proposed provisions do not implicate channels
typically associated with capital formation (e.g., taxation policy,
financial innovation, capital controls, intellectual property, rule-
of-law, and diversification). Thus, the proposed rule are likely to
have only indirect, second order effects on capital formation
arising from any improvements to economic efficiency. Qualitatively,
these effects are expected to be small.
---------------------------------------------------------------------------
As part of the analysis on competition, efficiency, and capital
formation, the Commission requests comment from all parties,
particularly the Market Entities that are affected by these proposed
rule:
a. Do firms within the Covered Entity and Non-Covered Broker-Dealer
groups compare their cybersecurity safety measures among themselves or
among firms of a particular type within a group (e.g., national
securities exchanges only or transfer agents only)? Does one entity's
level of cybersecurity protection incentivize competing entities to
improve their cybersecurity policies and procedures? Is it possible
that an entity with subpar cybersecurity protocols may be forced to
exit the market, either because of business migrating to its
competitors or because of the sheer number of cybersecurity incidents
at that entity?
b. Would better cybersecurity policies and procedures, especially
those that are reviewed and updated, provide more stability in the
securities markets that encourages additional investment?
c. Would public disclosures of cybersecurity risks and significant
cybersecurity incidents during the current or previous calendar year
encourage investment in cybersecurity protections that later provide
more stability in the market, thus encouraging capital formation?
d. Does the Commission's knowledge of cybersecurity incidents as
well as of the policy and procedures at Market Entities lead to a
calming effect on the market though oversight and compliance with the
proposed rule, which would then foster greater capital formation?
F. Reasonable Alternatives
1. Alternatives to the Policies and Procedures Requirements of Proposed
Rule 10
a. Require Only Disclosure of Cybersecurity Policies and Procedures
Without Prescribing Specific Elements
Rather than requiring Covered Entities to adopt cybersecurity
policies and procedures with specific enumerated elements, the
Commission considered requiring Covered Entities to only provide
explanations or summaries of their cybersecurity practices to their
customers, counterparties, members, registrants, or users. In this
alternative scenario, each Covered Entity would provide a disclosure
containing a general overview of its existing cybersecurity policies
and procedures, rather than be required to establish cybersecurity
policies and procedures pursuant to the requirements of paragraph (b)
of proposed Rule 10. Under this alternative, the general disclosure
about the Covered Entity's cybersecurity policies and procedures would
be publicly available to its customers, counterparties, members,
registrants, and users, but it would not reveal specific details of the
Covered Entity's policies and procedures. Further, under this
alternative, detailed and comprehensive information about the Covered
Entity's cybersecurity risks and protocols--including the policies and
procedures themselves--would remain internal to the Covered Entity. The
only other organizations that would be able to review or examine this
more detailed information would be the Commission, FINRA, the MSRB (to
the extent applicable), and other regulators with authority to examine
this information in the course of their oversight activities.
This alternative approach would create weaker incentives for
Covered Entities to address potential underspending on cybersecurity
measures, as it would rely, in part, on customers', counterparties',
members', registrants', or users' (or third parties' providing analyses
to those customers, counterparties, members, registrants, or users)
\890\ ability to assess the effectiveness of Covered Entities'
cybersecurity practices from the Covered Entities' public disclosures.
Further, any benefits to be gained by requiring public disclosure of a
Covered Entity's cybersecurity policies and procedures can also be
realized through the proposed rule's public disclosure requirement. In
particular, proposed Rule 10 would require each Covered Entity to
provide a summary description of the cybersecurity risks that could
materially affect its business and operations and how the Covered
Entity assesses, prioritizes, and addresses those cybersecurity risks.
In addition, each Covered Entity would need to disclose a summary
description of each significant cybersecurity incident that occurred
during the current or previous calendar year, if applicable. This
disclosure would serve as another way for market participants to
evaluate the Covered Entity's cybersecurity risks and vulnerabilities
apart from the general disclosure of its cybersecurity risks. As
mentioned above, this information could be useful to the Covered
Entity's customers, counterparties, members, registrants, or users to
manage their own cybersecurity risks and, to the extent they have
choice, select a Covered Entity with whom to transact or otherwise
conduct business.\891\
---------------------------------------------------------------------------
\890\ See section IV.D.1.a. of this release.
\891\ Furthermore, third-party financial service firms could
conduct studies on cybersecurity preparedness at Market Entities,
such as certain entities not being in line with industry practices
or standards, which also could inform the choices of customers,
counterparties, members, registrants, or users.
---------------------------------------------------------------------------
Given the cybersecurity risks of disclosing detailed explanations
of
[[Page 20319]]
cybersecurity practices (which would necessarily be disclosed if the
Covered Entity would be required to disclose its existing cybersecurity
policies and procedures),\892\ it is likely that requiring such
disclosure would result in the Covered Entity including only general
language in its disclosure and providing few, if any, specific details
that could be used by threat actors to take advantage of weak links in
a Covered Entity's cybersecurity preparedness. Consequently, this
alternative ``disclosure-only'' regime for cybersecurity policies and
procedures would be unlikely to provide enough information and detail
to differentiate between one Covered Entity's cybersecurity policies
and procedures from another's policies and procedures, thus maintaining
information asymmetry between the Covered Entity and other market
participants. If information asymmetry was maintained, it is unlikely
that meaningful change could be effected in the Covered Entities'
cybersecurity practices through market pressure or Commission oversight
over the Covered Entity's policies and procedures.\893\ Furthermore,
not requiring specific enumerated elements in cybersecurity policies
and procedures would likely result in less uniform cybersecurity
preparedness across Covered Entities, leaving market participants with
inconsistent information about the robustness of Covered Entities'
cybersecurity practices. However, if Market Entities believed that
providing more detailed information would give them a competitive
advantage, they would do so.
---------------------------------------------------------------------------
\892\ See section IV.D.2.b. of this release (discussing
tradeoffs of cybersecurity disclosure).
\893\ Here, changes in cybersecurity practices would depend
entirely on market discipline exerted by relatively uninformed
market participants.
---------------------------------------------------------------------------
On the other hand, the costs associated with this alternative
likely would be minimal relative to those associated with the proposed
requirements regarding written policies and procedures, as Covered
Entities would be unlikely to face pressure to adjust their existing
cybersecurity policies and procedures as long as they do not experience
any significant cybersecurity incidents. However, if a Covered Entity
does experience a significant cybersecurity incident, it may force the
Covered Entity to revise its existing cybersecurity policies and
procedures and consequently revise its disclosures to other market
participants concerning its cybersecurity policies and procedures. It
is also conceivable that being required to make public disclosures
regarding its cybersecurity policies and procedures or undergoing
third-party market analyses that aggregate these types of disclosures
(and may focus on, for example, the Covered Entity's lack of conformity
with industry practices and standards) may provide the impetus for a
Covered Entity to make its cybersecurity policies and procedures more
robust.
b. Limiting the Scope of the Proposed Cybersecurity Policies and
Procedures With Respect to Third-Party Service Providers
The Commission also considered limiting the scope of the proposed
requirement that the Covered Entity's policies and procedures require
oversight of service providers that receive, maintain, or process the
Covered Entity's information, or are otherwise permitted to access the
Covered Entity's information systems and the information residing on
those systems, pursuant to a written contract between the Covered
Entity and the service provider.\894\ Specifically, the Commission
considered narrowing the scope of service providers in the enumerated
categories discussed above \895\ and requiring a periodic review and
assessment of the pared-down list of service providers' cybersecurity
policies and procedures rather than apply the Service Provider
Oversight requirement to each service prover that receives, maintains,
or processes the Covered Entity's information, or is otherwise
permitted to access the Covered Entity's information systems and the
information residing on those systems. The types of service providers
that would still be covered by the written contract requirement would
be those that provide cybersecurity related-services as well as
business-critical services that are necessary for a Covered Entity to
operate its core functions. The Commission further considered requiring
service providers that receive, maintain, or process the Covered
Entity's information, or are otherwise permitted to access the Covered
Entity's information systems and the information residing on those
systems to provide security certifications in lieu of the written
contract requirement.
---------------------------------------------------------------------------
\894\ See paragraph (b)(1)(iii)(B) of proposed Rule 10 (setting
forth the Service Provider Oversight Requirement).
\895\ See section IV.C.2.h. of this release.
---------------------------------------------------------------------------
Narrowing the scope of the types of service providers affected by
the proposal could lower costs for Covered Entities, especially smaller
Covered Entities that rely on generic contracts with service providers
(because they have less negotiating power with their service providers)
and would have difficulty effecting changes in contractual terms with
such service providers.\896\ However, in the current technological
context in which businesses increasingly rely on third-party ``cloud
services'' that effectively place business data out of the business'
immediate control, the cybersecurity risk exposure of Covered Entities
is unlikely to be limited to (or even concentrated in) certain named
service providers. Narrowing the scope of service providers likely
would lead to lower costs only insofar as it reduces effectiveness of
the regulation. A related basis to reject this alternative is the
signaling effect that it sends to threat actors. By excluding certain
categories of service providers, the Commission could be providing
information to threat actors about which service providers would be
easiest to attack, as that universe of excluded vendors may have
relatively inferior policies and procedures than vendors that are
covered by the proposed rule.
---------------------------------------------------------------------------
\896\ See section IV.D.1.b. of this release (discussing service
providers).
---------------------------------------------------------------------------
Alternatively, maintaining the proposed scope but only requiring a
standard, recognized, certification in lieu of a written contract could
also lead to cost savings for Covered Entities, particularly if the
certification is completed in-house or if a particular entity has many
service contracts with different third parties that specify they are in
compliance with the certification.\897\ However, the Commission
preliminary believes that it would be difficult to prescribe a set of
characteristics for such a ``standard'' certification that would
sufficiently address the varied types of Covered Entities and their
respective service providers.\898\ Another difficulty may be that if a
single third-party entity is used for the certification, that entity
would have to be well-versed in all contracted services in order to
accurately assess them for compliance. In contrast, individualized
contracts with each
[[Page 20320]]
service provider likely would ensure better compliance with the intent
of the proposed rule as those third-party providers specialize in the
services that they offer.
---------------------------------------------------------------------------
\897\ Service providers may currently be providing
certifications as part of a registrant's policies and procedures.
See also section II.B.1.g. of this release (seeking comment on
alternative approaches to the Service Provider Oversight
Requirement, including whether this cybersecurity risk could be
addressed through policies and procedures to obtain written
assurances or certifications from service providers that the service
provider manages cybersecurity risk in a manner that would be
consistent with how the Covered Entity would need to manage this
risk under paragraph (b) of proposed Rule 10).
\898\ See section IV.C.3. of this release(discussing the variety
of affected registrants); see also section IV.F.1. of this release
(discussing the limitations of uniform prescriptive requirements).
---------------------------------------------------------------------------
c. Require Specific Standardized Elements for Addressing Cybersecurity
Risks of Covered Entities
The Commission considered including more standardized elements in
that would need to be included in a Covered Entity's cybersecurity
policies and procedures. For example, Covered Entities could be
required to implement particular controls (e.g., specific encryption
protocols, network architecture, or authentication procedures) that are
designed to address each general element of the required cybersecurity
policies and procedures. Given the considerable diversity in the size,
focus, and technical sophistication of affected Covered Entities,\899\
any specific requirements likely would result in some Covered Entities
needing to substantially alter their cybersecurity policies and
procedures.
---------------------------------------------------------------------------
\899\ See section IV.C.3. of this release.
---------------------------------------------------------------------------
The potential benefit of such an approach would be to provide
assurance that Covered Entities have implemented certain specific
cybersecurity practices. But this approach would also entail
considerably higher costs, as many Covered Entities would need to
adjust their existing practices to something else that is more costly
than potential alternatives that could provide the same outcome level
of protection. In addition, considering the variety of Covered Entities
registered with the Commission, it would be exceedingly difficult for
the Commission to devise specific requirements that are appropriately
suited for all Covered Entities: a uniform set of requirements would
certainly be both over- and under-inclusive, while providing varied
requirements based on the circumstances of each Covered Entity would be
complex and impractical. For example, standardized requirements that
ensure reasonably designed cybersecurity policies and procedures for
the largest, most sophisticated and active Covered Entities would
likely be overly burdensome for smaller and less sophisticated Covered
Entities with more limited cybersecurity risk exposures. Conversely, if
these standardized requirements were tailored to smaller Covered
Entities with more limited operations or cybersecurity risks, such
requirements likely would be inadequate in addressing larger Covered
Entities' cybersecurity risks. As a result, instituting blanket
requirements likely would not provide the most efficient and cost-
effective way of instituting appropriate cybersecurity policies and
procedures.
An important cost associated with this approach is the burden and
complexity of prescribing detailed technical requirements tailored to
the broad variety of Covered Entities that would be subject to proposed
Rule 10. More broadly, imposing standardized requirements would
effectively place the Commission in the role of dictating details
related to the information technology practices of Covered Entities
without the benefit of the Covered Entities' knowledge of their own
particular circumstances. Moreover, given the complex and constantly
evolving cybersecurity landscape, detailed regulatory requirements for
cybersecurity practices would likely limit Covered Entities' ability to
adapt quickly to changes in the cybersecurity landscape.\900\
---------------------------------------------------------------------------
\900\ If as in the previous example, the Commission were to
require Covered Entities to adopt a specific encryption algorithm,
future discovery of vulnerabilities in that algorithm would prevent
registrants from fully mitigating the vulnerability (i.e., switching
to improved algorithms) in the absence of Commission action.
---------------------------------------------------------------------------
d. Require Audits of Internal Controls Regarding Cybersecurity
Instead of requiring all Market Entities to establish, maintain,
and enforce cybersecurity policies and procedures, the Commission
considered requiring these entities to obtain audits of the
effectiveness of their existing cybersecurity controls--for example,
obtaining third-party audits with respect to their cybersecurity
practices. This approach would not require Market Entities to
establish, maintain, and enforce written policies and procedures that
are reasonably designed to address their cybersecurity risks as
proposed, but instead would require Market Entities to engage an
independent, qualified third party to assess their cybersecurity
controls and prepare a report describing its assessment and any
potential deficiencies.
Under this alternative, an independent third party (e.g., an
auditing firm) would certify to the effectiveness of the Market
Entities' cybersecurity practices. If the firms providing such
certifications have sufficient reputational motives to issue credible
assessment,\901\ and if the scope of such certifications is not overly
circumscribed,\902\ it is likely that Market Entities' cybersecurity
practices would end up being more robust under this alternative than
under the current proposal. By providing certification of a Market
Entities' cybersecurity practices, a firm would--in effect--be lending
its reputation to the Market Entity. Because ``lenders'' are naturally
most sensitive to downside risks (here, loss of reputation, lawsuits,
damages, and regulatory enforcement actions), one would expect them to
avoid ``lending'' to Market Entities with cybersecurity practices whose
effectiveness is questionable.\903\
---------------------------------------------------------------------------
\901\ This would be the case if there was sufficient market
pressure or regulatory requirements to obtain certification from
``reputable'' third-parties with business models premised on
operating as a going-concern and maintaining a reputation for
honesty.
\902\ In this alternative, it is assumed that certification
would not be limited to only evaluating whether a Market Entity's
stated policies and procedures are reasonably designed, but rather
also would include an assessment of whether the policies and
procedures are actually implemented in an effective manner.
\903\ Under the proposal it is the Market Entity itself that
effectively ``certifies'' its own cybersecurity policies and
procedures. Like the third-party auditor, the Market Entity faces
down-side risks from ``certifying'' inadequate cybersecurity
practices (i.e., Commission enforcement actions). However, unlike
the auditor, the Market Entity also realizes the potential up-side:
cost savings through reduced cybersecurity expenditures.
---------------------------------------------------------------------------
While certification by industry-approved third parties could lead
to more robust cybersecurity practices, the costs of such an approach
would likely be considerably higher. Because of the aforementioned
sensitivity to downside risk, firms would likely be hesitant to provide
cybersecurity certifications without a thorough understanding of a
Market Entity's systems and practices. In many cases, developing such
an understanding would involve considerable effort particularly for
certain larger and more sophisticated Covered Entities.\904\ In
addition, there may be a need for a consensus as to what protocols
constitute industry standards in which certifying third parties would
need to stay proficient. Finally, while such a scenario is somewhat
similar to the Service Provider Oversight Requirement, this alternative
does not allow for immediate repercussions or remediation if the third-
party finds deficiencies in the Covered Entity's cybersecurity policies
and procedures. The Commission would need to have a copy of the report
and audit the Market Entity to ensure that Market Entity subsequently
resolved the problem(s). This leads to an inefficient method of
implementing reasonably
[[Page 20321]]
designed cybersecurity policies and procedures.
---------------------------------------------------------------------------
\904\ It would be difficult for an auditor to provide a credible
assessment of the effectiveness of the Market Entity's cybersecurity
practices without first understanding the myriad of systems involved
and how those practices are implemented. Presumably, a Market Entity
would not bear these costs as it is likely to possess such an
understanding.
---------------------------------------------------------------------------
e. Bifurcate Non-Broker-Dealer Market Entities Into Covered Entities
and Non-Covered Entities
The Commission considered bifurcating other categories of Market
Entities into Covered Entities and Non-Covered Entities (in addition to
broker-dealers) based on certain characteristics of the firm such that
the Non-Covered Entities would not be required to include certain
elements in their cybersecurity risk management policies and
procedures. For example, the Commission considered defining as Non-
Covered Entities Market Entities with assets below a certain threshold
or with only a limited number of customers, counterparties, members,
registrants, or users. This approach also could be scaled based on a
Covered Entity's size, business, or another criterion, similar to the
proposed distinction between Covered Broker-Dealers and Non-Covered
Broker-Dealers. However, as discussed above, cybersecurity risks are
likely to be unique to each Covered Entity primarily because Covered
Entities vary drastically based on their size, business, and the
services they provide. It would be difficult come up with one
characteristic that is common to all Covered Entities such that each of
them can be both broken out into separate groups. For example, it would
be difficult to differentiate between transfer agents the same way one
could distinguish between large and small clearing agencies or even
harder, national securities associations. The only effective way to
differentiate firms with a given Covered Entity category is to choose a
characteristic that is sensible for the type of Covered Entity.\905\
---------------------------------------------------------------------------
\905\ For additional detail on the importance of each of the
proposed Covered Entity's role in the U.S. securities markets, see
section I.A.2. of this release (discussing critical operations of
each Market Entity). See also section II.A.1. of this release
(discussing why it would not be appropriate to exclude small
transfer agents and certain small broker-dealers from the definition
of Covered Entity).
---------------------------------------------------------------------------
Finally, as discussed earlier, in determining which Market Entities
should be Covered Entities and which should be Non-Covered Entities,
the Commission considered: (1) how the category of Market Entity
supports the fair, orderly, and efficient operation of the U.S.
securities markets and the consequences if that type of Market Entity's
critical functions were disrupted or degraded by a significant
cybersecurity incident; (2) the harm that could befall investors,
including retail investors, if that category of Market Entity's
functions were disrupted or degraded by a significant cybersecurity
incident; (3) the extent to which the category of Market Entity poses
cybersecurity risk to other Market Entities though information system
connections, including the number of connections; (4) the extent to
which the category of Market Entity would be an attractive target for
threat actors; and (5) the personal, confidential, and proprietary
business information about the category of Market Entity and other
persons (e.g., investors) stored on the Market Entity's information
systems and the harm that could be caused if that information were
accessed or used by threat actors through a cybersecurity breach.\906\
However, the Commission seeks comment on this topic, particularly if
certain proposed Covered Entities should be Non-Covered Entities with
attendant reduced requirements.\907\
---------------------------------------------------------------------------
\906\ See section II.A.1. of this release.
\907\ See section II.A.10. of this release.
---------------------------------------------------------------------------
f. Administration and Oversight of Cybersecurity Policies and
Procedures of Covered Entities
The Commission considered various alternative requirements with
respect to administration and oversight of Covered Entities'
cybersecurity policies and procedures, such as requiring them to
designate a CISO (or another individual that serves in a similar
capacity) or requiring the boards of directors (to the extent
applicable), to oversee directly a Covered Entity's cybersecurity
policies and procedures. There is a broad spectrum of potential
approaches to this alternative, ranging from the largely nominal (e.g.,
requiring Covered Entities simply to designate someone to be a CISO) to
the stringent (e.g., requiring a highly-qualified CISO to attest to the
effectiveness of the Covered Entities' policies).
