On March 15, 2023, the Securities and Exchange Commission (SEC) announced a proposal to introduce new requirements for various Market Entities, including broker-dealers, clearing agencies, major security-based swap participants, and national securities exchanges, to address cybersecurity risks.
Due to the increased reliance of Market Entities on information systems, they have become targets for threat actors seeking to disrupt their functions or access sensitive data for financial gain. Additionally, cybersecurity risks can arise from employee errors or the actions of service providers and business partners. The interconnectedness of these entities further increases the risk of a significant cybersecurity incident that can impact multiple Market Entities simultaneously, resulting in systemic harm to the US securities markets.
Under the proposed regulations, all Market Entities would be required to implement policies and procedures that address cybersecurity risks, conduct an annual review and assessment of the effectiveness of their cybersecurity policies, and update them in response to changes in cybersecurity risks. The proposal also introduces new notification and reporting requirements to improve the SEC’s ability to obtain information on significant cybersecurity incidents affecting Covered Entities.
Furthermore, Covered Entities would be required to disclose cybersecurity risks publicly, increasing transparency and awareness about potential threats to the US securities markets. The proposal will be published in the Federal Register, and the public comment period will be open for 60 days after its publication.
