The Securities and Exchange Commission on Wednesday approved a number of proposals for new rules and amendments to existing regulations, to toughen cyber defenses at a range of financial institutions.
The proposals, which effectively cover most major market participants aside from the smallest broker-dealers, contain significant new requirements for reporting cyber incidents to the agency and the public.
The SEC also reopened the comment period for proposals covering similar areas for investment-management companies and advisers published in February 2022, allowing an additional 60 days for interested parties to weigh in.
More disclosures: Wednesday’s proposals include rules to require financial companies to develop written cybersecurity processes and review them regularly. Those that suffer a cyberattack would be required to immediately notify the SEC and provide updates as details are uncovered. Companies also must make public disclosures about their cyber risks and previous significant incidents.
Who's affected? Broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, stock exchanges, data repositories and transfer agents are among the organizations that would have to comply.
“Investors, issuers and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age, and the proposal, if adopted, would help promote every part of our mission, particularly regarding investor protection and orderly markets,” said Gary Gensler, the agency’s chair, before the vote.
Commissioners voted three-to-two to pass the proposal for the new rule, with Hester Peirce and Mark Uyeda, the two Republican commissioners, voting against.
Objection: “I could not help but wonder, as I read through the more than 500 pages that make up this proposal, whether we at the Commission are living up to the proposed standards,” Ms. Peirce said, adding that she believes the SEC should correct cyber issues with existing projects before issuing new rules.
—James Rundle
|