Stringent requirements, such as requiring an attestation from a
highly qualified CISO as to the effectiveness of a Covered Entity's
cybersecurity practices in specific enumerated areas, could be quite
effective. Expert practitioners in cybersecurity are in high demand and
command high salaries.\908\ Thus, such an approach would impose
substantial ongoing costs on Covered Entities who do not already have
appropriately qualified individuals on staff. This burden would be
disproportionately borne by smaller Covered Entities, such as small
Covered Broker-Dealers or small transfer agents, for whom keeping a
dedicated CISO on staff would be cost prohibitive. Allowing Covered
Entities to employ part-time CISOs would mitigate this cost burden, but
such requirements would likely create a de facto audit regime. Such an
audit regime would certainly be more effective if explicitly designed
to function as such.\909\
---------------------------------------------------------------------------
\908\ A recent survey reports CISO median total compensation of
$668,903 for CISOs at companies with revenues of $5 billion or less.
See Matt Aiello and Scott Thompson, 2020 North American Chief
Information Security Officer (CISO) Compensation Survey (2020),
available at https://www.heidrick.com/-/media/heidrickcom/publications-and-reports/2020-north-american-chief-information-security-officer-ciso-compensation-survey.pdf.
\909\ In designing an effective audit regime, aligning
incentives of auditors to provide credible assessments is a central
concern. In the context of audit regimes, barriers to entry and the
reputation motives of auditing firms helps align incentives. It
would be considerably more difficult to obtain similar incentive
alignment with itinerant part-time CISOs. See section IV.F.1.e. of
this release (describing the audit regime alternative).
---------------------------------------------------------------------------
2. Alternatives to the Requirements of Proposed Form SCIR and Related
Notification and Disclosure Requirements of Proposed Rule 10
a. Public Disclosure of Part I of Proposed Form SCIR
The Commission considered requiring the public disclosure of Part I
of proposed Form SCIR. Making Part I of proposed Form SCIR filings
public would increase the knowledge of a Covered Entity's customer,
counterparties, members, registrants, or users about significant
cybersecurity incidents impacting the Covered Entity and thus improve
their ability to draw inferences about a Covered Entity's level of
cybersecurity preparations. At the same time, doing so could assist
would-be threat actors, who may gain additional insight into the
vulnerabilities of a Covered Entity's system. As discussed above,
releasing too much detail about a significant cybersecurity incident
could further compromise cybersecurity of the victim, especially in the
short term.\910\ Given these risks, requiring public disclosure of Part
I of proposed Form SCIR filings would likely have the effect of
incentivizing Covered Entities to significantly reduce the detail
provided in these filings. As a result, the information set of
customers, counterparties, members, registrants, users, and would-be
attackers would remain largely unchanged (vis-[agrave]-vis the
proposal), while the ability of the Commission to facilitate
information sharing and to coordinate responses aimed at reducing
overall risks to the financial system would be diminished.
---------------------------------------------------------------------------
\910\ See section IV.B. of this release.
---------------------------------------------------------------------------
[[Page 20322]]
b. Modify the Standard Identifier Requirements for Proposed Form SCIR
In addition to proposing to require Covered Entities to identify
themselves on Parts I and II of proposed Form SCIR with CIK numbers,
the proposed rule requests that Covered Entities with a UIC--such as an
LEI--include that identifier, if available, on both parts of proposed
Form SCIR. Those Covered Entities that do not have a UIC may file
either part of proposed Form SCIR without a UIC; they are not required
to obtain a UIC prior to filing proposed Form SCIR.
The Commission considered modifying the requirement that Covered
Entities identify themselves on proposed Form SCIR with CIK numbers and
UICs (if they have UICs). For example, the Commission could eliminate
the requirement that Covered Entities identify themselves on the forms
with a standard identifier, or the Commission could allow Covered
Entities to select a different standard identifier (or identifiers)
other than CIK numbers or UICs (if available). Alternatively, the
Commission could require the use of only one proposed standard
identifier--either CIK numbers, UICs (which would require Covered
Entities to obtain a UIC--such as an LEI--if they do not have
one),\911\ or some other standard identifier. While CIK numbers are
necessary to file in EDGAR and, as discussed earlier, the Commission
anticipates that significant benefits would flow from requiring Parts I
and II of proposed Form SCIR to be filed centrally in EDGAR using a
structured data language. Accordingly, the Commission's proposal would
require Covered Entities to identify themselves on the forms with CIK
numbers. One limitation of CIK numbers, however, is that they are a
Commission-specific identifier, which limits their utility for
aggregating, analyzing, and comparing financial market data involving
market participants that are not Commission registrants and EDGAR
filers.
---------------------------------------------------------------------------
\911\ Further, the Commission recognizes that some Covered
Entities may not have LEIs, which means that those Covered Entities
would have to register with a Local Operating Unit (``LOU'') of the
Global LEI System and pay fees initially and annually to obtain and
renew the LEI. See LEIROC, How To Obtain an LEI, available at
https://www.leiroc.org/lei/how.htm. A list of LOUs accredited by
GLEIF can be found at https://www.gleif.org/en/about-lei/get-an-lei-find-lei-issuing-organizations. Currently, U.S. entities may obtain
an LEI for a one-time fee of $65 and an annual renewal fee of $50.
See Bloomberg Finance L.P., Fees, Payments & Taxes (2022), available
at https://lei.bloomberg.com/docs/faq#what-fees-are-involved.
---------------------------------------------------------------------------
While the proposed rule does not require the inclusion of UICs on
proposed Form SCIR for those Covered Entities that do not have a UIC,
the Commission notes that the use of UICs would be beneficial because
the LEI, as a Commission-approved UIC, is a low-cost, globally-utilized
financial institution identifier that is available even to firms that
are not EDGAR filers or Commission registrants. For that reason, the
Commission considered proposing to require that every Covered Entity
that would need to file Part I or II of proposed Form SCIR to identify
themselves with a UIC. There is benefit to including a UIC identifier
on proposed Form SCIR. Among the alternative entity identifier policy
choices considered, requiring Covered Entities to identify themselves
on Parts I and II of proposed Form SCIR with a UIC is superior to other
alternatives, such as not requiring an entity identifier on proposed
Form SCIR or requiring only CIK numbers. Specifically, the mandatory
inclusion of a UIC on (Parts I and II of) proposed Form SCIR could
allow for greater inter-governmental and international coordination of
responses to cybersecurity incidents affecting financial institutions
globally because the LEI is a globally-utilized digital identifier that
is not specific to the Commission. Other regulatory entities and
bodies, including the CFTC, Alberta Securities Commission (Canada),
European Markets and Securities Authority, and Monetary Authority of
Singapore, require the use of an LEI.\912\ Another benefit of the LEI
is that the legal entity's identity is verified by a third party upon
issuance of the LEI and upon annual renewal of the LEI. Additionally,
LEIs contain ``Level 2'' information about the linkages between the
entities being identified and their various parents and subsidiaries,
which is particularly beneficial considering that some financial firms
and Commission registrants have complex, interlocking relationships
with affiliates and subsidiaries that can be different types of
Commission-regulated firms.
---------------------------------------------------------------------------
\912\ In addition, the FSB has stated that ``[t]he use of the
LEI in regulatory reporting can significantly improve the ability of
the public sector to understand and identify the build-up of risk
across multiple jurisdictions and across complex global financial
processes.'' FSB Peer Review Report.
---------------------------------------------------------------------------
A UIC requirement for Parts I and II of proposed Form SCIR would
not impose additional costs on those Covered Entities that already have
an LEI. For those Covered Entities that do not have an LEI, they would
need to obtain one before filing either part of proposed Form SCIR. An
LEI can be obtained for a $65 initial cost and a $50 per year renewal
cost.\913\ There also are administrative costs associated with filling
out the paperwork to obtain the LEI as well as to process payments for
the initial issuance of an LEI and its maintenance. The Commission
expects that this cost would be small relative to the benefit that
could be reaped if a significant cybersecurity incident were to occur
that impacted financial institutions across multiple domestic and
international jurisdictions.
After considering the benefits and costs of requiring the LEI as an
identifier for all Covered Entities via a UIC requirement, the
Commission is proposing to require Covered Entities to identify
themselves with a UIC on proposed Form SCIR only if they already have a
UIC so as to minimize the burden on Covered Entities and because
multiple other Commission disclosure forms also only require
registrants to identify themselves with UICs if they already have
UICs.\914\ In conclusion, requiring Covered Entities to identify
themselves on both parts of proposed Form SCIR with a CIK and with a
UIC (i.e., the LEI) if they already have a UIC is consistent with the
existing regulatory framework.
---------------------------------------------------------------------------
\914\ Covered Entities that do not have an LEI may obtain one if
they so choose.
---------------------------------------------------------------------------
Although CIK numbers and UICs (such as in the form of LEIs) are the
primary two entity standard identifiers used in Commission regulations,
the Commission could instead propose to require Covered Entities to
identify themselves with an alternative entity identifier other than
CIK numbers and UICs for the proposed rule. For the reasons stated
above, there are benefits from the use of CIK numbers (i.e., CIK
numbers enable EDGAR filing, which facilitates aggregation and analysis
of the information) and LEIs (i.e., the LEI is an affordable,
international standard identifier that facilitates information
sharing). Accordingly, the Commission decided against proposing to
require the use of another standard entity identifier for the purposes
of this proposal.
c. Require Only One Location for the Public Disclosures
Rather than requiring Covered Entities to publicly disclose their
cybersecurity risks and significant cybersecurity incidents during the
current or previous calendar year both on their websites and also file
that information centrally on Part II of proposed Form SCIR in EDGAR,
the Commission considered requiring that Covered Entities provide the
public disclosures on their websites only.
Requiring Covered Entities to place the cybersecurity disclosures
only on their websites could provide modest,
[[Page 20323]]
incremental reductions in the burdens associated with providing those
disclosures both on Covered Entity websites and through filing Part II
of proposed Form SCIR with the Commission. Additionally, the websites
of Covered Entities might be the natural place for their customers,
counterparties, members, registrants, or users to look for information
about the Covered Entity. Alternatively, requiring Covered Entities to
place their cybersecurity disclosures (Part II of Form SCIR) only in
EDGAR in a structured data language also could provide modest,
incremental reductions in the burdens associated with placing those
disclosures on their websites.
Accordingly, the Commission is proposing to require Covered
Entities to provide the information both on their websites and in EDGAR
on Part II of proposed Form SCIR.\915\ Publication on Covered Entity
websites is advantageous because that is where many Covered Entities'
customers, counterparties, members, registrants, or users will look for
information about their financial intermediaries. Centralized filing of
structured public disclosures of cybersecurity risks and significant
cybersecurity incidents during the current or previous calendar year in
EDGAR by Covered Entities would enable customers, counterparties,
members, registrants, and users, as well as financial analysts--and
even the Covered Entities themselves--to more efficiently discern broad
trends in cybersecurity risks and incidents, which would enable Covered
Entities and other market participants to more efficiently determine if
they need to modify, change, or upgrade their cybersecurity defense
measures in light of those trends. Accordingly, the Commission is
proposing to require Covered Entities to publish the required
cybersecurity disclosures on their websites and provide the information
in Part II of proposed Form SCIR, which would be filed in EDGAR using a
custom XML.
---------------------------------------------------------------------------
\915\ The Commission is seeking comment on this topic. See
section II.B.3.c. of this release.
---------------------------------------------------------------------------
d. Modify the Location of the EDGAR-Filed Public Cybersecurity
Disclosures for Some Covered Entities
Rather than requiring Covered Entities to provide the public
cybersecurity disclosures in EDGAR using Part II of proposed Form SCIR,
the Commission considered requiring Covered Entities that currently are
required to file forms in EDGAR to provide the disclosures in
structured attachments to existing EDGAR-filed forms. Currently, only
SBS Entities and transfer agents are required to file EDGAR forms.
SBSDs and MSBSPs must file in EDGAR registration applications on Form
SBSE, SBSE-A, or SBSE-BD, amendments to those Forms if the information
in them is or has become inaccurate, and certifications on Form SBSE-
C.\916\ As discussed above, Commission regulations require SBSDRs to
file Form SDR in EDGAR but the Commission temporarily relieved SBSDRs
of the EDGAR-filing requirement. Transfer agents file Forms TA-1, TA-2,
and TA-W in EDGAR in a custom XML.\917\ The Commission considered
permitting those types of Covered Entities that are not currently
subject to an EDGAR-filing requirement to file the cybersecurity
disclosures only on their individual firm websites (without needing to
also file the disclosures in EDGAR). Therefore, rather than requiring
all Covered Entities to file the cybersecurity disclosures using Part
II of proposed Form SCIR, the Commission could require Covered Entities
that are SBS Entities or transfer agents to provide the same
information as structured attachments to Form SBSE (for SBS Entities)
and Form TA-1 (for transfer agents). Likewise, the Commission could
require SBSDRs to file the cybersecurity disclosures as attachments to
Form SDR once the Commission temporary relief from the EDGAR-filing
requirement expires.
---------------------------------------------------------------------------
\916\ See Instruction A.2 to Form SBSE, Instruction A.2 to Form
SBSE-A, Instruction A.3 to Form SBSE-BD, and Instruction A.2 to Form
SBSE-C.
\917\ See Commission, Electronic Filing of Transfer Agent Forms
(Nov. 14, 2007), available at https://www.sec.gov/info/edgar/ednews/ta-filing.htm.
---------------------------------------------------------------------------
Requiring all Covered Entities to provide the disclosures on a
single, uniform form would likely be simpler (because the information
would be in one location)--and thereby more efficient--for the
Commission, Covered Entities, and others who might seek the information
in the cybersecurity disclosures (including Covered Entities' users,
members, customers, or counterparties) than putting the cybersecurity
disclosures in attachments on disparate forms and (for those firms not
subject to EDGAR-filing requirements) on individual Covered Entity
websites.
e. Modify the Structured Data Requirement for the Public Cybersecurity
Disclosures
Rather than requiring Covered Entities to file Part II of proposed
Form SCIR in EDGAR using a custom XML, the Commission could either
eliminate the structured data language requirement for some or all
Covered Entities or require the use of a different structured data
language, such as Inline XBRL.\918\ For example, the Commission could
eliminate the requirement that Covered Entities file Part II of
proposed Form SCIR in a custom XML or in any structured data language.
By eliminating the structured data requirement, the Commission would
allow Covered Entities to submit the new cybersecurity disclosures in
unstructured HTML or ASCII, thereby avoiding the need to put the
information for Part II of proposed Form SCIR into a fillable web form
that EDGAR would use to generate the custom XML filing, or instead file
Part II of proposed Form SCIR directly in custom XML using the XML
schema for proposed Form SCIR, as published on the Commission's
website.
---------------------------------------------------------------------------
\918\ XBRL is a structured data language that is specifically
designed to handle business-related information, including financial
information, entity descriptions, corporate actions, ledgers and
sub-ledgers, and other summary and ledger-level information. By
comparison, Inline XBRL is a structured data language that embeds
XBRL data directly into an HTML document, enabling a single document
to provide both human-readable and structured machine-readable data.
---------------------------------------------------------------------------
Another option is that the Commission could remove the structured
data filing requirement for some subset of Covered Entities. For
example, the Commission could instead require only certain types of
Covered Entities, such as national securities exchanges or SBS
Entities, to file Part II of proposed Form SCIR in a custom XML.
Alternatively, the Commission could require the use of a structured
data language only for those Covered Entities that exceeded some
threshold, be it assets or trading volumes, depending on the type of
Covered Entity in question. Eliminating the requirement that Part II of
proposed Form SCIR be filed in a structured data language, however,
would reduce the benefits of the proposed rule because the use of a
structured data language would make the information contained in Part
II of proposed Form SCIR easier and more efficient for Commission
staff--as well as the Covered Entity's customers, counterparties,
members, registrants, or users--to assemble, review, and analyze.
Financial analysts at third-party information providers also could use
the public disclosures to produce analyses and reports that market
participants may find useful.
The Commission could require Covered Entities to file Part II of
proposed Form SCIR in Inline XBRL rather than in custom XML on the
grounds that Inline XBRL is an internationally-recognized freely
available industry standard for reporting business-related information
and a data
[[Page 20324]]
language that allows EDGAR filers to prepare single documents that are
both human-readable and machine-readable, particularly in connection
with forms containing publicly-available registrant financial
statements. The Commission believes that the use of a form-specific XML
would be appropriate here given the relative simplicity of Part II of
proposed Form SCIR disclosures and the ability for EDGAR to provide
fillable web forms for entities to comply with their custom XML
requirements, leading to a lower burden of compliance for Covered
Entities without Inline XBRL experience.
3. General Request for Comment
The Commission requests comment on the benefits and costs
associated the alternatives outlined above.
V. Paperwork Reduction Act Analysis
Certain provisions of the proposed rule, form, and rule amendments
in this release would contain a new ``collection of information''
within the meaning of the Paperwork Reduction Act of 1995
(``PRA'').\919\ The Commission is submitting the proposed rule
amendments and proposed new rules to the Office of Management and
Budget (``OMB'') for review and approval in accordance with the PRA and
its implementing regulations.\920\ An agency may not conduct or
sponsor, and a person is not required to respond to a collection of
information unless it displays a currently valid OMB control
number.\921\ The titles for the collections of information are:
---------------------------------------------------------------------------
\919\ See 44 U.S.C. 3501 et seq.
\920\ See 44 U.S.C. 3507; 5 CFR 1320.11.
\921\ See 5 CFR 1320.11(l).
---------------------------------------------------------------------------
(1) Rule 10;
(2) Form SCIR;
(3) Rule 17a-4--Records to be preserved by certain exchange
members, brokers and dealers (OMB control number 3235-0279);
(4) Rule 17ad-7--Record retention (OMB control number 3235-0291);
(5) Rule 18a-6--Records to be preserved by certain security-based
swap dealers and major security-based swap participants (OMB control
number 3235-0751); and
(6) Rule 3a71-6--Substituted Compliance for Foreign Security-Based
Swap Entities (OMB control number 3235-0715).
The burden estimates contained in this section do not include any
other possible costs or economic effects beyond the burdens required to
be calculated for PRA purposes.
A. Summary of Collections of Information
1. Proposed Rule 10
Proposed Rule 10 would require all Market Entities (Covered
Entities and non-Covered Entities) to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
their cybersecurity risks.\922\ All Market Entities also, at least
annually, would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review.\923\ They also would
be required to prepare a report (in the case of Covered Entities) and a
record (in the case of non-Covered Entities) with respect to the annual
review.\924\ Finally, all Market Entities would need to give the
Commission immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the significant cybersecurity incident has occurred or is
occurring.\925\
---------------------------------------------------------------------------
\922\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e)(1) of proposed Rule
10. See also Sections II.B.1 and II.C. of this release (discussing
these proposed requirements in more detail).
\923\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10. See also Sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\924\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10. See also Sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\925\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2)
of proposed Rule 10. See also sections II.B.2.a. and II.C. of this
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Market Entities that meet the definition of ``covered entity''
would be subject to certain additional requirements under proposed Rule
10.\926\ First, their cybersecurity risk management policies and
procedures would need to include the following elements:
---------------------------------------------------------------------------
\926\ See paragraph (b) through (d) of proposed Rule 10 (setting
forth the requirements for Market Entities that meet the definition
of ``covered entity''); paragraph (e) of proposed Rule 10 (setting
forth the requirements for Market Entities that do not meet the
definition of ``covered entity'').
---------------------------------------------------------------------------
Periodic assessments of cybersecurity risks associated
with the Covered Entity's information systems and written documentation
of the risk assessments;
Controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems;
Measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversight of service providers that
receive, maintain, or process information, or are otherwise permitted
to access the Covered Entity's information systems;
Measures to detect, mitigate, and remediate any
cybersecurity threats and vulnerabilities with respect to the Covered
Entity's information systems; and
Measures to detect, respond to, and recover from a
cybersecurity incident and written documentation of any cybersecurity
incident and the response to and recovery from the incident.\927\
---------------------------------------------------------------------------
\927\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail). In the case
of non-Covered Entities, as discussed in more detail below in
Section II.C. of this release, the design of the cybersecurity risk
management policies and procedures would need to take into account
the size, business, and operations of the broker-dealer. See
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------
Second, Covered Entities--in addition to providing the Commission
with immediate written electronic notice of a significant cybersecurity
incident--would need to report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission through the EDGAR system.\928\ The form would
elicit information about the significant cybersecurity incident and the
Covered Entity's efforts to respond to, and recover from, the incident.
---------------------------------------------------------------------------
\928\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Third, Covered Entities would need to publicly disclose summary
descriptions of their cybersecurity risks and the significant
cybersecurity incidents they experienced during the current or previous
calendar year on Part II of proposed Form SCIR.\929\ The form would
need to be filed with the Commission through the EDGAR system and
posted on the Covered Entity's business internet website and, in the
case of Covered Entities that are carrying or introducing broker-
dealers, provided to customers at account opening and annually
thereafter.
---------------------------------------------------------------------------
\929\ See sections II.B.3. and II.B.4.of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Covered Entities and Non-Covered Entities would need to preserve
certain records relating to the requirements of proposed Rule 10 in
accordance with amended or existing recordkeeping requirements
applicable to them or, in the case of exempt clearing agencies,
[[Page 20325]]
pursuant to conditions in relevant exemption orders.\930\
---------------------------------------------------------------------------
\930\ See sections II.B.5. and II.C. of this release (discussing
these proposed requirements in more detail).
---------------------------------------------------------------------------
2. Form SCIR
Proposed Rule 10 would require Covered Entities to: (1) report and
update information about a significant cybersecurity incident; \931\
and (2) publicly disclose summary descriptions of their cybersecurity
risks and the significant cybersecurity incidents they experienced
during the current or previous calendar year.\932\ Parts I and II of
proposed Form SCIR would be used by Covered Entities, respectively, to
report and update information about a significant cybersecurity
incident and publicly disclose summary descriptions of their
cybersecurity risks and the significant cybersecurity incidents they
experienced during the current or previous calendar year.
---------------------------------------------------------------------------
\931\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
\932\ See sections II.B.3. and II.B.4.of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
3. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers,
transfer agents, and SBS Entities, respectively--would be amended to
establish preservation and maintenance requirements for the written
policies and procedures, annual reports, Parts I and II of proposed
Form SCIR, and records required to be made pursuant to proposed Rule 10
(i.e., the Rule 10 Records).\933\ The proposed amendments would specify
that the Rule 10 Records must be retained for three years. In the case
of the written policies and procedures to address cybersecurity risks,
the record would need to be maintained until three years after the
termination of the use of the policies and procedures. In addition,
orders exempting certain clearing agencies from registering with the
Commission would be amended to establish preservation and maintenance
requirements for the Rule 10 Records that would apply to the exempt
clearing agencies subject to those orders.\934\ The amendments to the
orders would provide that the records need to be retained for five
years (consistent with Rules 13n-7 and 17a-1).\935\ In the case of the
written policies and procedures to address cybersecurity risks, the
record would need to be maintained until five years after the
termination of the use of the policies and procedures.
---------------------------------------------------------------------------
\933\ See sections II.B.5. and II.C. of this release (discussing
these proposed amendments in more detail). Rule 17a-4 sets forth
record preservation and maintenance requirements for broker-dealers,
Rule 17ad-7 sets forth record preservation and maintenance
requirements for transfer agents, and Rule 18a-6 sets forth record
preservation and maintenance requirements for SBS Entities.
\934\ See section II.B.5. of this release (discussing these
proposed amendments in more detail).
\935\ For the reasons discussed in section II.B.5.a. of this
release, the proposal would not amend Rules 13n-7 or 17a-1. As
explained in that section of the release, the existing requirements
of Rule 13n-7 (which applies to SBSDRs) and Rule 17a-1 (which
applies to registered clearing agencies, the MSRB, national
securities associations, and national securities exchanges) will
require these Market Entities to retain the Rule 10 Records for five
years and, in the case of the written policies and procedures, for
five years after the termination of the use of the policies and
procedures.
---------------------------------------------------------------------------
4. Substituted Compliance (Rule 3a71-6)
Paragraph (d)(1) of Rule 3a71-6 would be amended to add proposed
Rule 10 and Form SCIR to the list of Commission requirements eligible
for a substituted compliance determination.\936\ If adopted, this
amendment together with existing paragraph (d)(6) of Rule 3a71-6 would
permit eligible SBS Entities to file an application requesting that the
Commission make a determination that compliance with specified
requirements under a foreign regulatory system may satisfy the
requirements of proposed Rule 10, Form SCIR, and the related record
preservation requirements. As provided by Exchange Act Rule 0-13,\937\
which the Commission adopted in 2014,\938\ applications for substituted
compliance determinations must be accompanied by supporting
documentation necessary for the Commission to make the determination,
including information regarding applicable requirements established by
the foreign financial regulatory authority or authorities, as well as
the methods used by the foreign financial regulatory authority or
authorities to monitor and enforce compliance; applications should cite
to and discuss applicable precedent.\939\
---------------------------------------------------------------------------
\936\ See section II.D. of this release (discussing these
proposed amendments in more detail).
\937\ 17 CFR 240.0-13.
\938\ See SBS Entity Definitions Adopting Release, 79 FR at
47357-59.
\939\ See 17 CFR 240.0-13(e). In adopting Rule 0-13, the
Commission noted that because Rule 0-13 was a procedural rule that
did not provide any substituted compliance rights, ``collections of
information arising from substituted compliance requests, including
associated control numbers, [would] be addressed in connection with
any applicable substantive rulemakings that provide for substituted
compliance.'' See SBS Entity Definitions Adopting Release, 79 FR at
47366 n.778.
---------------------------------------------------------------------------
B. Proposed Use of Information
The proposed requirements to have written policies and procedures
to address cybersecurity risks, to document risk assessments and
significant cybersecurity incidents, to create a report or record of
the annual review of the policies and procedures, to provide immediate
notification and subsequent reporting of significant cybersecurity
incidents, to publicly disclose summary descriptions of cybersecurity
risks and significant cybersecurity incidents, and to preserve the
written policies and procedures, reports, and records would constitute
collection of information requirements under the PRA. Collectively,
these collections of information are designed to address cybersecurity
risk and the threat it poses to Market Entities and the U.S. securities
markets.
Market Entities would use the written policies and procedures, the
records required to be made pursuant to those policies and procedures,
and the report or record of the annual review of the policies and
procedures to address the specific cybersecurity risks to which they
are exposed. The Commission could use the written policies and
procedures, reports, and records to review Market Entities' compliance
with proposed Rule 10.
Market Entities would use the immediate written electronic
notifications to notify the Commission (and, in some cases, other
regulators) about significant cybersecurity incidents they experience
pursuant to proposed Rule 10. The Commission could use the immediate
written electronic notification to promptly begin to assess the
situation by, for example, when warranted, assessing the Market
Entity's operating status and engaging in discussions with the Market
Entity to understand better what steps it is taking to protect its
customers, counterparties, members, registrants, or users.
Covered Entities would use Part I of proposed Form SCIR to report
to the Commission (and, in some cases, other regulators) significant
cybersecurity incidents they experienced pursuant to proposed Rule 10.
The Commission could use the reports of significant cybersecurity
incidents filed using Part I of proposed Form SCIR to understand better
the nature and extent of a particular significant cybersecurity
incident and the efficacy of the Covered Entity's response to mitigate
the disruption and harm caused by the incident. The Commission staff
could use the reports to focus on the Covered Entity's operating status
and to facilitate their outreach to, and discussions with,
[[Page 20326]]
personnel at the Covered Entity who are addressing the significant
cybersecurity incident. In addition, the reporting would provide the
staff with a view into the Covered Entity's understanding of the scope
and impact of the significant cybersecurity incident. All of this
information would be used by the Commission and its staff in assessing
the significant cybersecurity incident impacting the Covered Entity.
Further, the Commission would be use the database of reports to assess
the potential cybersecurity risks affecting U.S. securities markets
more broadly. This information could be used to address future
significant cybersecurity incidents. For example, these reports could
assist the Commission in identifying patterns and trends across Covered
Entities, including widespread cybersecurity incidents affecting
multiple Covered Entities at the same time. Further, the reports could
be used to evaluate the effectiveness of various approaches to respond
to and recover from a significant cybersecurity incident.
Covered Entities would use Part II of proposed Form SCIR to
publicly disclose summary descriptions of their cybersecurity risks and
the significant cybersecurity incidents they experienced during the
current or previous calendar year pursuant to proposed Rule 10. These
disclosures would be used to provide greater transparency to customers,
counterparties, registrants, or members of the Covered Entity, or to
users of its services, about the Covered Entity's cybersecurity risk
profile. This information could be used by these persons to manage
their own cybersecurity risk and, to the extent they have choice,
select a Covered Entity with whom to transact or otherwise conduct
business. In addition, because the reports would be filed through
EDGAR, Covered Entities' customers, counterparties, members,
registrants, or users would be able to run search queries to compare
the disclosures of multiple Covered Entities. This would make it easier
for Commission staff and others to assess the cybersecurity risk
profiles of different types of Covered Entities and could facilitate
trend analysis by members of the public of significant cybersecurity
incidents.
Under the proposed amendment to Rule 3a71-6, the Commission would
use the information collected to evaluate requests for substituted
compliance with respect to proposed Rule 10, Form SCIR, and the related
record preservation requirements applicable to SBS Entities. Consistent
with Exchange Act Rule 0-13(h),\940\ the Commission would publish in
the Federal Register a notice that a complete application had been
submitted, and provide the public the opportunity to submit to the
Commission any information that relates to the Commission action
requested in the application, subject to appropriate requests for
confidential treatment being submitted pursuant to any applicable
provisions governing confidentiality under the Exchange Act.\941\
---------------------------------------------------------------------------
\940\ 17 CFR 240.0-13(h).
\941\ See section V.F of this release.
---------------------------------------------------------------------------
C. Respondents
The following table summarizes the estimated number of respondents
that would be subject to the proposed Rule 10, Form SCIR, and
recordkeeping burdens.
------------------------------------------------------------------------
Type of registrant Number
------------------------------------------------------------------------
Covered Broker-Dealers.................................. 1,541
Non-Covered Broker-Dealers.............................. 1,969
Clearing agencies and exempt clearing agencies.......... 16
MSRB.................................................... 1
National securities exchanges........................... 24
National securities associations........................ 1
SBS Entities............................................ 50
SBSDRs.................................................. 3
Transfer agents......................................... 353
---------------
Total Covered Entities.............................. 1,989
Total Non-Covered Broker-Dealers.................... 1,969
Total Respondents................................... 3,958
------------------------------------------------------------------------
The respondents subject to these collection of information
requirements include the following:
1. Broker-Dealers
Each broker-dealer registered with the Commission would be subject
to proposed Rule 10 as either a Covered Entity or a Non-Covered Broker-
Dealer. As of September 30, 2022, there were 3,510 broker-dealers
registered with the Commission.\942\ The Commission estimates that
1,541 of these broker-dealers would be Covered Entities under the
proposed rule because they fit within one or more of the following
categories: carrying broker-dealer; broker-dealer that introduces
customer accounts to a carrying broker-dealer on a fully disclosed
basis; broker-dealer with regulatory capital equal to or exceeding $50
million; broker-dealer with total assets equal to or exceeding $1
billion; broker-dealer that operates as a market maker under the
securities laws; or a broker-dealer that operates as an ATS.\943\ The
Commission estimates that 1,969 broker-dealers (i.e., the remaining
broker-dealers registered with/the Commission) would be Non-Covered
Broker-Dealers for purposes of the rules.
---------------------------------------------------------------------------
\942\ This estimate is derived from broker-dealer FOCUS filings
and ATS Form ATS-R quarterly reports as of September 30, 2022.
\943\ Id.
---------------------------------------------------------------------------
2. Clearing Agencies
With regard to clearing agencies, respondents under these rules
are: (1) nine registered clearing agencies; \944\ and (2) five exempt
clearing agencies.\945\ The Commission estimates for purposes of the
PRA that two additional entities may seek to register as a clearing
agency in the next three years, and so for purposes of this proposal
the Commission has assumed sixteen total
[[Page 20327]]
clearing agency and exempt clearing agency respondents.
---------------------------------------------------------------------------
\944\ The registered and active clearing agencies are: (1) DTC;
(2) FICC; (3) NSCC; (4) ICC; (5) ICEEU; (6) the Options Clearing
Corp.; and (7) LCH SA. The clearing agencies that are registered
with the Commission but conduct no clearance or settlement
operations are: (1) BSECC; and (2) SCCP.
\945\ The exempt clearing agencies that provide matching
services are: (1) DTCC ITP Matching U.S. LLC; (2) Bloomberg STP LLC;
(3) SS&C Technologies, Inc.; (4) Euroclear Bank SA/NV; and (5)
Clearstream Banking, S.A.
---------------------------------------------------------------------------
3. The MSRB
The sole respondent to the proposed collection of information for
the MSRB is the MSRB itself.
4. National Securities Exchanges and National Securities Associations
The respondents to the proposed collections of information for
national securities exchanges and national securities associations
would be the 24 national securities exchanges currently registered with
the Commission under section 6 of the Exchange Act,\946\ and the one
national securities association currently registered with the
Commission under section 15A of the Exchange Act.\947\
---------------------------------------------------------------------------
\946\ See 15 U.S.C. 78f. The national securities exchanges
registered with the Commission are: (1) BOX Options Exchange LLC;
(2) Cboe BZX Exchange, Inc.; (3) Cboe BYX Exchange, Inc.; (4) Cboe
C2 Exchange, Inc.; (5) Cboe EDGA Exchange, Inc.; (6) Cboe EDGX,
Inc.; (7) Cboe Exchange, Inc.; (8) Investors Exchange Inc.; (9)
Long-Term Stock Exchange, Inc.; (10) MEMX, LLC; (11) Miami
International Securities Exchange LLC; (12) MIAX PEARL, LLC; (13)
MIAX Emerald, LLC; (14) NASDAQ BX, Inc.; (15) NASDAQ GEMX, LLC; (16)
NASDAQ ISE, LLC; (17) NASDAQ MRX, LLC; (18) NASDAQ PHLX LLC; (19)
The NASDAQ Stock Market LLC; (20) New York Stock Exchange LLC; (21)
NYSE MKT LLC; (22) NYSE Arca, Inc.; (23) NYSE Chicago Stock
Exchange, Inc.; and (24) NYSE National, Inc.
\947\ See 15 U.S.C. 78o-3. The one national securities
association registered with the Commission is FINRA.
---------------------------------------------------------------------------
5. SBS Entities
As of January 4, 2023, 50 SBSDs have registered with the
Commission, while no MSBSPs have registered with the Commission.\948\
Of the 50 SBSDs that have registered with the Commission, 7 entities
are also broker-dealers.\949\
---------------------------------------------------------------------------
\948\ See List of Registered Security-Based Swap Dealers and
Major Security-Based Swap Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.
\949\ A Covered Entity that is both a broker-dealer and an SBS
Entity (which includes all seven of these broker-dealers) will have
burdens with respect to the proposed rule, Form SCIR, and
recordkeeping amendments as they apply to both its broker-dealer
business and its security-based swap business. Therefore, such
``dual-hatted'' entities will be counted as both Covered Entities
that are broker-dealers and as SBS Entities for purposes of the PRA.
---------------------------------------------------------------------------
Requests for a substituted compliance determination under Rule
3a71-6 with respect to the proposed Rule 10, Form SCIR, and the related
record preservation requirements may be filed by foreign financial
authorities, or by non-U.S. SBSDs or MSBSPs. The Commission had
previously estimated that there may be approximately 22 non-U.S.
entities that may potentially register as SBSDs, out of approximately
50 total entities that may register as SBSDs.\950\ Potentially all non-
U.S. SBSDs, or some subset thereof, may seek to rely on a substituted
compliance determination in connection with the proposed cybersecurity
risk management requirements.\951\ However, the Commission had expected
that the great majority of substituted compliance applications would be
submitted by foreign authorities \952\ given their expertise in
connection with the relevant substantive requirements, and in
connection with their supervisory and enforcement oversight with regard
to SBSDs and their activities.\953\ The Commission expected that very
few substituted compliance requests would come from SBS Entities.\954\
For purposes of PRA assessments, the Commission estimated that three
SBS Entities would submit such applications.\955\ Although, as of
January 4, 2023, 30 entities had identified themselves as a nonresident
SBSD in their application for registration with the Commission,\956\
the Commission has issued only one order in response to a request for
substituted compliance from potential registrants.\957\ The Commission
continues to believe that its estimate that three such entities will
submit applications remains appropriate for purposes of this PRA
assessment because applicants may file additional requests.
---------------------------------------------------------------------------
\950\ See Proposed Rule Amendments and Guidance Addressing
Cross-Border Application of Certain Security-Based Swap
Requirements, Exchange Act Release No. 85823 (May 10, 2019), 84 FR
24206, 24253 (May 24, 2019). See also Security-Based Swap
Transactions Connected With a Non-U.S. Person's Dealing Activity
That Are Arranged, Negotiated, or Executed by Personnel Located in a
U.S. Branch or Office or in a U.S. Branch or Office of an Agent;
Security-Based Swap Dealer De Minimis Exception, Exchange Act
Release No. 77104 (Feb. 10, 2016), 81 FR 8597, 8605 (Feb. 19, 2016)
(``SBS Entity U.S. Activity Adopting Release''); Business Conduct
Standards Adopting Release, 81 FR at 30090, 30105; SBS Entity
Recordkeeping and Reporting Release, 84 FR at 68607-09; and Capital,
Margin, and Segregation Requirements Adopting Release, 84 FR at
43960-61.
\951\ Consistent with prior estimates, the Commission further
believes that there may up to five MSBSPs. See Registration Process
for Security-Based Swap Dealers and Major Security-Based Swap
Participants, Exchange Act Release No. 75611 (Aug. 5, 2015), 80 FR
48963, 48990 (Aug. 14, 2015) (``SBS Entity Registration Adopting
Release''); see also SBS Entity Business Conduct Standards Adopting
Release, 81 FR at 30089, 30099. It is possible that some subset of
those entities will be non-U.S. MSBSPs that will seek to rely on
substituted compliance in connection with proposed Rule 10, Form
SCIR, and the related record preservation requirements.
\952\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at
6389. See also SBS Entity Business Conduct Standards Adopting
Release, 81 FR at 30097; SBS Entity Trade Acknowledgement and
Verification Adopting Release, 81 FR at 39832.
\953\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at
6384. See also SBS Entity Business Conduct Standards Adopting
Release, 81 FR at 30090; SBS Entity Trade Acknowledgement and
Verification Adopting Release, 81 FR at 39832.
\954\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at
6389. See also SBS Entity Business Conduct Standards Adopting
Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity
Trade Acknowledgement and Verification Adopting Release, 81 FR at
39832.
\955\ Id. See also SBS Entity Recordkeeping and Reporting
Adopting Release, 84 FR at 68609; Capital, Margin, and Segregation
Requirements Adopting Release, 84 FR at 43967.
\956\ No entity has registered as an MSBSP. See List of
Registered Security-Based Swap Dealers and Major Security-Based Swap
Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants (providing the list of registered
SBSDs and MSBSPs that was updated as of January 4, 2023).
\957\ See Order Granting Conditional Substituted Compliance in
Connection With Certain Requirements Applicable to Non-U.S.
Security-Based Swap Dealers Subject to Regulation in the Swiss
Confederation, Exchange Act Release No. 93284 (Oct. 8, 2021), 86 FR
57455 (Oct. 15, 2021) (File No. S7-07-21). The Commission's other
substituted compliance orders have been in response to requests from
foreign authorities; see https://www.sec.gov/tm/Jurisdiction-Specific-Apps-Orders-and-MOU.
---------------------------------------------------------------------------
6. SBSDRs
Two SBSDRs are currently registered with the Commission.\958\ The
Commission estimates for purposes of the PRA that one additional entity
may seek to register as an SBSDR in the next three years, and so for
purposes of this proposal the Commission has assumed three SBSDR
respondents.
---------------------------------------------------------------------------
\958\ The Commission approved the registration of two SBSDRs in
2021. The two registered SBSDRs are: (1) DTCC Data Repository
(U.S.), LLC; and (2) ICE Trade Vault, LLC.
---------------------------------------------------------------------------
7. Transfer Agents
The proposed rule would apply to every transfer agent as defined in
section 3(a)(25) of the Exchange Act that is registered or required to
be registered with an appropriate regulatory agency as defined in
section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there
were 353 transfer agents that were either registered with the
Commission through Form TA-1 or registered with other appropriate
regulatory agencies.
D. Total Initial and Annual Reporting Burdens
As stated above, each requirement to disclose information, offer to
provide information, or adopt policies and procedures constitutes a
collection of information requirement under the PRA. The Commission
discusses below the collection of information burdens associated with
the proposed rule and rule amendment.
1. Proposed Rule 10
The Commission has made certain estimates of the burdens associated
with
[[Page 20328]]
the policies and procedures and review and report of the review
requirements of proposed Rule 10 applicable to Covered Entities solely
for the purpose of this PRA analysis.\959\ Table 1 below summarizes the
initial and ongoing annual burden and cost estimates associated with
the policies and procedures and review and report of the review
requirements.
---------------------------------------------------------------------------
\959\ These requirements are discussed in section II.B.1. of
this release.
Table 1--Rule 10 PRA Estimates--Cybersecurity Policies and Procedures and Review and Report of the Review Requirements for Covered Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal Internal annual
initial burden burden hours Wage rate \2\ Internal time Annual external
hours \1\ costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies and 50 \4\ 21.67 $462 (blended rate for compliance $10,011.54 \5\ $1,488
procedures \3\. attorney and assistant general
counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual review of policies and procedures and 0 \6\ 10 $462 (blended rate for compliance 4,620 \7\ 1,984
report of review. attorney and assistant general
counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per Covered Entity.. ............... 31.67 .................................. 14,631.54 3,472
Number of Covered Entities...................... ............... x 1,989 .................................. x 1,989 x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual aggregate burden........... ............... 62,991.63 .................................. 29,102,133.06 6,905,808
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a 3-year period.
\2\ The Commission's estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry
and Financial Markets Association's Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 (``SIFMA Wage Report'').
The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
\3\ These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating exiting policies and procedures with
respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
\4\ Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 21.67 hours is based on
the following calculation: ((50 initial hours/3) + 5 additional ongoing burden hours) = 21.67 hours.
\5\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
\6\ The Commission estimates 10 additional ongoing burden hours.
\7\ This estimated burden is based on the estimated wage rate of $496/hour, for 4 hours, for outside legal services. See note 5 (regarding wage rates
with respect to external cost estimates).
The Commission has made certain estimates of the burdens associated
with the policies and procedures and review and record of the review
requirements of proposed Rule 10 applicable to Non-Covered Broker-
Dealers solely for the purpose of this PRA analysis.\960\ Table 2 below
summarizes the initial and ongoing annual burden and cost estimates
associated with the proposed rule's policies and procedures and review
and record of the review requirements for Non-Covered Broker-Dealers.
---------------------------------------------------------------------------
\960\ These requirements are discussed in section II.C. of this
release.
Table 2--Rule 10 PRA Estimates--Cybersecurity Policies and Procedures and Review and Record of the Review Requirements for Non-Covered Broker-Dealers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal Internal annual
initial burden burden hours Wage rate \2\ Internal time Annual external
hours \1\ costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies and 30 \4\ 15 $462 (blended rate for compliance $6,930 \5\ $1,488
procedures \3\. attorney and assistant general
counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual review of policies and procedures and 0 \6\ 6 $462 (blended rate for compliance 2,772 \7\ 992
report of review. attorney and assistant general
counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per Non-Covered ............... 21 .................................. 9,702 2,480
Broker-Dealer.
Number of Non-Covered Broker-Dealers............ ............... x 1,969 .................................. x 1,969 x 1,969
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual aggregate burden........... ............... 41,349 .................................. 19,103,238 4,883,120
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a 3-year period.
\2\ The Commission's estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry
and Financial Markets Association's Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 (``SIFMA Wage Report'').
The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
\3\ These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating exiting policies and procedures with
respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
\4\ Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 15 hours is based on the
following calculation: ((30 initial hours/3) + 5 additional ongoing burden hours) = 15 hours.
\5\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
\6\ The Commission estimates 6 additional ongoing burden hours.
\7\ This estimated burden is based on the estimated wage rate of $496/hour, for 2 hours, for outside legal services. See note 5 (regarding wage rates
with respect to external cost estimates).
[[Page 20329]]
The Commission has made certain estimates of the burdens associated
with the notification requirement of proposed Rule 10 applicable to
Market Entities solely for the purpose of this PRA analysis.\961\ Table
3 below summarizes the initial and ongoing annual burden and cost
estimates associated with the proposed rule's notification requirements
for Market Entities.
---------------------------------------------------------------------------
\961\ This requirement is discussed in section II.B.2.a. of this
release.
Table 3--Rule 10 PRA Estimates--Notification Requirements for Market Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal
initial burden Internal annual Wage rate Internal time Annual external
hours burden hours costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Making a determination of significant 5 \1\ 4.67 x $353 (blended rate for $1,648.51 \2\ $1,488
cybersecurity incident and immediate notice assistant general counsel,
to the Commission. compliance manager and systems
analyst).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per Market ............... 4.67 ............................... 1,648.51 1,488
Entity.
Number of Market Entities................... ............... x 3,958 ............................... x 3,958 x 3,958
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new aggregate annual burden....... ............... 18,483.86 ............................... 6,524,802.58 5,889,504
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 3 ongoing annual burden hours. The estimate of 4.67 hours is based on
the following calculation: ((5 initial hours/3) + 3 additional ongoing burden hours) = 4.67 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
The Commission has made certain estimates of the burdens associated
with the requirement of proposed Rule 10 that Covered Broker-Dealers
provide the disclosures that would need to made on Part II of proposed
Form SCIR requirements to their customers solely for the purpose of
this PRA analysis.\962\ Table 4 below summarizes the initial and
ongoing annual burden and cost estimates associated with the
requirement of proposed Rule 10 that Covered Broker-Dealers provide the
disclosures that would need to made on Part II of proposed Form SCIR
requirements to their customers.
---------------------------------------------------------------------------
\962\ These requirements are discussed in section II.B.3.b. of
this release.
Table 4--Rule 10 PRA Estimates--Additional Disclosure Requirements for Broker-Dealers That Are Covered Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal
initial burden Internal annual Wage rate Internal time Annual external
hours burden hours costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Delivery of disclosures to new customers.... \1\ 6.68 6.68 x $69 (general clerk)............ $460.92 $0
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual delivery of disclosures to existing \2\ 44.48 44.48 $69 (general clerk)............ 3,076.02 0
customers.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per broker- ............... 51.26 ............................... 3,536.94 ...............
dealer Covered Entities.
Number of broker-dealer Covered Entities.... ............... x 1,541 ............................... x 1,541 ...............
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new aggregate annual burden....... ............... 78,991.66 ............................... 5,450,424.54 ...............
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ The Commission estimates that a broker-dealer that isa Covered Entity will require no more than 0.02 hours to send the broker-dealer'srequired
disclosures to each new customer, or an annual burden of 6.68 hours perbroker-dealer. (0.02 hours per customer x 334 median number of new customers
per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 6.68 hours per broker-dealer.) The Commission notes that the
burden for preparing disclosures to customers is already incorporated into a separate burden estimate under other broker-dealer rules promulgated by
the Commission (e.g., 17 CFR 240.17a-3) and FINRA rules. The Commission expects that broker-dealers subject to this new disclosure requirement will
make their delivery of disclosures to new customers as part of an email or mailing they already send to new customers; therefore, the Commission
estimates that the additional burden will be adding a few pages to the email attachment or mailing.
\2\ The Commission estimates that, with a bulk mailing or email, a broker-dealer that is a Covered Entity will require no more than 0.02 hours to send
the broker-dealer's required disclosures to each existing customer, or an annual burden of 44.58 hours per broker-dealer. (0.02 hours per customer x
2,229 median number of customers per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 44.58 hours per broker-
dealer.) The Commission notes that the burden for preparing disclosures to customers is already incorporated into a separate burden estimate under
other broker-dealer rules promulgated by the Commission (e.g., 17 CFR 240.17a-3) and FINRA rules. The Commission expects that broker-dealers subject
to this new disclosure requirement will make their annual delivery to existing customers as part of an email or mailing of an account statement they
already send to customers; therefore, the Commission estimates that the additional burden will be adding a few pages to the email attachment or
mailing.
2. Form SCIR
The Commission has made certain estimates of the burdens associated
with filing the initial and amended Part I of Form SCIR under proposed
Rule 10 applicable to Covered Entities solely for the purpose of this
PRA analysis.\963\ Table 5 below summarizes the initial and ongoing
annual burden and cost estimates associated with filing proposed Form
SCIR.
---------------------------------------------------------------------------
\963\ These requirements are discussed in sections II.B.2. and
II.B.4. of this release.
[[Page 20330]]
Table 5--Part I of Form SCIR PRA Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal
initial burden Internal annual Wage rate Internal time Annual external
hours burden hours costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED PART I OF FORM SCIR ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Filing out initial Part I of Form SCIR...... 3 \1\ 1.5 $431 (blended rate for $646.50 \2\ $496
assistant general counsel,
compliance manager).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Filing an amended Part I of SCIR............ 1 1 $431 (blended rate for 431 \3\ 496
assistant general counsel,
compliance manager).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per Covered ............... 2.5 ............................... 1077.50 992
Entity.
Number of Covered Entity.................... ............... x 1,989 ............................... x 1,989 x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new aggregate annual burden....... ............... 4,972.5 ............................... 2,143,147.5 1,973,088
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 0.5 ongoing annual burden hours. The estimate of 1.5 hours is based on
the following calculation: ((3 initial hours/3) + 0.5 additional ongoing burden hours) = 1.5 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
\3\ This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.
The Commission has made certain estimates of the burdens associated
with filing the Part II of Form SCIR under proposed Rule 10 applicable
to Covered Entities solely for the purpose of this PRA analysis.\964\
Table 6 below summarizes the initial and ongoing annual burden and cost
estimates associated with the proposed rule's disclosure requirements
for Covered Entities.
---------------------------------------------------------------------------
\964\ These requirements are discussed in sections II.B.3. and
II.B.4. of this release.
Table 6--Part II of Form SCIR PRA Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
Internal
initial burden Internal annual Wage rate Internal time Annual external
hours burden hours costs cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
PROPOSED PART II OF FORM SCIR ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Disclosure of significant cybersecurity 5 \1\ 3.67 x $375.33 per hour (blended rate $1,377.46 \2\ $1,488
incidents and cybersecurity risks on Part for assistant general counsel,
II of Form SCIR and posting form on website. senior compliance examiner and
compliance manager) \3\.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual burden per Covered ............... 3.67 ............................... 1,377.46 1,488
Entity.
Number of Covered Entities.................. ............... x 1,989 ............................... x 1,989 x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new aggregate annual burden....... ............... 7,299.63 ............................... 2,739,767.94 2,959,632
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 2 ongoing annual burden hours. The estimate of 3 hours is based on the
following calculation: ((5 initial hours/3) + 2 additional ongoing burden hours) = 3.67 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
variety of sources including general information websites, and adjustments for inflation.
\3\ The $375.33 wage rate reflects current estimates from the SIFMA Wage Report of the blended hourly rate for an assistant general counsel ($518),
senior compliance examiner ($264) and a compliance manager ($344). ($518 + $264 + $344)/3 = $375.33.
In addition, the requirement to file Form SCIR in EDGAR using a
form-specific XML may impose some compliance costs. Covered Entities
that are not otherwise required to file in EDGAR--for example, clearing
agencies, the MSRB, national securities associations, and national
securities exchanges, as well as any broker-dealer Covered Entities
that choose not to file Form X-17A-5 Part III or Form 17-H through the
EDGAR system, would need to complete Form ID to obtain the EDGAR-system
access codes that enable entities to file documents through the EDGAR
system.\965\ The Commission estimates that each filer that currently
does not have access to EDGAR would incur an initial, one-time burden
of 0.30 hours to complete and submit a Form ID.\966\ Therefore, the
Commission believes the one-time industrywide reporting burden
associated with the proposed requirements to file on
---------------------------------------------------------------------------
\965\ Form ID (OMB control number 3235-0328) must be completed
and filed with the Commission by all individuals, companies, and
other organizations who seek access to file electronically on EDGAR.
Accordingly, a filer that does not already have access to EDGAR must
submit a Form ID, along with the notarized signature of an
authorized individual, to obtain an EDGAR identification number and
access codes to file on EDGAR. The Commission currently estimates
that Form ID would take 0.30 hours to prepare, resulting in an
annual industry-wide burden of 17,199 hours. See Supporting
Statement for the Paperwork Reduction Act Information Collection
Submission for Form ID (Dec. 20 2021), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202112-3235-003.
\966\ The Commission does not estimate a burden for SBS Entities
since these firms have already filed Form ID so they can file Form
SBSE on EDGAR. Similarly, the Commission does not estimate a burden
for transfer agents since these firms already file their annual
report on Form TA-2 on EDGAR.
---------------------------------------------------------------------------
[[Page 20331]]
EDGAR is 4.8 hours for clearing agencies,\967\ 0.30 hours for the
MSRB,\968\ 7.5 hours for national securities exchanges and
associations; \969\ 0.9 hours for SBSDRs; \970\ and 242.4 hours for
Covered Broker-Dealers not already filing their annual audits on
EDGAR.\971\ In addition, the requirement to file Form SCIR using custom
XML (with which a Covered Entity would be able to comply by inputting
its disclosures into a fillable web form), the Commission estimates
each Covered Entity would incur an internal burden of 0.5 hours per
filing.\972\ Accordingly, the Commission estimates that Covered
Entities will collectively have an ongoing burden of 994.5 hours \973\
with respect to filing Form SCIR in custom XML.
---------------------------------------------------------------------------
\967\ 0.30 hours x 16 clearing agencies = 4.8 hours.
\968\ 0.30 hours x 1 MSRB = 0.30 hours.
\969\ 0.30 hours x (24 national securities exchanges and 1
national securities association) = 7.5 hours.
\970\ 0.30 hours x 3 SBSRs = 0.9 hours.
\971\ 0.30 hours x 808 Covered Broker-Dealers not already filing
on EDGAR = 242.4 hours.
\972\ This estimate would mirror the Commission's internal
burden hour estimate for a proposed custom XML requirement for
Schedules 13D and 13G. See Modernization of Beneficial Ownership
Reporting Release.
\973\ 1,989 Covered Entities x .5 hours = 994.5 hours.
---------------------------------------------------------------------------
3. Rules 17a-4, 17ad-7, 18a-6, and Clearing Agency Exemption Orders
(and Existing Rules 13n-7 and 17a-1)
The Commission has made certain estimates of the burdens associated
with the proposed record preservation requirements solely for the
purpose of this PRA analysis.\974\ Table 7 below summarizes the initial
and ongoing annual burden and cost estimates associated with the
additional recordkeeping requirements.
---------------------------------------------------------------------------
\974\ These requirements are discussed in sections II.B.5.a. and
II.C. of this release.
\975\ Given the general nature of the recordkeeping requirements
for national securities exchanges, national securities associations,
registered clearing agencies, and the MSRB under Rule 17a-1 (OMB
control number 3235-0208, Recordkeeping Rule for National Securities
Exchanges, National Securities Associations, Registered Clearing
Agencies, and the Municipal Securities Rulemaking Board) and for
SBSDRs under Rule 13n-7 (OMB control number 3235-0719, Security-
Based Swap Data Repository Registration, Duties, and Core Principles
and Form SDR), it is anticipated that the new recordkeeping
requirements proposed in this release would result in a one-time
nominal increase in burden per entity that would effectively be
encompassed by the existing burden estimates associated with these
existing rules as described in those collections of information.
Below, the Commission solicits comment regarding all of the PRA
estimates discussed in this release.
Table 7--PRA Estimates--Proposed Amendments to Rules 17a-4, 18a-6, and 17ad-7 and Clearing Agency Exemption
Orders (and Existing Rules 17a-1 and 13n-7) \975\
----------------------------------------------------------------------------------------------------------------
Annual
Internal annual Wage rate Internal time external cost
hour burden costs burden
----------------------------------------------------------------------------------------------------------------
PROPOSED ESTIMATES FOR RECORDKEEPING BURDENS
----------------------------------------------------------------------------------------------------------------
Retention of cybersecurity 1................. x $73.5............ $73.5 $0
policies and procedures. (blended rate for
general clerk
and compliance
clerk).
Total burden per Covered 1................. 73.5 0
Entity or Non-Covered
Broker-Dealer.
Total number of affected x 3,918........... x 3,918 0
entities.
Sub-total burden....... 3,918 hours....... 287,973 0
Retention of written report 1................. x 73.5............. 73.5 0
documenting annual review. (blended rate for
general clerk
and compliance
clerk).
Total annual burden per Covered 1................. 73.5 0
Entity or Non-Covered Broker-
Dealer.
Total number of affected x 3,918........... x 3,918 0
entities.
Sub-total burden....... 3,918 hours....... 287,973 0
Retention of copy of any Form 1................. x 73.5............. 73.5 0
SCIR or immediate notice to (blended rate for
the Commission. general clerk
and compliance
clerk).
Total annual burden per 1................. 73.5 0
Covered Entity or Non-
Covered Broker-Dealer.
Total number of affected x 3,918........... x 3,918 0
entities.
Sub-total burden....... 3,918 hours....... 287,973 0
Retention of records 1................. x 73.5............. 73.5 0
documenting a cybersecurity (blended rate for
incident. general clerk
and compliance
clerk).
Total annual burden per 1................. 73.5 0
Covered Entity.
Total number of affected x 1,949........... x 1,949 0
Covered Entities.
Sub-total burden....... 1,949 hours....... 143,251.50 0
Retention of records 1................. x 73.5............. 73.5 0
documenting a Covered Entity's (blended rate for
cybersecurity risk assessment. general clerk
and compliance
clerk).
Total annual burden per 1................. 73.5 0
Covered Entity.
Total number of affected x 1,949........... x 1,949 0
Covered Entities.
Sub-total burden....... 1,949 hours....... 143,251.50 0
Retention of copy of any public 1................. x 73.5............. 73.5 0
disclosures. (blended rate for
general clerk
and compliance
clerk).
Total annual burden per 1................. 73.5 0
Covered Entity.
Total number of affected x 1,949........... x 1,949 0
Covered Entities.
Sub-total burden....... 1,949 hours....... 143,251.50 0
[[Page 20332]]
Total annual aggregate 17,601 hours...... 1,293,673.5 0
burden of
recordkeeping
obligations.
----------------------------------------------------------------------------------------------------------------
4. Substituted Compliance--Rule 3a71-6
Rule 3a71-6 would require submission of certain information to the
Commission to the extent SBS Entities elect to request a substituted
compliance determination with respect to proposed Rule 10, Form SCIR,
and the related record preservation requirements. Consistent with
Exchange Act Rule 0-13, such applications must be accompanied by
supporting documentation necessary for the Commission to make the
determination, including information regarding applicable foreign
requirements, and the methods used by foreign authorities to monitor
and enforce compliance. If Rule 3a71-6 is amended as proposed, the
Commission expects that the majority of such requests will be made
during the first year following the effective date.
The Commission expects that the great majority of substituted
compliance applications will be submitted by foreign authorities, and
that very few substituted compliance requests will come from SBS
Entities. For purposes of this assessment, the Commission estimates
that three such SBS Entities will submit such an application.\976\
---------------------------------------------------------------------------
\976\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at
6389. See also SBS Entity Business Conduct Standards Adopting
Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity
Trade Acknowledgement and Verification Adopting Release, 81 FR at
39832; SBS Entity Recordkeeping and Reporting Adopting Release, 84
FR at 68609; Capital, Margin, and Segregation Requirements Adopting
Release, 84 FR at 43967.
---------------------------------------------------------------------------
The Commission has previously estimated that the paperwork burden
associated with filing a request for a substituted compliance
determination related to existing business conduct, supervision, chief
compliance officer, and trade acknowledgement and verification
requirements described in Rule 3a71-6(d)(1)-(3) was approximately 80
hours of in-house counsel time, plus $84,000 \977\ for the services of
outside professionals, and the paperwork burden estimate associated
with making a request for a substituted compliance determination
related to the existing recordkeeping and reporting requirements
described in Rule 3a71-6(d)(6) was approximately 80 hours of in-house
counsel time, plus $84,000 \978\ for the services of outside
professionals.\979\ To the extent that an SBS Entity files a request
for a substituted compliance determination in connection with Rule 10,
Form SCIR, the related record preservation requirements, and
requirements currently identified in Rule 3a71-6(d) as eligible for
substituted compliance determinations, the Commission believes that the
paperwork burden associated with the request would be greater than that
associated with a narrower request due to the need for more information
regarding the comparability of the relevant rules and the adequacy of
the associated supervision and enforcement practices. However, the
Commission believes that its prior paperwork burden estimate is
sufficient to cover a combined substituted compliance request that also
seeks a determination in connection with Rule 10, Form SCIR, and the
related record preservation requirements.\980\
---------------------------------------------------------------------------
\977\ Based on 200 hours of outside time x $420 per hour. This
estimated burden also includes the burden associated with making a
request for a substituted compliance determination related to the
portfolio reconciliation, portfolio compression, and trading
relationship documentation requirements described in Rule 3a71-
6(d)(7); see SBS Entity Risk Mitigation Adopting Release, 85 FR at
6389.
\978\ Based on 200 hours of outside time x $420 per hour.
\979\ See Supporting Statement for the Paperwork Reduction Act
Information Collection Submission for Exchange Act Rule 3a71-6 (June
10, 2021), available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202106-3235-008.
\980\ Although applicants may file requests for substituted
compliance determinations related multiple eligible requirements,
applicants may instead file requests for substituted compliance
determinations related to individual eligible requirements. As such,
the Commission's estimates reflect the total paperwork burden of
requests filed by (i) applicants that would be seeking a substituted
compliance determination related to Rule 10, Form SCIR, and the
related record preservation requirements combined with a request for
a substituted compliance determination related to other eligible
requirements, and (ii) applicants that previously filed requests for
substituted compliance determinations related to other eligible
requirements and would be seeking an additional substituted
compliance determination in connection with Rule 10, Form SCIR, and
the related record preservation requirements.
---------------------------------------------------------------------------
Nevertheless, the Commission is revising its estimate of the hourly
rate for outside professionals to $496, consistent with the other
paperwork burden estimates in this release. Therefore, the Commission
estimates that the total paperwork burden incurred by entities
associated with preparing and submitting a request for a substituted
compliance determination in connection with the proposed cybersecurity
risk management requirements applicable to SBS Entities would be
reflected in the estimated burden of a request for a substituted
compliance determination related to the business conduct, supervision,
chief compliance officer, trade acknowledgement and verification, and
the portfolio reconciliation, portfolio compression, and trading
relationship documentation requirements described in Rule 3a71-6(d)(1)-
(3) and (7) of approximately 80 hours of in-house counsel time, plus
$99,200 for the services of outside professionals,\981\ and the
paperwork burden associated with making a request for a substituted
compliance determination related to the recordkeeping and reporting
requirements described in Rule 3a71-6(d)(6) of approximately 80 hours
of in-house counsel time, plus $99,200 for the services of outside
professionals.\982\ This estimate results in an aggregate total one-
time paperwork burden associated with preparing and submitting requests
for substituted compliance determinations relating to the requirements
described in Rule 3a71-6(d)(1) through (3), (6) and (7), including the
proposed cybersecurity risk management requirements, of approximately
480 internal hours,\983\ plus $595,200 for the services of outside
professionals \984\ for all three requests.
---------------------------------------------------------------------------
\981\ Based on 200 hours of outside time x $496 per hour.
\982\ Based on 200 hours of outside time x $496 per hour.
\983\ (80 hours related to Rule 3a71-6(d)(1) through (3), (7)
plus 80 hours related to Rule 3a71-6(d)(6)) * 3 requests.
\984\ ($99,200 related to Rule 3a71-6(d)(1) through (3), (7)
plus $99,200 related to Rule 3a71-6(d)(6)) * 3 requests.
---------------------------------------------------------------------------
E. Collection of Information is Mandatory
The collections of information pursuant to proposed Rule 10, Form
SCIR, and the relevant recordkeeping
[[Page 20333]]
rules are mandatory, as applicable, for Market Entities. With respect
to Rule 3a71-6, the application for substituted compliance is mandatory
for all foreign financial regulatory authorities or SBS Entities that
seek a substituted compliance determination.
F. Confidentiality of Responses to Collection of Information
The Commission expects to receive confidential information in
connection with the collections of information. A Market Entity can
request confidential treatment of the information.\985\ If such
confidential treatment request is made, the Commission anticipates that
it will keep the information confidential subject to applicable
law.\986\
---------------------------------------------------------------------------
\985\ See 17 CFR 200.83. Information regarding requests for
confidential treatment of information submitted to the Commission is
available on the Commission's website at https://www.sec.gov/foia/howfo2.htm#privacy.
\986\ See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing
the public availability of information obtained by the Commission).
---------------------------------------------------------------------------
With regard to Rule 3a71-6, the Commission generally will make
requests for a substituted compliance determination public, including
supporting documentation provided by the requesting party, subject to
requests for confidential treatment being submitted pursuant to any
applicable provisions governing confidentiality under the Exchange
Act.\987\ If confidential treatment is granted, the Commission would
keep such information confidential, subject to the provisions of
applicable law.\988\
---------------------------------------------------------------------------
\987\ See, e.g., 17 CFR 200.83; 17 CFR 240.24b-2; see also SBS
Entity Definitions Adopting Release, 79 FR at 47359.
\988\ See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing
the public availability of information obtained by the Commission).
---------------------------------------------------------------------------
G. Retention Period for Recordkeeping Requirements
Rule 17a-4, as proposed to be amended, specifies the required
retention periods for records required to be made and preserved by a
broker-dealer, whether electronically or otherwise.\989\ Rule 17ad-7,
as proposed to be amended, specifies the required retention periods for
records required to be made and preserved by transfer agents, whether
electronically or otherwise.\990\ Rule 18a-6, as proposed to be
amended, specifies the required retention periods for records required
to be made and preserved by SBSDs or MSBSPs, whether electronically or
otherwise.\991\ All records required of certain of the Market Entities
pursuant to the proposed rule amendments must be retained for three
years.\992\ Existing Rule 17a-1 specifies the required retention
periods for records required to be made and preserved by national
securities exchanges, national securities associations, registered
clearing agencies, and the MSRB, whether electronically or
otherwise.\993\ Under the existing provisions of Rule 17a-1, registered
clearing agencies, the MSRB, national securities associations, and
national securities exchanges would be required to preserve at least
one copy of the Rule 10 Records for at least five years, the first two
years in an easily accessible place. Existing Rule 13n-7, which is not
proposed to be amended, specifies the required retention periods for
records required to be made and preserved by SBSDRs, whether
electronically or otherwise.\994\ Rule 13n-7 provides that the SBSDR
must keep the documents for a period of not less than five years, the
first two years in a place that is immediately available to
representatives of the Commission for inspection and examination.\995\
Finally, exempt clearing agencies are generally subject to conditions
that mirror certain of the recordkeeping requirements in Rule 17a-
1.\996\ Nonetheless, the Commission is proposing to amend the clearing
agency exemption orders to add a condition that each exempt clearing
agency must retain the Rule 10 Records for a period of at least five
years after the record is made or, in the case of the written policies
and procedures to address cybersecurity risks, for at least five years
after the termination of the use of the policies and procedures.
---------------------------------------------------------------------------
\989\ See Rule 17a-4, as proposed to be amended.
\990\ See Rule 17ad-7, as proposed to be amended.
\991\ See Rule 18a-6, as proposed to be amended.
\992\ See Rules 17a-4, 17A-d, and 18a-6, as proposed to be
amended.
\993\ See Rule 17a-1.
\994\ See Rule 13n-7.
\995\ See paragraph (b)(2) of Rule 13n-7.
\996\ See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning
BSTP's exemption by requiring BSTP to, among other things, preserve
a copy or record of all trade details, allocation instructions,
central trade matching results, reports and notices sent to
customers, service agreements, reports regarding affirmation rates
that are sent to the Commission or its designee, and any complaint
received from a customer, all of which pertain to the operation of
its matching service and ETC service. BSTP shall retain these
records for a period of not less than five years, the first two
years in an easily accessible place).
---------------------------------------------------------------------------
H. Request for Comment
Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits
comment on the proposed collections of information in order to:
Evaluate whether the proposed collections of information
are necessary for the proper performance of the functions of the
Commission, including whether the information would have practical
utility;
Evaluate the accuracy of the Commission's estimates of the
burden of the proposed collections of information;
Determine whether there are ways to enhance the quality,
utility, and clarity of the information to be collected; and
Evaluate whether there are ways to minimize the burden of
the collection of information on those who respond, including through
the use of automated collection techniques or other forms of
information technology.
Persons submitting comments on the collection of information
requirements should direct them to the Office of Management and Budget,
Attention: Desk Officer for the Securities and Exchange Commission,
Office of Information and Regulatory Affairs, Washington, DC 20503, and
should also send a copy of their comments to Vanessa A. Countryman,
Secretary, Securities and Exchange Commission, 100 F Street NE,
Washington, DC 20549-1090, with reference to File Number S7-06-23.
Requests for materials submitted to OMB by the Commission with regard
to this collection of information should be in writing, with reference
to File Number S7-06-23 and be submitted to the Securities and Exchange
Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC
20549-2736. As OMB is required to make a decision concerning the
collections of information between 30 and 60 days after publication, a
comment to OMB is best assured of having its full effect if OMB
receives it within 30 days of publication.
VI. Initial Regulatory Flexibility Act Analysis
The RFA requires the Commission, in promulgating rules, to consider
the impact of those rules on small entities.\997\ Section 603(a) of the
Administrative Procedure Act,\998\ as amended by the RFA, generally
requires the Commission to undertake a regulatory flexibility analysis
of all proposed rules to determine the impact of such rulemaking on
``small entities.'' \999\ Section 605(b) of the RFA states that this
requirement shall not apply to any proposed rule which, if adopted,
would not have a significant
[[Page 20334]]
economic impact on a substantial number of small entities.\1000\
---------------------------------------------------------------------------
\997\ See 5 U.S.C. 601 et seq.
\998\ 5 U.S.C. 603(a).
\999\ Section 601(b) of the RFA permits agencies to formulate
their own definitions of ``small entities.'' See 5 U.S.C. 601(b).
The Commission has adopted definitions for the term ``small entity''
for the purposes of rulemaking in accordance with the RFA. These
definitions, as relevant to this proposed rulemaking, are set forth
in Rule 0-10.
\1000\ See 5 U.S.C. 605(b).
---------------------------------------------------------------------------
The Commission has prepared the following Initial Regulatory
Flexibility Analysis (``IRFA'') in accordance with section 3(a) of the
RFA.\1001\ It relates to: (1) proposed Rule 10 under the Exchange Act;
(2) proposed Form SCIR; and (3) proposed amendments to Rules 17a-4,
17ad-7, and 18a-6 under the Exchange Act.\1002\
---------------------------------------------------------------------------
\1001\ 5 U.S.C. 603(a).
\1002\ The Commission is also certifying that that amendments to
Rule 3a71-6 will not have a significant economic impact on a
substantial number of small entities for purposes of the RFA. See
section VI.C.5. of this release.
---------------------------------------------------------------------------
A. Reasons for, and Objectives of, Proposed Action
The reasons for, and objectives of, the proposed rule and rule
amendments are discussed above.\1003\
---------------------------------------------------------------------------
\1003\ See sections I and II of this release.
---------------------------------------------------------------------------
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
Proposed Rule 10 would require all Market Entities (Covered
Entities and non-Covered Entities) to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
their cybersecurity risks.\1004\ All Market Entities also, at least
annually, would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review.\1005\ They also would
be required to prepare a report (in the case of Covered Entities) and a
record (in the case of non-Covered Entities) with respect to the annual
review.\1006\ Finally, all Market Entities would need to give the
Commission immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the significant cybersecurity incident has occurred or is
occurring.\1007\
---------------------------------------------------------------------------
\1004\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e)(1) of proposed Rule
10. See also sections II.B.1 and II.C. of this release (discussing
these proposed requirements in more detail).
\1005\ See paragraph (b)(2) of proposed Rule 10; paragraph
(e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of
this release (discussing these proposed requirements in more
detail).
\1006\ See paragraph (b)(2) of proposed Rule 10; paragraph
(e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of
this release (discussing these proposed requirements in more
detail).
\1007\ See paragraph (c)(1) of proposed Rule 10; paragraph
(e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of
this release (discussing these proposed requirements in more
detail).
---------------------------------------------------------------------------
Market Entities that meet the definition of ``covered entity''
would be subject to certain additional requirements under proposed Rule
10.\1008\ First, their cybersecurity risk management policies and
procedures would need to include the following elements:
---------------------------------------------------------------------------
\1008\ See paragraph (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e) of proposed Rule 10
(setting forth the requirements for Market Entities that do not meet
the definition of ``covered entity'').
---------------------------------------------------------------------------
Periodic assessments of cybersecurity risks associated
with the Covered Entity's information systems and written documentation
of the risk assessments;
Controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems;
Measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversight of service providers that
receive, maintain, or process information, or are otherwise permitted
to access the Covered Entity's information systems;
Measures to detect, mitigate, and remediate any
cybersecurity threats and vulnerabilities with respect to the Covered
Entity's information systems; and
Measures to detect, respond to, and recover from a
cybersecurity incident and written documentation of any cybersecurity
incident and the response to and recovery from the incident.\1009\
---------------------------------------------------------------------------
\1009\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail). In the case
of non-Covered Entities, as discussed in more detail below in
section II.C. of this release, the design of the cybersecurity risk
management policies and procedures would need to take into account
the size, business, and operations of the broker-dealer. See
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------
Second, Covered Entities--in addition to providing the Commission
with immediate written electronic notice of a significant cybersecurity
incident--would need to report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission through the EDGAR system.\1010\ The form would
elicit information about the significant cybersecurity incident and the
Covered Entity's efforts to respond to, and recover from, the incident.
---------------------------------------------------------------------------
\1010\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Third, Covered Entities would need to publicly disclose summary
descriptions of their cybersecurity risks and the significant
cybersecurity incidents they experienced during the current or previous
calendar year on Part II of proposed Form SCIR.\1011\ The form would
need to be filed with the Commission through the EDGAR system and
posted on the Covered Entity's business internet website and, in the
case of Covered Entities that are carrying or introducing broker-
dealers, provided to customers at account opening and annually
thereafter.
---------------------------------------------------------------------------
\1011\ See sections II.B.3. and II.B.4.of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Covered Entities and Non-Covered Entities would need to preserve
certain records relating to the requirements of proposed Rule 10 in
accordance with amended or existing recordkeeping requirements
applicable to them or, in the case of exempt clearing agencies,
pursuant to conditions in relevant exemption orders.\1012\
---------------------------------------------------------------------------
\1012\ See sections II.B.5. and II.C. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Collectively, these requirements are designed to address
cybersecurity risk and the threat it poses to Market Entities and the
U.S. securities markets. The written policies and procedures, the
records required to be made pursuant to those policies and procedures,
and the report or record of the annual review of the policies and
procedures would address the specific cybersecurity risks to which
Market Entities are exposed. The Commission could use these written
policies and procedures, reports, and records to review Market
Entities' compliance with proposed Rule 10.
The Commission could use the immediate written electronic
notification of significant cybersecurity incidents to promptly begin
to assess the situation by, for example, when warranted, assessing the
Market Entity's operating status and engaging in discussions with the
Market Entity to understand better what steps it is taking to protect
its customers, counterparties, members, registrants, or user. The
Commission could use the subsequent reports about the significant
cybersecurity incident filed by Covered Entities using Part I of
proposed Form SCIR to understand better the nature and extent of a
particular significant cybersecurity incident and the efficacy of the
Covered Entity's response to mitigate the disruption and harm caused by
the incident. The Commission staff could use the reports to focus on
the Covered Entity's operating status and to facilitate their outreach
to, and discussions with, personnel at the Covered Entity who are
addressing the significant cybersecurity incident. In
[[Page 20335]]
addition, the reporting would provide the staff with a view into the
Covered Entity's understanding of the scope and impact of the
significant cybersecurity incident. All of this information could be
used by the Commission and its staff in assessing the significant
cybersecurity incident impacting the Covered Entity. Further, the
Commission could be use the database of reports to assess the potential
cybersecurity risks affecting U.S. securities markets more broadly.
This information could be used to address future significant
cybersecurity incidents. For example, these reports could assist the
Commission in identifying patterns and trends across Covered Entities,
including widespread cybersecurity incidents affecting multiple Covered
Entities at the same time. Further, the reports could be used to
evaluate the effectiveness of various approaches to respond to and
recover from a significant cybersecurity incident.
The disclosures by Covered Entities on Part II of proposed Form
SCIR would be used to provide greater transparency to customers,
counterparties, registrants, or members of the Covered Entity, or to
users of its services, about the Covered Entity's cybersecurity risk
profile. This information could be used by these persons to manage
their own cybersecurity risk and, to the extent they have choice,
select a Covered Entity with whom to transact or otherwise conduct
business. In addition, because the reports would be filed through
EDGAR, Covered Entities' customers, counterparties, members,
registrants, or users would be able to run search queries to compare
the disclosures of multiple Covered Entities. This would make it easier
for Commission staff and others to assess the cybersecurity risk
profiles of different types of Covered Entities and could facilitate
trend analysis by members of the public of significant cybersecurity
incidents.
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers,
transfer agents, and SBS Entities, respectively--would be amended to
establish preservation and maintenance requirements for the written
policies and procedures, annual reports, Parts I and II of proposed
form SCIR, and records required to be made pursuant to proposed Rule 10
(i.e., the Rule 10 Records).\1013\ The proposed amendments would
specify that the Rule 10 Records must be retained for three years. In
the case of the written policies and procedures to address
cybersecurity risks, the record would need to be maintained until three
years after the termination of the use of the policies and
procedures.\1014\ In addition, orders exempting certain clearing
agencies from registering with the Commission would be amended to
establish preservation and maintenance requirements for the Rule 10
Records that would apply to the exempt clearing agencies subject to
those orders.\1015\ The amendments would provide that the records need
to be retained for five years (consistent with Rules 13n-7 and 17a-
1).\1016\ In the case of the written policies and procedures to address
cybersecurity risks, the record would need to be maintained until five
years after the termination of the use of the policies and procedures.
The preservation of these records would make them available for
examination by the Commission and other regulators.
---------------------------------------------------------------------------
\1013\ See sections II.B.5. and II.C. of this release
(discussing these proposed amendments in more detail). Rule 17a-4
sets forth record preservation and maintenance requirements for
broker-dealers, Rule 17ad-7 sets forth record preservation and
maintenance requirements for transfer agents, and Rule 18a-6 sets
forth record preservation and maintenance requirements for SBS
Entities.
\1014\ See proposed amendments to Rule 17a-4.
\1015\ See section II.B.5. of this release (discussing these
proposed amendments in more detail).
\1016\ For the reasons discussed in section II.B.5.a. of this
release, the proposal would not amend Rules 13n-7 or 17a-1. As
explained in that section of the release, the existing requirements
of Rule 13n-7 (which applies to SBSDRs) and Rule 17a-1 (which
applies to registered clearing agencies, the MSRB, national
securities associations, and national securities exchanges) will
require these Market Entities to retain the Rule 10 Records for five
years and, in the case of the written policies and procedures, for
five years after the termination of the use of the policies and
procedures.
---------------------------------------------------------------------------
B. Legal Basis
The Commission is proposing Rule 10 and Form SCIR under the
Exchange Act, as well as amendments to Rules 17a-4, 17ad-7, and 18a-6
under the Exchange Act, under the following authorities under the
Exchange Act: (1) Sections 15, 17, and 23 for broker-dealers (15 U.S.C.
78o, 78q, and 78w); (2) Sections 17, 17A, and 23 for clearing agencies
(15 U.S.C. 78q, 17q-1, and 78w(a)(1)); (3) Sections 15B, 17, and 23 for
the MSRB (15 U.S.C. 78o-4, 78q(a), and 78w); (4) Sections 6(b), 11A,
15A, 17, and 23 for national securities exchanges and national
securities associations (15 U.S.C. 78f, 78k-1, 78o-3, and 78w); (5)
Sections 15F, 23, and 30(c) for SBS Entities (15 U.S.C. 78o-10, 78w,
and 78dd(c)); (6) Sections 13 and 23 for SBSDRs (15 U.S.C. 78m and
78w); and (7) Sections 17a, 17A, and 23 for transfer agents (78q, 17q-
1, and 78w).
C. Small Entities Subject to Proposed Rule, Form SCIR, and
Recordkeeping Rule Amendments
As discussed above, the Commission estimates that a total of
approximately 1,989 Covered Entities (consisting of 1,541 broker-
dealers, 16 clearing agencies, the MSRB, 25 total national securities
exchanges and national securities associations, 50 SBS Entities, 3
SBSDRs, and 353 transfer agents) and 1,969 Non-Covered Broker-Dealers
would be subject to the new cybersecurity requirements and related
recordkeeping requirements as a result of: (1) proposed Rule 10 under
the Exchange Act; (2) proposed Form SCIR; and (3) proposed amendments
to Rules 17a-4, 17ad-7, and 18a-6 under the Exchange Act. The number of
these firms that may be considered ``small entities'' are discussed
below.
1. Broker-Dealers
For purposes of Commission rulemaking, a small entity includes,
when used with reference to a broker-dealer, a broker-dealer that: (1)
had total capital (net worth plus subordinated liabilities) of less
than $500,000 on the date in the prior fiscal year as of which its
audited financial statements were prepared pursuant to Rule 17a-5(d)
under the Exchange Act, or, if not required to file such statements, a
broker-dealer with total capital (net worth plus subordinated
liabilities) of less than $500,000 on the last day of the preceding
fiscal year (or in the time that it has been in business, if shorter);
and (2) is not affiliated with any person (other than a natural person)
that is not a small business or small organization.\1017\
---------------------------------------------------------------------------
\1017\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------
Based on FOCUS Report data, the Commission estimates that as of
September 30, 2022, approximately 764 broker-dealers total (195 broker-
dealers that are Covered Entities and 569 broker-dealers that are Non-
Covered Broker-Dealers) that might be deemed small entities for
purposes of this analysis.
2. Clearing Agencies
For the purposes of Commission rulemaking, a small entity includes,
when used with reference to a clearing agency, a clearing agency that:
(1) compared, cleared, and settled less than $500 million in securities
transactions during the preceding fiscal year; (2) had less than $200
million of funds and securities in its custody or control at all times
during the preceding fiscal year (or at any time that it has been in
business, if shorter); and (3) is not
[[Page 20336]]
affiliated with any person (other than a natural person) that is not a
small business or small organization.\1018\
---------------------------------------------------------------------------
\1018\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------
Based on the Commission's existing information about the clearing
agencies currently registered with the Commission, the Commission
preliminarily believes that such entities exceed the thresholds
defining ``small entities'' set out above. While other clearing
agencies may emerge and seek to register as clearing agencies, the
Commission preliminarily does not believe that any such entities would
be ``small entities'' as defined in Exchange Act Rule 0-10.
Consequently, the Commission certifies that the proposed rule and form
would not, if adopted, have a significant economic impact on a
substantial number of small entities.
3. The MSRB
The Commission's rules do not define ``small business'' or ``small
organization'' for purposes of entities like the MSRB. The MSRB does
not fit into one of the categories listed under the Commission rule
that provides guidelines for a defined group of entities to qualify as
a small entity for purposes of Commission rulemaking under the
RFA.\1019\ The RFA in turn, refers to the Small Business Administration
(``SBA'') in providing that the term ``small business'' is defined as
having the same meaning as the term ``small business concern'' under
section 3 of the Small Business Act.\1020\ The SBA provides a
comprehensive list of categories with accompanying size standards that
outline how large a business concern can be and still qualify as a
small business.\1021\ The industry categorization that appears to best
fit the MSRB under the SBA table is Professional Organization. The SBA
defines a Professional Organization as an entity having average annual
receipts of less than $15 million. Within the MSRB's 2021 Annual Report
the organization reported total revenue exceeding $35 million for
fiscal year 2021.\1022\ The Report also stated that the organization's
total revenue for fiscal year 2020 exceeded $47 million.\1023\ The
Commission is using the SBA's definition of small business to define
the MSRB for purposes of the RFA and has concluded that the MSRB is not
a ``small entity.'' Consequently, the Commission certifies that the
proposed rule and form would not, if adopted, have a significant
economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\1019\ See Rule 0-10.
\1020\ See 5 U.S.C. 601(3).
\1021\ See 13 CFR 121.201. See also SBA, Table of Small Business
Size Standards Marched to North American Industry Classification
System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business
size standards within 13 CFR 121.201).
\1022\ See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB-2021-Annual-Report.ashx.
\1023\ Id.
---------------------------------------------------------------------------
4. National Securities Exchanges and National Securities Associations
For the purposes of Commission rulemaking, and with respect to the
national securities exchanges, the Commission has defined a ``small
entity'' as an exchange that has been exempt from the reporting
requirements of Rule 601 of Regulation NMS and is not affiliated with
any person (other than a natural person) that is not a small business
or small organization.\1024\ None of the national securities exchanges
registered under section 6 of the Exchange Act that would be subject to
the proposed rule and form is a ``small entity'' for purposes of the
RFA.
---------------------------------------------------------------------------
\1024\ See paragraph (e) of Rule 0-10.
---------------------------------------------------------------------------
There is only one national securities association (FINRA), and the
Commission has previously stated that it is not a small entity as
defined by 13 CFR 121.201.\1025\ Consequently, the Commission certifies
that the proposed rule and form would not, if adopted, have a
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\1025\ See, e.g., Securities Exchange Act Release No. 62174 (May
26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (``FINRA is not a
small entity as defined by 13 CFR 121.201.'').
---------------------------------------------------------------------------
5. SBS Entities
For purposes of Commission rulemaking, a small entity includes: (1)
when used with reference to an ``issuer'' or a ``person,'' other than
an investment company, an ``issuer'' or ``person'' that, on the last
day of its most recent fiscal year, had total assets of $5 million or
less; \1026\ or (2) a broker-dealer with total capital (net worth plus
subordinated liabilities) of less than $500,000 on the date in the
prior fiscal year as of which its audited financial statements were
prepared pursuant to Rule 17a-5(d) under the Exchange Act,\1027\ or, if
not required to file such statements, a broker-dealer with total
capital (net worth plus subordinated liabilities) of less than $500,000
on the last day of the preceding fiscal year (or in the time that it
has been in business, if shorter); and is not affiliated with any
person (other than a natural person) that is not a small business or
small organization.\1028\
---------------------------------------------------------------------------
\1026\ See paragraph (a) of Rule 0-10.
\1027\ 17 CFR 240.17a-5(d).
\1028\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------
With respect to SBS Entities, based on feedback from market
participants and our information about the security-based swap markets,
and consistent with our position in prior rulemakings arising out of
the Dodd-Frank Act, the Commission continues to believe that: (1) the
types of entities that will engage in more than a de minimis amount of
dealing activity involving security-based swaps--which generally would
be large financial institutions--would not be ``small entities'' for
purposes of the RFA, and (2) the types of entities that may have
security-based swap positions above the level required to be MSBSPs
would not be ``small entities'' for purposes of the RFA.\1029\
---------------------------------------------------------------------------
\1029\ See, e.g., SBS Entity Risk Mitigation Adopting Release,
85 FR at 6411; SBS Entity Registration Adopting Release, 80 FR at
49013; Recordkeeping and Reporting Requirements for Security-Based
Swap Dealers, Major Security-Based Swap Participants, and Broker-
Dealers; Capital Rule for Certain Security-Based Swap Dealers,
Exchange Act Release No. 71958 (Apr. 17, 2014), 79 FR 25193, 25296-
97 and n.1441 (May 2, 2014); Further Definition Release, 77 FR at
30743.
---------------------------------------------------------------------------
Consequently, the Commission certifies that with respect to SBS
Entities the proposed rule and form (as well as the amendments to Rule
3a71-6) would not, if adopted, have a significant economic impact on a
substantial number of small entities.
6. SBSDRs
For purposes of Commission rulemaking regarding SBSDRs, a small
entity includes: (1) when used with reference to an ``issuer'' or a
``person,'' other than an investment company, an ``issuer'' or
``person'' that, on the last day of its most recent fiscal year, had
total assets of $5 million or less; \1030\ or (2) a broker-dealer with
total capital (net worth plus subordinated liabilities) of less than
$500,000 on the date in the prior fiscal year as of which its audited
financial statements were prepared pursuant to Rule 17a-5(d) under the
Exchange Act,\1031\ or, if not required to file such statements, a
broker-dealer with total capital (net worth plus subordinated
liabilities) of less than $500,000 on the last day of the preceding
fiscal year (or in the time that it has been in business, if shorter);
and is not affiliated with any person (other than a natural person)
that is not a small business or small organization.\1032\
---------------------------------------------------------------------------
\1030\ See paragraph (a) of Rule 0-10.
\1031\ 17 CFR 240.17a-5(d).
\1032\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------
Based on the Commission's existing information about the SBSDRs
currently registered with the Commission, and consistent with the
Commission's prior
[[Page 20337]]
rulemakings,\1033\ the Commission preliminarily believes that such
entities exceed the thresholds defining ``small entities'' set out
above. While other SBSDRs may emerge and seek to register as SBSDRs,
the Commission preliminarily does not believe that any such entities
would be ``small entities'' as defined in Exchange Act Rule 0-10.
Consequently, the Commission certifies that the proposed rule and form
would not, if adopted, have a significant economic impact on a
substantial number of small entities.
---------------------------------------------------------------------------
\1033\ See, e.g., SBSDR Adopting Release, 80 FR at 14548-49
(stating that ``[i]n the Proposing Release, the Commission stated
that it did not believe that any persons that would register as
SBSDRs would be considered small entities. The Commission stated
that it believed that most, if not all, SBSDRs would be part of
large business entities with assets in excess of $5 million and
total capital in excess of $500,000. As a result, the Commission
certified that the proposed rules would not have a significant
impact on a substantial number of small entities and requested
comments on this certification. The Commission did not receive any
comments that specifically addressed whether Rules 13n-1 through
13n-12 and Form SBSDR would have a significant economic impact on
small entities. Therefore, the Commission continues to believe that
Rules 13n-1 through 13n-12 and Form SBSDR will not have a
significant economic impact on a substantial number of small
entities. Accordingly, the Commission hereby certifies that,
pursuant to 5 U.S.C. 605(b), Rules 13n-1 through 13n-12, Form SBSDR
will not have a significant economic impact on a substantial number
of small entities'').
---------------------------------------------------------------------------
7. Transfer Agents
For purposes of Commission rulemaking, Exchange Act Rule 0-10(h)
provides that the term small business or small organization shall, when
used with reference to a transfer agent, mean a transfer agent that:
(1) received less than 500 items for transfer and less than 500 items
for processing during the preceding six months (or in the time that it
has been in business, if shorter); (2) transferred items only of
issuers that would be deemed ``small businesses'' or ``small
organizations'' as defined in this section; and (3) maintained master
shareholder files that in the aggregate contained less than 1,000
shareholder accounts or was the named transfer agent for less than
1,000 shareholder accounts at all times during the preceding fiscal
year (or in the time that it has been in business, if shorter); and (4)
is not affiliated with any person (other than a natural person) that is
not a small business or small organization under this section.\1034\ As
of March 31, 2022, the Commission estimates there were 158 transfer
agents that were considered small organizations. Our estimate is based
on the number of transfer agents that reported a value of fewer than
1,000 for items 4(a) and 5(a) on Form TA-2 for the 2021 annual
reporting period (which was required to be filed by March 31,
2022).\1035\
---------------------------------------------------------------------------
\1034\ See paragraph (h) of Rule 0-10.
\1035\ Item 4(a) on Form TA-2 requires each transfer agent to
provide the number of items received for transfer during the
reporting period. Item 5(a) on Form TA-2 requires each transfer
agent to provide its total number of individual securityholder
accounts, including accounts in the Direct Registration System
(DRS), dividend reinvestment plans and/or direct purchase plans as
of December 31.''
---------------------------------------------------------------------------
D. Reporting, Recordkeeping, and Other Compliance Requirements
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
The proposed requirements under proposed Rule 10 and Parts I and II
of proposed Form SCIR, including compliance and recordkeeping
requirements, are summarized in this IRFA.\1036\ The burdens on
respondents, including those that are small entities, are discussed
above in the Commission's economic analysis and PRA analysis.\1037\
They also are discussed below.
---------------------------------------------------------------------------
\1036\ See section VI.A. of this release. See also section II of
this release (discussing the requirements of proposed Rule 10 and
Parts I and II of proposed Form SCIR in more detail).
\1037\ See sections IV and V of this release (setting forth the
Commission's economic analysis and PRA analysis, respectively).
---------------------------------------------------------------------------
As discussed above, there are approximately 764 small entity
broker-dealers. 195 of these broker-dealers would be Covered Entities
and 569 of these broker-dealers would be Non-Covered Broker-Dealers
under proposed Rule 10. In addition, there are approximately 158 small
entity transfer agents, all of which would be Covered Entities
(resulting in a total of 353 small entities that would be Covered
Entities). The total number of small entity broker-dealers or transfer
agents that would be subject to the requirements of proposed Rule 10 as
either Covered Entities or Non-Covered Broker-Dealers is 922.
The requirements under proposed Rule 10 to implement and review
certain policies and procedures would result in costs to these small
entities. For Covered Entities, this would create a new annual burden
of approximately 31.67 hours per firm, or 11,179.51 hours in aggregate
for small entities. The Commission therefore expects the annual
monetized aggregate cost to small entities to be $5,164,933.62.\1038\
For Non-Covered Broker-Dealers, the requirements would create a new
annual burden of approximately 21 hours per firm, or 11,949 hours in
aggregate for small entities. The Commission therefore expects the
annual monetized aggregate cost to small entities to be
$5,520,438.\1039\
---------------------------------------------------------------------------
\1038\ $29,102,133.06 total cost x (353 small entities/1,989
total entities) = $5,164,933.62.
\1039\ $19,103,238 total cost x (569 small entities/1,969 total
entities) = $5,520,438.
---------------------------------------------------------------------------
In addition, there are approximately 922 small entities that would
be subject to the notification requirements of proposed Rule 10. The
requirement to make a determination regarding a significant
cybersecurity incident and immediate notice to the Commission would
create a new annual burden of approximately 4.67 hours per Market
Entity, or 4,305.74 hours in aggregate for small entities. The
Commission therefore expects the annual monetized aggregate cost to
small entities associated with the proposed notification requirement
under Rule 10 to be $1,519,926.22.\1040\ The 353 small entities that
would be Covered Entities would also be subject to the requirements to
file Part I of proposed Form SCIR. This would create a new annual
burden of approximately 2.5 hours per Covered Entity, or 882.5 hours in
aggregate for small entities. The Commission therefore expects the
annual monetized aggregate cost to small entities associated with Part
I of proposed Form SCIR to be $380,357.50.\1041\
---------------------------------------------------------------------------
\1040\ $6,524,802.58 total cost x (922 small entities/3,958
total entities) = $1,519,926.22.
\1041\ $2,143,147.5 total cost x (353 small entities/1,989 total
entities) = $380,357.50.
---------------------------------------------------------------------------
In addition, the approximately 353 small entities that are Covered
Entities would be subject to the disclosure requirements of proposed
Rule 10. These 353 small entities would be required to make certain
public disclosures on Part II of proposed Form SCIR. This would create
a new annual burden of approximately 3.67 hours per Covered Entity, or
1,295.51 hours in aggregate for small entities. The Commission
therefore expects the annual monetized aggregate cost to small entities
associated with Part II of proposed Form SCIR to be $486,243.38.\1042\
---------------------------------------------------------------------------
\1042\ $2,739,767.94 total cost x (353 small entities/1,989
total entities) = $486,243.38.
---------------------------------------------------------------------------
Furthermore, the requirement to file Form SCIR using a form-
specific XML may impose some compliance costs for entities not already
required to file in EDGAR. Because all transfer agents are already
required to file in EDGAR their annual reports on Form TA-2, no small
entity transfer agent will incur an additional burden for filing their
public disclosures in EDGAR. Assuming all 195 small broker-dealers that
are Covered Entities do not already file in EDGAR, the requirement to
file the public disclosures in EDGAR would create an initial, one-time
burden of
[[Page 20338]]
approximately 0.30 hours per Covered Entity, or 58.5 hours in aggregate
for small entities, to complete and submit a Form ID. In addition, the
requirement to file Form SCIR using custom XML (with which a Covered
Entity would be able to comply by inputting its disclosures into a
fillable web form) would create an ongoing burden of 0.5 hours per
filing, or 176.5 hours for all small entities collectively.
As discussed above, there are approximately 195 small entity
broker-dealers that would be subject to the additional disclosure
requirements under proposed Rule 10 for customers of Covered Broker-
Dealers. This would create a new annual burden of approximately 51.26
hours per Covered Entity, or 9,995.7 hours in aggregate for small
entities. The Commission therefore expects the annual monetized
aggregate cost to small entities associated with the proposed
disclosure requirements for Covered Broker-Dealers to be
$689,703.30.\1043\
---------------------------------------------------------------------------
\1043\ $5,450,424.54 total cost x (195 small entities/1,541
total entities) = $689,703.30.
---------------------------------------------------------------------------
2. Rules 17a-4, 17ad-7, and 18a-6
The proposed amendments to Rules 17a-4, 17ad-7, and 18a-6 would
impose certain recordkeeping requirements, which--with respect to 17a-4
and 17ad-7--includes requirements for those that are small
entities.\1044\ The proposed amendments are discussed above in
detail,\1045\ and the requirements and the burdens on respondents,
including those that are small entities, are discussed above in the
economic analysis and PRA, respectively.\1046\
---------------------------------------------------------------------------
\1044\ See section VI.A.3. of this release.
\1045\ See sections II.B.5. and II.C. of this release
\1046\ See sections IV and V of the release.
---------------------------------------------------------------------------
There are approximately 353 small entities that would be subject to
the proposed amendments to Rules 17a-4 and 17ad-7 as Covered Entities.
As discussed above in the PRA analysis in section V, the proposed
amendments to Rules 17a-4 and 17ad-7 would require Market Entities to
retain certain copies of documents required under proposed Rule 10, and
would create a new annual burden of approximately 6 hours per entity,
or 2,118 hours in aggregate for small entities. The Commission
therefore expects the annual monetized aggregate cost to small entities
associated with the proposed amendments would be $155,673.\1047\
---------------------------------------------------------------------------
\1047\ $877,149 total cost x (353 small entities/1,989 total
entities) = $155,673.
---------------------------------------------------------------------------
As discussed above, there are approximately 569 small entity
broker-dealers that would be subject to the proposed amendments to Rule
17a-4 as Non-Covered Broker-Dealers. As discussed above in the PRA
analysis, in section V, the proposed amendments to Rule 17a-4 would
require Market Entities to retain certain copies of documents required
under proposed Rule 10, which would create a new annual burden of
approximately 3 hours per entity, or 1,707 hours in aggregate for small
entities. The Commission therefore expects the annual monetized
aggregate cost to small entities associated with the proposed
amendments would be $125,464.50.\1048\
---------------------------------------------------------------------------
\1048\ $434,164.50 total cost x (569 small entities/1,969 total
entities) = $125,464.50.
---------------------------------------------------------------------------
E. Duplicative, Overlapping, or Conflicting Federal Rules
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
As discussed above certain broker-dealers--including an operator of
an ATS--and transfer agents would be small entities. Proposed Rule 10
would require all Market Entities to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
their cybersecurity risks, and, at least annually, review and assess
the design and effectiveness of these policies and procedures.\1049\ As
discussed earlier, broker-dealers are subject to Regulation S-P and
Regulation S-ID.\1050\ In addition, ATSs that trade certain stocks
exceeding specific volume thresholds are subject to Regulation SCI.
Further, an ATS is subject to Regulation ATS. Transfer agents
registered with the Commission (but not transfer agents registered with
another appropriate regulatory agency) are subject to the Regulation S-
P Disposal Rule.\1051\ Transfer agents also may be subject to
Regulation S-ID if they are ``financial institutions'' or
``creditors.'' \1052\
---------------------------------------------------------------------------
\1049\ See paragraphs (b)(1) and (e)(1) of proposed Rule 10
(requiring Covered Entities and Non-Covered Broker-Dealers,
respectively, to have policies and procedures to address their
cybersecurity risks); sections II.B.1. and II.C.1. of this release
(discussing the requirements of paragraphs (b)(1) and (e)(1) of
proposed Rule 10 in more detail).
\1050\ See section IV.C.1.b.i. of this release (discussing
current relevant regulations applicable to broker-dealers).
\1051\ See section IV.C.1.b.v. of this release (discussing
current relevant regulations applicable to transfer agents).
\1052\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID
includes any financial institution or creditor, as defined in the
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be
``registered under the Securities Exchange Act of 1934.'' See 17 CFR
248.201(a).
---------------------------------------------------------------------------
As discussed earlier, these other regulations have provisions that
require policies and procedures that address certain cybersecurity
risks.\1053\ However, the policies and procedures requirements of
proposed Rule 10 are intended to differ in scope and purpose from those
other regulations, and because the policies and procedures required
under proposed Rule 10 are consistent with the existing and proposed
requirements of those other regulations that pertain to cybersecurity.
---------------------------------------------------------------------------
\1053\ See section II.F.1.c. of this release.
---------------------------------------------------------------------------
Proposed Rule 10 would require all Market Entities to give the
Commission immediate written electronic notice of a significant
cybersecurity incident upon having a reasonable basis to conclude that
the significant cybersecurity incident has occurred or is
occurring.\1054\ Covered Entities--in addition to providing the
Commission with immediate written electronic notice of a significant
cybersecurity incident--would need to report and update information
about the significant cybersecurity incident by filing Part I of
proposed Form SCIR with the Commission.\1055\ Recently, the OCC,
Federal Reserve Board, and FDIC adopted a new rule that would require
certain banking organizations to notify the appropriate banking
regulator of any cybersecurity incidents within 36 hours of discovering
an incident.\1056\ Certain transfer agents are banking organizations
and, therefore, may be required to provide notification to the
Commission and other regulators under proposed Rule 10 and to their
banking regulator under this new rule if they experience a significant
cybersecurity incident.\1057\ However, the burdens of providing these
notices are minor and each requirement is designed to alert separate
regulators who have oversight responsibilities with respect to transfer
agents about cybersecurity incidents that could adversely impact the
transfer agent.
---------------------------------------------------------------------------
\1054\ See paragraph (c)(1) of proposed Rule 10; paragraph
(e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of
this release (discussing these proposed requirements in more
detail).
\1055\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
\1056\ See section IV.C.1.d. of this release (discussing this
requirement in more detail).
\1057\ Similarly, to the extent that a Covered Entity is subject
to NFA rules, there may be overlapping notification requirements.
See NFA Interpretive Notice 9070--NFA Compliance Rules 2-9, 2-36 and
2-49: Information Systems Security Programs (effective March 1,
2016; April 1, 2019 and September 30, 2019) available at https://www.nfa.futures.org/rulebook/rules.aspx?RuleID=9070&Section=9.
---------------------------------------------------------------------------
Proposed Rule 10 would require a Covered Entity to make two types
of public disclosures relating to cybersecurity on Part II of proposed
[[Page 20339]]
Form SCIR.\1058\ Covered Entities would be required to make the
disclosures by filing Part II of proposed Form SCIR on EDGAR and
posting a copy of the filing on their business internet websites.\1059\
In addition, a Covered Entity that is either a carrying or introducing
broker-dealer would be required to provide a copy of the most recently
filed Part II of Form SCIR to a customer as part of the account opening
process. Thereafter, the carrying or introducing broker-dealer would
need to provide the customer with the most recently filed form
annually. Regulation SCI requires that SCI entities disseminate
information to their members, participants, or customers (as
applicable) regarding SCI events, including systems intrusions.\1060\
---------------------------------------------------------------------------
\1058\ See paragraph (d)(1) of proposed Rule 10.
\1059\ See section II.B.3.b. of this release (discussing these
proposed requirements in more detail).
\1060\ See 17 CFR 242.1002(c).
---------------------------------------------------------------------------
Consequently, a Covered Entity would, if it experiences a
``significant cybersecurity incident,'' be required to make updated
disclosures under proposed Rule 10 by filing Part II of proposed Form
SCIR on EDGAR, posting a copy of the form on its business internet
website, and, in the case of a carrying or introducing broker-dealer,
by sending the disclosure to its customers using the same means that
the customer elects to receive account statements. Moreover, if Covered
Entity is an SCI entity and the significant cybersecurity incident is
or would be an SCI event under the current or proposed requirements of
Regulation SCI, the Covered Entity also could be required to
disseminate certain information about the SCI event to certain of its
members, participants, or customers (as applicable).
As discussed above, proposed Rule 10 and Regulation SCI require
different types of information to be disclosed. In addition, the
disclosures, for the most part, would be made to different persons: (1)
the public at large in the case of proposed Rule 10; \1061\ and (2)
affected members, participants, or customers (as applicable) of the SCI
entity in the case of Regulation SCI. For these reasons, the Commission
proposes to apply the disclosure requirements of proposed Rule 10 to
Covered Entities even if they would be subject to the disclosure
requirements of Regulation SCI.
---------------------------------------------------------------------------
\1061\ A carrying broker-dealer would be required to make the
disclosures to its customers as well through the means by which they
receive account statements.
---------------------------------------------------------------------------
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
As part of proposed Rule 10, the Commission is proposing
corresponding amendments to the books and records rules for Market
Entities. There are no duplicative, overlapping, or conflicting Federal
rules with respect to the proposed amendments to Rules 17a-4, 17ad-7,
18a-6 and clearing agency exemption orders.
F. Significant Alternatives
The RFA directs the Commission to consider significant alternatives
that would accomplish our stated objectives, while minimizing any
significant adverse effect on small entities.
1. Broker-Dealers
As discussed above, the proposal would apply to all registered
broker-dealers. Under the proposal, the following broker-dealers would
be Covered Entities: (1) broker-dealers that maintain custody of
securities and cash for customers or other broker-dealers (i.e.,
carrying broker-dealers); (2) broker-dealers that introduce their
customer accounts to a carrying broker-dealer on a fully disclosed
basis (i.e., introducing broker-dealers); (3) broker-dealers with
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that
operate an ATS. Broker-dealers that do not fit into at least one of
these categories would not be Covered Entities (i.e., they would be
Non-Covered Broker-Dealers). As discussed earlier, Covered Entities
would be subject to additional requirements under proposed Rule
10.\1062\
---------------------------------------------------------------------------
\1062\ See paragraphs (b), (c), and (d) of proposed Rule 10
(setting forth the requirements for Covered Entities); paragraph (e)
of proposed Rule 10 (setting forth the requirements for Non-Covered
Broker-Dealers).
---------------------------------------------------------------------------
Of the 1,541 broker-dealers that would be Covered Entities,
approximately 195 are considered small entities. All but one of these
small entities are broker-dealers that introduce their customer
accounts to a carrying broker-dealer on a fully disclosed basis. The
remaining small entity broker-dealer is an operator of an ATS. The
Commission considered the following alternatives for small entities
that are Covered Broker-Dealers in relation to the proposal: (1)
differing compliance or reporting requirements that take into account
the resources available to small entities; (2) the clarification,
consolidation, or simplification of compliance and reporting
requirements under the proposed rule for such small entities; (3) the
use of design rather than performance standards; and (4) an exemption
from coverage of the proposed rule, or any part thereof, for such small
entities.
Regarding the first and fourth alternatives, the Commission decided
not to include differing requirements or exemptions for introducing
broker-dealers, regardless of size, and therefore, they would be
Covered Entities under the proposed rule. This decision was based on a
number of considerations.\1063\ For example, introducing broker-dealers
are a conduit to their customers' accounts at the carrying broker-
dealer and have access to information and trading systems of the
carrying broker-dealer. Consequently, a cybersecurity incident at an
introducing firm could directly harm the introducing firm's customers
to the extent it causes them to lose access to the systems allowing
them to view and transact in their securities accounts at the carrying
broker-dealer. Further, a significant cybersecurity incident at an
introducing broker-dealer could spread to the carrying broker-dealer
given the information systems that connect the two firms. These
connections also may make introducing broker-dealers attractive targets
for threat actors seeking to access the information systems of the
carrying broker-dealer to which the introducing broker-dealer is
connected. In addition, introducing broker-dealers may store personal
information about their customers on their information systems or be
able to access this information on the carrying broker-dealer's
information systems. If this information is accessed or stolen by
unauthorized users, it could result in harm (e.g., identity theft or
conversion of financial assets) to many individuals, including retail
investors.
---------------------------------------------------------------------------
\1063\ See section II.A.1.b. of this release (discussing why
introducing broker-dealers would be Covered Entities in more
detail).
---------------------------------------------------------------------------
The Commission decided not to include differing requirements or
exemptions for broker-dealers that operate an ATS, regardless of size,
and therefore, they would be Covered Entities under the proposed rule.
This decision was based on a number of considerations.\1064\ The
Commission also decided to include all broker-dealers, regardless of
size, that operate an ATS as Covered Entities in the proposed rule
because ATSs have become increasingly important venues for trading
securities in a fast and automated manner. ATSs perform
[[Page 20340]]
exchange functions to bring together buyers and sellers using limit
order books and order types. These developments have made ATSs
significant sources of orders and trading interest for securities. ATSs
use data feeds, algorithms, and connectivity to perform their
functions. In this regard, ATSs rely heavily on information systems,
including to connect to other Market Entities such as other broker-
dealers and principal trading firms. A significant cyber security
incident that disrupts a broker-dealer that operates as an ATS could
negatively impact the ability of investors to liquidate or purchase
certain securities at favorable or predictable prices or in a timely
manner to the extent the ATS provides liquidity to the market for those
securities. Further, a significant cybersecurity incident at an ATS
could provide a gateway for threat actors to attack other Market
Entities that connect to it through information systems and networks of
interconnected information systems. This could cause a cascading effect
where a significant cybersecurity incident initially impacting an ATS
spreads to other Market Entities causing major disruptions to the U.S.
securities markets. In addition, ATS are connected to a number of
different Market Entities through information systems, including
national securities exchanges and other broker-dealers. Therefore, they
create and are exposed to cybersecurity risk through the channels of
these information systems.
---------------------------------------------------------------------------
\1064\ See section II.A.1.b. of this release (discussing why
broker-dealers that operate an ATS would be Covered Entities in more
detail).
---------------------------------------------------------------------------
Regarding the second alternative, the Commission believes the
current proposal is clear and that further clarification,
consolidation, or simplification of the compliance requirements is not
necessary for small entities that are introducing broker-dealers or
broker-dealers that operate as ATSs. As discussed above, proposed Rule
10 would require Covered Entities to establish, maintain, and enforce
written cybersecurity policies and procedures that are reasonably
designed to address their cybersecurity risks and that specifically
address: (1) risk assessment; (2) user security and access; (3)
information protection; (4) cybersecurity threat and vulnerability
management; and (5) cybersecurity incident response and recovery.\1065\
It also would require Covered Entities to conduct an annual review and
assessment of these policies and procedures and produce a report
documenting the review and assessment. Further, the proposed rule would
require them to provide immediate notification and subsequent reporting
of significant cybersecurity incidents and to publicly disclose summary
descriptions of their cybersecurity risks and, if applicable, summary
descriptions of their significant cybersecurity incidents.\1066\ The
proposed rule would provide clarity in the existing regulatory
framework regarding cybersecurity and serve as an explicit requirement
for firms to establish, maintain, and enforce comprehensive
cybersecurity programs to their address cybersecurity risks, provide
information to the Commission about the significant cybersecurity
incidents they experience, and publicly disclose information about
their cybersecurity risks and significant cybersecurity incidents.
---------------------------------------------------------------------------
\1065\ See paragraph (b) of proposed Rule 10. See also section
II.B.1. of this release (discussing these requirements in more
detail).
\1066\ See paragraphs (c) and (d) of proposed Rule 10. See also
sections II.B.2. through II.B.4. of this release (discussing these
requirements in more detail).
---------------------------------------------------------------------------
Regarding the third alternative, the Commission determined to use
performance standards rather than design standards. Although the
proposed rule requires Covered Entities to implement policies and
procedures that are reasonably designed and that must include certain
elements, the Commission does not place certain conditions or
restrictions on how to establish, maintain, and enforce such policies
and procedures. The general elements required to be included in the
policies and procedures are designed to enumerate the core areas that
firms would need to address when adopting, implementing, reassessing
and updating their cybersecurity policies and procedures.
The policies and procedures that would be required by proposed Rule
10--because they would need to address the Covered Entity's
cybersecurity risks--generally should be tailored to the nature and
scope of the Covered Entity's business and address the Covered Entity's
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to
impose a one-size-fits-all approach to addressing cybersecurity risks.
In addition, cybersecurity threats are constantly evolving and measures
to address those threats continue to evolve. Therefore, proposed Rule
10 is designed to provide Covered Entities with the flexibility to
update and modify their policies and procedures as needed so that that
they continue to be reasonably designed to address the Covered Entity's
cybersecurity risks over time.
The remaining 569 small entity broker-dealers registered would not
be Covered Entities. These firms are not conduits to their customer
accounts at a carrying broker-dealer. These firms also do not perform
exchange-like functions such as offering limit order books and other
order types, like an ATS would. As such, these firms are subject to
differing compliance, reporting, and disclosure requirements that take
into account the resources available to the entities. For example,
these firms are subject to simplified requirements concerning their
cybersecurity policies and procedures and annual review.\1067\ In
addition, these firms are exempted from the cybersecurity reporting and
disclosure requirements that apply to Covered Entities.
---------------------------------------------------------------------------
\1067\ Non-Covered Broker-Dealers that are small entities are
not, however, altogether exempted from the policies and procedures
requirements because having appropriate cybersecurity policies and
procedures in place would help address any cybersecurity risks and
incidents that occur at the broker-dealer and help protect broker-
dealers and their customers from greater risk of harm. The
Commission anticipates that these benefits should apply to customers
of smaller firms as well as larger firms. Non-Covered Broker-Dealers
are also not exempted from the requirement to provide the Commission
with immediate written electronic notice of a significant
cybersecurity incident affecting the entity.
---------------------------------------------------------------------------
2. Clearing Agencies
For the reasons stated above, this requirement is not applicable to
clearing agencies.
3. The MSRB
For the reasons stated above, this requirement is not applicable to
the MSRB.
4. National Securities Exchanges and National Securities Associations
For the reasons stated above, this requirement is not applicable to
national securities exchanges and national securities associations.
5. SBS Entities
For the reasons stated above, this requirement is not applicable to
SBS Entities.
6. SBSDRs
For the reasons stated above, this requirement is not applicable to
SBSDRs.
7. Transfer Agents
The proposed rule would apply to every transfer agent as defined in
section 3(a)(25) of the Exchange Act that is registered or required to
be registered with an appropriate regulatory agency as defined in
section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there
were 353 transfer agents that were either registered with the
Commission through Form TA-1 or registered with
[[Page 20341]]
other appropriate regulatory agencies through Form TA-2. As of March
31, 2022, the Commission estimates there were 158 transfer agents that
were considered small organizations.
The Commission considered the following alternatives for small
organizations that are transfer agents in relation to the proposal: (1)
differing compliance or reporting requirements that take into account
the resources available to small entities; (2) the clarification,
consolidation, or simplification of compliance and reporting
requirements under the proposed rule for such small entities; (3) the
use of design rather than performance standards; and (4) an exemption
from coverage of the proposed rule, or any part thereof, for such small
entities.
Regarding the first and fourth alternatives, the Commission decided
not to include differing requirements or exemptions for transfer
agents, regardless of size, and therefore, they would be Covered
Entities under the proposed rule. This decision was based on a number
of considerations.\1068\ A transfer agents engage on behalf of an
issuer of securities or on behalf of itself as an issuer of securities
in (among other functions): (1) tracking, recording, and maintaining
the official record of ownership of each issuer's securities; (2)
canceling old certificates, issuing new ones, and performing other
processing and recordkeeping functions that facilitate the issuance,
cancellation, and transfer of those securities; (3) facilitating
communications between issuers and registered securityholders; and (4)
making dividend, principal, interest, and other distributions to
securityholders. Their core recordkeeping systems provide a direct
conduit to their issuer clients' master records that document and, in
many instances provide the legal underpinning for, registered
securityholders' ownership of the issuer's securities. If these
functions were disrupted, investors might not be able to transfer
ownership of their securities or receive dividends and interest due on
their securities positions.
---------------------------------------------------------------------------
\1068\ See section II.A.1.c. of this release (discussing why
transfer agents would be Covered Entities in more detail).
---------------------------------------------------------------------------
Transfer agents store proprietary information about securities
ownership and corporate actions. A significant cybersecurity incident
at a transfer agent could lead to the improper use of this information
to harm securities holders (e.g., public exposure of confidential
financial information) or provide the unauthorized user with an unfair
advantage over other market participants (e.g., trading based on
confidential business information). Transfer agents also may store
personal information including names, addresses, phone numbers, email
addresses, employers, employment history, bank and specific account
information, credit card information, transaction histories, securities
holdings, and other detailed and individualized information related to
the transfer agents' recordkeeping and transaction processing on behalf
of issuers. Threat actors breaching the transfer agent's information
systems could use this information to steal identities or financial
assets of the persons to whom this information pertains. They also
could sell it to other threat actors.
Regarding the second alternative, the Commission is not proposing
further clarification, consolidation, or simplification of the
compliance requirements for small organizations that are transfer
agents. As discussed above, proposed Rule 10 would require Covered
Entities to establish, maintain, and enforce written cybersecurity
policies and procedures that are reasonably designed to address their
cybersecurity risks and that specifically address: (1) risk assessment;
(2) user security and access; (3) information protection; (4)
cybersecurity threat and vulnerability management; and (5)
cybersecurity incident response and recovery.\1069\ It also would
require Covered Entities to conduct an annual review and assessment of
these policies and procedures and produce a report documenting the
review and assessment. Further, the proposed rule would require them to
provide immediate notification and subsequent reporting of significant
cybersecurity incidents and to publicly disclose summary descriptions
of their cybersecurity risks and, if applicable, summary descriptions
of their significant cybersecurity incidents.\1070\ The proposed rule
would provide clarity in the existing regulatory framework regarding
cybersecurity and serve as an explicit requirement for firms to
establish, maintain, and enforce comprehensive cybersecurity programs
to their address cybersecurity risks, provide information to the
Commission about the significant cybersecurity incidents they
experience, and publicly disclose information about their cybersecurity
risks and significant cybersecurity incidents.
---------------------------------------------------------------------------
\1069\ See paragraph (b) of proposed Rule 10. See also section
II.B.1. of this release (discussing these requirements in more
detail).
\1070\ See paragraphs (c) and (d) of proposed Rule 10. See also
sections II.B.2. through II.B.4. of this release (discussing these
requirements in more detail).
---------------------------------------------------------------------------
Regarding the third alternative, the proposed rule requires Covered
Entities to implement policies and procedures that are reasonably
designed and that must include certain elements. However, the proposed
rule does not place certain conditions or restrictions on how to
establish, maintain, and enforce such policies and procedures. The
general elements required to be included in the policies and procedures
are designed to enumerate the core areas that firms would need to
address when adopting, implementing, reassessing and updating their
cybersecurity policies and procedures.
The policies and procedures that would be required by proposed Rule
10--because they would need to address the Covered Entity's
cybersecurity risks--generally should be tailored to the nature and
scope of the Covered Entity's business and address the Covered Entity's
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to
impose a one-size-fits-all approach to addressing cybersecurity risks.
In addition, cybersecurity threats are constantly evolving and measures
to address those threats continue to evolve. Therefore, proposed Rule
10 is designed to provide Covered Entities with the flexibility to
update and modify their policies and procedures as needed so that that
they continue to be reasonably designed to address the Covered Entity's
cybersecurity risks over time.
G. Request for Comment
The Commission encourages written comments on the matters discussed
in this IRFA. The Commission solicits comment on the number of small
entities subject to the proposed Rule 10, Form SCIR, and proposed
amendments to Rules 3a71-6, 17a-4, 18a-6, and 17ad-7. The Commission
also solicits comment on the potential effects discussed in this
analysis; and whether this proposal could have an effect on small
entities that have not been considered. The Commission requests that
commenters describe the nature of any effect on small entities and
provide empirical data to support the extent of such effect. Such
comments will be placed in the same public file as comments on the
proposed rule and form and associated amendments. Persons wishing to
submit written comments should refer to the instructions for submitting
comments located at the front of this release.
[[Page 20342]]
VII. Small Business Regulatory Enforcement Fairness Act
For purposes of the Small Business Regulatory Enforcement Fairness
Act of 1996, or ``SBREFA,'' the Commission must advise OMB whether a
proposed regulation constitutes a ``major'' rule. Under SBREFA, a rule
is considered ``major'' where, if adopted, it results in or is likely
to result in (1) an annual effect on the economy of $100 million or
more; (2) a major increase in costs or prices for consumers or
individual industries; or (3) significant adverse effects on
competition, investment or innovation. The Commission requests comment
on the potential effect of the proposed amendments on the U.S. economy
on an annual basis; any potential increase in costs or prices for
consumers or individual industries; and any potential effect on
competition, investment or innovation. Commenters are requested to
provide empirical data and other factual support for their views to the
extent possible.
VIII. Statutory Authority
The Commission is proposing new Rule 10 (17 CFR 242.10) and Form
SCIR (17 CFR 249.624) and amending Regulation S-T (17 CFR 232.101),
Rule 3a71-6 (17 CFR 240.3a71-6), Rule 17a-4 (17 CFR 240.17a-4), Rule
17ad-7 (17 CFR 240.17ad-7), Rule 18a-6 (17 CFR 18a-6), and Rule 18a-10
(17 CFR 240.18a-10) under the Commission's rulemaking authority set
forth in the following sections of the Exchange Act: (1) sections 15,
17, and 23 for broker-dealers (15 U.S.C. 78o, 78q, and 78w); (2)
sections 17, 17A, and 23 for clearing agencies (15 U.S.C. 78q, 17q-1,
and 78w(a)(1)); (3) sections 15B, 17 and 23 for the MSRB (15 U.S.C.
78o-4, 78q(a), and 78w); (4) sections 6(b), 11A, 15A, 17, and 23 for
national securities exchanges and national securities associations (15
U.S.C. 78f, 78k-1, 78o-3, and 78w); (5) sections 15F, 23, and 30(c) for
SBS Entities (15 U.S.C. 78o-10, 78w, and 78dd(c)); (6) sections 13 and
23 for SBSDRs (15 U.S.C. 78m and 78w); and (7) sections 17a, 17A, and
23 for transfer agents (78q, 17q-1, and 78w).
List of Subjects in 17 CFR Part 232, 240, 242 and 249
Brokers, Confidential business information, Reporting and
recordkeeping requirements, Securities, Security-based swaps, Security-
based swap dealers, Major security-based swap participants.
Text of Proposed Rules and Rule Amendments
For the reasons set out in the preamble, the Commission is
proposing to amend title 17, chapter II of the Code of Federal
Regulations as follows:
PART 232--REGULATION S-T--GENERAL RULES AND REGULATIONS FOR
ELECTRONIC FILINGS
0
1. The general authority citation for part 232 is revised to read as
follows:
Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s(a), 77z-3,
77sss(a), 78c(b), 78l, 78m, 78n, 78o(d), 78o-10, 78w(a), 78ll, 80a-
6(c), 80a-8, 80a-29, 80a-30, 80a-37, 80b-4, 80b-10, 80b-11, 7201 et
seq.; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
0
2. Section Sec. 232.101 is amended by revising paragraph (a)(1)(xxx)
and adding paragraph (a)(1)(xxxi) to read as follows:
Sec. 232.101 Mandated electronic submissions and exceptions.
(a) * * *
(1) * * *
(xxx) Documents filed with the Commission pursuant to section 33 of
the Investment Company Act (15 U.S.C. 80a-32); and
(xxxi) Form SCIR (Sec. 249.624 of this chapter).
* * * * *
PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF
1934
0
3. The authority citation for part 240 continues to read, in part, as
follows:
Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3,
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f,
78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 78o-4,
78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78ll, 78mm, 80a-20,
80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, and 7201 et. seq., and
8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350;
Pub. L. 111-203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112-106,
sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.
* * * * *
0
4. Section 240.3a71-6 is amended by revising paragraph (d)(1) to read
as follows:
Sec. 240.3a71-6 Substituted compliance for security-based swap
dealers and major security-based swap participants.
* * * * *
(d) * * *
(1) Business conduct, supervision, and risk management. The
business conduct and supervision requirements of sections 15F(h) and
(j) of the Act (15 U.S.C. 78o-10(h) and (j)) and Sec. Sec. 240.15Fh-3
through 15Fh-6 (other than the antifraud provisions of section
15F(h)(4)(A) of the Act and Sec. 240.15Fh-4(a), and other than the
provisions of sections 15F(j)(3) and 15F(j)(4)(B) of the Act), and the
requirements of Sec. 242.10 of this chapter and Form SCIR (Sec.
249.624 of this chapter); provided, however, that prior to making such
a substituted compliance determination the Commission intends to
consider whether the information that is required to be provided to
counterparties pursuant to the requirements of the foreign financial
regulatory system, the counterparty protections under the requirements
of the foreign financial regulatory system, the mandates for
supervisory systems under the requirements of the foreign financial
regulatory system, and the duties imposed by the foreign financial
regulatory system, are comparable to those associated with the
applicable provisions arising under the Act and its rules and
regulations.
* * * * *
0
5. Section 240.17a-4 is amended by adding paragraph (e)(13) to read as
follows:
Sec. 240.17a-4 Records to be preserved by certain exchange members,
brokers and dealers.
* * * * *
(e) * * *
(13)(i) The written policies and procedures required to be adopted
and implemented pursuant to Sec. 242.10(b)(1) or Sec. 242.10(e)(1) of
this chapter until three years after the termination of the use of the
policies and procedures;
(ii) The written documentation of any risk assessment pursuant to
Sec. 242.10(b)(1)(i)(B) of this chapter for three years;
(iii) The written documentation of the occurrence of a
cybersecurity incident pursuant to Sec. 242.10(b)(1)(v)(B) of this
chapter, including any documentation related to any response and
recovery from such an incident, for three years;
(iv) The written report of the annual review required to be
prepared pursuant to Sec. 242.10(b)(2)(ii) of this chapter or the
record of the annual review required pursuant to Sec. 240.10(e)(1) for
three years;
(v) A copy of any notice transmitted to the Commission pursuant to
Sec. 242.10(c)(1) or Sec. 240.10(e)(2) of this chapter or any Part I
of Form SCIR filed with the Commission pursuant to Sec. 242.10(c)(2)
of this chapter for three years; and
(vi) A copy of any Part II of Form SCIR filed with the Commission
pursuant to Sec. 242.10(d) of this chapter for three years.
* * * * *
0
6. Redesignate Sec. 240.17Ad-7 as Sec. 240.17ad-7.
[[Page 20343]]
0
7. Newly redesignated Sec. 240.17ad-7 is amended by revising the
section heading, and adding paragraph (j) to read as follows:
Sec. 240.17ad-7 (Rule 17Ad-7) Record retention.
* * * * *
(j)(1) The written policies and procedures required to be adopted
and implemented pursuant to Sec. 242.10(b)(1) of this chapter until
three years after the termination of the use of the policies and
procedures;
(2) The written documentation of any risk assessment pursuant to
Sec. 242.10(b)(1)(i)(B) of this chapter for three years;
(3) The written documentation of the occurrence of a cybersecurity
incident pursuant to Sec. 242.10(b)(1)(v)(B) of this chapter,
including any documentation related to any response and recovery from
such an incident, for three years;
(4) The written report of the annual review required to be prepared
pursuant to Sec. 242.10(b)(2)(ii) of this chapter for three years;
(5) A copy of any notice transmitted to the Commission and any ARA
pursuant to Sec. 242.10(c)(1) of this chapter or any Part I of Form
SCIR filed with the Commission pursuant to Sec. 240.2.10(c)(2) for
three years; and
(6) A copy of any Part II of Form SCIR filed with the Commission
pursuant to Sec. 240.2.10(d) for three years.
0
8. Section 240.18a-6 is amended by adding paragraph (d)(6) to read as
follows:
Sec. 240.18a-6 Records to be preserved by certain security-based
swap dealers and major security-based swap participants
* * * * *
(d) * * *
(6)(i) The written policies and procedures required to be adopted
and implemented pursuant to Sec. 242.10(b)(1) of this chapter until
three years after the termination of the use of the policies and
procedures;
(ii) The written documentation of any risk assessment pursuant to
Sec. 242.10(b)(1)(i)(B) of this chapter for three years;
(iii) The written documentation of the occurrence of a
cybersecurity incident pursuant to Sec. 242.10(b)(1)(v)(B) of this
chapter, including any documentation related to any response and
recovery from such an incident, for three years;
(iv) The written report of the annual review required to be
prepared pursuant to Sec. 242.10(b)(2)(ii) of this chapter for three
years;
(v) A copy of any notice transmitted to the Commission pursuant to
Sec. 242.10(c)(1) of this chapter or any Part I of Form SCIR filed
with the Commission pursuant to Sec. 242.10(c)(2) of this chapter for
three years; and
(vi) A copy of any Part II of Form SCIR filed with the Commission
pursuant to Sec. 242.10(d) of this chapter for three years.
* * * * *
0
9. Section 240.18a-10 is amended by adding paragraph (g) to read as
follows:
Sec. 240.18a-10 Alternative compliance mechanism for security-based
swap dealers that are registered as swap dealers and have limited
security-based swap activities
* * * * *
(g) The provisions of this section do not apply to the record
maintenance and preservation requirements Sec. 240.18a-6(d)(6)(i)
through (vi).
PART 242--REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER
MARGIN REQUIREMENTS FOR SECURITY FUTURES
0
10. The general authority citation for part 242 is revised to read as
follows:
Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2),
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78o-
10, 78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29,
and 80a-37.
0
11. Section 242.10 is added to read as follows:
Sec. 242.10 Cybersecurity requirements.
(a) Definitions: For purposes of this section:
(1) Covered entity means:
(i) A broker or dealer registered with the Commission that:
(A) Maintains custody of cash and securities for customers or other
brokers or dealers and is not exempt from the requirements of Sec.
240.15c3-3 of this chapter;
(B) Introduces customer accounts on a fully disclosed basis to
another broker or dealer described in paragraph (a)(1)(i)(A) of this
section;
(C) Has regulatory capital equal to or exceeding $50 million;
(D) Has total assets equal to or exceeding $1 billion;
(E) Is a market maker under the Securities Exchange Act of 1934 (15
U.S.C. 78a, et seq.) (``Act'') or the rules thereunder (which includes
a broker or dealer that operates pursuant to Sec. 240.15c3-1(a)(6) of
this chapter) or is a market maker under the rules of a self-regulatory
organization of which the broker or dealer is a member; or
(F) operates an alternative trading system as defined in Sec.
242.300(a) or operates an NMS Stock ATS as defined in Sec. 242.300(k).
(ii) A clearing agency (registered or exempt) under section
3(a)(23)(A) of the Act.
(iii) A major security-based swap participant registered pursuant
to section 15F(b) of the Act.
(iv) The Municipal Securities Rulemaking Board.
(v) A national securities association registered under section 15A
of the Act.
(vi) A national securities exchange registered under section 6 of
the Act.
(vii) A security-based swap data repository under section 3(a)(75)
of the Act.
(viii) A security-based swap dealer registered pursuant to section
15F(b) of the Act.
(ix) A transfer agent as defined in section 3(a)(25) of the Act
that is registered or required to be registered with an appropriate
regulatory agency as defined in section 3(a)(34)(B) of the Act
(hereinafter also ``ARA'').
(2) Cybersecurity incident means an unauthorized occurrence on or
conducted through a market entity's information systems that
jeopardizes the confidentiality, integrity, or availability of the
information systems or any information residing on those systems.
(3) Cybersecurity risk means financial, operational, legal,
reputational, and other adverse consequences that could result from
cybersecurity incidents, cybersecurity threats, and cybersecurity
vulnerabilities.
(4) Cybersecurity threat means any potential occurrence that may
result in an unauthorized effort to affect adversely the
confidentiality, integrity, or availability of a market entity's
information systems or any information residing on those systems.
(5) Cybersecurity vulnerability means a vulnerability in a market
entity's information systems, information system security procedures,
or internal controls, including, for example, vulnerabilities in their
design, configuration, maintenance, or implementation that, if
exploited, could result in a cybersecurity incident.
(6) Information means any records or data related to the market
entity's business residing on the market entity's information systems,
including, for example, personal information received, maintained,
created, or processed by the market entity.
(7) Information systems means the information resources owned or
used by the market entity, including, for example, physical or virtual
infrastructure controlled by the information resources, or components
thereof, organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of the
[[Page 20344]]
covered entity's information to maintain or support the covered
entity's operations.
(8) Market Entity means a ``covered entity'' as defined in this
section and a broker or dealer registered with the Commission that is
not a ``covered entity'' as defined in this section.
(9) Personal information means any information that can be used,
alone or in conjunction with any other information, to identify a
person, including, but not limited to, name, date of birth, place of
birth, telephone number, street address, mother's maiden name, Social
Security number, government passport number, driver's license number,
electronic mail address, account number, account password, biometric
records, or other non-public authentication information.
(10) Significant cybersecurity incident means a cybersecurity
incident, or a group of related cybersecurity incidents, that:
(i) Significantly disrupts or degrades the ability of the market
entity to maintain critical operations; or
(ii) Leads to the unauthorized access or use of the information or
information systems of the market entity, where the unauthorized access
or use of such information or information systems results in or is
reasonably likely to result in:
(A) Substantial harm to the market entity; or
(B) Substantial harm to a customer, counterparty, member,
registrant, or user of the market entity, or to any other person that
interacts with the market entity.
(b)(1) Cybersecurity policies and procedures. A covered entity must
establish, maintain, and enforce written policies and procedures that
are reasonably designed to address the covered entity's cybersecurity
risks, including policies and procedures that:
(i)(A) Risk assessment. Require periodic assessments of
cybersecurity risks associated with the covered entity's information
systems and information residing on those systems, including requiring
the covered entity to:
(1) Categorize and prioritize cybersecurity risks based on an
inventory of the components of the covered entity's information systems
and information residing on those systems and the potential effect of a
cybersecurity incident on the covered entity; and
(2) Identify the covered entity's service providers that receive,
maintain, or process information, or are otherwise permitted to access
the covered entity's information systems and any of the covered
entity's information residing on those systems, and assess the
cybersecurity risks associated with the covered entity's use of these
service providers.
(B) Require written documentation of the risk assessments.
(ii) User security and access. Require controls designed to
minimize user-related risks and prevent unauthorized access to the
covered entity's information systems and the information residing on
those systems, including:
(A) Requiring standards of behavior for individuals authorized to
access the covered entity's information systems and the information
residing on those systems, such as an acceptable use policy;
(B) Identifying and authenticating individual users, including but
not limited to implementing authentication measures that require users
to present a combination of two or more credentials for access
verification;
(C) Establishing procedures for the timely distribution,
replacement, and revocation of passwords or methods of authentication;
(D) Restricting access to specific information systems of the
covered entity or components thereof and the information residing on
those systems solely to individuals requiring access to the systems and
information as is necessary for them to perform their responsibilities
and functions on behalf of the covered entity; and
(E) Securing remote access technologies.
(iii) Information protection. (A) Require measures designed to
monitor the covered entity's information systems and protect the
information residing on those systems from unauthorized access or use,
based on a periodic assessment of the covered entity's information
systems and the information that resides on the systems that takes into
account:
(1) The sensitivity level and importance of the information to the
covered entity's business operations;
(2) Whether any of the information is personal information;
(3) Where and how the information is accessed, stored and
transmitted, including the monitoring of information in transmission;
(4) The information systems' access controls and malware
protection; and
(5) The potential effect a cybersecurity incident involving the
information could have on the covered entity and its customers,
counterparties, members, or users, including the potential to cause a
significant cybersecurity incident.
(B) Require oversight of service providers that receive, maintain,
or process the covered entity's information, or are otherwise permitted
to access the covered entity's information systems and the information
residing on those systems, pursuant to a written contract between the
covered entity and the service provider, through which the service
providers are required to implement and maintain appropriate measures,
including the practices described in paragraphs (b)(1)(i) through (v)
of this section, that are designed to protect the covered entity's
information systems and information residing on those systems.
(iv) Cybersecurity threat and vulnerability management. Require
measures designed to detect, mitigate, and remediate any cybersecurity
threats and vulnerabilities with respect to the covered entity's
information systems and the information residing on those systems;
(v) Cybersecurity incident response and recovery. (A) Require
measures designed to detect, respond to, and recover from a
cybersecurity incident, including policies and procedures that are
reasonably designed to ensure:
(1) The continued operations of the covered entity;
(2) The protection of the covered entity's information systems and
the information residing on those systems;
(3) External and internal cybersecurity incident information
sharing and communications; and
(4) The reporting of significant cybersecurity incidents pursuant
to paragraph (c) of this section.
(B) Require written documentation of any cybersecurity incident,
including the covered entity's response to and recovery from the
cybersecurity incident.
(2) Annual Review. A covered entity must, at least annually:
(i) Review and assess the design and effectiveness of the
cybersecurity policies and procedures required by paragraph (b)(1) of
this section, including whether the policies and procedures reflect
changes in cybersecurity risk over the time period covered by the
review; and
(ii) Prepare a written report that describes the review, the
assessment, and any control tests performed, explains their results,
documents any cybersecurity incident that occurred since the date of
the last report, and discusses any material changes to the policies and
procedures since the date of the last report.
(c) Notification and reporting of significant cybersecurity
incidents--(1) Immediate notice. A covered entity must give the
Commission immediate
[[Page 20345]]
written electronic notice of a significant cybersecurity incident upon
having a reasonable basis to conclude that the significant
cybersecurity incident has occurred or is occurring. The notice must
identify the covered entity, state that the notice is being given to
alert the Commission of a significant cybersecurity incident impacting
the covered entity, and provide the name and contact information of an
employee of the covered entity who can provide further details about
the significant cybersecurity incident. The notice also must be given
to:
(i) In the case of a broker or dealer, the examining authority of
the broker or dealer; and
(ii) In the case of a transfer agent, the ARA of the transfer
agent.
(2) Report. (i) A covered entity must report a significant
cybersecurity incident, promptly, but no later than 48 hours, upon
having a reasonable basis to conclude that the significant
cybersecurity incident has occurred or is occurring by filing Part I of
Form SCIR with the Commission electronically through the Electronic
Data Gathering, Analysis, and Retrieval System (``EDGAR system'') in
accordance with the EDGAR Filer Manual, as defined in Rule 11 of
Regulation S-T (17 CFR 232.11), and Part I of Form SCIR must be filed
in accordance with the requirements of Regulation S-T.
(ii) A covered entity must file an amended Part I of Form SCIR with
the Commission electronically through the EDGAR system in accordance
with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S-T
(17 CFR 232.11), and Part I of Form SCIR must be filed in accordance
with the requirements of Regulation S-T promptly, but no later than 48
hours after each of the following circumstances:
(A) Any information previously reported to the Commission on Part I
of Form SCIR pertaining to a significant cybersecurity incident
becoming materially inaccurate;
(B) Any new material information pertaining to a significant
cybersecurity incident previously reported to the Commission on Part I
of Form SCIR being discovered;
(C) A significant cybersecurity incident is resolved; or
(D) An internal investigation pertaining to a significant
cybersecurity incident is closed.
(iii)(A) If the covered entity is a broker or dealer, it must
promptly transmit a copy of each Part I of Form SCIR it files with the
Commission to its examining authority; and
(B) If the covered entity is a transfer agent, it must promptly
transmit a copy of each Part I of Form SCIR it files with the
Commission to its ARA.
(d) Disclosure of cybersecurity risks and incidents--(1) Content of
the disclosure--(i) Cybersecurity risks. A covered entity must provide
a summary description of the cybersecurity risks that could materially
affect the covered entity's business and operations and how the covered
entity assesses, prioritizes, and addresses those cybersecurity risks.
(ii) Significant cybersecurity incidents. A covered entity must
provide a summary description of each significant cybersecurity
incident that has occurred during the current or previous calendar
year. The description of each significant cybersecurity incident must
include the following information to the extent known:
(A) The person or persons affected;
(B) The date the incident was discovered and whether it is ongoing;
(C) Whether any data was stolen, altered, or accessed or used for
any other unauthorized purpose;
(D) The effect of the incident on the covered entity's operations;
and
(E) Whether the covered entity, or service provider, has remediated
or is currently remediating the incident.
(2) Methods of disclosure. A covered entity must make the
disclosures required pursuant to paragraph (d)(1) of this section by:
(i) Filing Part II of Form SCIR with the Commission electronically
through the EDGAR system in accordance with the EDGAR Filer Manual, as
defined in Rule 11 of Regulation S-T (17 CFR 232.11), and in accordance
with the requirements of Regulation S-T; and
(ii) Posting a copy of the Part II of Form SCIR most recently filed
pursuant to paragraph (d)(2)(i) of this section on an easily accessible
portion of its business internet website that can be viewed by the
public without the need of entering a password or making any type of
payment or providing any other consideration.
(3) Additional methods of disclosure required for certain brokers
or dealers. In addition to the method of disclosure required by
paragraph (d)(2) of this section, a broker or dealer described in
paragraph (a)(1)(i) or (ii) of this section must provide a copy of the
Part II of Form SCIR most recently filed pursuant to paragraph
(d)(2)(i) of this section to a customer as part of the account opening
process and, thereafter, annually and as required by paragraph (d)(4)
of this section using the same means that the customer elects to
receive account statements.
(4) Disclosure updates. The covered entity must promptly provide an
updated disclosure through the methods required by paragraphs (d)(2)
and (3) of this section if the information required to be disclosed
pursuant to paragraphs (d)(1)(i) or (ii) of this section materially
changes, including, in the case of paragraph (d)(1)(ii) of this
section, after the occurrence of a new significant cybersecurity
incident or when information about a previously disclosed significant
cybersecurity incident materially changes.
(e) Requirements for brokers or dealers that are not covered
entities. (1) A broker or dealer that is not a ``covered entity'' as
defined in this section must establish, maintain, and enforce written
policies and procedures that are reasonably designed to address the
cybersecurity risks of the broker or dealer taking into account the
size, business, and operations of the broker or dealer. The broker or
dealer must annually review and assess the design and effectiveness of
the cybersecurity policies and procedures, including whether the
policies and procedures reflect changes in cybersecurity risk over the
time period covered by the review. The broker or dealer must make a
written record that documents the steps taken in performing the annual
review and the conclusions of the annual review.
(2) A broker or dealer that is not a ``covered entity'' as defined
in this section must give the Commission immediate written electronic
notice of a significant cybersecurity incident upon having a reasonable
basis to conclude that the significant cybersecurity incident has
occurred or is occurring. The notice must identify the broker or
dealer, state that the notice is being given to alert the Commission of
a significant cybersecurity incident impacting the broker or dealer,
and provide the name and contact information of an employee of the
broker or dealer who can provide further details about the significant
cybersecurity incident. The notice also must be given to the examining
authority of the broker or dealer.
* * * * *
PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934
0
12. The authority citation for part 249 continues to read, in part, as
follows:
Authority: 15 U.S.C. 78a, et seq., unless otherwise noted.
* * * * *
0
13. Section 249.624 is added to read as follows:
[[Page 20346]]
Sec. 249.624 Form SCIR.
Form SCIR shall be filed by a covered entity to report a
significant cybersecurity incident pursuant to the requirements of 17
CFR 242.10.
By the Commission.
Dated: March 15, 2023.
J. Matthew DeLesDernier,
Deputy Secretary.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TP05AP23.000
[[Page 20347]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.001
[[Page 20348]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.002
[[Page 20349]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.003
[[Page 20350]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.004
[[Page 20351]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.005
[[Page 20352]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.006
[[Page 20353]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.007
[[Page 20354]]
[GRAPHIC] [TIFF OMITTED] TP05AP23.008
[FR Doc. 2023-05767 Filed 4-4-23; 8:45 am]
BILLING CODE 8011-01-C