Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, 20212-20354 [2023-05767]

Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 232, 240, 242 and 249

[Release No. 34–97142; File No. S7–06–23]

RIN 3235–AN15

Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

SUMMARY: The Securities and Exchange Commission (‘‘Commission’’) is proposing a new rule and form and amendments to existing recordkeeping rules to require broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents to address cybersecurity risks through policies and procedures, immediate notification to the Commission of the occurrence of a significant cybersecurity incident and, as applicable, reporting detailed information to the Commission about a significant cybersecurity incident, and public disclosures that would improve transparency with respect to cybersecurity risks and significant cybersecurity incidents. In addition, the Commission is proposing amendments to existing clearing agency exemption orders to require the retention of records that would need to be made under the proposed cybersecurity requirements. Finally, the Commission is proposing amendments to address the potential availability to security-based swap dealers and major security-based swap participants of substituted compliance in connection with those requirements.

DATES: Comments should be received on or before June 5, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments
• Use the Commission’s internet comment form (https://www.sec.gov/rules/submitcomments.htm); or
• Send an email to rule-comments@sec.gov. Please include File Number S7–06–23 on the subject line.

Paper Comments
• Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Number S7–06–23. The file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission’s website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission’s Public Reference Room. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission’s website. To ensure direct electronic receipt of such notifications, sign up through the ‘‘Stay Connected’’ option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Randall W. Roy, Deputy Associate Director and Nina Kostyukovsky, Special Counsel, Office of Broker-Dealer Finances (with respect to the proposed cybersecurity rule and form and the aspects of the proposal unique to broker-dealers); Matthew Lee, Assistant Director and Stephanie Park, Senior Special Counsel, Office of Clearance and Settlement (with respect to aspects of the proposal unique to clearing agencies and security-based swap data repositories); John Guidroz, Assistant Director and Russell Mancuso, Special Counsel, Office of Derivatives Policy (with respect to aspects of the proposal unique to major security-based swap participants and security-based swap dealers); Michael E. Coe, Assistant Director and Leah Mesfin, Special Counsel, Office of Market Supervision (with respect to aspects of the proposal unique to national securities associations and national securities exchanges); Moshe Rothman, Assistant Director, Office of Clearance and Settlement (with respect to aspects of the proposal unique to transfer agents) at (202) 551–5500, Division of Trading and Markets; and Dave Sanchez, Director, Adam Wendell, Deputy Director, and Adam Allogramento, Special Counsel, Office of Municipal Securities (with respect to aspects of the proposal unique to the Municipal Securities Rulemaking Board) at (202) 551–5680, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–7010.

SUPPLEMENTARY INFORMATION: The Commission is proposing to add the following new rule and form under the Securities Exchange Act of 1934 (‘‘Exchange Act’’): (1) 17 CFR 242.10 (‘‘Rule 10’’); and (2) 17 CFR 249.642 (‘‘Form SCIR’’). The Commission also is proposing related amendments to the following rules: (1) 17 CFR 232.101; (2) 17 CFR 240.3a71–6; (3) 17 CFR 240.17a–4; (4) 17 CFR 240.17Ad–7; (5) 17 CFR 240.18a–6; and (6) 17 CFR 240.18a–10. Further, the Commission is proposing to amend certain orders that exempt clearing agencies from registration.
Commission reference Regulation S–T .......... Rule 3a71–6 .............. Rule 17a–4 ................ Rule 17Ad–7 .............. Rule 18a–6 ................ Rule 18a–10 .............. Rule 10 ...................... Form SCIR ................ CFR citation (17 CFR) § 232.101 § 240.3a71–6 § 240.17a–4 § 240.17Ad–7 § 240.18a–6 § 240.18a–10 § 242.10 § 249.624 Table of Contents I. Introduction A. Cybersecurity Risk Poses a Threat the U.S. Securities Markets 1. In General 2. Critical Operations of Market Entities Are Exposed to Cybersecurity Risk B. Overview of the Proposed Cybersecurity Requirements II. Discussion of Proposed Cybersecurity Rule A. Definitions 1. ‘‘Covered Entity’’ 2. ‘‘Cybersecurity Incident’’ 3. ‘‘Significant Cybersecurity Incident’’ 4. ‘‘Cybersecurity Threat’’ 5. ‘‘Cybersecurity Vulnerability’’ 6. ‘‘Cybersecurity Risk’’ 7. ‘‘Information’’ 8. ‘‘Information Systems’’ 9. ‘‘Personal Information’’ 10. Request for Comment B. Proposed Requirements for Covered Entities 1. Cybersecurity Risk Management Policies and Procedures 2. Notification and Reporting of Significant Cybersecurity Incidents 3. Disclosure of Cybersecurity Risks and Incidents 4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a Structured Data Language E:\FR\FM\05APP2.SGM 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules 5. Recordkeeping C. Proposed Requirements for Non-Covered Broker-Dealers 1. Cybersecurity Policies and Procedures, Annual Review, Notification, and Recordkeeping 2. Request for Comment D. Cross-Border Application of the Proposed Cybersecurity Requirements to SBS Entities 1. Background on the Cross-Border Application of Title VII Requirements 2. Proposed Entity-Level Treatment 3. Availability of Substituted Compliance E. Amendments to Rule 18a–10 1. Proposal 2. Request for Comment F. Market Entities Subject to Regulation SCI, Regulation S–P, Regulation ATS, and Regulation S–ID 1. 
Discussion 2. Request for Comment G. Cybersecurity Risk Related to Crypto Assets III. General Request for Comment IV. Economic Analysis A. Introduction B. Broad Economic Considerations C. Baseline 1. Cybersecurity Risks and Current Relevant Regulations 2. Market Structure D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule Amendments 1. Benefits and Costs of the Proposals to the U.S. Securities Markets 2. Policies and Procedures and Annual Review Requirements for Covered Entities 3. Regulatory Reporting of Cybersecurity Incidents by Covered Entities 4. Public Disclosure of Cybersecurity Risks and Significant Cybersecurity Incidents 5. Record Preservation and Maintenance by Covered Entities 6. Policies and Procedures, Annual Review, Immediate Notification of Significant Cybersecurity Incidents, and Record Preservation Requirements for Non-Covered Broker-Dealers 7. Substituted Compliance for Non-U.S. SBS Entities E. Effects on Efficiency, Competition, and Capital Formation F. Reasonable Alternatives 1. Alternatives to the Policies and Procedures Requirements of Proposed Rule 10 2. Alternatives to the Requirements of Proposed Form SCIR and Related Notification and Disclosure Requirements of Proposed Rule 10 3. General Request for Comment V. Paperwork Reduction Act Analysis A. Summary of Collections of Information 1. Proposed Rule 10 2. Form SCIR 3. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders 4. Substituted Compliance (Rule 3a71–6) B. Proposed Use of Information C. Respondents 1. Broker-Dealers 2. Clearing Agencies 3. The MSRB 4. National Securities Exchanges and National Securities Associations VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 5. SBS Entities 6. SBSDRs 7. Transfer Agents D. Total Initial and Annual Reporting Burdens 1. Proposed Rule 10 2. Form SCIR 3. Rules 17a–4, 17ad–7, 18a–6, and Clearing Agency Exemption Orders (and Existing Rules 13n–7 and 17a–1) 4. Substituted Compliance (Rule 3a71–6) E. 
Collection of Information is Mandatory F. Confidentiality of Responses to Collection of Information G. Retention Period for Recordkeeping Requirements H. Request for Comment VI. Initial Regulatory Flexibility Act Analysis A. Reasons for, and Objectives of, Proposed Action 1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR 2. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders B. Legal Basis C. Small Entities Subject to Proposed Rule, Form SCIR, and Recordkeeping Rule Amendments 1. Broker-Dealers 2. Clearing Agencies 3. The MSRB 4. National Securities Exchanges and National Securities Associations 5. SBS Entities 6. SBSDRs 7. Transfer Agents D. Reporting, Recordkeeping, and Other Compliance Requirements 1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR 2. Rules 17a–4, 17ad–7, and 18a–6 E. Duplicative, Overlapping, or Conflicting Federal Rules 1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR 2. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders F. Significant Alternatives 1. Broker-Dealers 2. Clearing Agencies 3. The MSRB 4. National Securities Exchanges and National Securities Associations 5. SBS Entities 6. SBSDRs 7. Transfer Agents G. Request for Comment VII. Small Business Regulatory Enforcement Fairness Act VIII. Statutory Authority I. Introduction A. Cybersecurity Risk Poses a Threat the U.S. Securities Markets 1. In General Cybersecurity risk has been described as ‘‘an effect of uncertainty on or within information and technology.’’ 1 This risk 1 See the National Institute of Standards and Technology (‘‘NIST’’), U.S. Department of Commerce, Computer Security Resource Center Glossary, available at https://csrc.nist.gov/glossary (‘‘NIST Glossary’’) (definition of ‘‘cybersecurity risk’’). 
The NIST Glossary consists of terms and PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 20213 can lead to ‘‘the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and [thereby to] potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.’’ 2 The U.S. Financial Stability Oversight Counsel (‘‘FSOC’’) in its 2021 annual report stated that a destabilizing cybersecurity incident could potentially threaten the stability of the U.S. financial system through at least three channels: • First, the incident could disrupt a key financial service or utility for which there is little or no substitute. This could include attacks on central banks; exchanges; sovereign and subsovereign creditors, including U.S. state and local governments; custodian banks; payment clearing and settlement systems; or other firms or services that lack substitutes or are sole service providers. • Second, the incident could compromise the integrity of critical definitions extracted verbatim from NIST’s cybersecurity and privacy-related publications (i.e., Federal Information Processing Standards (FIPS), NIST Special Publications (SPs), and NIST Internal/ Interagency Reports (IRs)) and from the Committee on National Security Systems (CNSS) Instruction CNSSI–4009. The NIST Glossary may be expanded to include relevant terms in external or supplemental sources, such as applicable laws and regulations. The Cybersecurity Enhancement Act of 2014 (‘‘CEA’’) updated the role of NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. 
The CEA required NIST to identify ‘‘a prioritized, flexible, repeatable, performance based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.’’ See 15 U.S.C. 272(e)(1)(A)(iii). In response, NIST has published the Framework for Improving Critical Infrastructure Cybersecurity (‘‘NIST Framework’’). See also NIST, Integrating Cybersecurity and Enterprise Risk Management (ERM) (Oct. 2020), available at https://nvlpubs.nist.gov/nistpubs/ir/ 2020/NIST.IR.8286.pdf (‘‘All types of organizations, from corporations to federal agencies, face a broad array of risks. For federal agencies, the Office of Management and Budget (OMB) Circular A–11 defines risk as ‘the effect of uncertainty on objectives’. The effect of uncertainty on enterprise mission and business objectives may then be considered an ‘enterprise risk’ that must be similarly managed . . . Cybersecurity risk is an important type of risk for any enterprise.’’) (footnotes omitted). 2 See NIST Glossary (definition of ‘‘cybersecurity risk’’). See also The Board of the International Organization of Securities Commissions (‘‘IOSCO’’), Cyber Security in Securities Markets—An International Perspective (Apr. 2016), available at https://www.iosco.org/library/pubdocs/pdf/ IOSCOPD528.pdf (‘‘IOSCO Cybersecurity Report’’) (‘‘In essence, cyber risk refers to the potential negative outcomes associated with cyber attacks. In turn, cyber attacks can be defined as attempts to compromise the confidentiality, integrity and availability of computer data or systems.’’) (footnote omitted). E:\FR\FM\05APP2.SGM 05APP2 20214 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 data. 
Accurate and usable information is critical to the stable functioning of financial firms and the system; if such data is corrupted on a sufficiently large scale, it could disrupt the functioning of the system. The loss of such data also has privacy implications for consumers and could lead to identity theft and fraud, which in turn could result in a loss of confidence. • Third, a cybersecurity incident that causes a loss of confidence among a broad set of customers or market participants could cause customers or participants to question the safety or liquidity of their assets or transactions, and lead to significant withdrawal of assets or activity.3 The U.S. securities markets are part of the Financial Services Sector, one of the sixteen critical infrastructure sectors ‘‘whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.’’ 4 These markets are over $100 trillion in total size, and more than a trillion dollars’ worth of transactions flow through them each day. For example, the market capitalization of the U.S. equities market was valued at $49 trillion as of the first quarter of 2022,5 and as of May 2022, the average daily trading dollar volume in the U.S. equities market was $659 billion.6 The market capitalization of the U.S. fixed income market was valued at $52.9 trillion as of the fourth quarter of 2021,7 and as of May 2022, the average daily trading dollar volume in the U.S. fixed income market was $897.8 billion.8 3 FSOC, Annual Report (2021), at 168, available at https://home.treasury.gov/system/files/261/ FSOC2021AnnualReport.pdf (‘‘FSOC 2021 Annual Report’’). 4 Cybersecurity and Infrastructure Security Agency (‘‘CISA’’), U.S. 
Department of Homeland Security, Critical Infrastructure Sectors, available at https://www.cisa.gov/critical-infrastructure-sectors. See also Presidential Policy Directive—Critical Infrastructure Security and Resilience, Presidential Policy Directive, PPD–21 (Feb. 12 2013). 5 See Securities Industry and Financial Markets Association (‘‘SIFMA’’), Research Quarterly: Equities (Apr. 27, 2022), available at https:// www.sifma.org/resources/research/researchquarterly-equities/. 6 See SIFMA, US Equity and Related Statistics (June 1, 2022), available at https://www.sifma.org/ resources/research/us-equity-and-related-securitiesstatistics/. 7 See SIFMA, Research Quarterly: Fixed Income— Outstanding (Mar. 14, 2022), available at https:// www.sifma.org/resources/research/researchquarterly-fixed-income-outstanding/. 8 See SIFMA, US Fixed Income Securities Statistics (June 9, 2022), available at https:// www.sifma.org/resources/research/us-fixed-incomesecurities-statistics/. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 The sizes of these markets are indicative of the central role they play in the U.S. economy in terms of the flow of capital, including the savings of individual investors who are increasingly relying on them to, for example, build wealth to fund their retirement, purchase a home, or pay for college for themselves or their family. Therefore, it is critically important to the U.S. economy, investors, and capital formation that the U.S. securities markets function in a fair, orderly, and efficient manner.9 The fair, orderly, and efficient operation of the U.S. 
securities markets depends on different types of entities performing various functions to support, among other things, disseminating market information, underwriting securities issuances, making markets in securities, trading securities, providing liquidity to the securities markets, executing securities transactions, clearing and settling securities transactions, financing securities transactions, recording and transferring securities ownership, maintaining custody of securities, paying dividends and interest on securities, repaying principal on securities investments, supervising regulated market participants, and monitoring market activities. Collectively, these functions are performed by entities regulated by the Commission: broker-dealers, brokerdealers that operate an alternative trading system (‘‘ATS’’), clearing agencies, major security-based swap participants (‘‘MSBSPs’’), the Municipal Securities Rulemaking Board (‘‘MSRB’’), national securities associations, national securities exchanges, security-based swap data repositories (‘‘SBSDRs’’), security-based swap dealers (‘‘SBSDs’’ or collectively with MSBSPs, ‘‘SBS Entities’’), and transfer agents (collectively, ‘‘Market Entities’’).10 To perform their functions, Market Entities rely on an array of electronic information, communication, and computer systems (or similar systems) (‘‘information systems’’) and networks of interconnected information systems. While Market Entities have long relied on information systems to perform their various functions, the acceleration of technical innovation in recent years has exponentially expanded the role these systems play in the U.S. securities 9 The Commission’s tripartite mission is to: (1) protect investors; (2) maintain, fair, orderly, and efficient markets; and (3) facilitate capital formation. See, e.g., Commission, Our Goals, available at https://www.sec.gov/our-goals. 10 Currently, there are no MSBSPs registered with the Commission. 
PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 markets.11 This expansion has been driven by the greater efficiencies and lower costs that can be achieved through the use of information systems.12 It also has been driven by newer entrants (financial technology (Fintech) firms) that have developed business models that rely heavily on information systems (e.g., applications on mobile devices) to provide services to investors and other participants in the securities markets and more established Market Entities adopting the use of similar technologies.13 The COVID–19 pandemic also has contributed to the greater reliance on information systems.14 11 See, e.g., Bank of International Settlements, Erik Feyen, Jon Frost, Leonardo Gambacorta, Harish Natarajan, and Mathew Saal, Fintech and the digital transformation of financial services: implications for market structure and public policy, BIS Papers No. 117 (July 2021), available at https:// www.bis.org/publ/bppdf/bispap117.pdf (‘‘BIS Papers 117’’) (‘‘Significant technology advances have taken place in two key areas that have contributed to the current wave of technology-based finance:’’ Increased connectivity . . . [and] Lowcost computing and data storage . . .’’). 12 Id. (‘‘Technology has reduced the costs of, and need for, much of the traditional physical infrastructure that drove fixed costs for the direct financial services provider . . . Financial intermediaries can reduce marginal costs through technology-enabled automation and ‘straight through’ processing, which are accelerating with the expanded use of data and [artificial intelligence]-based processes. Digital innovation can also help to overcome spatial (geographical) barriers, and even to bridge differences across legal jurisdictions . . .’’). 
See also United Nations, Office for Disaster Risk Reduction, Constantine Toregas and Joost Santos, Cybersecurity and its cascading effect on societal systems (2019), available at https://www.undrr.org/publication/cybersecurityand-its-cascading-effect-societal-systems (‘‘Cybersecurity and its Cascading Effect on Societal Systems’’) (‘‘Modern society has benefited from the additional efficiency achieved by improving the coordination across interdependent systems using information technology (IT) solutions. IT systems have significantly contributed to enhancing the speed of communication and reducing geographic barriers across consumers and producers, leading to a more efficient and cost-effective exchange of products and services across an economy.’’). 13 BIS Papers 117 (‘‘Internet and mobile technology have rapidly increased the ability to transfer information and interact remotely, both between businesses and directly to the consumer. Through mobile and smartphones, which are nearubiquitous, technology has increased access to, and the efficiency of, direct delivery channels and promises lower-cost, tailored financial services . . . Incumbents large and small are embracing digital transformation across the value chain to compete with fintechs and big techs. Competitive pressure on traditional financial institutions may force even those that are lagging to transform or risk erosion of their customer base, income, and margins.’’). 14 Id. (‘‘The COVID–19 pandemic has accelerated the digital transformation. In particular, the need for digital connectivity to replace physical interactions between consumers and providers, and in the processes that produce financial services, will be even more important as economies, financial services providers, businesses and individuals navigate the pandemic and the eventual post-COVID–19 world.’’). See also McKinsey & Company, How Covid–19 has pushed companies E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 This increased reliance on information systems by Market Entities has caused a corresponding increase in their cybersecurity risk.15 This risk can be caused by the actions of external threat actors, including organized or individual threat actors seeking financial gain, nation states conducting espionage operations, or individuals engaging in protest, acting on grudges or personal offenses, or seeking thrills.16 over the technology tipping point—and transformed business forever (Oct. 5, 2020), available at https:// www.mckinsey.com/capabilities/strategy-andcorporate-finance/our-insights/how-covid-19-haspushed-companies-over-the-technology-tippingpoint-and-transformed-business-forever#/ (noting that due to the COVID–19 pandemic, ‘‘companies have accelerated the digitization of their customer and supply-chain interactions and of their internal operations by three to four years [and] the share of digital or digitally enhanced products in their portfolios has accelerated by a shocking seven years’’). 15 See, e.g., Financial Services Information Sharing and Analysis Center (‘‘FS–ISAC’’), Navigating Cyber 2022 (Mar. 2022), available at: www.fsisac.com/navigatingcyber2022-report (detailing cyber threats that emerged in 2021 and predictions for 2022); Danny Brando, Antonis Kotidis, Anna Kovner, Michael Lee, and Stacey L. Schreft, Implications of Cyber Risk for Financial Stability, FEDS Notes, Washington: Board of Governors of the Federal Reserve System (May 12, 2022), available at https://doi.org/10.17016/23807172.3077 (‘‘Implications of Cyber Risk for Financial Stability’’) (‘‘Cyber risk in the financial system has grown over time as the system has become more digitized, as evidenced by the increase in cyber incidents. 
That growth has brought to light unique features of cyber risk and the potentially greater scope for cyber events to affect financial stability.’’); United States Government Accountability Office (‘‘GAO’’), Critical Infrastructure Protection: Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts, GAO–20–631 (Sept. 2020), available at https://www.gao.gov/assets/gao-20631.pdf (‘‘GAO Cybersecurity Report’’) (‘‘The federal government has long identified the financial services sector as a critical component of the nation’s infrastructure. The sector includes commercial banks, securities brokers and dealers, and providers of the key financial systems and services that support these functions. Altogether, the sector holds about $108 trillion in assets and faces a variety of cybersecurity-related risks. Key risks include (1) an increase in access to financial data through information technology service providers and supply chain partners; (2) a growth in sophistication of malware—software meant to do harm—and (3) an increase in interconnectivity via networks, the cloud, and mobile applications.’’); Cybersecurity and its Cascading Effect on Societal Systems (‘‘Nonetheless, IT dependence has also exposed critical infrastructure and industry systems to a myriad of cyber security risks, ranging from accidental causes, technological glitches, to malevolent willful attacks.’’). 16 See, e.g., Verizon, Data Breach Investigations Report (2022) available at https:// www.verizon.com/business/resources/Tba/reports/ dbir/2022-data-breach-investigations-reportdbir.pdf (‘‘Verizon DBIR’’) (finding that 73% of the data breaches analyzed in the report were caused by external actors). 
The Verizon DBIR is an annual report that analyzes cyber security incidents (defined as a security event that compromises the integrity, confidentiality or availability of an information asset) and breaches (defined as an incident that results in the confirmed disclosure— VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 Internal threat actors (e.g., disgruntled employees or employees seeking financial gain) also can be sources of cybersecurity risk.17 Threat actors may target Market Entities because they handle financial assets or proprietary information about financial assets and transactions.18 In addition to threat actors, errors of employees, service providers, or business partners can create cybersecurity risk (e.g., mistakenly exposing confidential or personal information by, for example, sending it through an unencrypted email to unintended recipients).19 Another factor increasing the cybersecurity risk to Market Entities is the growing sophistication of the tactics, techniques, and procedures employed by threat actors.20 This trend is further not just potential exposure—of data to an unauthorized party). To perform the analysis, data about the cybersecurity incidents included in the report are catalogued using the Vocabulary for Event Recording and Incident Sharing (VERIS). VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. More information about VERIS is available at: https:// veriscommunity.net/. See also Microsoft, Microsoft Digital Defense Report (Oct. 2021), available at https://query.prod.cms. rt.microsoft.com/cms/api/am/binary/RWMFIi (‘‘Microsoft Report’’) (‘‘The last year has been marked by significant historic geopolitical events and unforeseen challenges that have changed the way organizations approach daily operations. 
During this time, nation state actors have largely maintained their operations at a consistent pace while creating new tactics and techniques to evade detection and increase the scale of their attacks’’). 17 See, e.g., Verizon DBIR (finding that 18% of the data breaches analyzed in the report were caused by internal actors). But see id. (‘‘Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one. The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources. While certainly true for the broad range of security incidents, our caseload showed otherwise for incidents resulting in data compromise. This finding, of course, should be considered in light of the fact that insiders are adept at keeping their activities secret.’’). 18 See, e.g., GAO Cybersecurity Report (‘‘The financial services sector faces significant risks due to its reliance on sophisticated technologies and information systems, as well as the potential monetary gain and economic disruption that can occur by attacking the sector’’); IOSCO Cybersecurity Report (‘‘[T]he financial sector is one of the prime targets of cyber attacks. It is easy to understand why: the sector is ‘where the money is’ and it can represent a nation or be a symbol of capitalism for some politically motivated activists.’’). 19 See Verizon DBIR (finding that error (defined as anything done (or left undone) incorrectly or inadvertently) as one of action types leading to cybersecurity incidents and breaches). 
exacerbated by the ability of threat actors to purchase tools to engage in cyber-crime.21 Threat actors employ a number of tactics to cause harmful cybersecurity incidents.22 One tactic is the use of malicious software (‘‘malware’’) that is installed on a computer system and used by threat actors to compromise the confidentiality of information stored or operations performed (e.g., monitoring keystrokes) on the system or the integrity or availability of the system (e.g., command-and-control attacks where a threat actor is able to infiltrate a system to install malware to enable it to remotely send commands to infected devices).23 There are a number of different forms of malware, including adware, botnets, rootkits, spyware, Trojans, viruses, and worms.24

A second tactic is a variation of malware known as ‘‘ransomware.’’ 25 In this scheme, the threat actor encrypts the victim’s data, making it unusable, and then demands payment to decrypt it.26 Ransomware schemes have become more prevalent with the widespread adoption and use of crypto assets.27 It is a common tactic used against the financial sector.28 Commission staff has observed that this tactic has increasingly

20 See, e.g., Bank of England, CBEST Intelligence-Led Testing: Understanding Cyber Threat Intelligence Operations (Version 2.0), available at https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligenceoperations.pdf (‘‘Bank of England CBEST Report’’) (‘‘The threat actor community, once dominated by amateur hackers, has expanded to include a broad range of professional threat actors, all of whom are strongly motivated, organised and funded. They include: state-sponsored organisations stealing military, government and commercial intellectual property; organised criminal gangs committing theft, fraud and money laundering which they perceive as low risk and high return; non-profit hacktivists and for-profit mercenary organisations attempting to disrupt or destroy their own or their client’s perceived enemies.’’); Microsoft Report (‘‘Sophisticated cybercriminals are also still working for governments conducting espionage and training in the new battlefield’’).

21 See, e.g., Microsoft Report (‘‘Through our investigations of online organized crime networks, frontline investigations of customer attacks, security and attack research, nation state threat tracking, and security tool development, we continue to see the cybercrime supply chain consolidate and mature. It used to be that cybercriminals had to develop all the technology for their attacks. Today they rely on a mature supply chain, where specialists create cybercrime kits and services that other actors buy and incorporate into their campaigns. With the increased demand for these services, an economy of specialized services has surfaced, and threat actors are increasing automation to drive down their costs and increase scale.’’).

22 See, e.g., Financial Industry Regulatory Authority (‘‘FINRA’’), Common Cybersecurity Threats, available at: www.finra.org/rules-guidance/guidance/common-cybersecurity-threats (‘‘FINRA Common Cybersecurity Threats’’) (summarizing common cybersecurity threats faced by broker-dealers to include phishing, imposter websites, malware, ransomware, distributed denial-of-service attacks, and vendor breaches, among others).

23 See CISA, Malware Tip Card, available at https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf (‘‘CISA Malware Tip Card’’) (‘‘Malware, short for ‘malicious software,’ includes any software (such as a virus, Trojan, or spyware) that is installed on your computer or mobile device. The software is then used, usually covertly, to compromise the integrity of your device. Most commonly, malware is designed to give attackers access to your infected computer. That access may allow others to monitor and control your online activity or steal your personal information or other sensitive data.’’).

24 See, e.g., CISA Malware Tip Card (‘‘Adware [is] a type of software that downloads or displays unwanted ads when a user is online or redirects search requests to certain advertising websites. Botnets [are] networks of computers infected by malware and controlled remotely by cybercriminals, usually for financial gain or to launch attacks on websites or networks. Many botnets are designed to harvest data, such as passwords, Social Security numbers, credit card numbers, and other personal information . . . Rootkit [is] a type of malware that opens a permanent ‘back door’ into a computer system. Once installed, a rootkit will allow additional viruses to infect a computer as various hackers find the vulnerable computer exposed and compromise it. Spyware [is] a type of malware that quietly gathers a user’s sensitive information (including browsing and computing habits) and reports it to unauthorized third parties. Trojan [is] a type of malware that disguises itself as a normal file to trick a user into downloading it in order to gain unauthorized access to a computer. Virus [is] a program that spreads by first infecting files or the system areas of a computer or network router’s hard drive and then making copies of itself. Some viruses are harmless, others may damage data files, and some may destroy files entirely. Worm [is] a type of malware that replicates itself over and over within a computer.’’).

25 See CISA, Ransomware 101, available at https://www.cisa.gov/stopransomware/ransomware101 (‘‘Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.’’).

26 See, e.g., Federal Bureau of Investigation (‘‘FBI’’), Internet Crime Report (2021), available at https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (‘‘FBI Internet Crime Report’’) (‘‘Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. A malicious cyber criminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. Cyber criminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public.’’).

27 See, e.g., Institute for Security and Technology, Combating Ransomware: A Comprehensive Framework For Action: Key Recommendations from the Ransomware Task Force (Apr. 2021), available at https://securityandtechnology.org/ransomwaretaskforce/report (‘‘The explosion of ransomware as a lucrative criminal enterprise has been closely tied to the rise of Bitcoin and other cryptocurrencies, which use distributed ledgers, such as blockchain, to track transactions.’’).

28 See, e.g., FBI Internet Crime Report (stating that it received 649 complaints that indicated organizations in the sixteen U.S. critical infrastructure sectors were victims of a ransomware attack, with the financial sector being the source of the second largest number of complaints).
been employed against certain Market Entities.29

Another group of tactics is social engineering schemes. In a social engineering attack, the threat actor uses social skills to convince an individual to provide access or information that can be used to access an information system.30 ‘‘Phishing’’ is a variation of a social engineering attack in which an email is used to convince an individual to provide information (e.g., personal or account information or log-in credentials) that can be used to gain unauthorized access to an information system.31 Threat actors also use websites to perform phishing attacks.32 ‘‘Spear phishing’’ is a variation of phishing that targets a specific individual or group.33 ‘‘Vishing’’ and ‘‘smishing’’ are variations of social engineering that use phone communications or text messages, respectively, for this purpose.34 These social engineering tactics also are used to deceive the recipient of an electronic communication (e.g., an email or text message) into opening a link or attachment in the communication that downloads malware onto the recipient’s information systems.35

In addition to malware and social engineering, threat actors may try to circumvent or thwart the information system’s logical security mechanisms (i.e., to ‘‘hack’’ the system).36 There are many variations of hacking.37 One tactic is a ‘‘brute force’’ attack in which the threat actor attempts to determine an unknown value (e.g., log-in credentials) using an automated process that tries a large number of possible values.38 The Commission staff has observed that a variation of this tactic, credential stuffing (in which the automated process replays username and password pairs leaked from other breaches rather than guessing them), has increasingly been employed by threat actors against certain Market Entities to access their customers’ accounts.39 The ability of threat actors to hack into information systems can be facilitated by vulnerabilities in information systems, including, for example, the software run on the systems.40

Threat actors also cause harmful cybersecurity incidents through denial-of-service (‘‘DoS’’) attacks.41 This type of attack may involve botnets or compromised servers sending ‘‘junk’’ data or messages to an information system that a Market Entity uses to provide services to investors, market participants, or other Market Entities, causing the system to fail or be unable to process operations in a timely manner. DoS attacks are a commonly used tactic.42

The tactics, techniques, and procedures employed by threat actors can impact the information systems a Market Entity operates directly (e.g., a web application or email system).43 They also can adversely impact the Market Entity and its information systems through its connection to information systems operated by third parties such as service providers (e.g., cloud service providers), business partners, customers, counterparties, members, registrants, or users.44 Further, the tactics, techniques, and procedures employed by threat actors can adversely impact the Market Entity and its information systems through its connection to information systems operated by utilities or central platforms to which the Market Entity is connected (e.g., a securities exchange, securities trading platform, securities clearing agency, or a payment processor).45

If cybersecurity risk materializes into a significant cybersecurity incident, a Market Entity may lose its ability to perform a key function, causing harm to the Market Entity, investors, or other market participants. Moreover, given the interconnectedness of Market Entities’ information systems, a significant cybersecurity incident at one Market Entity has the potential to spread to other Market Entities in a cascading process that could cause widespread disruptions threatening the fair, orderly, and efficient operation of the U.S. securities markets.46 Further, the disruption of a Market Entity that provides critical services to other Market Entities through connected information systems could cause cascading disruptions to those other Market Entities to the extent they cannot obtain those critical services from another source.47

A significant cybersecurity incident also can result in unauthorized access to and use of personal, confidential, or proprietary information.48 In the case of personal information, this can cause harm to investors and others whose personal information was accessed or used (e.g., identity theft).49 This could lead to theft of investor assets. In the case of confidential or proprietary information, this can cause harm to the business of the person whose proprietary information was accessed or used (e.g., public exposure of trading positions or business strategies) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information). Unauthorized access to proprietary information also can lead to theft of a Market Entity’s valuable intellectual property.

Cybersecurity incidents affecting Market Entities can cause substantial harm to other market participants, including investors. For example, significant cybersecurity incidents caused by malware can cause the loss of the Market Entity’s data, or the data of other market participants.50 These incidents also can lead to business disruptions that are costly not just to the Market Entity but also to the other market participants that rely on the Market Entity’s services. A Market Entity also may incur substantial remediation costs due to a significant cybersecurity incident.51 For example, the incident may result in reimbursement to other market participants for cybersecurity-related losses and payment for their use of identity protection services. A Market Entity’s failure to protect itself adequately against a significant cybersecurity incident also may increase its insurance premiums. In addition, a significant cybersecurity incident may expose a Market Entity to litigation costs (e.g., to defend lawsuits brought by individuals whose personal information was stolen), regulatory scrutiny, reputational damage, and, if a result of a compliance failure, penalties. Finally, a sufficiently severe significant cybersecurity incident could cause the failure of a Market Entity.

29 See Office of Compliance Inspections and Examinations (now the Division of Examinations (‘‘EXAMS’’)), Commission, Risk Alert, Cybersecurity: Ransomware Alert (July 10, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf (‘‘EXAMS Ransomware Risk Alert’’) (observing an apparent increase in sophistication of ransomware attacks on Commission registrants, including broker-dealers). Any staff statements represent the views of the staff. They are not a rule, regulation, or statement of the Commission. Furthermore, the Commission has neither approved nor disapproved their content. These staff statements, like all staff statements, have no legal force or effect: they do not alter or amend applicable law; and they create no new or additional obligations for any person.

30 See, e.g., CISA, Security Tip (ST04–014)—Avoiding Social Engineering and Phishing Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-014 (‘‘CISA Security Tip (ST04–014)’’).

31 See, e.g., CISA Security Tip (ST04–014); Microsoft Report (‘‘Phishing is the most common type of malicious email observed in our threat signals. These emails are designed to trick an individual into sharing sensitive information, such as usernames and passwords, with an attacker. To do this, attackers will craft emails using a variety of themes, such as productivity tools, password resets, or other notifications with a sense of urgency to lure a user to click on a link.’’).

32 See, e.g., Microsoft Report (‘‘The phishing web pages used in these attacks may utilize malicious domains, such as those purchased and operated by the attacker, or compromised domains, where the attacker abuses a vulnerability in a legitimate website to host malicious content. The phishing sites frequently copy well-known, legitimate login pages, such as Office 365 or Google, to trick users into inputting their credentials. Once the user inputs their credentials, they will often be redirected to a legitimate final site—such as the real Office 365 login page—leaving the user unaware that actors have obtained their credentials. Meanwhile, the entered credentials are stored or sent to the attacker for later abuse or sale.’’).

33 See, e.g., U.S. Office of the Director of National Intelligence, Spear Phishing and Common Cyber Attacks, available at https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf (‘‘ODNI Spear Phishing Alert’’) (‘‘A spear phishing attack is an attempt to acquire sensitive information or access to a computer system by sending counterfeit messages that appear to be legitimate. ‘Spear phishing’ is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents. Like other social engineering attacks, spear phishing takes advantage of our most basic human traits, such as a desire to be helpful, provide a positive response to those in authority, a desire to respond positively to someone who shares similar tastes or views, or simple curiosity about contemporary news and events.’’).

34 See, e.g., CISA Security Tip (ST04–014).

35 See, e.g., ODNI Spear Phishing Alert (‘‘The goal of spear phishing is to acquire sensitive information such as usernames, passwords, and other personal information. When a link in a phishing email is opened, it may open a malicious site, which could download unwanted information onto a user’s computer. When the user opens an attachment, malicious software may run which could compromise the security posture of the host. Once a connection is established, the attacker is able to initiate actions that could compromise the integrity of your computer, the network it resides on, and data.’’).

36 See Verizon DBIR (definition of ‘‘hacking’’); see also NIST Glossary (defining a ‘‘hacker’’ as an ‘‘unauthorized user who attempts to or gains access to an information system’’).

37 See, e.g., Web Application Security Consortium, WASC Threat Classification: Version 2.00 (1/1/2010), available at https://projects.webappsec.org/f/WASC-TC-v2_0.pdf (‘‘WASC Classification Report’’).

38 See, e.g., WASC Classification Report (‘‘The most common type of a brute force attack in web applications is an attack against log-in credentials. Since users need to remember passwords, they often select easy to memorize words or phrases as passwords, making a brute force attack using a dictionary useful. Such an attack attempting to login to a system using a large list of words and phrases as potential passwords is often called a ‘word list attack’ or a ‘dictionary attack.’ ’’).

39 See EXAMS, Commission, Risk Alert, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sept. 15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf (‘‘EXAMS Safeguarding Client Accounts Risk Alert’’) (‘‘The Office of Compliance Inspections and Examinations (‘OCIE’) has observed in recent examinations an increase in the number of cyberattacks against SEC-registered investment advisers (‘advisers’) and brokers and dealers (‘broker-dealers,’ and together with advisers, ‘registrants’ or ‘firms’) using credential stuffing. Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the dark web and then use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts.’’).

40 See, e.g., CISA, Alert (AA22–117A): 2021 Top Routinely Exploited Vulnerabilities, available at https://www.cisa.gov/uscert/ncas/alerts/aa22-117a (‘‘CISA 2021 Vulnerability Report’’) (‘‘Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.’’). To address this risk, CISA maintains a Known Exploited Vulnerabilities (KEV) catalog that lists vulnerabilities confirmed to have been exploited in the wild, as distinct from the much larger set of vulnerabilities that are merely published. See, e.g., CISA, Reducing The Significant Risk of Known Exploited Vulnerabilities, available at https://www.cisa.gov/known-exploited-vulnerabilities (‘‘CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.’’).

41 See CISA, Security Tip (ST04–015)—Understanding Denial-of-Service Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-015 (‘‘A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible.’’).

42 See Verizon DBIR (finding that DoS attacks represented 46% of the total cybersecurity incidents analyzed).

43 See, e.g., Verizon DBIR (finding that the top assets breached in cybersecurity incidents are servers hosting web applications and email, and stating that because they are ‘‘internet-facing’’ they ‘‘provide a useful venue for attackers to slip through the organization’s ‘perimeter’ ’’).

44 See, e.g., Ponemon Institute LLC, The Cost of Third-Party Cybersecurity Risk Management (Mar. 2019), available at https://info.cybergrx.com/ponemon-report (‘‘Third-party breaches remain a dominant security challenge for organizations, with over 63% of breaches linked to a third party.’’).

45 See, e.g., Financial Markets Authority, New Zealand, Market Operator Obligations Targeted Review—NZX (January 2021), available at https://www.fma.govt.nz/assets/Reports/Market-OperatorObligations-Targeted-Review-NZX.pdf (‘‘New Zealand FMA Report’’) (describing an August 2020 cybersecurity incident at New Zealand’s only regulated financial product market that caused a trading halt of approximately four days).

46 See, e.g., Implications of Cyber Risk for Financial Stability (‘‘Cyber shocks can lead to losses hitting many firms at the same time because of correlated risk exposures (sometimes called the popcorn effect), such as when firms load the same malware-infected third-party software update.’’); The Bank for International Settlements, Committee on Payments and Market Infrastructures (‘‘CPMI’’) and IOSCO, Guidance on cyber resilience for financial market infrastructures (June 2016), available at https://www.bis.org/cpmi/publ/d146.pdf (‘‘[T]here is a broad range of entry points through which a [financial market infrastructure (‘‘FMI’’)] could be compromised. As a result of their interconnectedness, cyber attacks could come through an FMI’s participants, linked FMIs, service providers, vendors and vendor products . . . . Because an FMI’s systems and processes are often interconnected with the systems and processes of other entities within its ecosystem, in the event of a large-scale cyber incident it is possible for an FMI to pose contagion risk (i.e., propagation of malware or corrupted data) to, or be exposed to contagion risk from, its ecosystem.’’).

47 See, e.g., Implications of Cyber Risk for Financial Stability (‘‘And the interconnectedness of the financial system means that an event at one or more firms may spread to others (the domino effect). For example, a cyber event at a single bank can disrupt the bank’s ability to send payments and have cascading effects on other banks’ liquidity and operations.’’).

48 See, e.g., Bank of England CBEST Report (‘‘One class of targeted attack is Computer Network Exploitation (CNE) where the goal is to steal (or exfiltrate) confidential information from the target. This is effectively espionage in cyberspace or, in information security terms, compromising confidentiality.’’).

49 The NIST Glossary defines ‘‘identity fraud or theft’’ as ‘‘all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.’’

50 CISA, Cyber Essentials Starter Kit—The Basics for Building a Culture of Cyber Readiness (Spring 2021), available at https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf (‘‘CISA Cyber Essentials Starter Kit’’) (‘‘Malware is designed to spread quickly. A lack of defense against it can completely corrupt, destroy or render your data inaccessible.’’).
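The brute-force and credential-stuffing discussion above, together with the EXAMS alert quoted in footnote 39, describes the attacker side of these account-takeover tactics. What a Market Entity's security operations team needs is a way to tell the two apart in its own login telemetry, because the responses differ: a dictionary attack against one account calls for rate-limiting and lockout, while a credential-stuffing run calls for forced resets of every account that authenticated successfully during it, since those passwords were not guessed but already known to the attacker. The following Python script is an added example written for this page; it is not code from the release or from any of the cited reports. The log format, the source addresses, the account names and the thresholds are all constructed assumptions for illustration.

```python
"""Triage of login telemetry: brute force vs credential stuffing.

Added example for this page; constructed sample data and illustrative thresholds,
not code or data from the release or the reports it cites.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (source IP, account, result). Not real traffic.
_EVENTS = (
    # 203.0.113.10 hammers one account with many guesses: brute force / dictionary attack
    [("203.0.113.10", "bob", "fail")] * 12
    # 198.51.100.7 tries many accounts once each from a leaked list; one pair still works
    + [("198.51.100.7", u, "fail") for u in ("alice", "dave", "erin", "frank", "grace", "heidi", "ivan")]
    + [("198.51.100.7", "carol", "ok")]
    # 192.0.2.5 is an ordinary user who mistypes once and then logs in
    + [("192.0.2.5", "alice", "fail"), ("192.0.2.5", "alice", "ok")]
)
# Assumed log format for this example: "<timestamp> ip=<src> user=<account> result=<ok|fail>"
SAMPLE_LOG = "\n".join(
    f"2023-03-01T09:00:{i:02d}Z ip={ip} user={user} result={res}"
    for i, (ip, user, res) in enumerate(_EVENTS)
)
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")


@dataclass
class SourceStats:
    """Per-source-IP counters over the analysis window."""
    attempts: int = 0
    failures: int = 0
    per_user_attempts: dict = field(default_factory=lambda: defaultdict(int))
    successes: set = field(default_factory=set)  # accounts that logged in OK from this IP


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.group("ts", "ip", "user", "res") if m else None


def classify_source(s, brute_force_min_failures=10, stuffing_min_users=5, stuffing_max_per_user=2):
    """Label one source IP. Thresholds are illustrative assumptions, not tuned values.

    brute_force:         many failures concentrated on one or two accounts (guessing passwords)
    credential_stuffing: many distinct accounts, each tried only once or twice (replaying leaked pairs)
    """
    if not s.per_user_attempts:
        return "benign"
    distinct_users = len(s.per_user_attempts)
    max_per_user = max(s.per_user_attempts.values())
    if distinct_users >= stuffing_min_users and max_per_user <= stuffing_max_per_user:
        return "credential_stuffing"
    if s.failures >= brute_force_min_failures and distinct_users <= 2:
        return "brute_force"
    return "benign"


def analyze(log_text, **thresholds):
    """Aggregate a log into per-IP verdicts plus the accounts that need a forced reset.

    Returns {"verdicts": {ip: label}, "compromised_accounts": sorted list}. An account that
    authenticated successfully from a credential-stuffing source is treated as taken over:
    the attacker did not guess the password, it was already in the leaked list.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole pipeline
        _, ip, user, res = parsed
        s = stats[ip]
        s.attempts += 1
        s.per_user_attempts[user] += 1
        if res == "fail":
            s.failures += 1
        else:
            s.successes.add(user)
    verdicts = {ip: classify_source(s, **thresholds) for ip, s in stats.items()}
    compromised = sorted(
        user
        for ip, s in stats.items()
        if verdicts[ip] == "credential_stuffing"
        for user in s.successes
    )
    return {"verdicts": verdicts, "compromised_accounts": compromised}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, label in result["verdicts"].items():
        print(f"{ip:15} {label}")
    print("force password reset / step-up auth for:", result["compromised_accounts"])
```

The distinguishing signal is the shape of the attempts per source rather than the raw count: a dictionary attack piles many failures onto one or two accounts, while credential stuffing touches many accounts once or twice each and succeeds wherever a customer reused a leaked password. In a real deployment the same counters should also be kept per account and across all sources combined, because stuffing tools rotate through proxy pools so that no single address crosses a per-IP threshold.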
Given the interconnectedness of Market Entities, a significant cybersecurity incident that degrades or disrupts the critical functions of one Market Entity could cause harm to other Market Entities (e.g., by cutting off their access to a critical service such as securities clearance or by exposing them to the same malware that degraded or disrupted the critical functions of the first Market Entity). This could lead to market-wide outages that compromise the fair, orderly, and efficient functioning of the U.S. securities markets. For these reasons, the Commission is proposing new rule requirements that are designed to protect the U.S. securities markets and investors in these markets from the threat posed by cybersecurity risks.52

2. Critical Operations of Market Entities Are Exposed to Cybersecurity Risk

The fair, orderly, and efficient operation of the U.S. securities markets depends on Market Entities performing various functions without disruption. Market Entities rely on information systems and networks of interconnected information systems to perform their functions. This exposes them to the harms that can be caused by threat actors using the tactics, techniques, and procedures discussed above (among others) and by errors of employees or third-party service providers (among others). The GAO has stated that the primary cybersecurity risks identified by financial sector firms are: (1) internal actors;53 (2) malware;54 (3) social engineering;55 and (4) interconnectivity.56 As discussed below, a significant cybersecurity incident can cause serious harm to Market Entities and others who use their services or are connected to them through information systems and, if severe enough, negatively impact the fair, orderly, and efficient operations of the U.S. securities markets.

a. Common Uses of Information Systems by Market Entities

Market Entities need accurate and accessible books and records, among other things, to manage and conduct their operations, manage and mitigate their risks, monitor the progress of their business, track their financial condition, prepare financial statements, prepare regulatory filings, and prepare tax returns.

51 See, e.g., IBM Security, Cost of a Data Breach Report 2022, available at https://www.ibm.com/security/data-breach (noting the average cost of a data breach in the financial industry is $5.97 million); FBI Internet Crime Report (noting that cybercrime victims lost approximately $6.9 billion in 2021).

52 The Commission has pending proposals to address cybersecurity risk with respect to investment advisers, investment companies, and public companies. See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33–11028, 34–94917, IA–5956, IC–34497 (Feb. 9, 2022) [87 FR 13524 (Mar. 9, 2022)] (‘‘Investment Management Cybersecurity Release’’); Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33–11038, 34–94382, IC–34529 (Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)]. In addition, as discussed in more detail below in section II.F. of this release, the Commission is proposing to amend Regulation SCI (17 CFR 242.1000 through 1007) and Regulation S–P (17 CFR 248.1 through 248.30) concurrent with this release. See Regulation Systems Compliance and Integrity, Release No. 34–97143 (Mar. 15, 2023) (File No. S7–07–23) (‘‘Regulation SCI 2023 Proposing Release’’); Regulation S–P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Release Nos. 34–97141, IA–6262, IC–34854 (Mar. 15, 2023) (File No. S7–05–23) (‘‘Regulation S–P 2023 Proposing Release’’). The Commission encourages commenters to review the proposals with respect to Regulation SCI and Regulation S–P to determine whether they might affect their comments on this proposing release. See also section II.F. of this release (seeking specific comment on how the proposals in this release would interact with Regulation SCI and Regulation S–P as they currently exist and would be amended). Further, the Commission has reopened the comment period for the Investment Management Cybersecurity Release to allow interested persons additional time to analyze the issues and prepare their comments in light of other regulatory developments, including the proposed rules and amendments regarding this proposal, the Regulation SCI 2023 Proposing Release and the Regulation S–P 2023 Proposing Release, that the Commission should consider in connection with the Investment Management Cybersecurity Release. See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies; Reopening of Comment Period, Release Nos. 33–11167, 34–97144, IA–6263, IC–34855 (Mar. 15, 2023), [88 FR 16921 (Mar. 31, 2023)]. The Commission encourages commenters to review the Investment Management Cybersecurity Release and the comments on that proposal to determine whether they might affect their comments on this proposing release. The comments on the Investment Management Cybersecurity Release are available at: https://www.sec.gov/comments/s7-04-22/s70422.htm. Lastly, the Commission also proposed rules and amendments regarding an investment adviser’s obligations with respect to outsourcing certain categories of ‘‘covered functions,’’ including cybersecurity. See Outsourcing by Investment Advisers, Release No. IA–6176 (Oct. 26, 2022), [87 FR 68816 (Nov. 16, 2022)]. The Commission encourages commenters to review that proposal to determine whether it might affect comments on this proposing release.
Increasingly, these records are made and preserved on information systems.57 These recordkeeping information systems also store personal, confidential, and proprietary business information about the Market Entity and its customers, counterparties, members, registrants, or users. The complexity and scope of these books and records systems ranges from ones used by large Market Entities that comprise networks of systems that track thousands of different types of daily transactions (e.g., securities trades and movements of assets) to ones used by small Market Entities comprising off-the-shelf accounting software and computer files on a desktop computer. In either case, a compromise of the confidentiality, integrity, or availability of the information system as a consequence of a significant cybersecurity incident can be devastating to the Market Entity and its customers, counterparties, members, registrants or users. For example, it could cause the Market Entity to cease operations or allow threat actors to use personal information about the customers of the Market Entity to steal their identities.

Market Entities also use information systems so that their employees can communicate with each other and with external persons. These include email, text messaging, and virtual meeting applications. The failure of these information systems as a result of a significant cybersecurity incident can seriously disrupt the Market Entity’s ability to carry out its functions. Moreover, these outward-facing information systems are vectors that threat actors use to cause harmful cybersecurity incidents by, for example, tricking an employee through social engineering into downloading malware in an attachment to an email.

b. Broker-Dealers

Broker-dealers perform a number of functions in the U.S.

53 See GAO Cybersecurity Report (‘‘Risks due to insider threats involve careless, poorly trained, or disgruntled employees or contractors hired by an organization who may intentionally or inadvertently introduce vulnerabilities or malware into information systems. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. Results of insider threats can include data destruction and account compromise.’’).

54 Id. (‘‘The risk of malware exploits impacting the [financial] sector has increased as malware exploits have grown in sophistication’’).

55 Id. (‘‘The financial services sector is at risk due to social engineering attacks, which include a broad range of malicious activities accomplished through human interaction that enable attackers to gain access to sensitive data by convincing a legitimate, authorized user to give them their credentials and/or other personal information’’).

56 Id. (‘‘Interconnectivity involves interdependencies throughout the financial services sector and the sharing of data and information via networks, the cloud, and mobile applications. Organizations in the financial services sector utilize data aggregation hubs and cloud service providers, and new financial technologies such as algorithms based on consumers’ data and risk preferences to provide digital services for investment and financial advice.’’).

57 Some Market Entities may store certain or all of their records in paper format. This discussion pertains to recordkeeping systems that store records electronically on information systems.
securities markets, including underwriting the issuance of securities for publicly and privately held companies, making markets in securities, brokering securities transactions, dealing securities, operating an ATS, executing securities transactions, clearing and settling securities transactions, and maintaining custody of securities for investors. Some broker-dealers may perform multiple functions; whereas others may perform a single function. Increasingly, these functions are performed through the use of information systems. For example, broker-dealers use information systems to connect to securities exchanges, ATSs, and other securities markets in order to transmit purchase and sell orders. Broker-dealers also use information systems to connect to clearing agencies or clearing brokerdealers to transmit securities settlement instructions and transfer funds. They use information systems to communicate and transact with other broker-dealers. In addition, they use information systems to provide securities services to investors, including information systems that investors use to access their securities accounts and transmit orders to purchase or sell securities. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 Depending on the functions undertaken by a broker-dealer, a significant cybersecurity incident could affect customers, including retail investors. For example, a significant cybersecurity incident could result in the broker-dealer experiencing a systems outage, which in turn could leave customers unable to purchase or sell securities held in their account and the broker-dealer unable to trade for itself. 
In addition, broker-dealers maintain records and information related to their customers that include personal information, such as names, addresses, phone numbers, employer information, tax identification information, bank information, and other detailed and individualized information related to broker-dealer obligations under applicable statutory and regulatory provisions.58 If personal information held by a broker-dealer is accessed or stolen by unauthorized users, it could result in harm (e.g., identity theft or conversion of financial assets) to many individuals, including retail investors. Further, a significant cybersecurity incident at a broker-dealer could provide a gateway for threat actors to attack the self-regulatory organizations (“SROs”)—such as national securities exchanges and registered clearing agencies—ATSs, and other broker-dealers to which the firm is connected through information systems and networks of interconnected information systems.59 This could cause a cascading effect where a significant cybersecurity incident initially impacting one broker-dealer spreads to other Market Entities. Moreover, the information systems that link a broker-dealer to other Market Entities, its customers, and other service providers are vectors that expose the broker-dealer to cybersecurity risk arising from threats that originate in information systems outside the broker-dealer’s control.

In addition, some broker-dealers operate ATSs. An ATS is a trading system for securities that meets the definition of “exchange” under federal securities laws but is not required to register with the Commission as a national securities exchange if it complies with the conditions to an exemption provided under Regulation ATS, which includes registering as a broker-dealer.60 Registering as a broker-dealer requires becoming a member of an SRO, such as FINRA, and membership in FINRA subjects an ATS to FINRA’s rules and oversight. Since Regulation ATS was adopted in 1998, ATSs’ operations have increasingly relied on complex automated systems to bring together buyers and sellers for various securities, which include—for example—electronic limit order books and auction mechanisms. These developments have made ATSs significant sources of orders and trading interest for securities. ATSs employ information systems to accept, store, and match orders pursuant to preprogrammed methods and to communicate the execution of these orders for trade reporting purposes and for clearance and settlement of the transactions. ATSs, in particular ATSs that are “NMS Stock ATSs,”61 use information systems to connect to various trading centers in order to receive market data that ATSs use to price and execute orders that are entered on the ATS. A significant cybersecurity incident could disrupt the ATS’s critical infrastructure and significantly impede the ability of the ATS to (among other things): (1) receive market data; (2) accept, price, and match orders; or (3) report transactions. This, in turn, could negatively impact the ability of ATS subscribers to trade and execute the orders of their investors or purchase certain securities at favorable or predictable prices or in a timely manner to the extent the ATS provides liquidity to the market for those securities.

58 See, e.g., 17 CFR 240.17a–3(a)(17) (requiring broker-dealers to make account records of the customer’s or owner’s name, tax identification number, address, telephone number, date of birth, employment status, annual income, net worth, and the account’s investment objectives). Broker-dealers also must comply with relevant anti-money laundering (AML) laws, rules, orders, and guidance. See, e.g., Commission, Anti-Money Laundering (AML) Source Tool for Broker-Dealers, (May 16, 2022), available at https://www.sec.gov/about/offices/ocie/amlsourcetool.
59 Section 3(a)(26) of the Exchange Act defines a self-regulatory organization as any national securities exchange, registered securities association, registered clearing agency, or (with limitations) the MSRB. See 15 U.S.C. 78c(a)(26).
60 17 CFR 242.300 through 242.304. Exchange Act Rule 3a1–1(a)(2) exempts from the definition of “exchange” under Section 3(a)(1) of the Exchange Act an organization, association, or group of persons that complies with Regulation ATS. See 17 CFR 240.3a1–1(a)(2). Regulation ATS requires an ATS to, among other things, register as a broker-dealer, file a Form ATS with the Commission to notice its operations, and establish written safeguards and procedures to protect subscribers’ confidential trading information. See 17 CFR 242.301(b)(1), (2), and (10), respectively. The broker-dealer operator of the ATS controls all aspects of the ATS’s operations and is legally responsible for its operations and for ensuring that the ATS complies with applicable federal securities laws and the rules and regulations thereunder, including Regulation ATS. See Regulation of NMS Stock Alternative Trading Systems, Exchange Act Release No. 83663 (July 18, 2018) [83 FR 38768, 38819–20 (Aug. 7, 2018)] (“Regulation of NMS Stock Alternative Trading Systems Release”).
61 See 17 CFR 242.300(k) (defining the term “NMS Stock ATS”).

c. Clearing Agencies

Clearing agencies are broadly defined in the Exchange Act and undertake a variety of functions.62 An entity that meets the definition of a “clearing agency” is required to register with the Commission or obtain from the Commission an exemption from registration prior to performing the functions of a clearing agency.63 Two common functions of registered clearing agencies are operating as a central counterparty (“CCP”) or a central securities depository (“CSD”). Registered clearing agencies that provide these services are “covered clearing agencies” under Commission regulations.64 A CCP acts as the buyer to every seller and the seller to every buyer, providing a trade guaranty with respect to transactions submitted for clearing by the clearing agency’s participants.65 A CSD acts as a depository for handling securities, whereby all securities of a particular class or series of any issuer deposited within the system are treated as fungible. Market Entities may use a CSD to transfer, loan, or pledge securities by bookkeeping entry without the physical delivery of certificates. A CSD also may permit or facilitate the settlement of securities transactions more generally.66 Currently, all clearing agencies registered with the Commission that are actively providing clearance and settlement services are covered clearing agencies.67

Registered clearing agencies also are SROs under section 19 of the Exchange Act, and their proposed rules are subject to Commission review and published for notice and comment. While certain types of proposed rules are effective upon filing, others are subject to Commission approval before they can go into effect. Additionally, section 17A(b)(1) of the Exchange Act provides the Commission with authority to exempt a clearing agency or any class of clearing agencies (“exempt clearing agencies”) from any provision of section 17A or the rules or regulations thereunder.68 An exemption may be effected by rule or order, upon the Commission’s own motion or upon application, and conditionally or unconditionally.69 The Commission has provided exemptions from registration as a clearing agency for clearing agencies that provide matching services.70 Matching services centrally match trade information between a broker-dealer and its institutional customer. The Commission also has provided exemptions for non-U.S. clearing agencies to perform the functions of a clearing agency with respect to transactions of U.S. participants involving U.S. government and agency securities.71

Registered and exempt clearing agencies rely on information systems to perform the functions described above. Given their central role, the information systems operated by clearing agencies are critical to the operations of the U.S. securities markets. For registered clearing agencies, in particular, these information systems include those that set and calculate margin obligations and other charges, perform netting and calculate payment obligations, facilitate the movement of funds and securities, or effectuate end-of-day settlement.

Certain exempt clearing agencies (e.g., Euroclear and Clearstream) may provide CSD functions like covered clearing agencies while other exempt clearing agencies (e.g., DTCC ITP) may not provide such functions. Nonetheless, any entity that falls within the definition of a clearing agency centralizes technology functions in a manner that increases its potential to become a single point of failure in the case of a significant cybersecurity incident.72 The technology behind clearing agency information systems is subject to growing innovation and interconnectedness, with multiple clearing agencies sharing links among their systems and with the systems of other Market Entities. This growing interconnectivity means that a significant cybersecurity incident at a registered clearing agency could, for example, prevent it from acting timely to carry out its functions, which, in turn, could negatively impact other Market Entities that utilize the clearing agency’s services.73 Further, a significant cybersecurity incident at a registered or exempt clearing agency could provide a gateway for threat actors to attack the members of the clearing agency and other financial institutions that connect to it through information systems. Moreover, the information systems that link the clearing agency to its members are vectors that expose the clearing agency to cybersecurity risk.

62 See 15 U.S.C. 78c(a)(23)(A).
63 See 15 U.S.C. 78q–1(b); 17 CFR 240.17Ab2–1. As discussed below, some clearing agencies operate pursuant to Commission exemptions from registration.
64 See 17 CFR 240.17Ad–22. See also Standards for Covered Clearing Agencies, Exchange Act Release No. 78961 (Sept. 28, 2016) [81 FR 70786, 70793 (Oct. 13, 2016)] (“CCA Standards Adopting Release”).
65 See 17 CFR 240.17Ad–22 (“Rule 17Ad–22”); Definition of “Covered Clearing Agency”, Exchange Act Release No. 88616 (Apr. 9, 2020) [85 FR 28853, 28855–56 (May 14, 2020)] (“CCA Definition Adopting Release”).
66 See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad–22; CCA Definition Adopting Release, 81 FR at 28856.
67 The active covered clearing agencies are: (1) The Depository Trust Company (“DTC”); (2) Fixed Income Clearing Corporation (“FICC”); (3) National Securities Clearing Corporation (“NSCC”); (4) Intercontinental Exchange, Inc. (“ICE”) Clear Credit LLC (“ICC”); (5) ICE Clear Europe Limited (“ICEEU”); (6) The Options Clearing Corporation (“Options Clearing Corp.”); and (7) LCH SA. Certain clearing agencies are registered with the Commission but are not covered clearing agencies. See CCA Standards Adopting Release, 81 FR at 70793. In particular, although subject to paragraph (d) of Rule 17Ad–22, the Boston Stock Exchange Clearing Corporation (“BSECC”) and Stock Clearing Corporation of Philadelphia (“SCCP”) are currently registered with the Commission as clearing agencies but conduct no clearance or settlement operations. See Self-Regulatory Organizations; The Boston Stock Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Amend the Articles of Organization and By-Laws, Exchange Act Release No. 63629 (Jan. 3, 2011) [76 FR 1473, 1474 (Jan. 10, 2011)] (“BSECC Notice”); Self-Regulatory Organizations; Stock Clearing Corporation of Philadelphia; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Relating to the Suspension of Certain Provisions Due to Inactivity, Exchange Act Release No. 63268 (Nov. 8, 2010) [75 FR 69730, 69731 (Nov. 15, 2010)] (“SCCP Notice”).
68 15 U.S.C. 78q–1(b)(1). See also 15 U.S.C. 78mm (providing the Commission with general exemptive authority).
69 See 15 U.S.C. 78q–1(b)(1). The Commission’s exercise of authority to grant exemptive relief must be consistent with the public interest, the protection of investors, and the purposes of Section 17A of the Exchange Act, including the prompt and accurate clearance and settlement of securities transactions and the safeguarding of securities and funds.
70 See Global Joint Venture Matching Services—US, LLC; Order Granting Exemption from Registration as a Clearing Agency, Exchange Act Release No. 44188 (Apr. 17, 2001) [66 FR 20494 (Apr. 23, 2001)] (granting an exemption to provide matching services to Global Joint Venture Matching Services US LLC, now known as DTCC ITP Matching U.S. LLC) (“DTCC ITP Matching Order”); Bloomberg STP LLC; SS&C Technologies, Inc.; Order of the Commission Approving Applications for an Exemption From Registration as a Clearing Agency, Exchange Act Release No. 76514 (Nov. 25, 2015) [80 FR 75388 (Dec. 1, 2015)] (granting an exemption to provide matching services to each of Bloomberg STP LLC and SS&C Technologies, Inc.) (“BSTP SS&C Order”). In addition, on July 1, 2011, the Commission published a conditional, temporary exemption from clearing agency registration for entities that perform certain post-trade processing services for security-based swap transactions. See Order Pursuant to Section 36 of the Securities Exchange Act of 1934 Granting Temporary Exemptions From Clearing Agency Registration Requirements Under Section 17A(b) of the Exchange Act for Entities Providing Certain Clearing Services for Security-Based Swaps, Exchange Act Release No. 34–64796 (July 1, 2011) [76 FR 39963 (July 7, 2011)]. The order facilitated the Commission’s identification of entities that operate in that area and that accordingly may fall within the clearing agency definition. Recently, the Commission indicated that the 2011 Temporary Exemption may no longer be necessary. See Rules Relating to Security-Based Swap Execution and Registration and Regulation of Security-Based Swap Execution Facilities, Release No. 34–94615 (Apr. 6, 2022) [87 FR 28872, 28934 (May 11, 2022)] (stating that the “Commission preliminarily believes that, if it adopts a framework for the registration of [security-based swap execution facilities (“SBSEFs”)], the 2011 Temporary Exemption would no longer be necessary because entities carrying out the functions of SBSEFs would be able to register with the Commission as such, thereby falling within the exemption from the definition of ‘clearing agency’ in existing Rule 17Ad–24.”).
71 See Euroclear Bank SA/NV; Order of the Commission Approving an Application To Modify an Existing Exemption From Clearing Agency Registration, Exchange Act Release No. 79577 (Dec. 16, 2016) [81 FR 93994 (Dec. 22, 2016)] (providing an exemption to Euroclear Bank SA/NV (successor in name to Morgan Guaranty Trust Company of NY)) (“Euroclear Bank Order”); Self-Regulatory Organizations; Cedel Bank; Order Approving Application for Exemption From Registration as a Clearing Agency, Exchange Act Release No. 38328 (Feb. 24, 1997) [62 FR 9225 (Feb. 28, 1997)] (providing an exemption to Clearstream Banking, S.A. (successor in name to Cedel Bank, societe anonyme, Luxembourg)) (“Clearstream Banking Order”). Furthermore, pursuant to the Commission’s statement on CCPs in the European Union (“EU”) authorized under the European Markets Infrastructure Regulation (“EMIR”), an EU CCP may request an exemption from the Commission where it has determined that the application of Commission requirements would impose unnecessary, duplicative, or inconsistent requirements in light of EMIR requirements to which it is subject. See Statement on Central Counterparties Authorized under the European Markets Infrastructure Regulation Seeking to Register as a Clearing Agency or to Request Exemptions from Certain Requirements Under the Securities Exchange Act of 1934, Exchange Act Release No. 34–90492 (Nov. 23, 2020) [85 FR 76635, 76639 (Nov. 30, 2020)], https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf (stating that in seeking an exemption, an EU CCP could provide “a self-assessment . . . [to] explain how the EU CCP’s compliance with EMIR corresponds to the requirements in the Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad–22 and Regulation SCI.”).
The records stored by clearing agencies on their information systems include proprietary information about their members, including confidential business information (e.g., information about the financial condition of the members used by the clearing agency to manage credit risk). Each clearing agency also is required to keep all records made or received by it in the course of its business and in the conduct of its self-regulatory activity.

72 See generally Board of Governors of the Federal Reserve System (“Federal Reserve Board”), Commission, Commodity Futures Trading Commission (“CFTC”), Risk Management of Designated Clearing Entities (July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (report to the Senate Committees on Banking, Housing, and Urban Affairs and Agriculture, Nutrition, and Forestry and the House Committees on Financial Services and Agriculture stating that a designated clearing entity (“DCE”) “faces two types of non-financial risks—operational and legal—that may disrupt the functioning of the DCE. . . . DCEs face operational risk from both internal and external sources, including human error, system failures, security breaches, and natural or man-made disasters.”).
73 See also EXAMS, Commission, Staff Report on the Regulation of Clearing Agencies (Oct. 1, 2020), available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff stating that “consolidation among providers of clearance and settlement services concentrates clearing activity in fewer providers and has increased the potential for providers to become single points of failure.”).
A significant cybersecurity incident at a clearing agency could lead to the improper use of this information to harm the members (e.g., public exposure of confidential financial information) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information). Moreover, a disruption to a registered clearing agency’s operations as a result of a significant cybersecurity incident could interfere with its ability to perform its responsibilities as an SRO (e.g., interrupting its oversight of clearing member activities for compliance with its rules and the federal securities laws), and, therefore, materially impact the fair, orderly, and efficient functioning of the U.S. securities markets.

d. The Municipal Securities Rulemaking Board

The MSRB is an SRO that serves as a regulator of the U.S. municipal securities market with a mandate to protect municipal securities investors, municipal entities, obligated persons, and the public interest.74 Pursuant to the Exchange Act, the MSRB shall propose and adopt rules with respect to transactions in municipal securities effected by broker-dealers and municipal securities dealers and with respect to advice provided to or on behalf of municipal entities or obligated persons by broker-dealers, municipal securities dealers, and municipal advisors with respect to municipal financial products, the issuance of municipal securities, and solicitations of municipal entities or obligated persons undertaken by broker-dealers, municipal securities dealers, and municipal advisors.75 Pursuant to the Exchange Act, the MSRB’s rules shall be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, to foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in municipal securities and municipal financial products, to remove impediments to and perfect the mechanism of a free and open market in municipal securities and municipal products, and in general, to protect investors, municipal entities, obligated persons, and the public interest.76 As an SRO, the MSRB’s proposed rules are subject to Commission review and published for notice and comment. While certain types of proposed rules are effective upon filing, others are subject to Commission approval before they can go into effect.

The MSRB relies on information systems to carry out its mission regulating broker-dealers, municipal securities dealers, and municipal advisors. For example, the MSRB operates the Electronic Municipal Market Access website (“EMMA”). EMMA provides transparency to the U.S. municipal bond market by disclosing free information on virtually all municipal bond offerings, including real-time trade prices, bond disclosure documents, and certain market statistics.77 The MSRB also provides data to the Commission, broker-dealer examining authorities, and banking supervisors to assist in their examination and enforcement efforts involving participants in the municipal securities markets. The MSRB also maintains other data on the U.S. municipal securities markets. This data can be used by the public and others to better understand these markets. The MSRB is also required to keep all records made or received by it in the course of its business and in the conduct of its self-regulatory activity.

A significant cybersecurity incident could disrupt the operation of EMMA and could negatively impact the fair, orderly, and efficient operation of the U.S. municipal securities market. For example, the loss or corruption of transparent price information could cause investors to stop purchasing or selling municipal securities or negatively impact the ability of investors to liquidate or purchase municipal securities at favorable or predictable prices or in a timely manner. In addition, the unauthorized access or use of personal or proprietary information of the persons who are registered with the MSRB could cause them harm through identity theft or the disclosure of confidential business information. Further, a significant cybersecurity incident impacting the MSRB could provide a gateway for threat actors to attack registrants that connect to the MSRB through information systems and networks of interconnected information systems. Moreover, the information systems that link the MSRB to its registrants are vectors that expose the MSRB to cybersecurity risk.

74 See 15 U.S.C. 78o–4. Information about the MSRB and its functions is available at: www.msrb.org.
75 See 15 U.S.C. 78o–4(b)(2).
76 See 15 U.S.C. 78o–4(b)(2)(C).
77 Broker-dealers and municipal securities dealers that trade municipal securities are subject to transaction reporting obligations under MSRB Rule G–14. EMMA, established by the MSRB in 2009, is currently designated by the Commission as the official repository of municipal securities disclosure providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s Real-Time Transaction Reporting System (“RTRS”), with limited exceptions, requires broker-dealers and municipal securities dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA website.

e. National Securities Associations

A national securities association is an SRO created to regulate broker-dealers and the off-exchange broker-dealer market.78 Currently, FINRA is the only national securities association registered under section 15A of the Exchange Act. As a national securities association, FINRA must have rules for its members that, among other things, are designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, to foster cooperation and coordination with persons engaged in regulating, clearing, settling, or processing information with respect to (and facilitating transactions in) securities, to remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.79 FINRA’s rules also must provide for discipline of its members for violations of any provision of the Exchange Act, Exchange Act rules, the rules of the MSRB, or its own rules.80 A national securities association is an SRO under section 19 of the Exchange Act, and its proposed rules are subject to Commission review and are published for notice and comment. While certain types of proposed FINRA rules are effective upon filing, others are subject to Commission approval before they can go into effect.

FINRA also performs other functions of vital importance to the U.S. securities markets. It developed and operates the Trade Reporting and Compliance Engine (“TRACE”), which facilitates the mandatory reporting of over-the-counter transactions in eligible fixed-income securities.81 In addition, FINRA operates the Trade Reporting Facility (“TRF”). FINRA members report over-the-counter transactions in national market system (“NMS”) stocks to the TRF, which are then included in publicly disseminated consolidated equity market data pursuant to an NMS plan.82 Further, pursuant to plans declared effective by the Commission under Exchange Act Rule 17d–2 (“Rule 17d–2”),83 FINRA frequently acts as the sole SRO with regulatory responsibility with respect to certain applicable laws, rules, and regulations for its members that are also members of other SROs (e.g., national securities exchanges).84 Some of these Rule 17d–2 plans facilitate the conduct of market-wide surveillance, including for insider trading.85 The disruption of these FINRA activities by a significant cybersecurity incident could interfere with its ability to carry out its regulatory responsibilities (e.g., disclosing confidential information pertaining to its surveillance of trading activity), and, therefore, materially impact the fair, orderly, and efficient functioning of the U.S. securities markets.

FINRA uses other information systems to perform its responsibilities as an SRO. For example, it operates a number of information systems that its members use to make regulatory filings.86 These systems include FINRA’s eFOCUS system, through which its broker-dealer members file periodic (monthly or quarterly) confidential financial and operational reports.87 FINRA Gateway is another information system that it uses as a compliance portal for its members to file and access information.

78 See 15 U.S.C. 78o–3(a); Exemption for Certain Exchange Members, Exchange Act Release No. 95388 (July 29, 2022) [87 FR 49930 (Aug. 12, 2022)] (proposing amendments to national securities association membership exemption for certain exchange members).
79 See 15 U.S.C. 78o–3(b)(6).
80 See 15 U.S.C. 78o–3(b)(7).
81 FINRA members are subject to transaction reporting obligations under FINRA Rule 6730. This rule requires FINRA members to report transactions in TRACE-Eligible Securities, which the rule defines to include a range of fixed-income securities.
82 In addition, FINRA operates the Alternative Display Facility (“ADF”), which allows members to display quotations and report trades in NMS stocks. Although there are currently no users of the ADF, FINRA has issued a pre-quotation notice advising that a new participant intends to begin using the ADF, subject to regulatory approval. See Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Notice of Filing of a Proposed Rule Change Relating to Alternative Display Facility New Entrant, Exchange Act Release No. 96550 (Dec. 20, 2022) [87 FR 79401 (Dec. 27, 2022)].
83 17 CFR 240.17d–2. Pursuant to a plan declared effective by the Commission under Rule 17d–2, the Commission relieves an SRO of those regulatory responsibilities allocated by the plan to another SRO.
84 See, e.g., Program for Allocation of Regulatory Responsibilities Pursuant to Rule 17d–2; Notice of Filing and Order Approving and Declaring Effective an Amended Plan for the Allocation of Regulatory Responsibilities Between the Financial Industry Regulatory Authority, Inc. and MEMX LLC, Exchange Act Release No. 96101 (Oct. 18, 2022) [87 FR 64280 (Oct. 24, 2022)].
85 See, e.g., Program for Allocation of Regulatory Responsibilities Pursuant to Rule 17d–2; Notice of Filing and Order Approving and Declaring Effective an Amendment to the Plan for the Allocation of Regulatory Responsibilities Among Cboe BZX Exchange, Inc., Cboe BYX Exchange, Inc., NYSE Chicago, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Financial Industry Regulatory Authority, Inc., MEMX LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq PHLX LLC, The Nasdaq Stock Market LLC, NYSE National, Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., Investors’ Exchange LLC, and Long-Term Stock Exchange, Inc. Relating to the Surveillance, Investigation, and Enforcement of Insider Trading Rules, Exchange Act Release No. 89972 (Sept. 23, 2020) [85 FR 61062 (Sept. 29, 2020)].
A disruption of FINRA’s business operations caused by a significant cybersecurity incident could disrupt its ability to carry out its responsibilities as an SRO (e.g., by disrupting its oversight of broker-dealer activities for compliance with its rules and the federal securities laws or its review of broker-dealers’ financial condition), and could therefore materially impact the fair, orderly, and efficient functioning of the U.S. securities markets. Further, a significant cybersecurity incident at FINRA could provide a gateway for threat actors to attack members that connect to it through information systems and networks of interconnected information systems. Moreover, the information systems that link FINRA to its members are vectors that expose FINRA to cybersecurity risk. Additionally, the records stored by FINRA on its information systems include proprietary information about its members, including confidential business information (e.g., information about the operational and financial condition of its broker-dealer members) and confidential personal information about registered persons affiliated with member firms. FINRA also is required to keep all records made or received by it in the course of its business and in the conduct of its self-regulatory activity. A significant cybersecurity incident at FINRA could lead to the improper use of this information to harm the members (e.g., public exposure of confidential financial information) or their registered persons (e.g., public exposure of personal information). Further, it could provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential financial information about its members).

f. National Securities Exchanges

Under the Exchange Act, an ‘‘exchange’’ is any organization, association, or group of persons, whether incorporated or unincorporated, that constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange (as that term is generally understood), and includes the market place and the market facilities maintained by that exchange.88 Section 5 of the Exchange Act 89 requires an organization, association, or group of persons that meets the definition of ‘‘exchange’’ under section 3(a)(1) of the Exchange Act, unless otherwise exempt, to register with the Commission as a national securities exchange pursuant to section 6 of the Exchange Act. Registered national securities exchanges also are SROs, and must comply with regulatory requirements applicable to both national securities exchanges and SROs.90 Section 6 of the Exchange Act requires, among other things, that the rules of a national securities exchange be designed to prevent fraudulent and manipulative acts and practices; to promote just and equitable principles of trade; to foster cooperation and coordination with persons engaged in facilitating transactions in securities; to remove impediments to, and perfect the mechanism of, a free and open market and a national market system; and, in general, to protect investors and the public interest; and that the rules of a national securities exchange not be designed to permit unfair discrimination between customers, issuers, brokers, or dealers.91 As SROs under section 19 of the Exchange Act, the proposed rules of national securities exchanges are subject to Commission review and are published for notice and comment.92 While certain types of proposed exchange rules are effective upon filing, others are subject to Commission approval before they can go into effect.

National securities exchanges use information systems to operate their marketplaces and facilities for bringing together purchasers and sellers of securities. In particular, national securities exchanges rely on automated, complex, and interconnected information systems for trading, routing, market data, regulatory, and surveillance purposes. They also use information systems to connect to members, other national securities exchanges, plan processors, and clearing agencies to facilitate order routing, trading, trade reporting, and the clearing of securities transactions. They also provide quotation, trade reporting, and regulatory information to the securities information processors to ensure that current market data information is available to market participants.93 A

86 Further information about these filing systems is available at: https://www.finra.org/filingreporting/regulatory-filing-systems.

87 The eFOCUS system provides firms with the capability to electronically submit their Financial and Operational Combined Uniform Single (FOCUS) Reports to FINRA. FINRA member broker-dealers are required to prepare and submit FOCUS reports pursuant to Exchange Act Rule 17a–5 (17 CFR 240.17a–5) (‘‘Rule 17a–5’’) and FINRA’s FOCUS Report filing plan. See, e.g., Self-Regulatory Organizations; Notice of Filing and Order Granting Accelerated Approval of Proposed Rule Change by the National Association of Securities Dealers, Inc. Relating to the Association’s FOCUS Filing Plan, Exchange Act Release No. 36780 (Jan. 26, 1996) [61 FR 3743 (Feb. 1, 1996)].

88 See 15 U.S.C. 78c(a)(1). Exchange Act Rule 3b–16 (‘‘Rule 3b–16’’) defines terms used in the statutory definition of ‘‘exchange’’ under section 3(a)(1) of the Exchange Act. Under paragraph (a) of Rule 3b–16, an organization, association, or group of persons is considered to constitute, maintain, or provide such a marketplace or facilities if they ‘‘[b]ring[ ] together the orders for securities of multiple buyers and sellers’’ and use ‘‘established non-discretionary methods (whether by providing a trading facility or by setting rules) under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of a trade.’’ See 17 CFR 240.3b–16(a). In January 2022, the Commission: (1) proposed amendments to Rule 3b–16 to include systems that offer the use of non-firm trading interest and provide communication protocols to bring together buyers and sellers of securities; (2) re-proposed amendments to Regulation ATS for ATSs that trade government securities or repurchase and reverse repurchase agreements on government securities; (3) re-proposed amendments to Regulation SCI to apply to ATSs that meet certain volume thresholds in U.S. Treasury securities or in a debt security issued or guaranteed by a U.S. executive agency or government-sponsored enterprise; and (4) proposed amendments to, among other things, Form ATS–N, Form ATS–R, Form ATS, and the fair access rule under Regulation ATS. See Amendments Regarding the Definition of ‘‘Exchange’’ and Alternative Trading Systems (ATSs) That Trade U.S. Treasury and Agency Securities, National Market System (NMS) Stocks, and Other Securities, Exchange Act Release No. 94062 (Jan. 26, 2022) [87 FR 15496 (Mar. 18, 2022)] (‘‘Amendments Regarding the Definition of ‘Exchange’ and ATSs Release’’). The Commission encourages commenters to review that proposal with respect to ATSs and the comments on that proposal to determine whether they might affect comments on this proposing release.

89 15 U.S.C. 78e.

90 See, e.g., 15 U.S.C. 78f and 78s.
significant cybersecurity incident at a national securities exchange could disrupt or disable its ability to provide these market functions, causing broader disruptions to the securities markets.94 For example, a significant cybersecurity incident could severely impede the ability to trade securities, or could disrupt the public dissemination of consolidated market data, impacting investors and the maintenance of fair, orderly, and efficient markets. In addition, the information systems that link national securities exchanges to their members are vectors that expose the exchange to cybersecurity risk. Similarly, proprietary market data systems of exchanges are widely used and relied upon by a wide swath of market participants for detailed information about quoting and trading activity on an exchange. A significant cybersecurity incident that disrupts the availability or integrity of these feeds could have a significant impact on the trading of securities because market participants may withdraw from trading without access to current quotation and trade information. This could interfere with the maintenance of fair, orderly, and efficient markets.

National securities exchanges also use information systems to perform their

91 See 15 U.S.C. 78f(b)(5).

92 See 15 U.S.C. 78s.

93 The national securities exchanges will provide quotation, trade reporting, and regulatory information to competing consolidators and self-aggregators after the market data infrastructure rules have been implemented. See Market Data Infrastructure, Exchange Act Release No. 90610 (Dec. 9, 2020) [86 FR 18596 (Apr. 9, 2021)] (‘‘MDI Adopting Release’’). In July 2012, the Commission adopted Rule 613 of Regulation NMS, which required national securities exchanges and national securities associations (the ‘‘Participants’’) to jointly develop and submit to the Commission a national market system plan to create, implement, and maintain a consolidated audit trail (the ‘‘CAT’’). See Consolidated Audit Trail, Exchange Act Release No. 67457 (July 18, 2012) [77 FR 45722 (Aug. 1, 2012)]; 17 CFR 242.613. In November 2016, the Commission approved the national market system plan required by Rule 613 (the ‘‘CAT NMS Plan’’). See Joint Industry Plan; Order Approving the National Market System Plan Governing the Consolidated Audit Trail, Exchange Act Release No. 78318 (Nov. 15, 2016) [81 FR 84696 (Nov. 23, 2016)] (the ‘‘CAT NMS Plan Approval Order’’). The Participants conduct the activities related to the CAT in a Delaware limited liability company, Consolidated Audit Trail, LLC (the ‘‘Company’’). The Participants jointly own on an equal basis the Company. As such, the CAT’s Central Repository is a facility of each of the Participants. See CAT NMS Plan Approval Order, 81 FR at 84758. It would also qualify as an ‘‘information system’’ of each national securities exchange and each national securities association under proposed Rule 10. FINRA CAT, LLC—a wholly-owned subsidiary of FINRA—has entered into an agreement with the Company to act as the plan processor for the CAT. However, because the CAT System is operated by FINRA CAT, LLC on behalf of the national securities exchanges and FINRA, the Participants remain ultimately responsible for the performance of the CAT and its compliance with any statutes, rules, and regulations. The goal of the CAT NMS Plan is to create a modernized audit trail system that provides regulators with more timely access to a more comprehensive set of trading data, thus enabling regulators to more efficiently and effectively analyze and reconstruct broad-based market events, conduct market analysis in support of regulatory decisions, and to conduct market surveillance, investigations, and other enforcement activities. The CAT accepts data that are submitted by the Participants and broker-dealers, as well as data from certain market data feeds like SIP and OPRA.
responsibilities as SROs. In particular, exchanges employ market-regulation systems to assist with obligations such as enforcing their rules and the federal securities laws with respect to their members. A disruption of a national securities exchange’s business operations caused by a significant cybersecurity incident could disrupt its ability to carry out its regulatory responsibilities as an SRO and, therefore, materially impact the fair, orderly, and efficient functioning of the U.S. securities markets. Each exchange also is required to keep all records made or received by it in the course of its business and in the conduct of its self-regulatory activity. The records stored by national securities exchanges on their information systems include proprietary information about their members, including confidential business information (e.g., information about the financial condition of their members). The records also include information relating to trading, routing, market data, and market surveillance, among other areas.95 A significant cybersecurity incident at a national securities exchange could lead to the improper use of this information to harm exchange members (e.g., public exposure of confidential financial information) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information).

g. Security-Based Swap Data Repositories

Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (‘‘Title VII of the Dodd-Frank Act’’), enacted in 2010, provided for a comprehensive, new regulatory framework for swaps and security-based swaps, including regulatory reporting and public dissemination of transactions in security-based swaps.96 In 2015, the Commission established a regulatory framework for SBSDRs to provide improved transparency to regulators and help facilitate price discovery and efficiency in the SBS market.97 Under this framework, SBSDRs are registered securities information processors and disseminators of market data in the security-based swap market,98 thereby supporting the Dodd-Frank Act’s goal of public dissemination for all security-based swaps to enhance price discovery to market participants.99 The collection and dissemination of security-based swap data by SBSDRs provide transparency in the security-based swap market for regulators and market participants.

In addition, as centralized repositories for security-based swap transaction data that is used by regulators, SBSDRs provide an important infrastructure assisting relevant authorities in performing their market oversight.100 Data maintained by SBSDRs can assist regulators in addressing market abuses, performing supervision, and resolving issues and positions if an institution fails.101 SBSDRs are required to collect and maintain accurate security-based swap transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting the regulators in a better position to monitor for potential market abuse and risks to financial stability.102 SBSDRs also have the potential to reduce operational risk and enhance operational efficiency, such as by maintaining transaction records that would help counterparties to ensure that their records reconcile on all of the key economic details.

SBSDRs use information systems to perform these functions, including to disseminate market data and provide price transparency in the security-based swap market. They also use information systems to operate centralized repositories for security-based swap data for use by regulators. These information systems provide an important market infrastructure that assists relevant authorities in performing their market oversight.103 As discussed above, data maintained by SBSDRs may, for example, assist regulators in addressing market abuses, performing supervision, and resolving issues and positions if an institution fails. SBSDRs are subject to certain cybersecurity risks that if realized could impede their ability to meet the goals set out in Title VII of the Dodd-Frank Act and the Commission’s rules.104 For example, SBSDRs process and disseminate trade data using information systems.

94 See, e.g., New Zealand FMA Report (describing an August 2020 cybersecurity incident at New Zealand’s only regulated financial product market that caused a trading halt of approximately four days).

95 For example, as discussed above, the national securities exchanges and FINRA jointly operate the CAT System, which collects and stores information relating to market participants, and their order and trading activities.

96 Public Law 111–203, 124 Stat. 1376 (2010), section 761(a) (adding Exchange Act section 3(a)(75) (defining SBSDR)) and section 763(i) (adding Exchange Act section 13(n) (establishing a regulatory regime for SBSDRs)).

97 See Security-Based Swap Data Repository Registration, Duties, and Core Principles, Exchange Act Release No. 74246 (Feb. 11, 2015) [80 FR 14438 (Mar. 19, 2015)] (‘‘SBSDR Adopting Release’’); Regulation SBSR—Reporting and Dissemination of Security-Based Swap Information, Exchange Act Release No. 74244 (Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] (‘‘SBSR Adopting Release’’).

98 See 17 CFR 242.909 (‘‘A registered security-based swap data repository shall also register with the Commission as a securities information processor on Form SDR’’); see also Form SDR (‘‘With respect to an applicant for registration as a security-based swap data repository, Form SDR also constitutes an application for registration as a securities information processor.’’).

99 See, e.g., SBSDR Adopting Release, 80 FR at 14604.

100 See Security-Based Swap Data Repository Registration, Duties, and Core Principles, Exchange Act Release No. 63347 (Nov. 19, 2010) [75 FR 77306, 77307 (Dec. 10, 2010)], corrected at 75 FR 79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (‘‘SBSDR Proposing Release’’) (‘‘The data maintained by an [SBSDR] may also assist regulators in (i) preventing market manipulation, fraud, and other market abuses; (ii) performing market surveillance, prudential supervision, and macroprudential (systemic risk) supervision; and (iii) resolving issues and positions after an institution fails.’’).

101 See SBSDR Proposing Release at 77307.

102 See SBSDR Adopting Release, 80 FR at 14440 (stating that ‘‘[SBSDRs] are required to collect and maintain accurate [security-based swap] transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting them in a better position to monitor for potential market abuse and risks to financial stability.’’).
If these information systems suffer from a significant cybersecurity incident, public access to timely and reliable trade data for the derivatives markets could potentially be compromised.105 Also, if the data stored at an SBSDR is corrupted by a threat actor through a cybersecurity attack, the SBSDR would not be able to provide accurate data to relevant regulatory authorities, which could hinder the oversight of the derivatives markets. Moreover, SBSDRs use information systems to receive and maintain personal, confidential, and proprietary information and data. Unauthorized use of or access to this information could create unfair business or trading advantages and, in the case of personal information, could be used to steal identities. Further, a significant cybersecurity incident at an SBSDR could provide a gateway for threat actors to attack Market Entities and others that connect to it through information systems. Moreover, the links established between an SBSDR and other entities, including unaffiliated clearing agencies and other SBSDRs, are vectors that expose the SBSDR to cybersecurity risk arising from threats that originate in information systems outside the SBSDR’s control.106

h. SBS Entities

The SBS Entities covered by the proposed rulemaking are SBSDs and MSBSPs. An SBSD generally refers to any person who: (1) holds itself out as a dealer in security-based swaps; (2) makes a market in security-based swaps; (3) regularly enters into security-based swaps with counterparties as an ordinary course of business for its own account; or (4) engages in any activity causing it to be commonly known in the trade as a dealer or market maker in security-based swaps.107 An SBSD does not, however, include a person that enters into security-based swaps for such person’s own account, either individually or in a fiduciary capacity, but not as a part of regular business.108 An MSBSP generally includes any person that is not a security-based swap dealer and that satisfies one of the following three alternative statutory tests: (1) it maintains a ‘‘substantial position’’ in security-based swaps, excluding positions held for hedging or mitigating commercial risk and positions maintained by any employee benefit plan (or any contract held by such a plan) for the primary purpose of hedging or mitigating any risk directly associated with the operation of the plan, for any of the major security-based swap categories determined by the Commission; (2) its outstanding security-based swaps create substantial counterparty exposure that could have serious adverse effects on the financial stability of the U.S. banking system or financial markets; or (3) it is a ‘‘financial entity’’ that is ‘‘highly leveraged’’ relative to the amount of capital it holds (and that is not subject to capital requirements by an appropriate federal banking agency) and maintains a ‘‘substantial position’’ in outstanding security-based swaps in any major category as determined by the Commission.109 Currently, there are no MSBSPs registered with the Commission.

SBS Entities play (or, in the case of MSBSPs, could play) a critical role in the U.S. security-based swap market.110 SBS Entities rely on information systems to transact in security-based swaps with other market participants, to receive and deliver collateral, to create and maintain books and records, and to obtain market information to update books and records, and manage risk. A disruption to an SBS Entity’s operations caused by a significant cybersecurity incident could have a large negative impact on the U.S. security-based swap market given the concentration of dealers in this market.

103 See Committee on Payments and Settlement Systems (‘‘CPSS’’), Technical Committee of IOSCO, Principles for financial markets intermediaries (Apr. 2012), available at https://www.bis.org/cpmi/publ/d101a.pdf (‘‘FMI Principles’’) (Principle for financial markets intermediaries (‘‘PFMI’’) 1.14 stating that ‘‘[b]y centralising the collection, storage, and dissemination of data, a well-designed [trade repository (‘‘TR’’)] that operates with effective risk controls can serve an important role in enhancing the transparency of transaction information to relevant authorities and the public, promoting financial stability, and supporting the detection and prevention of market abuse.’’). In 2014, the CPSS became the Committee on Payments and Market Infrastructures (‘‘CPMI’’).

104 See SBSDR Adopting Release, 80 FR at 14450 (‘‘[SBSDRs] themselves are subject to certain operational risks that may impede the ability of [SBSDRs] to meet these goals, and the Title VII regulatory framework is intended to address these risks.’’).

105 See FMI Principles (PFMI 1.14, Box 1 stating that ‘‘[t]he primary public policy benefits of a TR, which stem from the centralisation and quality of the data that a TR maintains, are improved market transparency and the provision of this data to relevant authorities and the public in line with their respective information needs. Timely and reliable access to data stored in a TR has the potential to improve significantly the ability of relevant authorities and the public to identify and evaluate the potential risks posed to the broader financial system.’’).

106 See FMI Principles (PFMI at 3.20.20 stating that ‘‘[a] TR should carefully assess the additional operational risks related to its links to ensure the scalability and reliability of IT and related resources. A TR can establish links with another TR or with another type of FMI. Such links may expose the linked [financial market infrastructures (‘‘FMIs’’)] to additional risks if not properly designed. Besides legal risks, a link to either another TR or to another type of FMI may involve the potential spillover of operational risk. The mitigation of operational risk is particularly important because the information maintained by a TR can support bilateral netting and be used to provide services directly to market participants, service providers (for example, portfolio compression service providers), and other linked FMIs.’’). The CPMI and IOSCO issued guidance for cyber resilience for FMIs, including CSDs, securities settlement systems (‘‘SSSs’’), CCPs, and trade repositories. See CPMI–IOSCO, Guidance on cyber resilience for financial market infrastructures (June 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI–IOSCO, Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures’ Cyber Resilience (Nov. 2022), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an assessment of the state of cyber resilience (as of February 2021) of FMIs from 29 jurisdictions that participated in the exercise in 2020 to 2022).

107 See 15 U.S.C. 78c(a)(71); 17 CFR 240.3a71–1 et seq.
Further, a disruption in the security-based swap market could negatively impact the broader securities markets by, for example, causing participants to liquidate positions related to, or referenced by, the impacted security-based swaps to mitigate losses to participants’ positions or portfolios or due to loss of trading confidence. A disruption in the security-based swap market also could negatively impact the broader securities markets by causing participants to liquidate the collateral margining the security-based swaps for similar reasons or to cover margin calls. The consequences of a business disruption to an SBS Entity’s functions—such as those that may be caused by a significant cybersecurity incident—may be amplified because, unlike many other securities transactions, security-based swap transactions give rise to an ongoing obligation between transaction counterparties during the life of the transaction.111 This means that each counterparty bears the risk of its counterparty’s ability to perform under the terms of a security-based swap until the transaction is terminated. A disruption of an SBS Entity’s normal business activities because of a significant cybersecurity incident could produce spillover or contagion by negatively affecting the willingness or the ability of market participants to extend credit to each other, and could substantially reduce liquidity and valuations for particular types of financial instruments.112 The security-based swap market is large 113 and thus a disruption of an SBS Entity’s operations due to a significant cybersecurity incident could negatively impact sectors of the U.S. economy.114 Further, a significant cybersecurity incident at an SBS Entity could provide a gateway for threat actors to attack the exchanges, SBSDRs, clearing agencies, counterparties, and other SBS Entities to

108 See 15 U.S.C. 78c(a)(71)(C); 17 CFR 240.3a71–1(b).

109 See 15 U.S.C. 78c(a)(67); 17 CFR 240.3a67–1 et seq.

110 Currently, this role is fulfilled by SBSDs, given there are no MSBSPs registered with the Commission.

111 See Further Definition of ‘‘Swap Dealer,’’ ‘‘Security-Based Swap Dealer,’’ ‘‘Major Swap Participant,’’ ‘‘Major Security-Based Swap Participant’’ and ‘‘Eligible Contract Participant’’, Exchange Act Release No. 66868 (Apr. 27, 2012) [77 FR 30596, 30616–17 (May 23, 2012)] (‘‘Further Definition Release’’) (noting that ‘‘[i]n contrast to a secondary market transaction involving equity or debt securities, in which the completion of a purchase or sale transaction can be expected to terminate the mutual obligations of the parties to the transaction, the parties to a security-based swap often will have an ongoing obligation to exchange cash flows over the life of the agreement’’).

112 See Cross-Border Security-Based Swap Activities; Re-Proposal of Regulation SBSR and Certain Rules and Forms Relating to the Registration of Security-Based Swap Dealers and Major Security-Based Swap Participants, Exchange Act Release No. 69490 (May 1, 2013) [78 FR 30967, 30980–81 (May 23, 2013)] (‘‘Cross-Border Proposing Release’’).

113 See, e.g., Commission, Report on Security-Based Swaps Pursuant to Section 13(m)(2) of the Securities Exchange Act of 1934 (July 15, 2022) available at https://www.sec.gov/files/report-onsecurity-based-swaps-071522.pdf.

114 See Cross-Border Proposing Release, 78 FR at 30972 (‘‘The Dodd-Frank Act was enacted, among other reasons, to promote the financial stability of the United States by improving accountability and transparency in the financial system. The 2008 financial crisis highlighted significant issues in the over-the-counter (‘OTC’) derivatives markets, which . . . are capable of affecting significant sectors of the U.S. economy.’’) (footnotes omitted).
which the firm is connected through information systems and networks of interconnected information systems. Moreover, the information systems that link SBS Entities to other Market Entities are vectors that expose the SBS Entity to cybersecurity risk arising from threats that originate in information systems outside the SBS Entity’s control. SBS Entities also store proprietary and confidential information about their counterparties on their information systems, including financial information they use to perform credit analysis. A significant cybersecurity incident at an SBS Entity could lead to the improper use of this information to harm the counterparties (e.g., public exposure of confidential financial information) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information).

i. Transfer Agents

A transfer agent is any person who engages on behalf of an issuer of securities or on behalf of itself as an issuer of securities in (among other functions): (1) tracking, recording, and maintaining the official record of ownership of each issuer’s securities; (2) canceling old certificates, issuing new ones, and performing other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of those securities; (3) facilitating communications between issuers and registered securityholders; and (4) making dividend, principal, interest, and other distributions to securityholders.115 To perform these functions, transfer agents maintain records and information related to securityholders that may include names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents’ recordkeeping and transaction processing on behalf of issuers. With advances in technology and the expansion of book-entry ownership of securities, transfer agents today increasingly rely on technology and automation to perform the core recordkeeping, processing, and transfer services described above, including the use of computer systems to store, access, and process the information related to securityholders they maintain on behalf of issuers. A significant cybersecurity incident that impacts these systems could cause harm to investors by, for example, preventing the transfer agent from transferring ownership of securities or preventing investors from receiving dividend, interest, or principal payments. Further, a significant cybersecurity incident at a transfer agent could provide a gateway for threat actors to attack other Market Entities that connect to it through information systems and networks of interconnected information systems. Moreover, the information systems that link transfer agents to other Market Entities expose the transfer agent to cybersecurity risk arising from threats that originate in information systems outside the transfer agent’s control. The records stored by transfer agents on their information systems include proprietary information about securities ownership and corporate actions. A significant cybersecurity incident at a transfer agent could lead to the improper use of this information to harm securities holders (e.g., public exposure of their confidential financial information or the use of that information to steal their identities) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information).

B. Overview of the Proposed Cybersecurity Requirements

As discussed above, the U.S. securities markets are part of the critical infrastructure of the United States.116 In this regard, they play a central role in the U.S. economy in terms of facilitating the flow of capital, including the savings of individual investors. The fair, orderly, and efficient operation of the U.S. securities markets depends on Market Entities being able to perform their critical functions, and Market Entities are increasingly relying on information systems and interconnected networks of information systems to perform these functions. These information systems are targets of threat actors. Moreover, Market Entities—as financial institutions—are choice targets for threat actors seeking financial gain or to inflict economic harm. Further, threat actors are using increasingly sophisticated and constantly evolving tactics, techniques, and procedures to attack information systems. In addition to threat actors, cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing harm to the U.S. securities markets. For these reasons, it is critically important that Market Entities take steps to protect their information systems and the information residing on those systems from cybersecurity risk. A Market Entity that fails to do so is more vulnerable to succumbing to a significant cybersecurity incident.

115 See Transfer Agent Regulations, Exchange Act Release No. 76743 (Dec. 22, 2015) [80 FR 81948, 81949 (Dec. 31, 2015)].

116 See section I.A. of this release (discussing cybersecurity risk and how critical operations of Market Entities are exposed to cybersecurity risk).
As discussed above, a significant cybersecurity incident can cause serious harm not only to the Market Entity but also to its customers, counterparties, members, registrants, or users, or to any other market participants (including other Market Entities) that interact with the Market Entity. Therefore, it is vital to the U.S. securities markets and the participants in those markets that all Market Entities address cybersecurity risk, which, as discussed above, is increasingly threatening the financial sector. Consequently, the Commission is proposing new Rule 10 and new Form SCIR to require that Market Entities address cybersecurity risks, to improve the Commission’s ability to obtain information about significant cybersecurity incidents impacting Market Entities, and to improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.117 Under proposed Rule 10, certain brokerdealers, the MSRB, and all clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS Entities, and transfer agents would be defined as a ‘‘covered entity’’ (collectively, ‘‘Covered Entities’’).118 117 In designing the requirements of proposed Rule 10, the Commission considered several cybersecurity sources (which are cited in the relevant sections below), including the NIST Framework, the NIST Glossary, and CISA’s Cyber Essentials Starter Kit (information about CISA’s Cyber Essentials Starter Kit is available at: https:// www.cisa.gov/publication/cisa-cyber-essentials). The Commission also considered definitions in relevant federal statutes including the Federal Information Security Modernization Act of 2014, Public Law 113–283 (Dec. 18, 2014); 44 U.S.C. 3551 et seq. (‘‘FISMA’’) and the Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 117th Cong. (2021–2022); 6 U.S.C. 681 et seq. (‘‘CIRCIA’’). 
118 The following broker-dealers would be Covered Entities: (1) broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (‘‘carrying broker-dealers’’); (2) broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis (‘‘introducing broker-dealers’’); (3) broker-dealers with regulatory capital equal to or E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 Proposed Rule 10 would require all Market Entities (Covered Entities and Non-Covered Entities) to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.119 All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.120 They also would be required to prepare a report (in the case of Covered Entities) and a record (in the case of NonCovered Entities) with respect to the annual review. CISA states that organizations should ‘‘approach cyber as business risk.’’ 121 Like other business risks (e.g., market, credit, or liquidity risk), cybersecurity risk can be addressed through policies and procedures that are reasonably designed to manage the risk. Finally, all Market Entities would need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) brokerdealers that operate as market makers; and (6) broker-dealers that operate an ATS (sometimes collectively referred to as ‘‘Covered BrokerDealers’’). 
Broker-dealers that do not fall into one of these six categories (sometimes collectively referred to as ‘‘Non-Covered Entities’’ or ‘‘NonCovered Broker-Dealers’’) would not be Covered Entities for the purposes of proposed Rule 10. See also section II.A.1.b. of this release (discussing the categories of broker-dealers that would be ‘‘Covered Entities’’ in greater detail). 119 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of ‘‘covered entity’’); paragraph (e)(1) of proposed Rule 10 (setting forth the requirements for Market Entities that are not Covered Entities (i.e., Non-Covered Broker-Dealers)). See also sections II.B.1. and II.C. of this release (discussing these proposed requirements in more detail). As discussed in sections II.F. and IV.C.1.b. of this release, certain categories of Market Entities are subject to existing requirements to address aspects of cybersecurity risk or that may relate to cybersecurity. These other requirements, however, do not address cybersecurity risk as directly, broadly, or comprehensively as the requirements of proposed Rule 10. 120 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail). 121 See CISA Cyber Essentials Starter Kit (‘‘Ask yourself what type of impact would be catastrophic to your operations? What information if compromised or breached would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization.’’). 
VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 20227 significant cybersecurity incident has occurred or is occurring.122 Market Entities that meet the definition of ‘‘covered entity’’ would be subject to certain additional requirements under proposed Rule 10.123 First, as discussed in more detail below, the written policies and procedures that Covered Entities would need to establish, maintain, and enforce would need to include the following elements: • Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments; • Controls designed to minimize userrelated risks and prevent unauthorized access to the Covered Entity’s information systems; • Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems; • Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and • Measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.124 Second, Covered Entities—in addition to providing the Commission with immediate written electronic notice of a significant cybersecurity incident— would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission.125 The form would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. 
Third, Covered Entities would need to disclose publicly summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR.126 The form would need to be filed with the Commission and posted on the Covered Entity’s business internet website. Covered Entities that are carrying or introducing broker-dealers also would need to provide the form to customers at account opening, when information on the form is updated, and annually. Covered Entities and Non-Covered Entities would need to preserve certain records relating to the requirements of proposed Rule 10 in accordance with amended or existing recordkeeping requirements applicable to them or, in the case of exempt clearing agencies, pursuant to conditions in relevant exemption orders.127 Finally, the Commission is proposing amendments to address the potential availability of substituted compliance to non-U.S. SBS Entities with respect to the proposed cybersecurity requirements.128 In developing the proposed requirements summarized above with regard to SBSDRs and SBS Entities, the Commission consulted and coordinated with the CFTC and the prudential regulators in accordance with section 712(a)(2) of Title VII of the Dodd-Frank Act. In accordance with section 752 of Title VII of the Dodd-Frank Act, the Commission has consulted and coordinated with foreign regulatory authorities through Commission staff participation in numerous bilateral and multilateral discussions with foreign regulatory authorities addressing the regulation of OTC derivatives markets. 122 See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of this release (discussing these proposed requirements in more detail). 
123 Compare paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Covered Entities), with paragraph (e) of proposed Rule 10 (setting forth the requirements for NonCovered Entities). 124 See sections II.B.1.a. through II.B.1.e. of this release (discussing these proposed requirements in more detail). In the case of Non-Covered Entities, as discussed in more detail below in section II.C. of this release, the design of the cybersecurity risk management policies and procedures would need to take into account the size, business, and operations of the broker-dealer. See paragraph (e) of proposed Rule 10. 125 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail). II. Discussion of Proposed Cybersecurity Rule PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 A. Definitions Proposed Rule 10 would define a number of terms for the purposes of its requirements.129 These definitions also would be used for the purposes of Parts 126 See sections II.B.3. and II.B.4.of this release (discussing these proposed requirements in more detail). 127 See sections II.B.5. and II.C. of this release (discussing these proposed requirements in more detail). 128 See sections II.D. of this release (discussing these proposed amendments in more detail). 129 See paragraph (a) of proposed Rule 10. E:\FR\FM\05APP2.SGM 05APP2 20228 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules I and II of proposed Form SCIR.130 The defined terms are intended to tailor the risk management, notification, reporting, and disclosure requirements of proposed Rule 10 to the distinctive aspects of cybersecurity risk as compared with other risks Market Entities face (e.g., market, credit, or liquidity risk).131 1. ‘‘Covered Entity’’ lotter on DSK11XQN23PROD with PROPOSALS2 a. 
Market Entities That Meet the Definition of ‘‘Covered Entity’’ Would Be Subject to Additional Requirements Proposed Rule 10 would define the term ‘‘covered entity’’ to identify the types of Market Entities that would be subject to certain additional requirements under the rule.132 As discussed above, proposed Rule 10 would require all Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.133 All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity risk management policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.134 They also would be required to prepare a report (in the case of Covered Entities) or a record (in the case of Non-Covered Entities) with respect to the annual review. Further, all Market Entities would need to give the Commission immediate written electronic notice of a 130 See sections II.B.2. and II.B.3. of this release (discussing Parts I and II of proposed Form SCIR in more detail). 131 See paragraphs (a)(2) through (9) of proposed Rule 10 (defining, respectively, the terms ‘‘cybersecurity incident,’’ ‘‘cybersecurity risk,’’ ‘‘cybersecurity threat,’’ ‘‘cybersecurity vulnerability,’’ ‘‘information,’’ ‘‘information systems,’’ ‘‘personal information,’’ and ‘‘significant cybersecurity incident’’). 132 See paragraphs (a)(1)(i) through (ix) of proposed Rule 10 (defining these Market Entities as ‘‘covered entities’’). A Market Entity that falls within the definition of ‘‘covered entity’’ for purposes of proposed Rule 10 may not necessarily meet the definition of a ‘‘covered entity’’ for purposes of certain federal statutes, such as, but not limited to, CIRCIA and any regulations promulgated thereunder. 
CIRCIA, among other things, requires the Director of CISA to issue and implement regulations defining the term ‘‘covered entity’’ and requiring covered entities to report covered cyber incidents and ransom payments as the result of ransomware attacks to CISA in certain instances. 133 See paragraph (b)(1) of proposed Rule 10 (setting forth the requirement for Market Entities that meet the definition of ‘‘covered entity’’); paragraph (e)(1) of proposed Rule 10 (setting forth the requirement for Market Entities that do not meet the definition of ‘‘covered entity,’’ which, as discussed above, would be certain smaller brokerdealers). 134 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.135 As discussed above, Market Entities use information systems that expose them to cybersecurity risk and that risk is increasing due to the interconnectedness of the information systems and the sophistication of the tactics used by threat actors. Therefore, regardless of their function, interconnectedness, or size, all Market Entities would be subject to these requirements designed to address cybersecurity risks. 
Market Entities that are Covered Entities would be subject to certain additional requirements under proposed Rule 10.136 In particular, they would be required to: (1) include certain elements in their cybersecurity risk management policies and procedures; 137 (2) file Part I of proposed Form SCIR with the Commission and, for some Covered Entities, other regulators to report information about a significant cybersecurity incident; 138 and (3) make public disclosures on Part II of proposed Form SCIR about their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.139 In determining which Market Entities would be Covered Entities subject to the additional requirements, the Commission considered: (1) how the type of Market Entity supports the fair, orderly, and efficient operation of the U.S. securities markets and the consequences if that type of Market Entity’s critical functions were disrupted or degraded by a significant cybersecurity incident; (2) the harm that could befall investors, including retail investors, if that type of Market Entity’s functions were disrupted or degraded by a significant cybersecurity incident; (3) 135 See paragraph (c)(1) of proposed Rule 10 (setting forth the requirement for Market Entities that meet the definition of ‘‘covered entity’’); paragraph (e)(2) of proposed Rule 10 (setting forth the requirement for Market Entities that do not meet the definition of ‘‘covered entity’’). 136 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Covered Entities); paragraph (e) of proposed Rule 10 (setting forth the requirements for Non-Covered Entities). As discussed above, Covered Entities would need to prepare a report with respect to their review and assessment of the policies and procedures. See paragraph (b)(2) of proposed Rule 10. 
Non-Covered Entities would need to make a record with the respect to the annual review and assessment of their policies and procedures. See paragraph (e) of proposed Rule 10. 137 See paragraphs (b)(1)(i) through (v) of proposed Rule 10. 138 See paragraph (c)(2) of proposed Rule 10. See also paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity risk’’). 139 See paragraph (d) of proposed Rule 10. PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 the extent to which that type of Market Entity poses cybersecurity risk to other Market Entities through information system connections, including the number of connections; (4) the extent to which the that type of Market Entity would be an attractive target for threat actors; and (5) the personal, confidential, and proprietary business information about the type of Market Entity and other persons (e.g., investors) stored on the Market Entity’s information systems and the harm that could be caused if that information was accessed or used by threat actors. b. Broker-Dealers The following broker-dealers registered with the Commission would be Covered Entities: (1) broker-dealers that maintain custody of securities and cash for customers or other brokerdealers (i.e., carrying broker-dealers); (2) broker-dealers that introduce their customers’ accounts to a carrying broker-dealer on a fully disclosed basis (i.e., introducing broker-dealers); 140 (3) broker-dealers with regulatory capital equal to or exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) brokerdealers that operate as market makers; and (6) broker-dealers that operate an ATS. 
Thus, under proposed Rule 10, these six categories of broker-dealers would be subject to the additional requirements.141 All other types of 140 When a broker-dealer introduces a customer to a carrying broker-dealer on a fully disclosed basis, the carrying broker-dealer knows the identity of the customer and holds cash and securities in an account for the customer that identifies the customer as the accountholder. This is distinguishable from a broker-dealer that introduces its customers to another carrying broker-dealer on an omnibus basis. In this scenario, the carrying broker-dealer does not know the identities of the customers and holds their cash and securities in an account that identifies the broker-dealer introducing the customers on an omnibus basis as the accountholder. A broker-dealer that introduces customers to another broker-dealer on an omnibus basis is, itself, a carrying broker-dealer for purposes of the Commission’s financial responsibility rules, including, the broker-dealer net capital and customer protection rules. See, e.g., 17 CFR 240.15c3–1 and 17 CFR 240.15c3–3. This category of broker-dealer would be a carrying broker-dealer for purposes of proposed Rule 10 and therefore subject to the rule’s requirements for Covered Entities. 141 See paragraphs (a)(1)(i)(A) through (F) of proposed Rule 10. Certain of the definitions in proposed Rule 10 would be used for the purposes of the requirements in the rule for broker-dealers that are not Covered Entities. Specifically, paragraph (e)(1) of proposed Rule 10 would require broker-dealers that are not Covered Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the cybersecurity risks of the broker-dealer taking into account the size, business, and operations of the broker-dealer. The term ‘‘cybersecurity risk’’ is defined in paragraph (a)(3) of proposed Rule 10 and that definition E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 broker-dealers would not meet the definition of Covered Entity.142 The first category of broker-dealers included as Covered Entities would be carrying broker-dealers. Specifically, proposed Rule 10 would define ‘‘covered entity’’ to include any brokerdealer that maintains custody of cash and securities for customers or other broker-dealers and is not exempt from the requirements of Exchange Act Rule 15c3–3 (i.e., a carrying broker-dealer).143 Some carrying broker-dealers are large in terms of their assets and dealing activities or the number of their accountholders. For example, they may engage in a variety of order handling, trading, and/or clearing activities, and thereby play a significant role in U.S. securities markets, often through multiple business lines and/or in multiple asset classes. Consequently, if their critical functions were disrupted or degraded by a significant cybersecurity incident it could have a potential negative impact on the U.S. securities markets by, for example, reducing liquidity in the markets or sectors of the markets due to the firm’s inability to continue dealing and trading activities. A broker-dealer in this situation could lose its ability to provide liquidity to other market participants for an indeterminate length of time, which could lead to unfavorable market conditions for investors, such as higher buy prices and lower sell prices or even the inability to execute a trade within a reasonable amount of time. Further, some carrying broker-dealers hold millions of accounts for investors. If a incorporates the terms ‘‘cybersecurity incident,’’ ‘‘cybersecurity threat,’’ and ‘‘cybersecurity vulnerability,’’ which are defined, respectively, in paragraphs (a)(2), (a)(4), and (a)(5) of proposed Rule 10. 
In addition, paragraph (e)(2) of proposed Rule 10 would require broker-dealers that are not Covered Entities to provide immediate written electronic notice to the Commission and their examining authority if they experience a ‘‘significant cybersecurity incident’’ as that term is defined in the rule. Therefore, paragraph (a)(8) of proposed Rule 10 would define the term ‘‘market entity’’ to mean a Covered Entity and a brokerdealer registered with the Commission that is not a Covered Entity. Further, the definitions in proposed Rule 10 would refer to ‘‘market entities’’ (rather than ‘‘covered entities’’) in order to not limit the application of these definitions to paragraphs (b) through (d) of proposed Rule 10, which set forth the requirements for Covered Entities (but not for Non-Covered Entities). 142 As discussed below in section IV.C.2. of this release, of the 3,510 broker-dealers registered with the Commission as of the third quarter of 2022, 1,541 would meet the definition of ‘‘covered entity’’ under proposed Rule 10, leaving 1,969 brokerdealers as Non-Covered Entities. 143 See paragraph (a)(1)(i)(A) of proposed Rule 10. See also 17 CFR 240.15c3–3 (‘‘Rule 15c3–3’’). Rule 15c3–3 sets forth requirements for broker-dealers that maintain custody of customer securities and cash that are designed to protect those assets and ensure their prompt return to the customers. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 significant cybersecurity incident prevented this investor-base from accessing the securities markets, it could impact liquidity as well. Also, the dealing activities of carrying broker-dealers may make them attractive targets for threat actors seeking to access proprietary and confidential information about the broker-dealer’s trading positions and strategies to use for financial advantage. In addition, the size and financial resources of carrying broker-dealers may make them attractive targets for threat actors employing ransomware schemes. 
Because carrying broker-dealers hold cash and securities for customers and other broker-dealers, a significant cybersecurity incident could put these assets in peril or make them unavailable. For example, a significant cybersecurity incident could cause harm to the investors that own these assets— including retail investors—if it causes the investors to lose access to their securities accounts (and, therefore, the ability to purchase or sell securities), causes the failure of the carrying brokerdealer (which could tie up the assets in a liquidation proceeding under the Securities Investor Protection Act), or, in the worst case, results in the assets being stolen. The fact that carrying broker-dealers hold cash and securities for investors also may make them attractive targets for threat actors seeking to steal those assets through hacking the accounts or using stolen credentials and log-in information. In addition, carrying broker-dealers with large numbers of customers might be attractive targets for threat actors because of the volume of personal information they maintain. Threat actors may seek to access and download this information in order to sell it to other threat actors. If this information is accessed or stolen by threat actors, it could result in harm (e.g., identity theft or conversion of financial assets) to many individuals, including retail investors. Carrying broker-dealers typically are connected to a number of different Market Entities through information systems, including national securities exchanges, clearing agencies, and other broker-dealers (including introducing broker-dealers). The second category of broker-dealers included as Covered Entities would be introducing broker-dealers.144 These broker-dealers introduce customer accounts on a fully disclosed basis to a carrying broker-dealer. 
In this arrangement, the carrying broker-dealer knows the identities of the fully disclosed customers and maintains 144 See PO 00000 paragraph (a)(1)(i)(B) of proposed Rule 10. Frm 00019 Fmt 4701 Sfmt 4702 20229 custody of their securities and cash. The introducing broker-dealer typically interacts directly with the customers by, for example, making securities recommendations and accepting their orders to purchase or sell securities. An introducing broker-dealer must enter into an agreement with a carrying broker-dealer to which it introduces customer accounts on a fully disclosed basis.145 These broker-dealers would be included as Covered Entities because they are a conduit to their customers’ accounts at the carrying broker-dealer and have access to information and trading systems of the carrying brokerdealer. Consequently, a significant cybersecurity incident could harm their customers to the extent it causes the customers to lose access to their securities accounts at the carrying broker-dealer. Further, a significant cybersecurity incident at an introducing broker-dealer could spread to the carrying broker-dealer given the information systems that connect the two firms. These connections also may make introducing broker-dealers attractive targets for threat actors seeking to access the information systems of the carrying broker-dealer to which the introducing broker-dealer is connected. In addition, introducing brokerdealers may store personal information about their customers on their information systems or be able to access this information on the carrying brokerdealer’s information systems. The fact that they store this information also may make them attractive targets for threat actors seeking to use the information to steal identities or assets, or to sell the personal information to other bad actors who will seek to use it for these purposes. 
The third category of broker-dealers included as Covered Entities would be broker-dealers that have regulatory capital equal to or exceeding $50 million.146 Regulatory capital is the total capital of the broker-dealer plus allowable subordinated liabilities of the broker-dealer and is reported on the FOCUS reports broker-dealers file 145 See FINRA Rule 4311. Pursuant to FINRA requirements, the carrying agreement must specify the responsibilities of the carrying broker-dealer and the introducing broker-dealer, including, at a minimum, the responsibilities for: (1) opening and approving accounts; (2) accepting of orders; (3) transmitting of orders for execution; (4) executing of orders; (5) extending credit; (6) receiving and delivering of funds and securities; (7) preparing and transmitting confirmations; (8) maintaining books and records; and (9) monitoring of accounts. See FINRA Rule 4311(c)(1). 146 See paragraph (a)(1)(i)(C) of proposed Rule 10. E:\FR\FM\05APP2.SGM 05APP2 20230 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 pursuant to Rule 17a–5.147 The fourth category would be a broker-dealer with total assets equal to or exceeding $1 billion.148 The $50 million and $1 billion thresholds are modeled on the thresholds that trigger enhanced recordkeeping and reporting requirements for certain broker-dealers pursuant to Exchange Act Rules 17h–1T and 17h–2T.149 These thresholds are designed to include as Covered Entities brokerdealers that are large in terms of their assets and dealing activities (and that would not otherwise be Covered BrokerDealers under the definitions in proposed Rule 10).150 For example, larger broker-dealers that exceed these thresholds often engage in proprietary trading (including high frequency trading) and are sources of liquidity in certain securities. 
Consequently, if their critical functions were disrupted or degraded by a significant cybersecurity incident it could have a potential negative impact on those securities markets if it reduces liquidity in the markets through the inability to continue dealing and trading activities. For example, a broker-dealer in this situation could lose its ability to provide liquidity to other market participants for an indeterminate length of time, which could lead to unfavorable market conditions for investors, such as higher buy prices and lower sell prices or even the ability to execute a trade within a reasonable amount of time. In addition, the size and dealing activities of these broker-dealers could make them attractive targets for threat actors seeking to access proprietary and confidential information about the broker-dealer’s trading positions and 147 See 17 CFR 240.17a–5; Form X–17A–5, Line Item 3550. 148 See paragraph (a)(1)(i)(D) of proposed Rule 10. 149 See 17 CFR 240.17h–1T and 17h–1T. See also Order Under Section 17(h)(4) of the Securities Exchange Act of 1934 Granting Exemption from Rule 17h–1T and Rule 17h–2T for Certain BrokerDealers Maintaining Capital, Including Subordinated Debt of Greater Than $20 Million But Less Than $50 Million, Exchange Act Release No. 89184 (June 29, 2020) [85 FR 40356 (July 6, 2020)] (‘‘17h Release’’) (setting forth the $50 million and $1 billion thresholds). 150 Size has been recognized as a proxy for substantial market activity relative to other registrants of the same type and therefore a firm’s relative risk to the financial markets. 
See 17h Release (noting that broker-dealers that have less than $50 million in regulatory capital and less than $1 billion in total assets are ‘‘relatively small in size,’’ and ‘‘because of their relative size’’ and to the extent they are not carrying firms, these entities ‘‘present less risk to the financial markets,’’ while stating that with respect to broker-dealers with at least $50 million in regulatory capital or at least $1 billion in total assets ‘‘the Commission believes . . . those broker-dealers . . . pose greater risk to the financial markets, investors, and other market participants’’). VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 strategies to use for financial advantage. This also may make them attractive targets for threat actors employing ransomware schemes. Further, given their size and trading activities, these broker-dealers may be connected to a number of different Market Entities through information systems, including national securities exchanges, clearing agencies, other broker-dealers, and ATSs. The fifth category of broker-dealers included as Covered Entities would be broker-dealers that operate as market makers. Specifically, proposed Rule 10 would define ‘‘covered entity’’ to include a broker-dealer that operates as a market maker under the Exchange Act or the rules thereunder (which includes a broker-dealer that operates pursuant to Exchange Act Rule 15c3–1(a)(6)) or is a market maker under the rules of an SRO of which the broker-dealer is a member.151 The proposed rule’s definition of ‘‘market maker’’ is tied to securities laws that confer benefits or impose requirements on market makers and, consequently, covers brokerdealers that take advantage of those benefits or are subject to those requirements. The objective is to rely on these other securities laws to define a market maker rather than set forth a new definition of ‘‘market maker’’ in proposed Rule 10, which could conflict with these other laws. 
Market makers would be included as Covered Entities because disruptions to their operations caused by a significant cybersecurity incident could have a material impact on the fair, orderly, and efficient functioning of the U.S. securities markets. For example, a significant cybersecurity incident could imperil a market maker’s operations and ability to facilitate transactions in particular securities between buyers and sellers. In addition, market makers typically are connected to a number of different Market Entities through information systems, including national securities exchanges and other broker-dealers.

The sixth category of broker-dealers included as Covered Entities would be broker-dealers that operate an ATS.152 Since Regulation ATS was adopted in 1998, ATSs have become increasingly important venues for trading securities in a fast and automated manner. ATSs perform exchange-like functions such as offering limit order books and other order types. These developments have made ATSs significant sources of orders and trading interest for securities. ATSs use data feeds, algorithms, and connectivity to perform these functions. ATSs rely heavily on information systems to perform these functions, including to connect to other Market Entities such as broker-dealers and principal trading firms. A significant cybersecurity incident that disrupts an ATS could negatively impact the ability of investors to liquidate or purchase certain securities at favorable or predictable prices or in a timely manner to the extent it provides liquidity to the market for those securities. Further, a significant cybersecurity incident at an ATS could provide a gateway for threat actors to attack other Market Entities that connect to it through information systems and networks of interconnected information systems. In addition, ATSs are connected to a number of different Market Entities through information systems, including national securities exchanges and other broker-dealers.
Finally, the records stored by ATSs on their information systems include proprietary information about the Market Entities that use their services, including confidential business information (e.g., information about their trading activities).

For the foregoing reasons, the categories of broker-dealers discussed above would be Covered Entities under proposed Rule 10. All other categories of broker-dealers would be Non-Covered Entities. Generally, the types of broker-dealers that would be Non-Covered Entities under proposed Rule 10 are smaller firms whose functions do not play as significant a role in promoting the fair, orderly, and efficient operation of the U.S. securities markets, as compared to broker-dealers that would be Covered Entities.153 For example, they tend to offer a more focused and limited set of services such as facilitating private placements of securities, selling mutual funds and variable contracts, underwriting securities, and participating in direct investment offerings.154 Further, they do not act as custodians for customer securities and cash or serve as a conduit (i.e., an introducing broker-dealer) for customers to access their accounts at a carrying broker-dealer that does maintain custody of securities and cash. Therefore, they do not pose the risk that a significant cybersecurity incident could lead to investors losing access to their securities or cash or having those assets stolen. In addition, Non-Covered Broker-Dealers likely are less connected to other Market Participants through information systems than Covered Broker-Dealers. For these reasons, the additional policies and procedures, reporting, and disclosure requirements would not apply to Non-Covered Broker-Dealers. At the same time, Non-Covered Broker-Dealers are part of the financial sector and exposed to cybersecurity risk. Further, certain Non-Covered Broker-Dealers maintain personal information about their customers that if accessed by threat actors or mistakenly exposed to unauthorized users could result in harm to the customers.

For these reasons, Non-Covered Broker-Dealers—among other things—would be required under proposed Rule 10 to: (1) establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks taking into account their size, business, and operations; (2) review and assess the design and effectiveness of their cybersecurity policies and procedures annually, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review; (3) make a written record that documents the steps taken in performing the annual review and the conclusions of the annual review; and (4) give the Commission and their examining authority immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.155 The Commission’s objective in proposing Rule 10 is to address the cybersecurity risks faced by all Market Entities but apply a more limited set of requirements to Non-Covered Broker-Dealers commensurate with the level of risk they pose to investors, the U.S. securities markets, and the U.S. financial sector more generally.

151 See paragraph (a)(1)(i)(E) of proposed Rule 10. See also 17 CFR 240.15c3–1 (“Rule 15c3–1”). Paragraph (a)(6) of Rule 15c3–1 permits a market maker to avoid taking capital charges for its proprietary positions provided, among other things, its carrying firm takes the capital charges instead. See also, e.g., Rule 103 of the New York Stock Exchange (setting forth requirements for Designated Market Makers and Designated Market Maker Units).
152 See paragraph (a)(1)(i)(F) of proposed Rule 10.
153 For example, as discussed below in section IV.C.2. of this release, the 1,541 broker-dealers that would be Covered Entities had average total assets of $3.5 billion and average regulatory equity of $325 million; whereas the 1,969 that would be Non-Covered Entities had average total assets of $4.7 million and average regulatory equity of $3 million. This means that Non-Covered Broker-Dealers under proposed Rule 10 accounted for about 0.2% of the total assets of all broker-dealers and 0.1% of total capital for all broker-dealers.
154 See section IV.C.2. of this release (discussing the activities of broker-dealers that would not meet the definition of “covered entity” in proposed Rule 10).
155 See section II.C. of this release (discussing the requirements for these broker-dealers in more detail).

c. Market Entities Other Than Broker-Dealers

The MSRB and all clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS Entities,156 and transfer agents would be Covered Entities and, therefore, subject to the additional requirements regarding the minimum elements that must be included in their cybersecurity risk management policies and procedures, reporting, and public disclosure.157 In particular, proposed Rule 10 would define Covered Entity to include: (1) a clearing agency (registered or exempt) under section 3(a)(23)(A) of the Exchange Act;158 (2) an MSBSP that is registered pursuant to section 15F(b) of the Exchange Act;159 (3) the Municipal Securities Rulemaking Board;160 (4) a national securities association under section 15A of the Exchange Act;161 (5) a national securities exchange under section 6 of the Exchange Act;162 (6) a security-based swap data repository under section 3(a)(75) of the Exchange Act;163 (7) a security-based swap dealer that is registered pursuant to section 15F(b) of the Exchange Act;164 and (8) a transfer agent as defined in section 3(a)(25) of the Exchange Act that is registered or required to be registered with an appropriate regulatory agency (“ARA”) as defined in section 3(a)(34)(B) of the Exchange Act.165

SROs play a critical role in setting and enforcing rules for their members or registrants that govern trading, fair access, transparency, operations, and business conduct, among other things. SROs and SBSDRs also play a critical role in ensuring fairness in the securities markets through the transparency they provide about securities transactions and pricing, and the information about securities transactions they can provide to regulators. National securities exchanges play a critical role in ensuring the orderly and efficient operation of the U.S. securities markets through the marketplaces they operate. Clearing agencies are critical to the orderly and efficient operation of the U.S. securities markets through the centralized clearing and settlement services they provide as well as their role as securities depositories, with exempt clearing agencies serving an important role as part of this process.

156 In addition to the requirements proposed in Rule 10 itself, the scope of certain existing regulations applicable to SBS Entities would include proposed Rule 10 if adopted; see, e.g., 17 CFR 240.15Fk–1(b)(2)(i) (which establishes the scope of specified chief compliance officer duties by reference to Section 15F of the Exchange Act (15 U.S.C. 78o–10) and the rules and regulations thereunder); 17 CFR 240.15Fh–3(h)(2)(iii)(I) (which establishes the scope of specified supervisory requirements by reference to Section 15F(j) of the Exchange Act (15 U.S.C. 78o–10(j))).
157 See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10 (defining these Market Entities as “covered entities”).
158 See paragraph (a)(1)(ii) of proposed Rule 10. See also 15 U.S.C. 78c(a)(23)(A) (defining the term “clearing agency”).
159 See paragraph (a)(1)(iii) of proposed Rule 10. See also 15 U.S.C. 78o–10(b). Registered MSBSPs include both MSBSPs that are conditionally registered pursuant to paragraph (d) of Exchange Act Rule 15Fb2–1 (“Rule 15Fb2–1”) (17 CFR 240.15Fb2–1) and MSBSPs that have been granted ongoing registration pursuant to paragraph (e) of Rule 15Fb2–1.
160 See paragraph (a)(1)(iv) of proposed Rule 10.
161 See paragraph (a)(1)(v) of proposed Rule 10. See also 15 U.S.C. 78o–3.
162 See paragraph (a)(1)(vi) of proposed Rule 10. See also 15 U.S.C. 78f.
163 See paragraph (a)(1)(vii) of proposed Rule 10.
164 See paragraph (a)(1)(viii) of proposed Rule 10. See also 15 U.S.C. 78o–10(b). Registered SBSDs include both SBSDs that are conditionally registered pursuant to paragraph (d) of Rule 15Fb2–1 and SBSDs that have been granted ongoing registration pursuant to paragraph (e) of Rule 15Fb2–1.
Market liquidity is critical to the orderly and efficient operation of the U.S. securities markets. In this regard, SBS Entities play a critical role in providing liquidity to the security-based swap market. The disruption or degradation of the functions of an SRO (including functions that support securities marketplaces and the oversight of market participants) could cause harm to investors to the extent it negatively impacted the fair, orderly, and efficient operations of the U.S. securities markets. For example, it could prevent investors from purchasing or selling securities or doing so at fair or reasonable prices. Investors also would face harm if a transfer agent’s functions were disrupted or degraded by a significant cybersecurity incident. Transfer agents provide services such as stockholder recordkeeping, processing of securities transactions and corporate actions, and paying agent activities. Their core recordkeeping systems provide a direct conduit to their issuer clients’ master records that document and, in many instances provide the legal underpinning for, registered securityholders’ ownership of the issuer’s securities. If these functions were disrupted, investors might not be able to transfer ownership of their securities or receive dividends and interest due on their securities positions.

SROs, exempt clearing agencies, and SBSDRs connect to multiple members, registrants, users, or others through networks of information systems.

165 See paragraph (a)(1)(ix) of proposed Rule 10. See also 15 U.S.C. 78q–1(c)(1) (registration requirements for transfer agents); 15 U.S.C. 78c(a)(25) (definition of transfer agent) and (a)(34)(B) (definition of appropriate regulatory agency).
The interconnectedness of these Market Entities with other Market Entities through information systems creates the potential that a significant cybersecurity incident at one Market Entity (e.g., one caused by malware) could spread to other Market Entities in a cascading process that could cause widespread disruptions threatening the fair, orderly, and efficient operation of the U.S. securities markets.166 Additionally, the disruption of a Market Entity that provides critical services to other Market Entities through information system connections could disrupt the activities of these other Market Entities if they cannot obtain the services from another source. SROs, exempt clearing agencies, SBSDRs, SBS Entities, and transfer agents could be prime targets of threat actors because of the central roles they play in the securities markets. For example, threat actors could seek to disrupt their functions for geopolitical purposes. Threat actors also could seek to gain unauthorized access to their information systems to conduct espionage operations on their internal non-public activities. Moreover, because they hold financial assets (e.g., clearing deposits in the case of clearing agencies) and/or store substantial confidential and proprietary information about other Market Entities or financial transactions, they may be choice targets for threat actors seeking to steal the assets or use the financial information to their advantage. SROs, exempt clearing agencies, and SBSDRs store confidential and proprietary information about their members, registrants, and users, including confidential business information, and personal information. A significant cybersecurity incident at any of these types of Market Entities could lead to the improper use of this information to harm the members, registrants, and users or provide the unauthorized user with an unfair advantage over other market participants and, in the case of personal information, to steal identities. 
Moreover, given the volume of information stored by these Market Entities about different persons, the harm caused by a cybersecurity incident could be widespread, negatively impacting many victims.

SBS Entities also store proprietary and confidential information about their counterparties on their information systems, including financial information they use to perform credit analysis. A significant cybersecurity incident at an SBS Entity could lead to the improper use of this information to harm the counterparties or provide the unauthorized user with an unfair advantage over other market participants.

Transfer agents store proprietary information about securities ownership and corporate actions. A significant cybersecurity incident at a transfer agent could lead to the improper use of this information to harm securities holders. Transfer agents also may store personal information including names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents’ recordkeeping and transaction processing on behalf of issuers. Threat actors breaching the transfer agent’s information systems could use this information to steal identities or financial assets of the persons to whom this information pertains. They also could sell it to other threat actors.

166 See, e.g., Implications of Cyber Risk for Financial Stability (“[T]he interconnectedness of the financial system means that an event at one or more firms may spread to others (the domino effect).”).
In light of these considerations, the MSRB and all clearing agencies, national securities associations, national securities exchanges, SBSDRs, SBS Entities, and transfer agents would be Covered Entities under proposed Rule 10 and, therefore, subject to the additional requirements regarding the minimum elements that must be included in their cybersecurity risk management policies and procedures, reporting, and public disclosure.167

2. “Cybersecurity Incident”

Proposed Rule 10 would define the term “cybersecurity incident” to mean an unauthorized occurrence on or conducted through a Market Entity’s information systems that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems.168 The objective is to use a term that is broad enough to encompass within the definition of “cybersecurity incident” the various categories of unauthorized occurrences that can impact an information system (e.g., unauthorized access, use, disclosure, downloading, disruption, modification, or destruction). As discussed earlier, the sources of cybersecurity risk are myriad as are the tactics, techniques, and procedures employed by threat actors.169 The definition of “cybersecurity incident” in proposed Rule 10 is designed to include any unauthorized incident impacting an information system or the information residing on the system.

An information system can experience an unauthorized occurrence without a threat actor itself directly obtaining unauthorized access to the system. For example, a social engineering tactic could cause an employee to upload ransomware unintentionally that encrypts the information residing on the system or a DoS attack could cause the information system to shut down. In either case, the threat actor did not need to access the information system to cause harm.

While the definition is intended to be broad, the occurrence must be one that jeopardizes (i.e., places at risk) the confidentiality, integrity, or availability of the information systems or any information residing on those systems. Confidentiality would be jeopardized if the unauthorized occurrence resulted in or could result in persons accessing an information system or the information residing on the system who are not permitted or entitled to do so or resulted in or could result in the disclosure of the information residing on the information system to the public or to any person not permitted or entitled to view it.170 Integrity would be jeopardized if the unauthorized occurrence resulted in or could result in: (1) an unpermitted or unintended modification or destruction of the information system or the information residing on the system; or (2) otherwise resulted in or could result in a compromise of the authenticity of the information system (including its operations and output) and the information residing on the system.171 Availability would be jeopardized if the unauthorized occurrence resulted in or could result in the Market Entity or other authorized users being unable to access or use the information system or information residing on the system or being unable to access or use the information system or information residing on the system in a timely or reliable manner.172

3. “Significant Cybersecurity Incident”

Proposed Rule 10 would have a two-pronged definition of “significant cybersecurity incident.”173 The first prong of the definition would be a cybersecurity incident, or a group of related cybersecurity incidents, that significantly disrupts or degrades the ability of the Market Entity to maintain critical operations.174 As discussed earlier, significant cybersecurity incidents can negatively impact information systems and the information residing on information systems in two fundamental ways.

167 See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10 (defining these Market Entities as “covered entities”).
168 See paragraph (a)(2) of proposed Rule 10. See generally, NIST Glossary (defining “cybersecurity risk” as “an effect of uncertainty on or within information and technology” and defining “incident” as “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”); FISMA (defining “incident” as an “occurrence” that: (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies). 44 U.S.C. 3552(b)(2).
169 See section I.A.1. of this release (discussing the sources of the cybersecurity risk).
170 See generally NIST Glossary (defining “confidentiality” as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”).
First, they can disrupt or degrade the information system or the information residing on the information system in a manner that prevents the Market Entity from performing functions that rely on the system operating as designed (e.g., an order routing system of a national securities exchange or a margin calculation and collection system of a clearing agency) or that rely on the Market Entity being able to process or access information on the system (e.g., a general ledger of a broker-dealer or SBS Entity that tracks and records securities transactions).175 This type of harm can be caused by, for example, a ransomware attack that encrypts the information stored on the system, a DoS attack that overwhelms the information system, or hackers taking control of the system or shutting it down.

171 See generally NIST Glossary (defining “integrity” as “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity”).
172 See generally NIST Glossary (defining “availability” as “ensuring timely and reliable access to and use of information”).
173 See paragraphs (a)(10)(i) and (ii) of proposed Rule 10.
174 See paragraph (a)(10)(i) of proposed Rule 10.
175 See sections I.A.1. and I.A.2. of this release (discussing the consequences of these types of information system degradations and disruptions). This type of impact would compromise the integrity or availability of the information system. See generally NIST Glossary (defining “integrity” as “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity” and “availability” as “ensuring timely and reliable access to and use of information”).
Generally, critical operations would be activities, processes, and services that if disrupted could prevent the Market Entity from continuing to operate or prevent it from performing a service that supports the fair, orderly, and efficient functioning of the U.S. securities markets.176

The second fundamental way that a significant cybersecurity incident can negatively impact an information system or the information residing on the information system is when unauthorized persons are able to access and use the information stored on the information system (e.g., proprietary business information or personal information).177 Therefore, the second prong of the definition would be a cybersecurity incident, or a group of related cybersecurity incidents, that leads to the unauthorized access or use of the information or information systems of the Market Entity, where the unauthorized access or use of such information or information systems results in or is reasonably likely to result in: (1) substantial harm to the Market Entity; or (2) substantial harm to a customer, counterparty, member, registrant, or user of the Market Entity, or to any other person that interacts with the Market Entity.178 As discussed earlier, this kind of significant cybersecurity incident could lead to the improper use of this information to harm persons to whom it pertains (e.g., public exposure of their confidential financial information or the use of that information to steal their identities) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information).179

176 See, e.g., Basel Committee on Banking Supervision, Principles for Operational Resilience (Mar. 2021) (“The term critical operations is based on the Joint Forum’s 2006 high-level principles for business continuity. It encompasses critical functions as defined by the FSB and is expanded to include activities, processes, services and their relevant supporting assets the disruption of which would be material to the continued operation of the bank or its role in the financial system.”) (footnotes omitted).
177 See sections I.A.1. and I.A.2. of this release (discussing the consequences of this type of compromise of an information system). This type of impact would compromise the confidentiality of the information system. See generally NIST Glossary (defining “confidentiality” as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”).
178 See paragraph (a)(10)(ii) of proposed Rule 10. There could be instances where a significant cybersecurity incident meets both prongs. For example, an unauthorized user that is able to access the Market Entity’s internal computer systems could shut down critical operations of the Market Entity and use information on the systems to steal assets of the Market Entity or assets or identities of the Market Entity’s customers.

4. “Cybersecurity Threat”

Proposed Rule 10 would define the term “cybersecurity threat” to mean any potential occurrence that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a Market Entity’s information systems or any information residing on those systems.180 As discussed earlier, threat actors use a number of different tactics, techniques, and procedures (e.g., malware, social engineering, hacking, DoS attacks) to commit cyber-related crime.181 These threat actors may be nation states, individuals (acting alone or as part of organized syndicates) seeking financial gain, or individuals seeking to cause harm for a variety of reasons. Further, the threat actors may be external or internal actors. Also, as discussed earlier, errors can pose a cybersecurity threat (e.g., accidentally providing access to confidential information to individuals that are not authorized to view or use it). The definition of “cybersecurity threat” in proposed Rule 10 is designed to include the potential actions of threat actors (e.g., seeking to install malware on or hack into an information system or engaging in social engineering tactics) and potential errors (e.g., an employee failing to secure confidential, proprietary, and personal information) that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a Market Entity’s information systems or any information residing on those systems.

5. “Cybersecurity Vulnerability”

Proposed Rule 10 would define the term “cybersecurity vulnerability” to mean a vulnerability in a Market Entity’s information systems, information system security procedures, or internal controls, including, for example, vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.182 Cybersecurity vulnerabilities are weaknesses in the Covered Entity’s information systems that threat actors could exploit, for example, to hack into the system or install malware.183 One example would be an information system that uses outdated software that is no longer updated to address known flaws that could be exploited by threat actors to access the system. Cybersecurity vulnerabilities also are weaknesses in the procedures and controls the Market Entity uses to protect its information systems and the information residing on them such as procedures and controls that do not require outdated software to be replaced or that do not adequately restrict access to the system. Cybersecurity vulnerabilities can also include lack of training opportunities for employees to increase their cybersecurity awareness, such as how to properly secure sensitive data and recognize harmful files. The definition of “cybersecurity vulnerability” in proposed Rule 10 is designed to include weaknesses in the information systems themselves and weaknesses in the measures the Covered Entity takes to protect the systems and the information residing on the systems.

179 See sections I.A.1. and I.A.2. of this release (discussing the consequences of this type of compromise of an information system).
180 See paragraph (a)(4) of proposed Rule 10. See generally NIST Glossary (defining “threat” as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service and also the potential for a threat-source to successfully exploit a particular information system vulnerability).
181 See section I.A.1. of this release (discussing the various tactics, techniques, and procedures used by threat actors).
6. ‘‘Cybersecurity Risk’’

Proposed Rule 10 would define the term ‘‘cybersecurity risk’’ to mean financial, operational, legal, reputational, and other adverse consequences that could stem from cybersecurity incidents, cybersecurity threats, and cybersecurity vulnerabilities.184 As discussed earlier, cybersecurity incidents have the potential to cause harm to Market Entities and others who use their services or are connected to them through information systems and, if severe enough, negatively impact the fair, orderly, and efficient operations of the U.S. securities markets.185 The definition of ‘‘cybersecurity risk’’ in proposed Rule 10 is designed to encompass the types of harm and damage that can befall a Market Entity that experiences a cybersecurity incident.

182 See paragraph (a)(5) of proposed Rule 10. See generally NIST Glossary (defining ‘‘vulnerability’’ as a ‘‘weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source’’).
183 See section I.A.1. of this release (discussing information system vulnerabilities). See generally CISA 2021 Vulnerability Report (‘‘Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities.’’).
184 See paragraph (a)(3) of proposed Rule 10. See also paragraphs (a)(4) and (5) of proposed Rule 10 (defining, respectively, ‘‘cybersecurity threat’’ to mean ‘‘any potential occurrence that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a Market Entity’s information systems or any information residing on those systems’’ and ‘‘cybersecurity vulnerability’’ to mean ‘‘a vulnerability in a Market Entity’s information systems, information system security procedures, or internal controls, including, for example, vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident’’).
185 See sections I.A.1. and I.A.2. of this release (discussing, respectively, the harms that can be caused by significant cybersecurity incidents generally and with respect to each category of Market Entity).

7. ‘‘Information’’

As discussed in more detail below, a Market Entity would be required under proposed Rule 10 to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the Market Entity’s cybersecurity risks.186 Cybersecurity risks, as discussed above, would be financial, operational, legal, reputational, and other adverse consequences that could result from cybersecurity incidents, cybersecurity threats, and cybersecurity vulnerabilities.187 Cybersecurity incidents would be unauthorized occurrences on or conducted through a Market Entity’s information systems that jeopardize the confidentiality, integrity, or availability of the information systems or any information residing on those systems.188 Cybersecurity threats would be any potential occurrences that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a Market Entity’s information systems or any information residing on those systems.189 Finally, a cybersecurity vulnerability would be a vulnerability in a Market Entity’s information systems, information system security procedures, or internal controls, including, for example, vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.190 Consequently, the policies and procedures required under proposed Rule 10 would need to cover all of the Market Entity’s information systems and information residing on those systems in order to address the Market Entity’s cybersecurity risks.

Proposed Rule 10 would define the term ‘‘information’’ to mean any records or data related to the Market Entity’s business residing on the Market Entity’s information systems, including, for example, personal information received, maintained, created, or processed by the Market Entity.191 The definition is designed to cover the full range of information stored by Market Entities on their information systems regardless of the digital format in which the information is stored.192 As discussed earlier, Market Entities create and maintain a wide range of information on their information systems.193 This includes information used to manage and conduct their operations, manage and mitigate their risks, monitor the progress of their business, track their financial condition, prepare financial statements, prepare regulatory filings, and prepare tax returns. They also store personal, confidential, and proprietary business information about their customers, counterparties, members, registrants, or users. This includes information maintained by clearing agencies, the MSRB, the national securities exchanges, and SBSDRs about market activity and about their members, registrants, and users.

186 See paragraphs (b)(1) and (e) of proposed Rule 10 (requiring Covered Entities and Non-Covered Entities, respectively, to have policies and procedures to address their cybersecurity risks); sections II.B.1. and II.C. of this release (discussing the requirements of paragraphs (b)(1) and (e) of proposed Rule 10, respectively, in more detail).
187 See paragraph (a)(3) of proposed Rule 10 (defining ‘‘cybersecurity risk’’).
188 See paragraph (a)(2) of proposed Rule 10 (defining ‘‘cybersecurity incident’’).
189 See paragraph (a)(4) of proposed Rule 10 (defining ‘‘cybersecurity threat’’).
190 See paragraph (a)(5) of proposed Rule 10 (defining ‘‘cybersecurity vulnerability’’).
The information maintained by Market Entities on their information systems is an attractive target for threat actors, particularly confidential, proprietary, and personal information.194 That information also can be critical to performing their various functions, and the inability to access and use it could disrupt or degrade their ability to operate in support of the fair, orderly, and efficient operation of the U.S. securities markets.195 Consequently, protecting the confidentiality, integrity, and availability of information residing on a Market Entity’s information systems is critical to avoiding the harms that can be caused by cybersecurity risk. The definition of ‘‘information’’ in proposed Rule 10 is designed to encompass this information and, therefore, to extend the proposed protections of the rule to it.

191 See paragraph (a)(6) of proposed Rule 10.
192 See generally NIST Glossary (defining ‘‘information’’ as any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual). Id. (defining ‘‘data’’ (among other things) as: (1) pieces of information from which ‘‘understandable information’’ is derived; (2) distinct pieces of digital information that have been formatted in a specific way; and (3) a subset of information in an electronic format that allows it to be retrieved or transmitted). Id. (defining ‘‘records’’ (among other things) as units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items)).
193 See section I.A.2. of this release.
194 See sections I.A.1. and I.A.2. of this release (discussing how threat actors seek unauthorized access to and use of confidential, proprietary, and personal information to, among other reasons, conduct espionage operations, steal identities, use it for business advantage, hold it hostage (in effect) through a ransomware attack, or sell it to other threat actors).
195 Id.

8. ‘‘Information Systems’’

The policies and procedures required under proposed Rule 10 also would need to cover the Market Entity’s information systems in order to address the Market Entity’s cybersecurity risks. Proposed Rule 10 would define the term ‘‘information systems’’ to mean the information resources owned or used by the Market Entity, including, for example, physical or virtual infrastructure controlled by the information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the Market Entity’s information to maintain or support the Market Entity’s operations.196 As discussed earlier, Market Entities use information systems to perform a wide range of functions.197 For example, they use information systems to maintain books and records to manage and conduct their operations, manage and mitigate their risks, monitor the progress of their business, track their financial condition, prepare financial statements, prepare regulatory filings, and prepare tax returns. Market Entities also use information systems so that their employees can communicate with each other and with external persons. These include email, text messaging, and virtual meeting applications. They also use internet websites to communicate information to their customers, counterparties, members, registrants, or users. They use information systems to perform the functions associated with their status and obligations as a broker-dealer, registered or exempt clearing agency, national securities association, national securities exchange, SBSDR, SBS Entity, SRO, or transfer agent.

Information systems are targets that threat actors attack to access and use information maintained by Market Entities related to their business (particularly confidential, proprietary, and personal information).198 In addition, the interconnectedness of Market Entities through information systems creates channels through which malware, viruses, and other destructive cybersecurity threats can spread throughout the financial system. Moreover, the disruption or degradation of a Market Entity’s information systems could negatively impact the entity’s ability to operate in support of the U.S. securities markets.199 Consequently, protecting the confidentiality, integrity, and availability of a Market Entity’s information systems is critical to avoiding the harms that can be caused by cybersecurity risk. The definition of the term ‘‘information systems’’ in proposed Rule 10 is designed to be broad enough to encompass all the electronic information resources owned or used by a Market Entity to carry out its various operations. Accordingly, the definition of ‘‘information systems’’ would require a Market Entity’s policies and procedures to address cybersecurity risks to cover all of its information systems.

196 See paragraph (a)(7) of proposed Rule 10.
197 See section I.A.2. of this release.
198 See sections I.A.1. and I.A.2. of this release.
199 Id.

9. ‘‘Personal Information’’

Proposed Rule 10 would define the term ‘‘personal information’’ to mean any information that can be used, alone or in conjunction with any other information, to identify a person, including, but not limited to, name, date of birth, place of birth, telephone number, street address, mother’s maiden name, Social Security number, government passport number, driver’s license number, electronic mail address, account number, account password, biometric records, or other non-public authentication information.200 The definition of ‘‘personal information’’ was guided by a number of established sources and aims to capture a broad array of information that can reside on a Market Entity’s information systems and that may be used, alone or with other information, to identify an individual. The definition is designed to encompass information that, if compromised, could cause harm to the individuals to whom the information pertains (e.g., identity theft or theft of assets). Personal information is an attractive target for threat actors because they can use it to steal a person’s identity and then use the stolen identity to appropriate the person’s assets through unauthorized transactions, to make unlawful purchases on credit, or to effect other unlawful transactions in the name of the person.201 They also can sell personal information they obtain through unauthorized access to an information system to criminals who will seek to use the information for these purposes. Moreover, the victims of identity theft can be the more vulnerable members of society (e.g., individuals on fixed incomes, including retirees). Consequently, proposed Rule 10 would have a provision that specifically addresses protecting personal information.202

200 See paragraph (a)(9) of proposed Rule 10. See generally NIST Glossary (defining ‘‘personal information’’ as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, and defining ‘‘personally identifying information’’ (among other things) as information that can be used to distinguish or trace an individual’s identity, such as name, social security number, or biometric data records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.)); 17 CFR 248.201(b)(8) (defining ‘‘identifying information’’ as any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any: (1) name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) unique electronic identification number, address, or routing code; or (4) telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e))).
201 See sections I.A.1. and I.A.2. of this release.
202 See paragraph (b)(1)(iii)(A)(2) of proposed Rule 10. See also proposed Form SCIR, which would elicit information about whether personal information was compromised in a significant cybersecurity incident.

10. Request for Comment

The Commission requests comment on all aspects of the proposed definitions. In addition, the Commission is requesting comment on the following specific aspects of the proposals:

1. In designing the definitions of proposed Rule 10, the Commission considered a number of sources cited in the sections above, including, in particular, the NIST Glossary and certain Federal statutes and regulations. Are these appropriate sources to consider? If so, explain why. If not, explain why not. Are there other sources the Commission should use? If so, identify them and explain why they should be considered and how they could inform potential modifications to the definitions.

2. In determining which categories of Market Entities would be Covered Entities subject to the additional requirements of proposed Rule 10, the Commission considered: (1) how the category of Market Entity supports the fair, orderly, and efficient operation of the U.S. securities markets and the consequences if that category of Market Entity’s critical functions were disrupted or degraded by a significant cybersecurity incident; (2) the harm that could befall investors, including retail investors, if that category of Market Entity’s functions were disrupted or degraded by a significant cybersecurity incident; (3) the extent to which the category of Market Entity poses cybersecurity risk to other Market Entities through information system connections, including the number of connections; (4) the extent to which the category of Market Entity would be an attractive target for threat actors; and (5) the personal, confidential, and proprietary business information about the category of Market Entity and other persons (e.g., investors) stored on the Market Entity’s information systems and the harm that could be caused if that information was accessed or used by threat actors through a cybersecurity breach. Are these appropriate factors to consider? If so, explain why. If not, explain why not. Are there other factors the Commission should take into account?
If so, identify them and explain why they should be considered.

3. Should proposed Rule 10 be modified to include other categories of broker-dealers as Covered Entities? If so, identify the category of broker-dealers and explain how to define broker-dealers within that category and why it would be appropriate to apply the additional policies and procedures, reporting, and disclosure requirements of the proposed rule to that category of broker-dealers. For example, should the $50 million regulatory capital threshold be lowered (e.g., to $25 million or some other amount) or should the $1 billion total assets threshold be lowered (e.g., to $500 million or some other amount) to include more broker-dealers as Covered Entities? If so, identify the threshold and explain why it would be appropriate to apply the additional requirements to broker-dealers that fall within that threshold.

4. Should proposed Rule 10 be modified to include as a Covered Entity any broker-dealer that is an SCI entity for the purposes of Regulation SCI? Currently, under Regulation SCI, an ATS that trades certain stocks exceeding specific volume thresholds is an SCI entity.203 As discussed above, a broker-dealer that operates an ATS would be a Covered Entity under proposed Rule 10 and, therefore, subject to the additional policies and procedures, reporting, and disclosure requirements of the proposed rule. However, the Commission is proposing to amend Regulation SCI to broaden the definition of ‘‘SCI entity’’ to include, among other Commission registrants, a broker-dealer that exceeds an asset-based size threshold or a volume-based trading threshold in NMS stocks, exchange-listed options, agency securities, or U.S. treasury securities.204 A broker-dealer that exceeds the asset-based size threshold under the proposed amendments to Regulation SCI (which would be several hundred billion dollars) would be subject to the requirements of proposed Rule 10 applicable to Covered Entities, as it would exceed the $1 billion total assets threshold in the broker-dealer definition of ‘‘covered entity.’’205 Further, a broker-dealer that exceeds one or more of the volume-based trading thresholds under the proposed amendments to Regulation SCI likely would meet one of the broker-dealer definitions of ‘‘covered entity’’ in proposed Rule 10 given its size and activities. For example, it may be a carrying broker-dealer, have regulatory capital equal to or exceeding $50 million, have total assets equal to or exceeding $1 billion, or operate as a market maker.206 Nonetheless, should the definition of ‘‘covered entity’’ in proposed Rule 10 be modified to include any broker-dealer that is an SCI entity under Regulation SCI? If so, explain why. If not, explain why not.

203 See 17 CFR 242.1000 (defining the term ‘‘SCI alternative trading system’’ and including that defined term in the definition of ‘‘SCI entity’’).
204 See Regulation SCI 2023 Proposing Release.
205 See paragraph (a)(1)(i)(D) of proposed Rule 10. See also section II.F.1.c. of this release (discussing why this type of broker-dealer would be a Covered Entity).
206 See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed Rule 10 (defining these categories of broker-dealers as ‘‘covered entities’’). See also section II.F.1.c. of this release (discussing why this type of broker-dealer likely would be a Covered Entity).

5. Should proposed Rule 10 be modified to narrow the categories of broker-dealers that would be Covered Entities? If so, explain how the category should be narrowed and why it would be appropriate not to apply the additional requirements to broker-dealers that would no longer be included as Covered Entities. For example, are there certain types of carrying broker-dealers, introducing broker-dealers, market makers, or ATSs that should not be included as Covered Entities? If so, identify the type of broker-dealer and explain why it would be appropriate not to impose the additional policies and procedures, reporting, and disclosure requirements of the proposed rule on that type of broker-dealer. Similarly, should the proposed $50 million regulatory capital threshold be increased (e.g., to $100 million or some other amount) or should the $1 billion total assets threshold be increased (e.g., to $5 billion or some other amount) to exclude more broker-dealers from the definition of ‘‘covered entity’’? If so, identify the threshold and explain why it would be appropriate not to apply the additional requirements to the broker-dealers that would not be Covered Entities under the narrower definition.

6. Should proposed Rule 10 be modified to divide other categories of Market Entities into Covered Entities and Non-Covered Entities? If so, identify the category of Market Entity and explain how to define Covered Entity and Non-Covered Entity within that category and explain why it would be appropriate not to impose the additional policies and procedures, reporting, and disclosure requirements on the Market Entities that would be Non-Covered Entities. For example, are there types of clearing agencies (registered or exempt), MSBSPs, national securities exchanges, SBSDRs, SBSDs, or transfer agents that pose a level of cybersecurity risk to the U.S. securities markets and the participants in those markets that is no greater than the cybersecurity risk posed by the categories of broker-dealers that would be Non-Covered Entities?
If so, explain why it would be appropriate not to apply the additional requirements of proposed Rule 10 to these types of Market Entities.

7. Should proposed Rule 10 be modified so that it applies to other participants in the U.S. securities markets that are registered with the Commission? If so, identify the registrant type and explain why it should be subject to the requirements of proposed Rule 10. For example, should competing consolidators or plan processors be subject to the requirements of proposed Rule 10?207 If so, explain why. If not, explain why not. If competing consolidators or plan processors should be subject to proposed Rule 10, should they be treated as Covered Entities or Non-Covered Entities? If Covered Entities, explain why. If Non-Covered Entities, explain why. Should certain competing consolidators or plan processors be treated as Covered Entities and others be treated as Non-Covered Entities? If so, explain how to define Covered Entity and Non-Covered Entity within that category and explain why it would be appropriate not to apply the additional policies and procedures, reporting, and disclosure requirements of the proposed rule to the competing consolidators or plan processors in that category that would not be Covered Entities.

207 See 17 CFR 242.600(16) and (67) (defining the terms ‘‘competing consolidator’’ and ‘‘plan processor,’’ respectively). See also 17 CFR 242.1000 (defining ‘‘SCI competing consolidator’’ and defining ‘‘SCI entity’’ to include SCI competing consolidator).

8. Should proposed Rule 10 be modified to revise the broker-dealer definitions of ‘‘covered entity’’?
For example, in order to include carrying broker-dealers as Covered Entities, paragraph (a)(1)(i)(A) of proposed Rule 10 would define the term ‘‘covered entity’’ to include a broker-dealer that maintains custody of cash and securities for customers or other broker-dealers and is not exempt from the requirements of Rule 15c3–3. In addition, in order to include introducing broker-dealers as Covered Entities, paragraph (a)(1)(i)(B) of proposed Rule 10 would define the term ‘‘covered entity’’ to include a broker-dealer that introduces customer accounts on a fully disclosed basis to another broker-dealer that is a carrying broker-dealer under paragraph (a)(1)(i)(A) of the proposed rule. Would these broker-dealer definitions of ‘‘covered entity’’ work as designed? If not, explain why and suggest modifications to improve their design.

9. In order to include market makers as Covered Entities, paragraph (a)(1)(i)(E) of proposed Rule 10 would define the term ‘‘covered entity’’ to include a broker-dealer that is a market maker under the Exchange Act or the rules thereunder (which includes a broker-dealer that operates pursuant to paragraph (a)(6) of Rule 15c3–1) or is a market maker under the rules of an SRO of which the broker-dealer is a member. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. For example, should the definition be based on a list of the functions and activities of a market maker as distinct from the functions and activities of other categories of broker-dealers? If so, identify the relevant functions and activities and explain how they could be incorporated into a definition.

10. Should paragraph (a)(2) of proposed Rule 10 be modified to revise the definition of ‘‘cybersecurity incident’’?
For example, as discussed above, the definition is designed to include any unauthorized occurrence that impacts an information system or the information residing on the system. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition. Is the definition of ‘‘cybersecurity incident’’ overly broad in that it refers to an incident that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems? If so, explain why and suggest modifications to appropriately narrow its scope without undermining the objective of the rule to address cybersecurity risks facing Market Entities. Is the definition of ‘‘cybersecurity incident’’ too narrow? If so, how should it be broadened?

11. Should paragraph (a)(3) of proposed Rule 10 be modified to revise the definition of ‘‘cybersecurity risk’’? For example, the NIST definition of ‘‘cybersecurity risk’’ focuses on how this risk can cause harm: it can adversely impact organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation. The definition of ‘‘cybersecurity risk’’ in proposed Rule 10 was guided by this aspect of cybersecurity risk. Does the definition appropriately incorporate this aspect of cybersecurity risk? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition.

12. Should paragraph (a)(4) of proposed Rule 10 be modified to revise the definition of ‘‘cybersecurity threat’’?
For example, as discussed above, the definition is designed to include the potential actions of threat actors and errors that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a Market Entity’s information systems or any information residing on those systems. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is the definition of ‘‘cybersecurity threat’’ overly broad in that it includes any ‘‘potential occurrence’’? If so, explain why and suggest modifications to appropriately narrow its scope without undermining the objective of the rule to address cybersecurity risks facing Market Entities. Is the definition of ‘‘cybersecurity threat’’ too narrow? If so, how should it be broadened?

13. Should paragraph (a)(5) of proposed Rule 10 be modified to revise the definition of ‘‘cybersecurity vulnerability’’? For example, as discussed above, the definition is designed to include weaknesses in the information systems themselves and weaknesses in the measures the Covered Entity takes to protect the systems and the information residing on the systems. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition. Is the definition of ‘‘cybersecurity vulnerability’’ overly broad? If so, explain why and suggest modifications to appropriately narrow its scope without undermining the objective of the rule to address cybersecurity risks facing Market Entities. Is the definition of ‘‘cybersecurity vulnerability’’ too narrow? If so, how should it be broadened?

14. Should paragraph (a)(6) of proposed Rule 10 be modified to revise the definition of ‘‘information’’?
For example, as discussed above, the definition is designed to be broad enough to encompass the wide range of information that resides on the information systems of Market Entities. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition. For example, should the definition focus on information that, if compromised, could cause harm to the Market Entity or others and exclude information that, if compromised, would not cause harm? If so, explain why and suggest rule text to implement this modification.

15. Should paragraph (a)(7) of proposed Rule 10 be modified to revise the definition of ‘‘information systems’’? For example, as discussed above, the definition is designed to be broad enough to encompass all the electronic information resources owned or used by a Market Entity to carry out its various operations. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition. Is the definition of ‘‘information systems’’ overly broad in that it includes any information resource ‘‘used by’’ the Market Entity, which may include information resources developed and maintained by a third party (other than a service provider that receives, maintains, or processes information, or is otherwise permitted to access the Market Entity’s information systems and any of the Market Entity’s information residing on those systems)? If so, explain why and suggest modifications to improve its design. Is this design objective appropriate?
If not, explain why and suggest an alternative design objective for the definition. Is the definition of ‘‘information systems’’ overly narrow? If so, how should it be broadened?

16. Should paragraph (a)(9) of proposed Rule 10 be modified to revise the definition of ‘‘personal information’’? For example, as discussed above, the definition is designed to encompass information that, if compromised, could cause harm to the individuals to whom the information pertains (e.g., identity theft or theft of assets). Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the definition.

17. Should paragraph (a)(10) of proposed Rule 10 be modified to revise the definition of ‘‘significant cybersecurity incident’’? For example, as discussed above, the definition would have two prongs: the first relating to incidents that significantly disrupt or degrade the ability of the Market Entity to maintain critical operations and the second relating to the unauthorized access or use of the information or information systems of the Market Entity. Are these the fundamental ways that significant cybersecurity incidents can negatively impact information systems and the information residing on information systems? If not, explain why and identify other fundamental ways that information and information systems can be negatively impacted by significant cybersecurity incidents that should be incorporated into the definition of ‘‘significant cybersecurity incident.’’ Should the term ‘‘significant’’ be defined separately? If so, explain why and suggest potential definitions for this term. Instead of ‘‘significant,’’ should the definition use the word ‘‘material’’? If so, explain why and how that would change the meaning of the definition.

18. Should paragraph (a)(10)(i) of proposed Rule 10 be modified to revise the first prong of the definition of ‘‘significant cybersecurity incident’’? For example, as explained above, the first prong is designed to address how a ‘‘significant cybersecurity incident’’ can disrupt or degrade the information system or the information residing on the system in a manner that prevents the Market Entity from performing functions that rely on the system operating as designed or that rely on the Market Entity being able to process or access information on the system. Would the first prong of the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the first prong of the definition. For example, should the first prong of the definition be limited to cybersecurity incidents that ‘‘disrupt’’ the ability of the Market Entity to maintain critical operations (i.e., not include incidents that ‘‘degrade’’ that ability)? If so, explain why and also explain how to distinguish between an incident that degrades the ability of the Market Entity to maintain critical operations and an incident that disrupts that ability. Also, explain why reporting to the Commission and other regulators (as applicable) and publicly disclosing incidents that degrade the ability of the Market Entity to maintain critical operations would not be necessary because they would no longer be significant cybersecurity incidents.208

19. Should paragraph (a)(10)(ii) of proposed Rule 10 be modified to revise the second prong of the definition of ‘‘significant cybersecurity incident’’?
For example, as explained above, the second prong is designed to address how a ‘‘significant cybersecurity incident’’ can cause harm if unauthorized persons are able to access and use the information system or the information residing on the system. Would the definition work as designed? If not, explain why and suggest modifications to improve its design. Is this design objective appropriate? If not, explain why and suggest an alternative design objective for the second prong of the definition. For example, should the second prong of the definition be limited to cybersecurity incidents that ‘‘result’’ in substantial harm to the Market Entity or substantial harm to a customer, counterparty, member, registrant, or user of the Market entity, or to any other person that interacts with the Market Entity (i.e., not include incidents that are ‘‘reasonably likely’’ to result in these consequences)? If so, explain why and also explain why reporting to the Commission and other regulators (as applicable) and publicly disclosing incidents that are reasonably likely to result in these consequences would not be necessary because they would no longer be significant 208 See paragraphs (c) and (d) of proposed Rule 10 (requiring, respectively, immediate notification and subsequent reporting of significant cybersecurity incidents and public disclosure of significant cybersecurity incidents). PO 00000 Frm 00028 Fmt 4701 Sfmt 4702 cybersecurity incidents.209 Alternatively, should the second prong of the definition be limited to an incident of unauthorized access or use that leads to ‘‘substantial harm’’ to a customer, counterparty, member, registrant or user of the Covered Entity, or should ‘‘inconvenience’’ to a customer, counterparty, member, registrant or user be enough? If yes, explain why. 
Should the second prong of the definition be modified so that it is limited to cybersecurity incidents that result in or are reasonably likely to result in substantial harm to more than one customer, counterparty, member, registrant, or user of the Market Entity, or to any other market participant that interacts with the Market Entity? If so, explain why. 20. Should proposed Rule 10 be modified to define additional terms for the purposes of the rule and Parts I and II of proposed Form SCIR? If so, identify the term, suggest a definition, and explain why including the definition would be appropriate. For example, would including additional defined terms improve the clarity of the requirements of proposed Rule 10 and Parts I and II of proposed Form SCIR? If so, explain why. Should proposed Rule 10 be modified to define the terms ‘‘confidentiality,’’ ‘‘integrity’’, and ‘‘availability’’? If so, explain why and suggest definitions. B. Proposed Requirements for Covered Entities 1. Cybersecurity Risk Management Policies and Procedures Risk management is the ongoing process of identifying, assessing, and responding to risk.210 To manage risk generally, Market Entities should understand the likelihood that an event will occur and the potential resulting impacts.211 Cybersecurity risk—like other business risks (e.g., market, credit, or liquidity risk)—can be addressed through policies and procedures that are reasonably designed to manage the risk.212 Accordingly, proposed Rule 10 would require Covered Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the Covered Entity’s 209 See paragraphs (c) and (d) of proposed Rule 10 (requiring, respectively, immediate notification and subsequent reporting of significant cybersecurity incidents and public disclosure of significant cybersecurity incidents). 210 See generally NIST Framework. 211 Id. 
212 See generally CISA Cyber Essentials Starter Kit (stating that organizations should ‘‘approach cyber as business risk’’). E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 cybersecurity risks.213 Further, proposed Rule 10 would set forth minimum elements that would need to be included in the policies and procedures.214 In particular, the policies and procedures would need to address: (1) risk assessment; (2) user security and access; (3) information protection; (4) cybersecurity threat and vulnerability management; and (5) cybersecurity incident response and recovery. As discussed in more detail below, the inclusion of these elements is designed to enumerate the core areas that Covered Entities would need to address when designing, implementing, and assessing their policies and procedures. Proposed Rule 10 also would require Covered Entities to review annually and assess their policies and procedures and prepare a written report describing the review and other related matters. Taken together, these requirements are designed to position Covered Entities to be better prepared to protect themselves against cybersecurity risks, to mitigate cybersecurity threats and vulnerabilities, and to recover from cybersecurity incidents. They are also designed to help ensure that Covered Entities focus their efforts and resources on the cybersecurity risks associated with their operations and business practices. The policies and procedures that would be required by proposed Rule 10—because they would need to address the Covered Entity’s cybersecurity risks—generally should be tailored to the nature and scope of the Covered Entity’s business and address the Covered Entity’s specific cybersecurity risks. Thus, proposed Rule 10 is not intended to impose a one-size-fits-all approach to addressing cybersecurity risks. 
In addition, cybersecurity threats are constantly evolving and measures to address those threats continue to evolve. Therefore, proposed Rule 10 is designed to provide Covered Entities with the flexibility to update and modify their policies and procedures as needed so that they continue to be reasonably designed to address the Covered Entity’s cybersecurity risks over time.

213 See paragraph (b)(1) of proposed Rule 10.

214 See paragraphs (b)(1)(i) through (v) of proposed Rule 10. Covered Entities may wish to consult a number of resources in connection with these elements. See generally NIST Framework; CISA Cyber Essentials Starter Kit.

a. Risk Assessment

Proposed Rule 10 would specify that the Covered Entity’s cybersecurity risk management policies and procedures must include policies and procedures that require periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems.215 Further, with respect to the periodic assessments, the policies and procedures would need to include two components.

First, the policies and procedures would need to provide that the Covered Entity will categorize and prioritize cybersecurity risks based on an inventory of the components of the Covered Entity’s information systems and information residing on those systems and the potential effect of a cybersecurity incident on the Covered Entity.216 As discussed earlier, proposed Rule 10 would define the term ‘‘cybersecurity risk’’ to mean financial, operational, legal, reputational, and other adverse consequences that could result from cybersecurity incidents, cybersecurity threats, and cybersecurity vulnerabilities.217 For example, Covered Entities may be subject to different cybersecurity risks as a result of, among other things: (1) the functions they perform and the extent to which they use information systems to perform those functions; (2) the criticality of the functions they perform that rely on information systems; (3) the interconnectedness of their information systems with third-party information systems; (4) the software that operates on their information systems, including whether it is proprietary or vendor-supplied software; (5) the nature and volume of the information they store on information systems (e.g., personal, confidential, and/or proprietary information); (6) the complexity and scale of their information systems (i.e., the size of their IT footprint); (7) the location of their information systems; (8) the number of users authorized to access their information systems; (9) the types of devices permitted to access their information systems (e.g., company-owned or personal desktop computers, laptop computers, or smart phones); (10) the extent to which they conduct international operations and allow access to their information systems from international locations; and (11) the extent to which employees access their information systems from remote locations, including international locations. In categorizing and prioritizing cybersecurity risks, the Covered Entity generally should consider consulting with, among others, personnel familiar with the Covered Entity’s operations, its business partners, and third-party cybersecurity experts.218 In addition, a Covered Entity could consider an escalation protocol in its risk assessment plan to ensure that its senior officers, including appropriate legal and compliance personnel, receive necessary information regarding cybersecurity risks on a timely basis.219 Only after assessing, categorizing, and prioritizing its cybersecurity risks can a Covered Entity establish, maintain, and enforce reasonably designed cybersecurity policies and procedures under proposed Rule 10 to address those risks.

A Covered Entity also would need to reassess and re-prioritize its cybersecurity risks periodically. The Covered Entity would need to determine the frequency of these assessments and the types of developments in cybersecurity risk that would trigger an assessment based on its particular circumstances. Consequently, the Covered Entity generally should consider whether to reassess its cybersecurity risks to reflect internal changes as they arise, such as changes to its business, online presence, or customer website access, or external changes, such as changes in the evolving technology and cybersecurity threat landscape.220 The Covered Entity generally should also consider raising any material changes in its risk assessment plan to senior officers, as appropriate. In assessing ongoing and emerging cybersecurity threats, a Covered Entity could monitor and consider updates and guidance from private sector and governmental resources, such as the FS–ISAC and CISA.221

215 See paragraph (b)(1)(i)(A) of proposed Rule 10. See generally NIST Framework (providing that the first core element of the framework is ‘‘identify’’—meaning develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities); IOSCO Cybersecurity Report (‘‘A key component of the risk management program is the identification of critical assets, information and systems, including order routing systems, risk management systems, execution systems, data dissemination systems, and surveillance systems. Practices supporting the identification function include the establishment and maintenance of an inventory of all hardware and software. This risk management program should also typically include third-party and technology providers’ security assessments. Finally, accessing information about the evolving threat landscape is important in identifying the changing nature of cyber risk.’’).

216 See paragraph (b)(1)(i)(A)(1) of proposed Rule 10. See generally CISA Cyber Essentials Starter Kit (‘‘Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the ‘‘it can’t happen here’’ pattern of thinking. Instead, focus cyber risk discussions on ‘‘what-if’’ scenarios and develop an incident response plan to prepare for various cyber events and scenarios.’’).

217 See paragraph (a)(3) of proposed Rule 10; see also paragraphs (a)(2), (a)(4), and (a)(5) of proposed Rule 10 (defining, respectively, the terms ‘‘cybersecurity incident,’’ ‘‘cybersecurity threat,’’ and ‘‘cybersecurity vulnerability,’’ which are used in the definition of ‘‘cybersecurity risk’’).

218 See generally CISA Cyber Essentials Starter Kit (‘‘[H]ave conversations with your staff, business partners, vendors, managed service providers, and others within your supply chain. . . . Maintain situational awareness of cybersecurity threats and explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, government agencies, law enforcement, associations, vendors, etc.’’).

219 See generally id. (stating that organizational leaders drive cybersecurity strategy, investment, and culture, and that leaders should, among other things: (1) use risk assessments to identify and prioritize allocation of resources and cyber investments; (2) perform a review of all current cybersecurity and risk policies and identify gaps or weaknesses; and (3) develop a policy roadmap, prioritize policy creation and updates based on the risk to the organization as determined by business leaders and technical staff).

220 See generally id. (‘‘Maintain awareness of current events related to cybersecurity. Be proactive; alert staff to hazards that the organization may encounter. Maintain vigilance by asking yourself: what types of cyber attack[s] are hitting my peers or others in my industry? What tactics were successful in helping my peers limit damage? What does my staff need to know to help protect the organization and each other? On a national level, are there any urgent cyber threats my staff need to know about?’’).

221 The FS–ISAC is a global private industry cyber intelligence sharing community solely focused on financial services. Additional information about FS–ISAC is available at https://www.fsisac.com. Often, private industry groups maintain relationships and information sharing agreements with government cybersecurity organizations, such as CISA. Private sector companies, such as information technology and cybersecurity consulting companies, may have insights on cybersecurity (given the access their contractual status gives them to customer networks) that the government initially does not. See, e.g., Verizon DBIR; Microsoft Report. For example, private-sector cybersecurity firms may often be in the position to spot new malicious cybersecurity trends before they become more widespread and common.

Second, the policies and procedures would need to require the Covered Entity to identify its service providers that receive, maintain, or process information, or are otherwise permitted to access its information systems and the information residing on those systems, and assess the cybersecurity risks associated with its use of these service providers.222 Covered Entities are exposed to cybersecurity risks through the technology of their service providers.223 Having identified the relevant service providers, the Covered Entity would need to assess how they expose it to cybersecurity risks. In identifying these cybersecurity risks, the service provider’s cybersecurity practices would be relevant, including: (1) how the service provider protects itself against cybersecurity risk; and (2) its ability to respond to and recover from cybersecurity incidents. A Covered Entity generally should take into account whether a cybersecurity incident at a service provider could lead to process failures or the unauthorized access to or use of information or information systems. For example, a Covered Entity may use a cloud service provider to maintain required books and records. If all of the Covered Entity’s books and records were concentrated at this cloud service provider and a cybersecurity incident disrupts or degrades the cloud service provider’s information systems, there could potentially be detrimental data loss affecting the ability of the Covered Entity to provide services and comply with regulatory obligations. Accordingly, as part of identifying the cybersecurity risks associated with using a cloud service provider, a Covered Entity should consider how the service provider will secure and maintain data and whether the service provider has response and recovery procedures in place such that any compromised or lost data in the event of a cybersecurity incident can be recovered and restored.

Finally, the Covered Entity’s risk assessment policies and procedures would need to require written documentation of these risk assessments.224 This documentation would be relevant to the reviews performed by the Covered Entity to analyze whether the policies and procedures need to be updated, to inform the Covered Entity of risks specific to it, and to support responses to cybersecurity risks by identifying cybersecurity threats to information systems that, if compromised, could result in significant cybersecurity incidents.225 It also could be used by Commission and SRO staff and possibly internal auditors of the Covered Entity to examine for adherence to the risk assessment policies and procedures.

222 See paragraph (b)(1)(i)(A)(2) of proposed Rule 10; paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms ‘‘information’’ and ‘‘information systems’’). Oversight of third-party service provider or vendor risk is a component of many cybersecurity frameworks. See, e.g., NIST Framework (discussing supply chain risks associated with products and services an organization uses).

223 See GAO Cyber Security Report (‘‘Increased connectivity with third-party providers and the potential for increased cyber risk is a concern in the financial industry as core systems and critical data are moved offsite to third parties.’’). For purposes of proposed Rule 10, the Covered Entity’s assessment of service providers should not be limited to only certain service providers, such as those that provide core functions or services for the Covered Entity. Rather, the cybersecurity risk of any service provider that receives, maintains, or processes information, or is otherwise permitted to access the information systems of the Covered Entity and the information residing on those systems should be evaluated. Furthermore, it is possible that a service provider for a Covered Entity may itself be a Covered Entity under proposed Rule 10. For example, a carrying broker-dealer may be a service provider for a number of introducing broker-dealers.

224 See paragraph (b)(1)(i)(B) of proposed Rule 10.

b. User Security and Access

Proposed Rule 10 would specify that the Covered Entity’s cybersecurity risk management policies and procedures must include controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems and the information residing on those systems.226 Further, the rule would require that these policies and procedures include controls addressing five specific aspects relating to user security and access.
First, there would need to be controls requiring standards of behavior for individuals authorized to access the Covered Entity’s information systems and the information residing on those systems, such as an acceptable use policy.227 Second, there would need to be controls for identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification.228 Third, there would need to be controls for establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication.229 Fourth, there would need to be controls for restricting access to specific information systems of the Covered Entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the Covered Entity.230 Fifth, there would need to be controls for securing remote access technologies.231 The objective of these policies, procedures, and controls would be to protect the Covered Entity’s information systems from unauthorized access and improper use. There are a variety of controls that a Covered Entity, based on its particular circumstances, could include in these policies and procedures to make them reasonably designed to achieve this objective.

225 See paragraph (b)(2) of proposed Rule 10 (which would require a Covered Entity to review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review). See also section II.B.1.f. of this release (discussing the review proposal in more detail).

226 See paragraph (b)(1)(ii) of proposed Rule 10; paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms ‘‘information’’ and ‘‘information systems’’). See generally NIST Framework (providing that the second core element of the framework is ‘‘protect’’—meaning develop and implement appropriate safeguards to ensure delivery of critical services); CISA Cyber Essentials Starter Kit (stating with respect to user security and access that (among other things): (1) the authority and access granted employees, managers, and customers into an organization’s digital environment needs limits; (2) setting approved access privileges requires knowing who operates on an organization’s systems and with what level of authorization and accountability; and (3) organizations should ensure only those who belong on their ‘‘digital workplace have access’’); IOSCO Cybersecurity Report (stating that network access controls are one of the types of controls trading venues use as the protection function).

227 See paragraph (b)(1)(ii)(A) of proposed Rule 10.

228 See paragraph (b)(1)(ii)(B) of proposed Rule 10.
For example, access to information systems could be controlled through the issuance of user credentials, digital rights management with respect to proprietary hardware and copyrighted software, authentication and authorization methods (e.g., multi-factor authentication and geolocation), and tiered access to personal, confidential, and proprietary information and data and network resources.232 Covered Entities may wish to consider multifactor authentication methods that are not based solely on SMS-delivery (e.g., text message delivery) of authentication codes, because SMS-delivery methods may provide less security than other non-SMS based multi-factor authentication methods. Furthermore, Covered Entities could require employees to attend cybersecurity training on how to secure sensitive data and recognize harmful files prior to obtaining access to certain information systems. The training generally could address best practices in creating new passwords, filtering through suspicious emails, or browsing the internet.233

Further, a Covered Entity could use controls to monitor user access regularly in order to remove users that are no longer authorized. These controls generally should address the Covered Entity’s employees (e.g., removing access for employees that leave the firm) and external users of the Covered Entity’s information systems (e.g., customers that no longer use the firm’s services or external service providers that no longer are under contract with the firm to provide it with any services). In addition, controls to monitor for unauthorized login attempts and account lockouts, and the handling of customer requests, including for user name and password changes, could be a part of reasonably designed policies and procedures. Similarly, controls to assess the need to authenticate or investigate any unusual customer, member, or user requests (e.g., wire transfer or withdrawal requests) could be a part of reasonably designed policies and procedures.

A Covered Entity also generally should take into account the types of technology through which its users access the Covered Entity’s information systems. For example, mobile devices (whether firm-issued or personal devices) that allow employees to access information systems and personal, confidential, or proprietary information residing on these systems may create additional and unique vulnerabilities, including when such devices are used internationally. Consequently, controls limiting mobile or other devices approved for remote access to those issued by the firm or enrolled through a mobile device manager could be part of reasonably designed policies and procedures. In addition, a Covered Entity could consider controls with respect to its network perimeter such as securing remote network access used by teleworking and traveling employees. This could include controls to identify threats on a network’s endpoints. For example, Covered Entities could consider using software that monitors and inspects all files on an endpoint, such as a mobile phone or remote laptop, and identifies and blocks incoming unauthorized communications.

Covered Entities generally would need to consider potential user-related and access risks relating to the remote access technologies used at their remote work and telework locations to include controls designed to secure such technologies. For example, a Covered Entity’s personnel working remotely from home or a co-working space may create unique cybersecurity risks—such as unsecured or less secure Wi-Fi—that threat actors could exploit to access the Covered Entity’s information systems and the information residing on those systems. Accordingly, a Covered Entity could consider whether its user security and access policies, procedures, and controls should have controls requiring approval of mobile or other devices for remote access, and whether training on device policies would be appropriate. The training for remote workers in particular could focus on phishing, social engineering, compromised passwords, and the consequences of weak network security.

229 See paragraph (b)(1)(ii)(C) of proposed Rule 10.

230 See paragraph (b)(1)(ii)(D) of proposed Rule 10.

231 See paragraph (b)(1)(ii)(E) of proposed Rule 10; paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms ‘‘information’’ and ‘‘information systems’’).

232 See generally CISA Cyber Essentials Starter Kit (stating that organizations should (among other things): (1) learn who is on their networks and maintain inventories of network connections (e.g., user accounts, vendors, and business partners); (2) leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users; (3) grant access and administrative permissions based on need-to-know basis; (4) leverage unique passwords for all user accounts; and (5) develop IT policies and procedures addressing changes in user status (e.g., transfers and terminations)).

233 See generally CISA Cyber Essentials Starter Kit (stating that organizations should (among other things) leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology, and activities associated with implementing cybersecurity best practices).
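The user security and access controls discussed in this section, as an added illustration that is not part of the proposed rule or this release: a constructed access review that applies those controls (two or more authentication factors with a non-SMS second factor, timely revocation when a relationship ends, access limited to what the role needs, managed devices for remote access, removal of dormant users) to a sample account inventory, and counts failed logins per user and source address from sample authentication log lines so that lockout candidates can be reviewed. The account fields, role entitlement matrix, log format, thresholds and all sample values are assumptions.

```python
"""Constructed access review for the user security and access controls described
above (proposed Rule 10 paragraph (b)(1)(ii)). Example code only; the account
fields, role entitlements, log format, thresholds and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
import re

# Hypothetical role-to-system entitlement matrix used for the least-privilege check.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "trader": {"oms", "market-data"},
    "ops": {"oms", "books-records"},
    "vendor-support": {"ticketing"},
    "customer": {"client-portal"},
}

@dataclass
class Account:
    user: str
    kind: str                      # "employee", "contractor" or "customer"
    role: str
    systems: Set[str]              # information systems the account can reach
    second_factor: Optional[str]   # None, "sms", "totp", "fido2", ...
    remote_access: bool
    device_managed: bool           # firm-issued or enrolled in a mobile device manager
    end_date: Optional[date]       # termination, contract end or account closure
    last_login: Optional[date]

def review_account(acct: Account, today: date, stale_days: int = 90) -> List[str]:
    """Apply the controls to one account and return the findings (empty when clean)."""
    findings = []
    # Timely revocation of credentials once the relationship has ended.
    if acct.end_date is not None and acct.end_date <= today:
        findings.append("REVOKE: access remains after the employment/contract/customer relationship ended")
    # Two or more credentials, and a second factor that is not SMS-delivered.
    if acct.second_factor is None:
        findings.append("MFA: single credential only; require two or more factors")
    elif acct.second_factor == "sms":
        findings.append("MFA: SMS-only second factor; prefer a non-SMS method")
    # Access limited to what the role needs.
    extra = acct.systems - ROLE_ENTITLEMENTS.get(acct.role, set())
    if extra:
        findings.append(f"LEAST-PRIVILEGE: access beyond role '{acct.role}': {sorted(extra)}")
    # Remote access only from firm-issued or MDM-enrolled devices.
    if acct.remote_access and not acct.device_managed:
        findings.append("REMOTE: remote access from a device that is neither firm-issued nor MDM-enrolled")
    # Dormant accounts are candidates for removal.
    if acct.last_login is not None and (today - acct.last_login).days > stale_days:
        findings.append(f"STALE: no login in {stale_days} days; confirm the account is still needed")
    return findings

def review_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Accounts with at least one finding, keyed by user name."""
    result = {a.user: review_account(a, today) for a in accounts}
    return {u: f for u, f in result.items() if f}

# Constructed authentication log format: timestamp, user, source address, result.
AUTH_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def failed_login_report(lines: List[str], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Count failed logins per (user, source); return pairs at or above the lockout threshold."""
    fails: Counter = Counter()
    for line in lines:
        m = AUTH_LINE.match(line)
        if m and m["result"] == "FAIL":
            fails[(m["user"], m["src"])] += 1
    return {key: n for key, n in fails.items() if n >= threshold}

# Constructed sample inventory and log; every value is made up for the example.
TODAY = date(2023, 4, 5)
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", "trader", {"oms", "market-data"}, "fido2", True, True, None, date(2023, 4, 4)),
    Account("bob", "employee", "ops", {"oms", "books-records", "market-data"}, "sms", True, False, None, date(2023, 4, 3)),
    Account("carol", "contractor", "vendor-support", {"ticketing"}, "totp", True, True, date(2023, 3, 31), date(2023, 3, 30)),
    Account("dave", "customer", "customer", {"client-portal"}, None, False, False, None, date(2022, 12, 1)),
]
SAMPLE_AUTH_LOG = [
    "2023-04-05T09:00:01Z user=alice src=10.1.2.3 result=OK",
    "2023-04-05T09:00:05Z user=dave src=203.0.113.7 result=FAIL",
    "2023-04-05T09:00:09Z user=dave src=203.0.113.7 result=FAIL",
    "2023-04-05T09:00:13Z user=dave src=203.0.113.7 result=FAIL",
    "2023-04-05T09:00:17Z user=dave src=203.0.113.7 result=FAIL",
    "2023-04-05T09:00:21Z user=dave src=203.0.113.7 result=FAIL",
    "2023-04-05T09:01:00Z user=bob src=10.1.2.9 result=FAIL",
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, findings)
    print(failed_login_report(SAMPLE_AUTH_LOG))   # {('dave', '203.0.113.7'): 5}
```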
c. Information Protection

Information protection is a key aspect of managing cybersecurity risk.234 Therefore, proposed Rule 10 would specify that the Covered Entity’s cybersecurity risk management policies and procedures would need to address information protection in two ways.235

234 See generally NIST Framework (‘‘The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.’’); IOSCO Cybersecurity Report (‘‘There are numerous controls and protection measures that regulated entities may wish to consider in enhancing their cyber security. Such measures can be organizational (like the establishment of security operations centers) or technical (like anti-virus and intrusion prevention systems). Risk assessments help determine the minimum level of controls to be implemented within a project, an application or a database. In addition, employee training and awareness initiatives are critical parts of any cyber security program, including induction programs for newcomers, general training, as well as more specific training (for instance, social engineering awareness). Proficiency tests could be conducted to demonstrate staff understanding and third party training could also be organized. Other initiatives which contribute to raising employees’ awareness of cyber security threats include monthly security bulletins emailed to all employees, regular communications regarding new issues and discovered vulnerabilities, use of posters and screen savers, and regular reminders sent to employees. Mock tests can also be conducted to assess employees’ preparedness. Employees are also often encouraged to report possible attacks.’’).

235 See paragraph (b)(1)(iii) of proposed Rule 10.

First, the policies and procedures would need to include measures designed to protect the Covered Entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the Covered Entity’s information systems and the information that resides on the systems.236 The periodic assessment would need to take into account: (1) the sensitivity level and importance of the information to the Covered Entity’s business operations; (2) whether any of the information is personal information;237 (3) where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) the information systems’ access controls and malware protection;238 and (5) the potential effect a cybersecurity incident involving the information could have on the Covered Entity and its customers, counterparties, members, registrants, or users, including the potential to cause a significant cybersecurity incident.239 By performing these assessments, a Covered Entity should be able to determine the measures it would need to implement to prevent the unauthorized access or use of information residing on its information systems. Measures that could be used for this purpose include encryption, network segmentation, and access controls to ensure that only authorized users have access to personal, confidential, and proprietary information and data or critical systems. Measures to identify suspicious behavior also could be used for this purpose.
These measures could include consistent monitoring of systems and personnel, such as the generation and review of activity logs, identification of potential anomalous activity, and escalation of issues to senior officers, as appropriate.

236 See paragraph (b)(1)(iii)(A) of proposed Rule 10; paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms ‘‘information’’ and ‘‘information systems’’). See generally CISA Cyber Essentials Starter Kit (‘‘Learn what information resides on your network. Inventory critical or sensitive information. An inventory of information assets provides an understanding of what you are protecting, where that information resides, and who has access. The inventory can be tracked in a spreadsheet, updated quickly and frequently’’).

237 See paragraph (a)(9) of proposed Rule 10 (defining the term ‘‘personal information’’).

238 See generally CISA Cyber Essentials Starter Kit (‘‘Leverage malware protection capabilities. Malware is designed to spread quickly. A lack of defense against it can completely corrupt, destroy or render your data inaccessible.’’).

239 See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed Rule 10. See generally CISA Cyber Essentials Starter Kit (‘‘Learn how your data is protected. Data should be handled based on its importance to maintaining critical operations in order to understand what your business needs to operate at a basic level. For example, proprietary research, financial information, or development data need protection from exposure in order to maintain operations. Understand the means by which your data is currently protected; focus on where the protection might be insufficient. Guidance from the Cyber Essentials Toolkits, including authentication, encryption, and data protection help identify methods and resources for how to best secure your business information and devices.’’).
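The monitoring measures just described (review of activity logs, identification of potential anomalous activity, escalation to senior officers), as an added illustration that is not part of this release: a constructed activity-log review that baselines each user's daily record access from prior days, flags a volume spike, access from a country not previously seen for that user, and exports outside business hours, and assigns an escalation level that is raised to senior officers when a dataset holding personal information is involved. The log format, the dataset classification, the thresholds and the sample lines are all assumptions.

```python
"""Constructed activity-log review for the monitoring measures described above
(review of activity logs, identification of anomalous activity, escalation to
senior officers). Example code only; the log format, dataset classification,
thresholds and sample lines are assumptions."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median
from typing import Dict, List, Tuple
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>view|export) dataset=(?P<dataset>\S+) "
    r"records=(?P<records>\d+) country=(?P<country>[A-Z]{2})$"
)

# Hypothetical classification of datasets that hold personal information
# (proposed Rule 10 paragraph (a)(9)), as an information inventory would record it.
PERSONAL_INFO_DATASETS = {"customer-accounts", "kyc-records"}

SECURITY_TEAM, SENIOR_OFFICERS = 1, 2   # escalation levels

def parse(lines: List[str]) -> List[dict]:
    """Parse well-formed lines; malformed lines are skipped here for brevity."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "action": m["action"], "dataset": m["dataset"],
                "records": int(m["records"]), "country": m["country"],
            })
    return events

def review(lines: List[str], review_day: date, spike_factor: int = 5,
           min_records: int = 500) -> Dict[str, List[Tuple[int, str]]]:
    """Findings for review_day keyed by user; each finding is (escalation level, text)."""
    day_totals = defaultdict(lambda: defaultdict(int))  # user -> day -> records before review_day
    countries = defaultdict(set)                        # user -> countries seen before review_day
    today = defaultdict(list)                           # user -> events on review_day
    for e in parse(lines):
        d = e["ts"].date()
        if d < review_day:
            day_totals[e["user"]][d] += e["records"]
            countries[e["user"]].add(e["country"])
        elif d == review_day:
            today[e["user"]].append(e)
    findings = defaultdict(list)
    for user, evs in today.items():
        baseline = median(day_totals[user].values()) if day_totals[user] else 0
        total = sum(e["records"] for e in evs)
        touches_pi = any(e["dataset"] in PERSONAL_INFO_DATASETS for e in evs)
        level = SENIOR_OFFICERS if touches_pi else SECURITY_TEAM
        # Volume far above the user's own history (and above an absolute floor).
        if total >= min_records and total > spike_factor * max(baseline, 1):
            findings[user].append((level, f"volume spike: {total} records vs. baseline {baseline:g}"))
        # Access from a country this user has never been seen in before.
        new_countries = {e["country"] for e in evs} - countries[user]
        if new_countries and countries[user]:
            findings[user].append((SECURITY_TEAM, f"access from new country: {sorted(new_countries)}"))
        # Exports outside business hours (06:00 to 22:00 UTC assumed).
        if any(e["action"] == "export" and not 6 <= e["ts"].hour < 22 for e in evs):
            findings[user].append((level, "export outside business hours"))
    return dict(findings)

def escalation_level(findings: Dict[str, List[Tuple[int, str]]]) -> int:
    """Highest escalation level across all findings; 0 when there is nothing to escalate."""
    return max((lvl for fs in findings.values() for lvl, _ in fs), default=0)

# Constructed sample log: two days of history followed by the day under review.
SAMPLE_LOG = [
    "2023-04-03T14:02:11Z user=erin action=view dataset=customer-accounts records=40 country=US",
    "2023-04-04T15:10:43Z user=erin action=view dataset=customer-accounts records=45 country=US",
    "2023-04-03T10:00:00Z user=frank action=view dataset=market-data records=300 country=US",
    "2023-04-04T10:00:00Z user=frank action=view dataset=market-data records=320 country=US",
    "2023-04-05T23:15:09Z user=erin action=export dataset=customer-accounts records=3000 country=GB",
    "2023-04-05T10:05:00Z user=frank action=view dataset=market-data records=310 country=US",
]
REVIEW_DAY = date(2023, 4, 5)

if __name__ == "__main__":
    found = review(SAMPLE_LOG, REVIEW_DAY)
    print(found, "-> escalate to level", escalation_level(found))
```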
Further data loss prevention measures could include processes to identify personal, confidential, or proprietary information and data (e.g., account numbers, Social Security numbers, trade information, and source code) and block its transmission to external parties. Additional measures could include testing of systems, including penetration tests. A Covered Entity also could consider measures to track the actions taken in response to findings from testing and monitoring, material changes to business operations or technology, or any other significant events. Appropriate measures for preventing the unauthorized use of information may differ depending on the circumstances of a Covered Entity, such as the systems used by the Covered Entity, the Covered Entity’s relationship with service providers, or the level of access granted by the Covered Entity to employees or contractors. Appropriate measures generally should evolve with changes in technology and the increased sophistication of cybersecurity attacks.

Second, the policies and procedures for protecting information would need to require oversight of service providers that receive, maintain, or process the Covered Entity’s information, or are otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems, pursuant to a written contract between the Covered Entity and the service provider.240 Further, pursuant to that written contract, the service provider would be required to implement and maintain appropriate measures, including the practices described in paragraphs (b)(1)(i) through (v) of proposed Rule 10, that are designed to protect the Covered Entity’s information systems and information residing on those systems. These policies and procedures could include measures to perform due diligence on a service provider’s cybersecurity risk management prior to using the service provider and periodically thereafter during the relationship with the service provider.
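The data loss prevention measure described above (identify account numbers, Social Security numbers and source code, and block their transmission to external parties), as an added Python example that is not from the release: an outbound-message check that reports what it found with all but the last four digits masked and blocks delivery to recipients outside the entity’s own mail domains. The SSN structural rules follow the Social Security Administration’s published format; the account-number pattern, the source-code markers and the internal domain list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed patterns for the example; a real deployment would tune these to
# the entity's own identifier formats.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:=]?\s*(\d{8,10})\b", re.IGNORECASE
)
CODE_MARKERS = ("def ", "import ", "#include", "public class", "function(")
# Assumed set of the entity's own mail domains (constructed).
INTERNAL_DOMAINS = frozenset({"example-broker.test"})


@dataclass
class Finding:
    kind: str      # "ssn", "account_number", or "source_code"
    masked: str    # value with all but the last four digits hidden


def is_valid_ssn(area, group, serial):
    """Apply the structural rules for issued SSNs (area not 000, 666 or 900-999;
    group not 00; serial not 0000) so that placeholder numbers such as
    000-12-3456 do not produce false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask(value):
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text):
    """Return the sensitive items found in an outbound message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0))))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account_number", mask(m.group(1))))
    if any(marker in text for marker in CODE_MARKERS):
        findings.append(Finding("source_code", "(code markers present)"))
    return findings


def outbound_decision(text, recipient):
    """Decide whether a message may leave the entity. Transmission to an
    external recipient is blocked when any sensitive item is present; internal
    recipients are allowed, but the findings are still returned for logging."""
    findings = scan_message(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if findings and domain not in INTERNAL_DOMAINS:
        return "block", findings
    return "allow", findings


if __name__ == "__main__":
    decision, found = outbound_decision(
        "Please update SSN 123-45-6789 for acct #12345678", "someone@external.test"
    )
    print(decision, [(f.kind, f.masked) for f in found])
```

The check returns its findings even when it allows the message, so that internal transmissions of sensitive data can still be logged and reviewed; masking the matched values means the detection log itself does not become a second copy of the data it is meant to protect.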
Covered Entities also could consider including periodic contract review processes that allow them to assess whether, and help to ensure that, their agreements with service providers contain provisions that require service providers to implement and maintain appropriate measures designed to protect the Covered Entity’s information systems and information residing on those systems.

240 See paragraph (b)(1)(iii)(B) of proposed Rule 10; paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms “information” and “information systems”).

d. Cybersecurity Threat and Vulnerability Management

Rule 10 would specify that the Covered Entity’s cybersecurity risk management policies and procedures must include measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems and information residing on those systems.241 Because Covered Entities depend on information systems to process, store, and transmit personal, confidential, and proprietary information and data and to conduct critical business functions, it is essential that they manage cybersecurity threats and vulnerabilities effectively.242 Moreover, detecting, mitigating, and remediating threats and vulnerabilities is essential to preventing significant cybersecurity incidents. Measures to detect cybersecurity threats and vulnerabilities could include ongoing monitoring (e.g., comprehensive examinations and risk management processes), including, for example, conducting network, system, and application vulnerability assessments. This could include scans or reviews of internal systems, externally facing systems, new systems, and systems used by service providers.
Further, measures could include monitoring industry and government sources for new threat and vulnerability information that may assist in detecting cybersecurity threats and vulnerabilities.243

Measures to mitigate and remediate an identified threat or vulnerability are more effective if they minimize the window of opportunity for attackers to exploit vulnerable hardware and software. These measures could include, for example, implementing a patch management program to ensure timely patching of hardware and software vulnerabilities and maintaining a process to track and address reports of vulnerabilities.244 Covered Entities also generally should consider the vulnerabilities associated with “end of life systems” (i.e., systems in which software is no longer supported by the particular vendor and for which security patches are no longer issued). These measures also could establish accountability for handling vulnerability reports by, for example, establishing processes for their intake, assignment, escalation, remediation, and remediation testing. For example, a Covered Entity could use a vulnerability tracking system that includes severity ratings, and metrics for measuring the time it takes to identify, analyze, and remediate vulnerabilities.

Covered Entities also could consider role-specific cybersecurity threat and vulnerability response training.245 For example, training could include secure system administration courses for IT professionals, vulnerability awareness and prevention training for web application developers, and social engineering awareness training for employees and executives.

241 See paragraph (b)(1)(iv) of proposed Rule 10; paragraphs (a)(4) through (7) of proposed Rule 10 (defining, respectively, the terms “cybersecurity threat,” “cybersecurity vulnerability,” “information,” and “information systems”). See generally NIST Framework (providing that the third core element of the framework is “detect”—meaning develop and implement appropriate activities to identify the occurrence of a cybersecurity event); CISA Cyber Essentials Starter Kit (stating regarding detection that organizations should (among other things): (1) learn what is happening on their networks; (2) manage network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities; and (3) actively maintain information as it will provide a baseline for security testing, continuous monitoring, and making security-based decisions); IOSCO Cybersecurity Report (“External and internal monitoring of traffic and logs generally should be used to detect abnormal patterns of access (e.g., abnormal user activity, odd connection durations, and unexpected connection sources) and other anomalies. Such detection is crucial as attackers can use the period of presence in the target’s systems to expand their footprint and their access gaining elevated privileges and control over critical systems. Many regulated entities have dedicated cyber threat teams and engage in file servers integrity and database activity monitoring to prevent unauthorized modification of critical servers within their organization’s enterprise network. Different alarm categories and severity may be defined.”).

242 See section I.A.2. of this release (discussing how Covered Entities use information systems).
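The vulnerability tracking system with severity ratings and time-to-identify/analyze/remediate metrics described above, as an added Python example that is not from the release. It computes per-severity remediation metrics over closed records and lists open records that have exceeded a severity-based target, treating end-of-life components as always needing attention because no vendor patch will arrive. The record layout, the SLA targets, the reporting date and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class VulnRecord:
    vuln_id: str
    severity: str                       # "critical", "high", "medium", or "low"
    identified: datetime
    analyzed: Optional[datetime] = None
    remediated: Optional[datetime] = None
    end_of_life: bool = False           # affected component no longer receives vendor patches


# Assumed remediation targets in days per severity (constructed for the example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Constructed reporting date used by the sample run.
AS_OF = datetime(2023, 4, 5)


def _days(start, end):
    return (end - start).total_seconds() / 86400


def remediation_metrics(records):
    """Per-severity count, median and maximum identify-to-remediate time, and
    median identify-to-analyze time (all in days) over closed records."""
    closed = {}
    for r in records:
        if r.remediated is None:
            continue
        closed.setdefault(r.severity, []).append(r)
    metrics = {}
    for sev, recs in closed.items():
        ttr = [_days(r.identified, r.remediated) for r in recs]
        tta = [_days(r.identified, r.analyzed) for r in recs if r.analyzed is not None]
        metrics[sev] = {
            "count": len(recs),
            "median_days_to_remediate": median(ttr),
            "max_days_to_remediate": max(ttr),
            "median_days_to_analyze": median(tta) if tta else None,
        }
    return metrics


def overdue(records, now):
    """Open records that have exceeded their severity target, plus open records
    on end-of-life components, which cannot be patched and need a compensating
    control or replacement regardless of age. Sorted by severity, then age."""
    result = []
    for r in records:
        if r.remediated is not None:
            continue
        age = (now - r.identified).days
        if age > SLA_DAYS[r.severity] or r.end_of_life:
            result.append({"vuln_id": r.vuln_id, "severity": r.severity,
                           "age_days": age, "end_of_life": r.end_of_life})
    order = list(SLA_DAYS)
    return sorted(result, key=lambda x: (order.index(x["severity"]), -x["age_days"]))


def sample_records():
    """Constructed tracker contents for the example, not real findings."""
    d = datetime
    return [
        VulnRecord("V-1", "critical", d(2023, 3, 1), d(2023, 3, 2), d(2023, 3, 5)),
        VulnRecord("V-2", "critical", d(2023, 3, 10), d(2023, 3, 12), d(2023, 3, 20)),
        VulnRecord("V-3", "high", d(2023, 2, 1), d(2023, 2, 3)),
        VulnRecord("V-4", "medium", d(2023, 3, 20), end_of_life=True),
        VulnRecord("V-5", "low", d(2023, 3, 25)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    for sev, m in remediation_metrics(recs).items():
        print(sev, m)
    for item in overdue(recs, AS_OF):
        print("OVERDUE", item)
```

Keeping the analyze timestamp separate from the remediate timestamp is what makes the intake-to-assignment stage measurable on its own; without it the tracker can only tell the organization that a finding sat open for 60 days, not whether it sat unassigned or was being worked.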
Covered Entities that do not proactively address threats and discovered vulnerabilities face an increased likelihood of having their information systems—including the Covered Entity’s information residing on those systems—accessed or disrupted by threat actors or otherwise compromised. The requirement for Covered Entities to include cybersecurity threats and vulnerabilities measures in their cybersecurity policies and procedures is designed to address this risk and help ensure threats and vulnerabilities are adequately and proactively addressed by Covered Entities.

243 See generally CISA, National Cyber Awareness System—Alerts, available at https://uscert.cisa.gov/ncas/alerts (providing information about current security issues, vulnerabilities, and exploits).

244 See generally CISA Cyber Essentials Starter Kit (stating that organizations should: (1) enable automatic updates whenever possible; (2) replace unsupported operating systems, applications and hardware; and (3) test and deploy patches quickly).

245 See generally CISA Cyber Essentials Starter Kit (“Leverage basic cybersecurity training. Your staff needs a basic understanding of the threats they encounter online in order to effectively protect your organization. Regular training helps employees understand their role in cybersecurity, regardless of technical expertise, and the actions they take help keep your organization and customers secure. Training should focus on threats employees encounter, like phishing emails, suspicious events to watch for, and simple best practices individual employees can adopt to reduce risk. Each aware employee strengthens your network against attack, and is another ‘sensor’ to identify an attack.”).

e. Cybersecurity Incident Response and Recovery

Proposed Rule 10 would specify that the Covered Entity’s cybersecurity risk management policies and procedures must include measures designed to detect, respond to, and recover from a cybersecurity incident.246 Further, the rule would require that these measures include policies and procedures that are reasonably designed to ensure: (1) the continued operations of the Covered Entity; (2) the protection of the Covered Entity’s information systems and the information residing on those systems;247 (3) external and internal cybersecurity incident information sharing and communications; and (4) the reporting of significant cybersecurity incidents pursuant to the requirements of paragraph (c) of proposed Rule 10 discussed below.248

Cybersecurity incidents can lead to significant business disruptions, including losing the ability to send internal or external communications, transmit information, or connect to internal or external systems necessary to carry out the Covered Entity’s critical functions and provide services to customers, counterparties, members, registrants, or users.249 They also can lead to the inability to access accounts holding cash or other financial assets of the Covered Entity or its customers, counterparties, members, registrants, or users.250 Therefore, the proposed incident response and recovery policies and procedures are designed to place the Covered Entity in a position to respond to a cybersecurity incident, which should help to reduce business disruptions and other harms the incident may cause the Covered Entity or its customers, counterparties, members, registrants, or users. A cybersecurity program with a clear incident response plan designed to ensure continued operational capability, and the protection of, and access to, personal, confidential, or proprietary information and data, even if a Covered Entity loses access to its systems, would assist in mitigating the effects of a cybersecurity incident.251 A Covered Entity, therefore, may wish to consider maintaining physical copies of its incident response plan—and other cybersecurity policies and procedures—to help ensure they can be accessed and implemented during a cybersecurity incident. Covered Entities generally should focus on operational capability in creating reasonably designed policies and procedures to ensure their continued operations in the event of a cybersecurity incident (e.g., the ability to withstand a DoS attack). The objective is to place Covered Entities in a position to be able to continue providing services to other Market Entities and other participants in the U.S. securities markets (including investors) and, thereby, continue to support the fair, orderly, and efficient operation of the U.S. securities markets.

246 See paragraph (b)(1)(v) of proposed Rule 10; paragraph (c)(2) of proposed Rule 10 (defining the term “cybersecurity incident”). See generally NIST Framework (providing that the fourth core element of the framework is “respond”—meaning develop and implement appropriate activities to take action regarding a detected cybersecurity incident; and providing that the fifth core element of the framework is “recover”—meaning develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident).

247 See paragraphs (a)(6) and (7) of proposed Rule 10 (defining, respectively, the terms “information” and “information systems”).

248 See section II.B.2. of this release (discussing the requirements to report significant cybersecurity incidents); paragraph (a)(10) of proposed Rule 10 (defining the term “significant cybersecurity incident”). See generally CISA Cyber Essentials Starter Kit (stating regarding response and recovery that the objective is to limit damage and accelerate restoration of normal operations and, to this end, organizations (among other things) can: (1) leverage business impact assessments to prioritize resources and identify which systems must be recovered first; (2) “learn who to call for help (e.g., outside partners, vendors, government/industry responders, technical advisors and law enforcement);” (3) develop an internal reporting structure to detect, communicate and contain attacks; and (4) develop in-house containment measures to limit the impact of cyber incidents when they occur); IOSCO Cybersecurity Report (“Regulated entities generally should consider developing response plans for those types of incidents to which the organization is most likely to be subject. Elements associated with response plans may include: preparing communication/notification plans to inform relevant stakeholders; conducting forensic analysis to understand the anatomy of a breach or an attack; maintaining a database recording cyber attacks; and conducting cyber drills, firm specific simulation exercises as well as industry-wide scenario exercises.”).

249 See sections I.A.1. and I.A.2. of this release (discussing these consequences).

250 Id.

251 See generally CISA Cyber Essentials Starter Kit (“Plan, prepare, and conduct drills for cyber-attacks and incidents as you would a fire or robbery. Make your reaction to cyber incidents or system outages an extension of your other business contingency plans. This involves having incident response plans and procedures, trained staff, assigned roles and responsibilities, and incident communications plans.”).
For example, this requirement is designed to place Covered Entities in a position to be able to continue to perform market and member surveillance and oversight in the case of SROs, clearance and settlement in the case of clearing agencies, and brokerage or dealing activities in the case of broker-dealers and SBSDs. The ability of Covered Entities to recover from a cybersecurity incident in a timeframe that minimizes disruptions to their business or regulatory activities is critically important to the fair, orderly, and efficient operations of the U.S. securities markets and, therefore, to the U.S. economy, investors, and capital formation. A Covered Entity generally should consider implementing safeguards, such as backing up data, which can help facilitate a prompt recovery that allows the Covered Entity to resume operations following a cybersecurity incident.252 A Covered Entity also generally should consider whether to designate personnel to perform specific roles in the case of a cybersecurity incident. This could entail identifying and/or hiring personnel or third parties who have the requisite cybersecurity and recovery expertise (or are able to coordinate effectively with outside experts) as well as identifying personnel who should be kept informed throughout the response and recovery process. In addition, a Covered Entity could consider an escalation protocol in its incident response plan to ensure that its senior officers, including appropriate legal and compliance personnel, receive necessary information regarding cybersecurity incidents on a timely basis.253

Moreover, as discussed in further detail below, under proposed Rule 10, a Covered Entity would need to give the Commission immediate written electronic notice of a significant cybersecurity incident after having a reasonable basis to conclude that the incident has occurred or is occurring.254 Further, the Covered Entity would need to report information about the significant cybersecurity incident promptly, but no later than 48 hours, after having a reasonable basis to conclude that the incident has occurred or is occurring by filing Part I of proposed Form SCIR with the Commission.255 Thereafter, the Covered Entity would need to file an amended Part I of proposed Form SCIR with the Commission under certain circumstances.256 Accordingly, proposed Rule 10 would require the Covered Entity to include in its incident response and recovery policies and procedures measures designed to ensure compliance with these notification and reporting requirements.257 The Covered Entity also may wish to implement a process to determine promptly whether and how to contact local and Federal law enforcement authorities, such as the FBI, about an incident.258

A Covered Entity also could consider including periodic testing requirements in its incident response and recovery policies and procedures.259 These tests could assess the efficacy of the policies and procedures to determine whether any changes are necessary, for example, through tabletop or full-scale exercises. Relatedly, proposed Rule 10 would require that the incident response and recovery policies and procedures include written documentation of a cybersecurity incident, including the Covered Entity’s response to and recovery from the incident.260 This record could be used by the Covered Entity to assess the efficacy of, and adherence to, its incident response and recovery policies and procedures. It further could be used as a “lessons-learned” document to help the Covered Entity respond more effectively the next time it experiences a cybersecurity incident. The Commission staff and SRO staff also would use the records to review compliance with this aspect of proposed Rule 10.

252 See generally CISA Cyber Essentials Starter Kit (“Leverage protections for backups, including physical security, encryption and offline copies. Ensure the backed-up data is stored securely offsite or in the cloud and allows for at least seven days of incremental rollback. Backups should be stored in a secure location, especially if you are prone to natural disasters. Periodically test your ability to recover data from backups. Online and cloud storage backup services can help protect against data loss and provide encryption as an added level of security. Identify key files you need access to if online backups are unavailable to access your files when you do not have an internet connection.”).

253 See generally CISA Cyber Essentials Starter Kit (stating that: (1) organizations should develop an internal reporting structure to detect, communicate, and contain attacks and that effective communication plans focus on issues unique to security breaches; (2) a standard reporting procedure will reduce confusion and conflicting information between leadership, the workforce, and stakeholders; and (3) communication should be continuous, since most data breaches occur over a long period of time and not instantly and that it should come from top leadership to show commitment to action and knowledge of the situation).

254 See paragraph (c)(1) of proposed Rule 10. See also section II.B.2. of this release (discussing this proposed notification requirement in more detail).

255 See paragraph (c)(2) of proposed Rule 10. See also section II.B.2. of this release (discussing this proposed reporting requirement in more detail).

256 The circumstances under which an amended Part I of proposed Form SCIR would need to be filed are discussed below in section II.B.2. of this release.

257 See paragraph (b)(1)(v)(A)(4) of proposed Rule 10.

258 For example, the FBI has instructed individuals and organizations to contact their nearest FBI field office to report cybersecurity incidents or to report them online at https://www.ic3.gov/Home/FileComplaint. See FBI, What We Investigate, Cyber Crime, available at https://www.fbi.gov/investigate/cyber. See also CISA Cyber Essentials Starter Kit (“As part of your incident response, disaster recovery, and business continuity planning efforts, identify and document partners you will call on to help. Consider building these relationships in advance and understand what is required to obtain support. CISA and the Federal Bureau of Investigation (FBI) provide dedicated hubs for helping respond to cyber and critical infrastructure attacks. Both have resources and guidelines on when, how, and to whom an incident is to be reported in order to receive assistance. You should also file a report with local law enforcement, so they have an official record of the incident.”).

259 See generally CISA Cyber Essentials Starter Kit (“Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often. Incident response plans and disaster recovery plans are crucial to information security, but they are separate plans. Incident response mainly focuses on information asset protection, while disaster recovery plans focus on business continuity. Once you develop a plan, test the plan using realistic simulations (known as “war-gaming”), where roles and responsibilities are assigned to the people who manage cyber incident responses. This ensures that your plan is effective and that you have the appropriate people involved in the plan. Disaster recovery plans minimize recovery time by efficiently recovering critical systems.”).

260 See paragraph (b)(1)(v)(B) of proposed Rule 10.

f. Annual Review and Required Written Reports

In addition to requiring a Covered Entity to establish, maintain, and enforce written policies and procedures to address cybersecurity risk, proposed Rule 10 would require the Covered Entity, at least annually, to: (1) review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review; and (2) prepare a written report that describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report.261 The annual review requirement is designed to require the Covered Entity to evaluate whether its cybersecurity policies and procedures continue to work as designed. In making this assessment, Covered Entities generally should consider whether changes are needed to ensure their continued effectiveness, including oversight of any delegated responsibilities. As discussed earlier, the sophistication of the tactics, techniques, and procedures employed by threat actors is increasing.262 The review requirement is designed to impose a discipline on Covered Entities to be vigilant in assessing whether their cybersecurity risk management policies and procedures continue to be reasonably designed to address this risk. The review would need to be conducted no less frequently than annually.

As discussed above, one of the required elements that would need to be included in the policies and procedures is the requirement to perform periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems.263 Based on the findings of those risk assessments, a Covered Entity could consider whether to perform a review prior to the one-year anniversary of the last review. In addition, the occurrence of a cybersecurity incident or significant cybersecurity incident impacting the Covered Entity or other entities could cause the Covered Entity to consider performing a review before the next annual review is required.

The Covered Entity would need to document the review in a written report.264 The required written report generally should be prepared or overseen by the persons who administer the Covered Entity’s cybersecurity program. This report requirement is designed to assist the Covered Entity in evaluating the efficacy of the organization’s cybersecurity risk management policies and procedures. Additionally, the requirement to review and assess the design and effectiveness of the cybersecurity policies and procedures includes whether they reflect changes in cybersecurity risk over the time period covered by the review. Therefore, the Covered Entity generally would need to take into account the periodic assessments of cybersecurity risks performed pursuant to the requirements of paragraphs (b)(1)(i)(A) and (b)(1)(iii)(A) of proposed Rule.

261 See paragraph (b)(2) of proposed Rule 10.
This could provide Covered Entities with valuable insights into potential enhancements to the policies and procedures to keep them up-to-date (i.e., reasonably designed to address emerging cybersecurity threats). For 262 See section I.A.1. of this release (discussing, for example, how cybersecurity threats are evolving); see also Bank of England CBEST Report (stating that ‘‘[t]he threat actor community, once dominated by amateur hackers, has expanded to include a broad range of professional threat actors, all of whom are strongly motivated, organised and funded’’). 263 See paragraph (b)(1)(i) of proposed Rule 10. See also section II.B.1.a. of this release (discussing the assessment proposal in more detail). 264 See paragraph (b)(2)(ii) of proposed Rule 10. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 example, incorporating the cybersecurity risk assessments into the required written report could provide senior officers who review the report with information on the specific risks identified in the assessments. This could lead them to ask questions and seek relevant information regarding the effectiveness of the Covered Entity’s cybersecurity risk management policies and procedures and its implementation in light of those risks. This could include questions as to whether the Covered Entity has adequate resources with respect to cybersecurity matters, including access to cybersecurity expertise. g. Request for Comment The Commission requests comment on all aspects of the requirements that Covered Entities establish, maintain, and enforce written policies and procedures to address their cybersecurity risks, the elements that would need to be included in the cybersecurity risk management policies and procedures, and the required (at least) annual review of the cybersecurity risk management policies and procedure under paragraph (b) of proposed Rule 10. In addition, the Commission is requesting comment on the following specific aspects of the proposals: 21. 
In designing the cybersecurity risk management policies and procedures requirements of proposed Rule 10, the Commission considered a number of sources cited in the sections above, including, in particular, the NIST Framework and the CISA Cyber Essentials Starter Kit. Are there other sources the Commission should use? If so, identify them and explain why they should be considered and how they could inform potential modifications to the cybersecurity risk management policies and procedures requirements. 22. Should the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be modified? For example, are there other elements that should be included in cybersecurity risk management policies and procedures? If so, identify them and explain why they should be included. Should any of the minimum required elements be eliminated? If so, identify them and explain why it would be appropriate to eliminate them from the rule. 23. Should the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be modified to provide more flexibility in how a Covered Entity implements them? If so, identify the requirements that are too prescriptive and explain why and suggest ways to make them more PO 00000 Frm 00035 Fmt 4701 Sfmt 4702 20245 flexible without undermining the objective of having Covered Entities adequately address cybersecurity risks. 24. Should the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be modified to provide less flexibility in how a Covered Entity had to implement them? If so, identify the requirements that should be more prescriptive and explain why and suggest ways to make them more prescriptive without undermining the objective of having Covered Entities implement cybersecurity risk management policies and procedures that address their particular circumstances. 25. 
Should the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be deemed to be reasonably designed if they are consistent with industry standards comprised of cybersecurity risk management practices that are widely available to cybersecurity professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization? If so, identify the standard or standards and explain why it would be appropriate to deem the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 reasonably designed if they are consistent with the standard or standards. 26. The policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 would require Covered Entities to cover ‘‘information’’ and ‘‘information systems’’ as defined, respectively, in paragraphs (a)(6) and (7) of proposed Rule 10 without limitation. Should the proposed policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be modified to address a narrower set of information and information systems? If so, describe how the narrower set of information and information systems should be defined and why it would be appropriate to limit the policies and procedures requirements to this set of information and information systems. For example, should the policies and procedures requirements of paragraph (b)(1) of proposed Rule 10 be limited to information and information systems that, if compromised, would result in, or would be reasonably likely to result in, harm to the Covered Entity or others? If so, explain why. If not, explain why not. Is there another way to limit the application of the policies and procedures requirements to certain information and information systems that would not undermine the objective E:\FR\FM\05APP2.SGM 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 20246 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules that Covered Entities implement policies and procedures that adequately address their cybersecurity risks? If so, explain how. 27. Should the requirements of paragraph (b)(1)(i) of proposed Rule 10 relating to periodic assessments of the cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems be modified? If so, explain why. If not, explain why not. 28. Should the requirements of paragraph (b)(1)(i)(A)(1) of proposed Rule 10 relating to categorizing and prioritizing cybersecurity risks based on an inventory of the components of the Covered Entity’s information systems and information residing on those systems and the potential effect of a cybersecurity incident on the Covered Entity be modified? If so, explain why. If not, explain why not. 29. Should the requirements of paragraph (b)(1)(i)(A)(2) of proposed Rule 10 relating to identifying the Covered Entity’s service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems and any of the Covered Entity’s information residing on those systems, and assess the cybersecurity risks associated with the Covered Entity’s use of these service providers be modified? If so, explain why. If not, explain why not. Certain Covered Entities may use data feeds from third-party providers that do not receive, maintain, or process information for the Covered Entity but that could nonetheless cause significant disruption for the Covered Entity if they were the subject of a cybersecurity incident. For example, broker-dealers may subscribe to third-party data feeds to satisfy their obligations for best execution under the federal securities laws. 
If a third-party provider of data feeds experienced a cybersecurity breach, it could lead to faulty market information being shared with the broker-dealer, which could in turn impact the broker-dealer’s ability to operate and execute trades for its customers. Likewise, SBS Entities might rely on data from counterparties. Should the Commission require the risk assessment to include service providers that provide data feeds to Covered Entities but do not otherwise have access to the Covered Entities’ information systems? If so, should the risk assessment be limited to only those third parties who provide data critical to the Covered Entity’s business operations? Are there other cybersecurity risks associated with utilizing a third party who provides data feeds that should be addressed? If so, identify the risks and explain how they could be addressed.
30. Should the requirements of paragraph (b)(1)(i)(B) of proposed Rule 10 relating to requiring written documentation of the risk assessments required by paragraph (b)(1)(i)(A) of proposed Rule 10 be modified? If so, explain why. If not, explain why not.
31. Should the requirements of paragraph (b)(1)(ii) of proposed Rule 10 relating to controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems and the information residing on those systems be modified? If so, explain why. If not, explain why not.
Should the requirements of paragraph (b)(1)(ii) of proposed Rule 10 be modified to revise the requirement to include the following identified controls: (1) controls requiring standards of behavior for individuals authorized to access the Covered Entity’s information systems and the information residing on those systems, such as an acceptable use policy; (2) controls identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification; (3) controls establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication; (4) controls restricting access to specific information systems of the Covered Entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the Covered Entity; and (5) securing remote access technologies? If so, explain why. If not, explain why not. For example, should this paragraph of the proposed rule be modified to include any additional type of controls? If so, identify the controls and explain why they should be included. Should the text of the proposed controls be modified? For example, should the control pertaining to the timely distribution, replacement, and revocation of passwords or methods of authentication use a word other than ‘‘distribution’’? If so, explain why and suggest an alternative word that would be more appropriate. Would ‘‘establishment’’ or ‘‘setting up’’ be more appropriate in this context? Should this paragraph of the proposed rule be modified to eliminate any of the identified controls? If so, identify the control and explain why it should be eliminated.
For example, could the control pertaining to implementing authentication measures requiring users to present a combination of two or more credentials for access verification potentially become obsolete? If so, explain why and suggest an alternative control that could incorporate this requirement as well as other authentication controls that may develop in the future.
32. CISA has developed a catalog of cyber ‘‘bad practices’’ that are exceptionally risky and can increase risk to an organization’s critical infrastructure.265 These bad practices include the use of unsupported (or end-of-life) software, use of known or default passwords and credentials, and the use of single-factor authentication. In addition, the Federal Financial Institutions Examination Council (‘‘FFIEC’’) has issued guidance on authentication and access to financial institution services and systems, and suggests that the use of single-factor authentication as a control mechanism has been shown to be inadequate against certain cyber threats and adverse impacts from ransomware, customer account fraud, and identity theft.266 Instead, the FFIEC guidance suggests the use of multi-factor authentication and other measures, such as specific authentication solutions, password controls, and access and transaction controls. Should paragraph (b)(1)(ii) of proposed Rule 10 be modified to specifically require controls that users provide multi-factor authentication before they can access an information system of the Covered Entity? If so, explain why. If not, explain why not. Would it be appropriate to require multi-factor authentication for all of the Covered Entity’s information systems or for a more limited set of information systems?
For example, should multifactor authentication be required for public-facing information systems such as applications that provide users access to their accounts at the Covered Entity and not required for internal information systems used by the Covered Entity’s employees? If so, explain why. If not, explain why not. Should multi-factor authentication be required regardless of whether the information system is public facing if personal, confidential, or proprietary information resides on the information system? If so, explain why. If not, explain why not. Should the rule require phishing-resistant multi-factor authentication? If so, explain why. If not, explain why not.
265 See CISA, Bad Practices, available at https://www.cisa.gov/BadPractices.
266 See FFIEC, Authentication and Access to Financial Institution Services and Systems (Aug. 2021), available at https://www.ffiec.gov/guidance/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf. See also FDIC and the Office of the Comptroller of the Currency (‘‘OCC’’), Joint Statement on Heightened Cybersecurity Risk (Jan. 16, 2020), available at https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-5a.pdf (noting that identity and access management controls include multifactor authentication to segment and safeguard access to critical systems and data on an organization’s network).
33. Should the requirements of paragraph (b)(1)(iii)(A) of proposed Rule 10 relating to measures designed to monitor the Covered Entity’s information systems and protect the information residing on those systems from unauthorized access or use be modified? For example, should the requirements of paragraph (b)(1)(iii)(A) of proposed Rule 10 specifically require encryption of certain information residing on the Covered Entity’s information systems?
If so, explain why. If not, explain why not.
34. The measures discussed in paragraph (b)(1)(iii)(A) of proposed Rule 10 designed to monitor the Covered Entity’s information systems and protect the information residing on those systems from unauthorized access or use would need to be based on a periodic assessment of the Covered Entity’s information systems and the information that resides on the systems that takes into account: (1) the sensitivity level and importance of the information to the Covered Entity’s business operations; (2) whether any of the information is personal information; (3) where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) the information systems’ access controls and malware protection; and (5) the potential effect a cybersecurity incident involving the information could have on the Covered Entity and its customers, counterparties, members, or users, including the potential to cause a significant cybersecurity incident. Should this paragraph of the proposed rule be modified to include any additional factors that would need to be taken into account? If so, identify the factors and explain why they should be taken into account. Should this paragraph of the proposed rule be modified to eliminate any of the identified factors that should be taken into account? If so, identify the factors and explain why they should be eliminated.
35. Should the requirements of paragraph (b)(1)(iii)(A) of proposed Rule 10 relating to periodic assessments of the Covered Entity’s information systems and information residing on the systems be modified to specifically require periodic (e.g., semi-annual or annual) penetration tests? If so, explain why. If not, explain why not. If proposed Rule 10 should be modified to require periodic penetration tests, should the rule specify the information systems and information to be tested? If so, explain why.
If not, explain why not. For example, should the penetration tests be performed on all information systems and information of the Covered Entity? Alternatively, should the penetration tests be performed: (1) on a random selection of information systems and information; (2) on a prioritized selection of the information systems and information residing on them that are most critical to the Covered Entity’s functions or that maintain information that if accessed by or disclosed to persons not authorized to view it could cause the most harm to the Covered Entity or others; and/or (3) on information systems for which the Covered Entity has identified vulnerabilities pursuant to the requirements of paragraph (b)(1)(iv) of proposed Rule 10? Please explain the advantages and disadvantages of each potential approach to requiring penetration tests.
36. Should the requirements of paragraph (b)(1)(iii)(B) of proposed Rule 10 relating to the oversight of service providers that receive, maintain, or process the Covered Entity’s information, or are otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems, pursuant to a written contract between the covered entity and the service provider, through which the service providers are required to implement and maintain appropriate measures, including the practices described in paragraphs (b)(1)(i) through (v) of proposed Rule 10, that are designed to protect the Covered Entity’s information systems and information residing on those systems be modified? If so, explain why. If not, explain why not. For example, would there be practical difficulties with implementing the requirement to oversee the service providers through a written contract? If so, explain why. If not, explain why not. Are there alternative approaches to addressing the cybersecurity risk that arises when Covered Entities use service providers?
If so, describe them and explain why they would be appropriate in terms of addressing this risk. For example, rather than addressing this risk through a written contract, could it be addressed through policies and procedures to obtain written assurances or certifications from service providers that the service provider manages cybersecurity risk in a manner that would be consistent with how the Covered Entity would need to manage this risk under paragraph (b) of proposed Rule 10? If so, explain why and describe the type of assurances or certifications Covered Entities could reasonably obtain to ensure that their service providers are taking appropriate measures to manage cybersecurity risk. In responding, please explain how assurances or certifications would be an appropriate alternative to written contracts in terms of addressing the cybersecurity risk caused by the use of service providers.
37. Should the requirements of paragraph (b)(1)(iv) of proposed Rule 10 relating to measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems and the information residing on those systems be modified? If so, explain why. If not, explain why not.
38. Should the requirements of paragraph (b)(1)(v)(A) of proposed Rule 10 relating to measures designed to detect, respond to, and recover from a cybersecurity incident be modified? If so, explain why. If not, explain why not. For example, these measures would need to include policies and procedures that are reasonably designed to ensure: (1) the continued operations of the covered entity; (2) the protection of the Covered Entity’s information systems and the information residing on those systems; (3) external and internal cybersecurity incident information sharing and communications; and (4) the reporting of significant cybersecurity incidents pursuant to paragraph (c) of proposed Rule 10.
Would these four specific design objectives required of the policies and procedures place the Covered Entity in a position to effectively detect, respond to, and recover from a cybersecurity incident? If so, explain why. If not, explain why not. Should this paragraph of the proposed rule be modified to include any additional design objectives for these policies and procedures? If so, identify the design objectives and explain why they should be included. For example, should the rule require policies and procedures that are designed to recover from a cybersecurity incident within a specific timeframe such as 24, 48, or 72 hours or some other period? If so, identify the recovery period and explain why it would be appropriate. Should this paragraph of the proposed rule be modified to eliminate any of the specified design objectives? If so, identify the design objectives and explain why they should be eliminated.
39. Should the requirements of paragraph (b)(1)(v)(B) of proposed Rule 10 relating to written documentation of any cybersecurity incidents be modified? If so, explain why. If not, explain why not. For example, should the written documentation requirements apply to a narrower set of incidents than those that would meet the definition of ‘‘cybersecurity incident’’ under proposed Rule 10? If so, describe the narrower set of incidents and explain why it would be appropriate to limit the written documentation requirements to them.
40. Should the requirements of paragraph (b)(2) of proposed Rule 10 relating to the review and assessment of the policies and procedures and a written report of the review be modified? If so, explain why. If not, explain why not.
For example, this paragraph would require: (1) a review and assessment of the design and effectiveness of the cybersecurity risk management policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review; and (2) the preparation of a written report that describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report. Should the review requirement be modified to provide greater flexibility based on the Covered Entity’s assessment of what it believes would be most effective in light of its cybersecurity risks? If so, explain why. If not, explain why not. Should the review, assessment, and report be required on a more frequent basis such as quarterly? If so, explain why. If not, explain why not. Should the review, assessment, and report requirement be triggered after certain events regardless of when the previous review was conducted? If so, explain why. If not, explain why not. For example, should the requirement be triggered if the Covered Entity experiences a significant cybersecurity incident or undergoes a significant business event such as a merger, acquisition, or the commencement of a new business line that relies on information systems? If so, explain why and suggest how a ‘‘significant business event’’ should be defined for the purposes of the review and assessment requirement. If not, explain why not. Should the rule require that persons with a minimum level of cybersecurity expertise or experience must perform the review and assessment or that the review and assessment must be performed by a senior officer of the Covered Entity? If so, explain why. If not, explain why not.
Should the rule require that the review and assessment be performed by personnel who are not involved in designing and implementing the cybersecurity policies and procedures? If so, explain why. If not, explain why not. Should the rule require that the annual report be subject to periodic third-party audits or reviews? If so, explain why. If not, explain why not. Should the Commission provide guidance to clarify how the review and report requirements of paragraph (b)(2) of proposed Rule 10 interact with the requirements that SBS Entities perform assessments under 17 CFR 240.15Fk–1 or reviews under 17 CFR 250.15c3–4(c)(3)? If so, explain why. If not, explain why not.
2. Notification and Reporting of Significant Cybersecurity Incidents
a. Timing and Manner of Notification and Reporting
FSOC observed that ‘‘[s]haring timely and actionable cybersecurity information can reduce the risk that cybersecurity incidents occur and can mitigate the impacts of those that do occur.’’ 267 The Commission is proposing to require that Covered Entities provide immediate notice and subsequent reports about significant cybersecurity incidents to the Commission and, in the case of certain Covered Entities, other regulators. The objective is to improve the Commission’s ability to monitor and evaluate the effects of a significant cybersecurity incident on Covered Entities and their customers, counterparties, members, registrants, or users, as well as assess the potential risks affecting financial markets more broadly. For these reasons, proposed Rule 10 would require a Covered Entity to provide immediate written electronic notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.268 The Commission would keep the notices nonpublic to the extent permitted by law. The notice would need to identify the Covered Entity, state that the notice is being given to alert the Commission of a significant cybersecurity incident impacting the Covered Entity, and provide the name and contact information of an employee of the Covered Entity who can provide further details about the nature and scope of the significant cybersecurity incident. The immediate notice would need to be submitted by the Covered Entity electronically in written form (as opposed to permitting the notice to be made telephonically).269 The Commission is proposing a written notification requirement because of the number of Market Entities that would be subject to the requirement and because of the different types of Market Entities.270 A written notification would also facilitate the Commission in identifying patterns and trends across Market Entities experiencing significant cybersecurity incidents. The notice requirement would be triggered when the Covered Entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring.271 This does not mean that the Covered Entity can wait until it definitively concludes that a significant cybersecurity incident has occurred or is occurring. In the early stages of discovering the existence of a cybersecurity incident, it may not be possible for the Covered Entity to conclude definitively that it is a significant cybersecurity incident. For example, the Covered Entity may need to assess which information systems have been subject to the cybersecurity incident and the impact that the incident has had on those systems before definitively concluding that it is a significant cybersecurity incident.272 The objective of the notification requirement is to alert the Commission staff as soon as the Covered Entity detects the existence of a cybersecurity incident that it has a reasonable basis to conclude is a significant cybersecurity incident and not to wait until the Covered Entity definitively concludes it is a significant cybersecurity incident. This would provide the Commission staff with the ability to begin to assess the situation at an earlier stage of the cybersecurity incident. This proposed immediate written notification requirement is modelled on other notification requirements that apply to broker-dealers and SBSDs pursuant to other Exchange Act rules.
267 FSOC 2021 Annual Report.
268 See paragraph (c)(1) of proposed Rule 10. See also paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity incident’’). As discussed below in section II.C. of this release, Non-Covered Broker-Dealers would be subject to an identical immediate written electronic notice requirement. See paragraph (e)(2) of proposed Rule 10. If proposed Rule 10 is adopted, it is anticipated that a dedicated email address would be set up to receive the notices from Covered Entities and Non-Covered Broker-Dealers. See, e.g., Staff Guidance for Filing Broker-Dealer Notices, Statements and Reports, available at https://www.sec.gov/divisions/marketreg/bdnotices; Staff Statement on Submitting Notices, Statements, Applications, and Reports for Security-Based Swap Dealers and Major Security-Based Swap Participants Pursuant to the Financial Responsibility Rules (Exchange Act Rules 18a–1 through 18a–10), available at https://www.sec.gov/tm/staff-statement-on-submissions.
269 See paragraph (c)(1) of proposed Rule 10. But see 17 CFR 242.1002(b)(1) (requiring an SCI entity to provide the Commission with immediate notice after having a reasonable basis to conclude that an SCI event has occurred without specifying that the notice be written); OCC, Federal Reserve Board, FDIC, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 FR 66424 (Nov. 23, 2021) (requiring a banking organization to provide notice to a designated point of contact of a computer-security incident through telephone, email, or similar methods).
270 Non-Covered Broker-Dealers also would be subject to an immediate written electronic notice requirement under paragraph (e)(2) of proposed Rule 10 and, therefore, the Commission potentially could receive notices from all types of Market Entities. As discussed in section V.C. of this release, it is estimated that 1,989 Market Entities would be Covered Entities and 1,969 broker-dealers would be Non-Covered Entities, resulting in 3,958 total Market Entities. This is a far larger number of entities than the 47 entities that currently are SCI entities.
271 The notice requirement for Non-Covered Broker-Dealers also would be triggered when the broker-dealer has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. See paragraph (e)(2) of proposed Rule 10.
Under these existing requirements, broker-dealers and certain SBSDs must provide the Commission with same-day written notification if they undergo certain adverse events, including falling below their minimum net capital requirements or failing to make and keep current required books and records.273 The objective of these requirements is to provide the Commission staff with the opportunity to respond when a broker-dealer or SBSD is in financial or operational difficulty.274 Similarly, the written notification requirements of proposed Rule 10 are designed to provide the Commission staff with the opportunity to begin assessing the situation promptly when a Covered Entity is experiencing a significant cybersecurity incident by, for example, assessing the Covered Entity’s operating status and engaging in discussions with the Covered Entity to understand better what steps it is taking to protect its customers, counterparties, members, registrants, or users.
272 See paragraph (a)(2) of proposed Rule 10 (defining ‘‘cybersecurity incident’’ to mean an unauthorized occurrence on or conducted through a Market Entity’s information systems that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems).
273 See 17 CFR 240.17a–11 (notification rule for broker-dealers); 17 CFR 240.18a–8 (notification rule for SBS Entities).
274 See Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based Swap Participants, and Broker-Dealers; Capital Rule for Certain Security-Based Swap Dealers, Exchange Act Release No. 71958 (Apr. 17, 2014) [79 FR 25194, 25247 (May 2, 2014)] (‘‘SBS Entity Recordkeeping and Reporting Proposing Release’’).
In addition, a Covered Entity that is a broker-dealer would need to provide the written notice to its examining authority, and a transfer agent would need to provide the written notice to its ARA.275 The objective is to notify other supervisory authorities to allow them the opportunity to respond to the significant cybersecurity incident impacting the Covered Entity. As discussed above, the immediate written electronic notice is designed to alert the Commission on a confidential basis to the existence of a significant cybersecurity incident impacting a Covered Entity so the Commission staff can begin to assess the event. It is not intended as a means to report written information about the significant cybersecurity incident. Therefore, in addition to the immediate written electronic notice, a Covered Entity would be required to report detailed information about the significant cybersecurity incident by filing, on a confidential basis, Part I of proposed Form SCIR with the Commission through the Electronic Data Gathering, Analysis, and Retrieval System (‘‘EDGAR’’ or ‘‘EDGAR system’’).276 Because of the sensitive nature of the information and the fact that threat actors could potentially use it to cause more harm, the Commission would not make the filings available to the public to the extent permitted by law. As with the notice, the requirement to file Part I of proposed Form SCIR would be triggered when the Covered Entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Therefore, the notification and reporting requirements would be triggered at the same time. However, in order to provide the Covered Entity time to gather the information that would be elicited by Part I of proposed Form SCIR, the Covered Entity would need to file the form promptly, but no later than 48 hours, upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Proposed Rule 10 also would require the Covered Entity to file an amended Part I of proposed Form SCIR with updated information about the significant cybersecurity incident in four circumstances.277 In each case, the amended Part I of proposed Form SCIR would need to be filed promptly, but no later than 48 hours, after the update requirement is triggered. First, the Covered Entity would need to file an amended Part I of proposed Form SCIR if any information previously reported to the Commission on the form pertaining to the significant cybersecurity incident becomes materially inaccurate.278 Second, the Covered Entity would need to file an amended Part I of proposed Form SCIR if any new material information pertaining to the significant cybersecurity incident previously reported to the Commission on the form is discovered.279 The Commission staff generally would use the information reported on Part I of proposed Form SCIR to assess the operating status of the Covered Entity and assess the impact that the significant cybersecurity incident could have on other participants in the U.S. securities markets.
275 See paragraphs (c)(1)(i) and (ii) of proposed Rule 10. Non-Covered Broker-Dealers also would be required to provide the written notice to their examining authority. See paragraph (e)(2) of proposed Rule 10.
276 See paragraph (c)(2) of proposed Rule 10. As discussed below, Part II of proposed Form SCIR would be used by Covered Entities to make public disclosures about the cybersecurity risks they face and the significant cybersecurity incidents they experienced during the current or previous calendar year. See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements). Non-Covered Broker-Dealers would not be subject to the requirements to file Part I and Part II of proposed Form SCIR.
The requirement to file an amended Part I of proposed Form SCIR under the first and second circumstances is designed to ensure the Commission and Commission staff have reasonably accurate and complete information when undertaking these activities. Third, the Covered Entity would need to file an amended Part I of proposed Form SCIR after the significant cybersecurity incident is resolved.280 A significant cybersecurity incident impacting a Covered Entity would be resolved when the situation no longer meets the definition of ‘‘significant cybersecurity incident.’’ 281 The resolution of a significant cybersecurity incident would be a material development in the situation and, therefore, would be a reporting trigger under proposed Rule 10. Finally, if the Covered Entity conducted an internal investigation pertaining to the significant cybersecurity incident, it would need to file an amended Part I of proposed Form SCIR after the investigation is closed.282 This would be an investigation of the significant cybersecurity incident that seeks to determine the cause of the incident or to examine whether there was a failure to adhere to the Covered Entity’s policies and procedures to address cybersecurity risk or whether those policies and procedures are effective. An internal investigation could be conducted by the Covered Entity’s own personnel (e.g., internal auditors) or by external consultants hired by the Covered Entity.
277 See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule 10.
278 See paragraph (c)(2)(ii)(A) of proposed Rule 10.
279 See paragraph (c)(2)(ii)(B) of proposed Rule 10.
280 See paragraph (c)(2)(ii)(C) of proposed Rule 10.
281 See paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity incident’’).
The closure of an internal investigation would be a reporting trigger under proposed Rule 10 because it could yield material new information about the incident that had not been reported in a previously filed Part I of proposed Form SCIR. As with the immediate written electronic notice, a Covered Broker-Dealer would need to promptly transmit a copy of each Part I of proposed Form SCIR it files with the Commission to its examining authority, and a transfer agent would need to promptly transmit a copy of each Part I of proposed Form SCIR it files with the Commission to its ARA.283 The objective is to provide these other supervisory authorities with the same information about the significant cybersecurity incident that the Commission receives. In this regard, the reporting requirements under proposed Rule 10 would provide the Commission and its staff with information to understand better the nature and extent of a particular significant cybersecurity incident and the efficacy of the Covered Entity’s response to mitigate the disruption and harm caused by the incident. The Commission staff could use the reports to focus on the Covered Entity’s operating status and to facilitate their outreach to, and discussions with, personnel at the Covered Entity who are addressing the significant cybersecurity incident. For example, certain information provided in a report may be sufficient to address any questions the staff has about the incident; and in other instances staff may want to ask follow-up questions to get a better understanding of the matter. In addition, the reporting would provide the staff with a view into the Covered Entity’s understanding of the scope and impact of the significant cybersecurity incident.
282 See paragraph (c)(2)(ii)(D) of proposed Rule 10.
283 See paragraphs (c)(2)(iii)(A) and (B) of proposed Rule 10.
All of this information would be used by the Commission and its staff in assessing the impact of the significant cybersecurity incident on the Covered Entity. The information provided to the Commission under the proposed reporting requirements also would be used to assess the potential cybersecurity risks affecting U.S. securities markets more broadly. This information could be useful in assessing other and future significant cybersecurity incidents. For example, these reports could assist the Commission in identifying patterns and trends across Covered Entities, including widespread cybersecurity incidents affecting multiple Covered Entities at the same time. Further, the reports could be used to evaluate the effectiveness of various approaches to respond to and recover from a significant cybersecurity incident.

b. Part I of Proposed Form SCIR

Proposed Rule 10 would require a Covered Entity to report information about a significant cybersecurity incident confidentially on Part I of proposed Form SCIR.284 The form would elicit certain information about the significant cybersecurity incident through check boxes, date fields, and narrative fields. Covered Entities would file Part I of proposed Form SCIR electronically with the Commission using the EDGAR system in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T,285 and in accordance with the requirements of Regulation S–T.286 A Covered Entity would need to indicate on Part I of proposed Form SCIR whether the form is being filed with respect to a significant cybersecurity incident as an initial report, amended report, or final amended report by checking the appropriate box.
As discussed above, proposed Rule 10 would require a Covered Entity to file Part I of proposed Form SCIR upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring.287 This would be the initial Part I of proposed Form SCIR with respect to the significant cybersecurity incident.288 Thereafter, a Covered Entity would be required to file an amended Part I of proposed Form SCIR with respect to the significant cybersecurity incident after: (1) any information previously reported to the Commission on Part I of proposed Form SCIR pertaining to the significant cybersecurity incident becomes materially inaccurate; (2) any new material information pertaining to the significant cybersecurity incident previously reported to the Commission on Part I of proposed Form SCIR is discovered; (3) the significant cybersecurity incident is resolved; or (4) an internal investigation pertaining to a significant cybersecurity incident is closed.289 If a Covered Entity checks the box indicating that the filing is a final Part I of proposed Form SCIR, the firm also would need to check the appropriate box to indicate why a final form was being filed: either the significant cybersecurity incident was resolved or an internal investigation pertaining to the incident was closed.

284 See paragraph (c)(2) of proposed Rule 10.
285 See 17 CFR 232.11.
286 See paragraphs (c)(2)(i) and (ii) of proposed Rule 10. As discussed below in section II.B.4. of this release, the Covered Entity would need to file Part I of proposed Form SCIR using a structured data language.
287 See paragraph (c)(2)(i) of proposed Rule 10. See also section II.B.2.a. of this release (discussing the proposed filing requirements in more detail).
Part I of proposed Form SCIR would elicit information about the Covered Entity that would be used to identify the filer.290 In particular, the Covered Entity would need to provide its full legal name and business name (if different from its legal name), tax identification number, unique identification code ("UIC") (if the filer has a UIC), central index key ("CIK number"),291 and main address.292 The instructions to proposed Form SCIR (which would be applicable to Parts I and II) would provide that a UIC is an identification number that has been issued by an internationally recognized standards-setting system ("IRSS") that has been recognized by the Commission pursuant to Rule 903(a) of Regulation SBSR.293 Currently, the Commission has recognized only the Global Legal Entity Identifier Foundation ("GLEIF")—which is responsible for overseeing the Global Legal Entity Identifier System ("GLEIS")—as an IRSS.294 Part I of proposed Form SCIR also would elicit the name, phone number, and email address of the contact employee of the Covered Entity.295 The contact employee would need to be an individual authorized by the Covered Entity to provide the Commission with information about the significant cybersecurity incident (i.e., information the individual can provide directly) and make information about the incident available to the Commission (e.g., information the individual can provide by, for example, making other employees of the Covered Entity available to answer questions of the Commission staff).296 The Covered Entity also would need to indicate the type of Market Entity it is by checking the appropriate box or boxes.297 For example, if the Covered Entity is dually registered as a broker-dealer and SBSD, it would need to check the box for each of those entity types. Page 1 of Part I of proposed Form SCIR also would contain fields for the individual executing the form to sign and date the form. By signing the form, the individual would: (1) certify that the form was executed on behalf of, and with the authority of, the Covered Entity; (2) represent individually, and on behalf of the Covered Entity, that the information and statements contained in the form are current, true and complete; and (3) represent individually, and on behalf of the Covered Entity, that to the extent any information previously submitted is not amended such information is current, true, and complete. The form of the certification is designed to ensure that the Covered Entity, through the individual executing the form, provides information that the Commission and Commission staff can rely on to evaluate the operating status of the Covered Entity, assess the impact the significant cybersecurity incident may have on other participants in the U.S. securities markets, and formulate an appropriate response to the incident.

288 See Instruction B.1. of proposed Form SCIR.
289 See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule 10.
290 See Line Items 1.A. through 1.E. of Part I of proposed Form SCIR.
291 A CIK number is used on the Commission’s computer systems to identify persons who have filed disclosures with the Commission.
292 See Line Items 1.A. through 1.C. of Part I of proposed Form SCIR.
293 See Instruction A.5.g. of proposed Form SCIR. See also, e.g., Form SBSE available at https://www.sec.gov/files/form-sbse.pdf (providing a similar definition of UIC).
294 See Regulation SBSR—Reporting and Dissemination of Security-Based Swap Information, Exchange Act Release No. 74244 (Feb. 11, 2015), 80 FR 14563, 14632 (Mar. 19, 2015) ("Regulation SBSR Release"). LEIs are unique alphanumeric codes that identify legal entities in financial transactions in international markets. See Financial Stability Board ("FSB"), Options to Improve Adoption of the LEI, in Particular for Use in Cross-Border Payments (July 7, 2022). Information associated with the LEI, which is a globally-recognized digital identifier that is not specific to the Commission, includes the "official name of the legal entity as recorded in the official registers[,]" the entity’s address, country of incorporation, and the "legal form of the entity." Id. Accordingly, in proposing to require each Covered Entity to provide its UIC if it has a UIC, the Commission is proposing to require each Covered Entity identify itself with an LEI if it has an LEI.
295 See Line Item 1.D. of Part I of proposed Form SCIR.
296 See Instruction B.4. of proposed Form SCIR.
297 See Line Item 1.E. of Part I of proposed Form SCIR (setting forth check boxes to indicate whether the Covered Entity is a broker-dealer, clearing agency, MSBSP, the MSRB, a national securities association, a national securities exchange, SBSD, SBSDR, or transfer agent).

Line Items 2 through 14 of Part I of proposed Form SCIR would elicit information about the significant cybersecurity incident and the Covered Entity’s response to the incident. After discovering the existence of a significant cybersecurity incident, a Covered Entity may need time to determine the scope and impact of the incident in order to provide meaningful responses to these questions. For example, the Covered Entity may be working diligently to investigate and resolve the significant cybersecurity incident at the same time it would be required to complete and file Part I of proposed Form SCIR.
The Covered Entity’s priorities in the early stages after detecting the significant cybersecurity incident may be to devote its staff resources to mitigating the harms caused by the incident or that could be caused by the incident if necessary corrective actions are not promptly implemented. Moreover, during this period, the Covered Entity may not have a complete understanding of the cause of the significant cybersecurity incident, all the information systems impacted by the incident, the harm caused by the incident, or how to best resolve and recover from the incident (among other relevant information). Therefore, the first form filed with respect to a given significant cybersecurity incident should include information that is known to the Covered Entity at the time of filing and not include speculative information. If information is unknown at the time of filing, the Covered Entity should indicate that on the form. Understanding the aspects of the significant cybersecurity incident that are not yet known would inform the Commission’s assessment. The process of filing an amended Part I of proposed Form SCIR is designed to update earlier filings as information becomes known to the Covered Entity. In particular, proposed Rule 10 would require the Covered Entity to file an amended Part I of proposed Form SCIR if information reported on a previously filed form pertaining to the significant cybersecurity incident becomes materially incomplete because new information is discovered.298 Therefore, as the Covered Entity reasonably concludes that additional information about the significant cybersecurity incident is necessary to make its filing not materially inaccurate, it would need to file amended forms. In this way, the reporting requirements of proposed Rule 10 are designed to provide the Commission and Commission staff with current known information and provide a means for the Covered Entity to report information as it becomes known.

This does not mean that the Covered Entity can refrain from providing known information in Part I of proposed Form SCIR. As discussed above, the Covered Entity must certify through the individual executing the form that the information and statements in the form are current, true, and complete, among other things. A failure to provide current, true, and complete information that is known to the Covered Entity would be inconsistent with this required certification. In addition, failing to investigate the significant cybersecurity incident would be inconsistent with the policies and procedures required by proposed Rule 10. As discussed above, the cybersecurity incident response and recovery policies and procedures that would be required by proposed Rule 10 would need to include policies and procedures that are reasonably designed to ensure the reporting of significant cybersecurity incidents as required by the rule.299 The failure to diligently investigate the significant cybersecurity incident could indicate that the Covered Entity’s incident response and recovery policies and procedures are not reasonably designed or are not being enforced by the Covered Entity as required by proposed Rule 10.300 Moreover, reasonably designed policies and procedures to detect, respond to, and recover from a cybersecurity incident, as required by proposed Rule 10 generally should require diligent investigation of the significant cybersecurity incident.301 Further, diligently investigating the significant cybersecurity incident would be in the interest of the Covered Entity as it could lead to a quicker resolution of the incident by revealing—for example—its cause and impact.

298 See paragraph (c)(2)(ii)(B) of proposed Rule 10.
In terms of the information about the significant cybersecurity incident elicited in Part I of proposed Form SCIR, the Covered Entity first would be required to provide the approximate date that it discovered the significant cybersecurity incident.302 As discussed above, a Covered Entity would be required to provide the Commission with immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.303 This can be based on, for example, the Covered Entity reviewing or receiving a record, alert, log, or notice about the incident.

299 See paragraph (b)(1)(v)(A)(4) of proposed Rule 10. See also section II.B.1.e. of this release (discussing these proposed required policies and procedures in more detail).
300 See paragraph (b)(1) of proposed Rule 10 (requiring that the Covered Entity establish, maintain, and enforce written policies and procedures that are reasonably designed to address the covered entity’s cybersecurity risks).
301 See paragraph (b)(1)(v)(A) of proposed Rule 10. See also section II.B.1.e. of this release (discussing these proposed required policies and procedures in more detail).
In addition, reaching this conclusion would trigger the requirement to file promptly (but within 48 hours) an initial Part I of proposed Form SCIR with the Commission to first report the significant cybersecurity incident using the form.304 The date that would need to be reported on proposed Part I of Form SCIR is the date the Covered Entity has a reasonable basis to conclude that the incident has occurred or is occurring.305

Line Item 3 of Part I of proposed Form SCIR would elicit information about the approximate duration of the significant cybersecurity incident.306 First, the Covered Entity would need to indicate whether the significant cybersecurity incident is ongoing.307 The form would provide the option of answering yes, no, or unknown. Second, the Covered Entity would need to provide the approximate start date of the cybersecurity incident or indicate that it does not know the start date.308 The start date may be well before the date the Covered Entity discovered the significant cybersecurity incident. Therefore, the start date of the incident reported on Line Item 3 may be different than the discovery date reported on Line Item 2. Third, the Covered Entity would need to provide the approximate date the significant cybersecurity incident is resolved.309 This would be the date the Covered Entity was no longer undergoing a significant cybersecurity incident.310 As discussed above, the resolution of the significant cybersecurity incident triggers the requirement to file an amended Part I of proposed Form SCIR under proposed Rule 10.311

Line Item 4 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether an internal investigation pertaining to the significant cybersecurity incident was being conducted. An "internal investigation" would be defined as a formal investigation of the significant cybersecurity incident by internal personnel of the Covered Entity or external personnel hired by the Covered Entity that seeks to determine any of the following: the cause of the significant cybersecurity incident; whether there was a failure to adhere to the Covered Entity’s policies and procedures to address cybersecurity risk; or whether the Covered Entity’s policies and procedures to address cybersecurity are effective.312 If an internal investigation is conducted, the Covered Entity also would need to provide the date the investigation was closed. As discussed above, the closure of an internal investigation pertaining to the significant cybersecurity incident triggers the requirement to file an amended Part I of Form SCIR under proposed Rule 10.313

Line Item 5 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether a law enforcement or government agency (other than the Commission) had been notified of the significant cybersecurity incident.314 If so, the Covered Entity would need to identify each law enforcement or government agency.

302 See Line Item 2 of Part I of proposed Form SCIR.
303 See paragraph (c)(1) of proposed Rule 10. See also section II.B.2.a. of this release (discussing the proposed notification requirement in more detail).
304 See paragraph (c)(2)(i) of proposed Rule 10. See also section II.B.2.a. of this release (discussing the proposed reporting trigger in more detail).
305 See Instruction B.5.a. of proposed Form SCIR.
306 See Line Items 3.A. through 3.C. of Part I of proposed Form SCIR.
307 See Line Item 3.A. of Part I of proposed Form SCIR.
308 See Line Item 3.B. of Part I of proposed Form SCIR.
309 See Line Item 3.C. of Part I of proposed Form SCIR.
310 See Instruction B.5.b. of proposed Form SCIR. See also paragraph (a)(10) of proposed Rule 10 (defining the term "significant cybersecurity incident").
The Commission and Commission staff could use this information to coordinate with other law enforcement and government agencies if needed both to assess the incident and to share information as appropriate to understand the impact of the incident better.

Line Item 6 of Part I of proposed Form SCIR would require the Covered Entity to describe the nature and scope of the significant cybersecurity incident, including the information systems affected by the incident and any effect on the Covered Entity’s critical operations.315 This item would enable the Commission to obtain information about the incident to understand better how it is impacting the Covered Entity’s operating status and whether the Covered Entity can continue to provide services to its customers, counterparties, members, registrants, or users. This would include understanding which services and systems have been impacted and whether the incident was the result of a cybersecurity incident that occurred at a service provider.

Line Item 7 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether the threat actor(s) causing the significant cybersecurity incident has been identified.316 If so, the Covered Entity would be required to identify the threat actor(s).

311 See paragraph (c)(2)(ii)(C) of proposed Rule 10. See section II.B.2.a. of this release (discussing the notification requirements in more detail).
312 See Instruction A.5.d. of proposed Form SCIR.
313 See paragraph (c)(2)(ii)(D) of proposed Rule 10. See also section II.B.2.a. of this release (discussing the notification requirement in more detail).
314 See Line Item 5 of Part I of proposed Form SCIR.
315 See Line Item 6 of Part I of proposed Form SCIR.
In addition, the Covered Entity would need to indicate in Line Item 7 whether there has been communication(s) from or with the threat actor(s) that caused or claims to have caused the significant cybersecurity incident.317 The Covered Entity would need to answer the question even if the threat actor(s) has not been identified. If there had been communications, the Covered Entity would need to describe them. This information would help the Commission staff to assess whether the same threat actor(s) had sought to access information systems of other Commission registrants and to warn other registrants (as appropriate) about the threat posed by the actor(s). It also could help in developing measures to protect against the risk to Commission registrants posed by the threat actor. In addition, the information would help the Commission assess the impact on the Covered Entity experiencing the significant cybersecurity incident to the extent other Commission registrants have been attacked by the same threat actor(s) using similar tactics, techniques, and procedures.

Line Item 8 of Part I of proposed Form SCIR would require the Covered Entity to describe the actions taken or planned to respond to and recover from the significant cybersecurity incident.318 The objective is to obtain information to assess the Covered Entity’s operating status, including its critical operations. This information also could assist the Commission and Commission staff in considering if the response measures are effective or ineffective in addressing the Covered Entity’s significant cybersecurity incident.

Line Item 9 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether any data was stolen, altered, or accessed or used for any other unauthorized purpose.319 The Covered Entity would have the option of checking yes, no, or unknown. If yes, the Covered Entity would need to describe the nature and scope of the data. This information would help the Commission and its staff understand the potential harm to the Covered Entity and its customers, counterparties, members, registrants, or users that could result from the compromise of the data. It also would provide insight into how the significant cybersecurity incident could impact other Market Entities.

Line Item 10 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether any personal information was lost, stolen, modified, deleted, destroyed, or accessed without authorization as a result of the significant cybersecurity incident.320 The Covered Entity would have the option of checking yes, no, or unknown. If yes, the Covered Entity would need to describe the nature and scope of the information. Additionally, if the Covered Entity answered yes, it would need to indicate whether notification has been provided to persons whose personal information was lost, stolen, damaged, or accessed without authorization.321 If the answer is no, the Covered Entity would need to indicate whether this notification is planned.322 For the purposes of proposed Form SCIR, the term "personal information" would have the same meaning as that term is defined in proposed Rule 10.323 The compromise of personal information can have severe consequences on the persons to whom the information relates. For example, it potentially can be used to steal their identities or access their accounts at financial institutions to steal assets held in those accounts.

316 See Line Item 7.A. of Part I of proposed Form SCIR.
317 See Line Item 7.B. of Part I of proposed Form SCIR.
318 See Line Item 8 of Part I of proposed Form SCIR.
Consequently, this information would help the Commission assess the extent to which the significant cybersecurity incident has created this risk and the potential harm that could result from the compromise of personal data.

Line Item 11 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether any of its assets were lost or stolen as a result of the significant cybersecurity incident.324 The Covered Entity would have the option of checking yes, no, or unknown. If yes, the Covered Entity would need to describe the types of assets that were lost or stolen and include an approximate estimate of their value, if known. This question is not limited to particular types of assets and, therefore, the Covered Entity would need to respond affirmatively if, among other types of assets, financial assets such as cash and securities were lost or stolen or intellectual property was lost or stolen. The loss or theft of the Covered Entity’s assets could potentially cause the entity to fail financially or put a strain on its liquidity.

319 See Line Item 9 of Part I of proposed Form SCIR.
320 See Line Item 10.A. of Part I of proposed Form SCIR.
321 See Line Item 10.B.i. of Part I of proposed Form SCIR.
322 See Line Item 10.B.ii. of Part I of proposed Form SCIR.
323 See Instruction A.5.e. of proposed Form SCIR. See also paragraph (a)(9) of proposed Rule 10 (defining "personal information" to mean any information that can be used, alone or in conjunction with any other information, to identify a person, such as name, date of birth, place of birth, telephone number, street address, mother’s maiden name, government passport number, Social Security number, driver’s license number, electronic mail address, account number, account password, biometric records, or other non-public authentication information).
Further, to the extent counterparties become aware of the loss or theft, it could cause them to withdraw assets from the entity or stop transacting with the entity further straining its financial condition. Consequently, the objective is to understand whether the significant cybersecurity incident has created this risk and whether there may be other spillover effects or consequences to the U.S. securities markets.

Line Item 12 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether any assets of the Covered Entity’s customers, counterparties, clients, members, registrants, or users were lost or stolen as a result of the significant cybersecurity incident.325 The Covered Entity would have the option of checking yes, no, or unknown. If yes, the Covered Entity would need to describe the types of assets that were lost or stolen and include an approximate estimate of their value, if known. Additionally, if the Covered Entity answered yes, it would need to indicate whether notification has been provided to persons whose assets were lost or stolen.326 If the answer is no, the Covered Entity would need to indicate whether this notification is planned.327 Certain types of Covered Entities hold assets belonging to other persons or maintain ownership records of the assets of other persons.328 For example, certain broker-dealers maintain custody of securities and cash for other persons and clearing agencies hold clearing deposits of their members. A significant cybersecurity incident impacting a Covered Entity that results in the loss or theft of assets can cause severe financial hardship to the owners of those assets.

324 See Line Item 11 of Part I of proposed Form SCIR.
325 See Line Item 12.A. Part I of proposed Form SCIR.
326 See Line Item 11.B.i. of Part I of proposed Form SCIR.
327 See Line Item 12.B.ii. of Part I of proposed Form SCIR.
It also can impact the financial condition of the Covered Entity if it is liable for the loss or theft. Consequently, the objective is to understand whether the significant cybersecurity incident has created this risk.

As discussed in more detail below, proposed Rule 10 would require a Covered Entity to make a public disclosure that generally describes each significant cybersecurity incident that has occurred during the current or previous calendar year and promptly update this disclosure after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes.329 The Covered Entity would be required to make the disclosure on the Covered Entity’s business internet website and by filing Part II of proposed Form SCIR through the EDGAR system.330 In addition, if the Covered Entity is a carrying or introducing broker-dealer, it would need to make the disclosure to its customers using the same means that a customer elects to receive account statements.331

Line Item 13 of Part I of proposed Form SCIR would require the Covered Entity to indicate whether the significant cybersecurity incident has been disclosed pursuant to the requirements of proposed Rule 10.332 The Covered Entity also would need to indicate whether it made the required disclosures of Part II of proposed Form SCIR on its website and through EDGAR and, if it had made the disclosure, it would need to indicate the date of the disclosure.333 A Covered Entity that is a carrying or introducing broker-dealer would need to indicate separately whether it made the required disclosure of Part II of proposed Form SCIR to its customers.334 The Covered Entity would not need to indicate a date for the customer disclosure because it could be made in a number of ways (e.g., by email or mail) and that process could span a number of days. If the Covered Entity has not disclosed the significant cybersecurity incident as required by proposed Rule 10, it would need to explain why. The requirement to report this information is designed to promote compliance with the disclosure requirements of proposed Rule 10.

Line Item 14 of Part I of proposed Form SCIR would elicit information about any insurance coverage the Covered Entity may have with respect to the significant cybersecurity incident.335 First, the Covered Entity would need to indicate whether the significant cybersecurity incident is covered by an insurance policy of the Covered Entity.336 The Covered Entity would have the option of checking yes, no, or unknown. If yes, the Covered Entity would need to indicate whether the insurance company has been contacted. The existence of insurance coverage to cover losses could be relevant to Commission staff in assessing the potential magnitude of harm to the Covered Entity’s customers, counterparties, members, registrants, or users and to the Covered Entity’s financial condition.

328 See Section I.A.2. of this release (discussing the functions of Market Entities).
329 See paragraph (d)(1)(ii) of proposed Rule 10. See also sections II.B.3. and II.B.4. of this release (discussing these proposed disclosure requirements in more detail).
330 See paragraphs (d)(2)(i) and (ii) of proposed Rule 10.
331 See paragraph (d)(3) of proposed Rule 10. See section II.B.3.b. of this release (discussing the broker-dealer disclosure requirement in more detail).
332 See Line Items 13.A. through C. of proposed Form SCIR.
333 See Line Items 13.A. through B. of proposed Part I of Form SCIR.
For example, the existence of insurance coverage, to the extent the significant cybersecurity incident is covered by the policy, could indicate a greater possibility that the Covered Entity and/or any of its customers, counterparties, members, registrants, or users affected by the incident are made whole. Finally, Line Item 15 of Part I of proposed Form SCIR would permit the Covered Entity to include in the form any additional information the entity would want the Commission and Commission staff to know as well as provide any comments about the information included in the report.337 c. Request for Comment The Commission requests comment on all aspects of the proposed requirements to report significant cybersecurity incidents on Part I of proposed Form SCIR. In addition, the Commission is requesting comment on 334 See Line Item 13.C. of Part I of proposed Form SCIR. 335 See Line Items 14.A. and B. of Part I of proposed Form SCIR. 336 See Line Item 14.A. of Part I of proposed Form SCIR. 337 See Line Item 15 of proposed Part I of Form SCIR. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 the following specific aspects of the proposals: 41. Should paragraph (c)(1) of proposed Rule 10 be modified to revise the immediate notification requirement? For example, should the requirement permit the notice to be made by telephone or email? If so, explain why. If not, explain why not. If telephone or email notice is permitted, should the rule specify the Commission staff, Division, or Office to phone or email? 42. Should paragraph (c)(1) of proposed Rule 10 be modified to revise the requirement to provide immediate written electronic notice to specify how the notice must be transmitted to the Commission? For example, should the rule specify an email address or other type of electronic portal to be used to transmit the notice? If so, explain why. If not, explain why not. 
Should the rule be modified to require that the notice be transmitted to the Commission through the EDGAR system? If so, explain why. If not, explain why not. Should the rule be modified to require that the notice be transmitted to the Commission through the EDGAR system using a structured data language other than custom XML format?

43. Should paragraph (c)(1) of proposed Rule 10 be modified to revise the requirement to provide immediate written electronic notice to require the notice to be provided within a specific timeframe such as on the same day the requirement was triggered or within 24 hours? If so, explain why. If not, explain why not.

44. Should paragraph (c)(1) of proposed Rule 10 be modified to revise the trigger for the immediate notification and reporting requirements? If so, explain why. If not, explain why not. For example, should the trigger be when the Covered Entity ‘‘detects’’ a significant cybersecurity incident (rather than when it has a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring)? If so, explain why. If not, explain why not. For example, would a detection standard be a less subjective standard? If so, explain why. If not, explain why not. Is there another trigger standard that would be more appropriate? If so, identify it and explain why it would be more appropriate.

45. If the immediate notification requirement of paragraph (c)(1) is adopted as proposed, it is anticipated that a dedicated email address would be established to receive these notices. Are there other methods the Commission should use for receiving these notices? If so, identify them and explain why they would be more appropriate than email. For example, should the notices be received through the EDGAR system? If so, explain why. If not, explain why not.

46. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the reporting requirements to incorporate the cybersecurity reporting program that CISA will implement under recently adopted legislation (‘‘CISA Reporting Program’’) to the extent it will be applicable to Covered Entities?338 If so, explain why and suggest modifications to the proposed reporting requirements for Covered Entities to incorporate the CISA Reporting Program. For example, if a Covered Entity would be required to file a report under the CISA Reporting Program, should that report satisfy the obligations to report to the Commission a significant cybersecurity incident under paragraph (c) of proposed Rule 10? If so, explain why. If not, explain why not.

47. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the timeframe for filing an initial Part I of proposed Form SCIR? If so, explain why. If not, explain why not. For example, should the reporting requirements be revised to permit Covered Entities more than 48 hours to file an initial Part I of proposed Form SCIR with the Commission? If yes, explain how long they should have to file the initial Part I of proposed Form SCIR and why that timeframe would be appropriate. For example, should Covered Entities have 72 or 96 hours to file the initial Part I of proposed Form SCIR? If so, explain why. If not, explain why not. Would providing more time to file the initial Part I of proposed Form SCIR make the filing more useful insomuch as the Covered Entity would have more time to investigate the significant cybersecurity incident? If so, explain why and how to balance that benefit against the delay in providing this information to the Commission within 48 hours. Would the immediate notification requirement of paragraph (c) of proposed Rule 10 make it appropriate to lengthen the timeframe for when the Covered Entity would need to file the initial Part I of proposed Form SCIR? If so, explain why. If not, explain why not.
For example, could the immediate notification requirement and the ability of the Commission staff to follow up with the contact person identified on the notification serve as an appropriate alternative to receiving the initial Part I of proposed Form SCIR within 48 hours? If so, explain why. If not, explain why not. Conversely, should the timeframe for filing an initial Part I of proposed Form SCIR be shortened to 24 hours or some other period of time that is less than 48 hours? If so, explain why. If not, explain why not.

338 See CIRCIA.

48. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the timeframe for filing an initial or amended Part I of proposed Form SCIR so the timeframes are expressed in business days or calendar days instead of hours? If so, explain why. If not, explain why not. For example, should Covered Entities have two, five, or some other number of business or calendar days to file an initial or amended Part I of proposed Form SCIR? Would business or calendar days be more appropriate given that Part I of proposed Form SCIR would be filed through the EDGAR system?339 If so, explain why. If not, explain why not.

339 The Commission accepts electronic submissions through the EDGAR system Monday through Friday, except federal holidays, from 6:00 a.m. to 10:00 p.m. Eastern Time. See Chapter 2 of the EDGAR Filer Manual (Volume I), version 41 (Dec. 2022). Further, filings submitted by direct transmission commencing on or before 5:30 p.m. Eastern Standard Time or Eastern Daylight Saving Time, whichever is currently in effect, shall be deemed filed on the same business day, and all filings submitted by direct transmission commencing after 5:30 p.m. Eastern Standard Time or Eastern Daylight Saving Time, whichever is currently in effect, shall be deemed filed as of the next business day. 17 CFR 232.13.

49. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the timeframe for filing an initial or amended Part I of proposed Form SCIR so that it must be filed promptly after the filing requirement is triggered without specifying the 48-hour limit? If so, explain why and describe how ‘‘promptly’’ should be interpreted for purposes of the reporting requirements of paragraph (c) of proposed Rule 10. If not, explain why not.

50. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the reporting requirements to include the filing of an initial Part I of proposed Form SCIR and a final Part I of proposed Form SCIR but not require the filing of interim amended forms? If so, explain why. If not, explain why not. For example, could informal communications between the Commission staff and the Covered Entity facilitated by the contact employee identified in the immediate notice that would be required under paragraph (c)(1) of proposed Rule 10 be an appropriate alternative to requiring the filing of interim amended forms? If so, explain why. If not, explain why not.

51. Should paragraph (c)(2) of proposed Rule 10 be modified to revise the reporting requirements to include the filing of interim amended forms on a pre-set schedule? If so, explain why. If not, explain why not. For example, should Covered Entities be required to file an initial Part I of proposed Form SCIR and a final Part I of proposed Form SCIR pursuant to the requirements of paragraph (c) of proposed Rule 10 but file interim amended forms on a pre-set schedule?
If so, explain why this would be appropriate, including why a pre-set reporting requirement would not undermine the objectives of the proposed reporting requirements, and how often the interim reporting should be required (e.g., weekly, bi-weekly, monthly, quarterly). Would a pre-set reporting cadence (e.g., weekly, bi-weekly, monthly, quarterly) undermine the objectives of the proposed reporting requirements by inappropriately delaying the Commission’s receipt of important information about a significant cybersecurity incident? If so, explain why. If not, explain why not. Would the immediate notification requirement and the ability of the Commission staff to follow up with the contact person identified on the notification mitigate this potential consequence? If so, explain why. If not, explain why not.

52. Should paragraph (c)(2)(ii)(D) of proposed Rule 10 and Part I of proposed Form SCIR be modified to revise the reporting requirements relating to internal investigations? If so, explain why. If not, explain why not. For example, would these reporting requirements create a disincentive for Covered Entities to perform internal investigations in response to significant cybersecurity incidents? If so, explain why. If not, explain why not.

53. Should Part I of proposed Form SCIR be modified? If so, explain why. If not, explain why not. For example, does the form strike an appropriate balance of providing enough detail to the Commission to be helpful while also not being unduly burdensome to Covered Entities? If so, explain why. If not, explain why not. Is certain information that would be elicited in Part I of Form SCIR unnecessary? If so, identify the information and explain why it would be unnecessary. Is there additional information that should be required to be included in Part I of proposed Form SCIR? If so, identify the information and explain why it would be appropriate to require a Covered Entity to report it in the form.

54. Should Part I of proposed Form SCIR be modified to require that Covered Entities provide a UIC—such as an LEI340 (which would require each Covered Entity without a UIC (such as an LEI) to obtain one to comply with the rule)? If so, explain why. If not, explain why not. For example, would a requirement to provide a UIC allow the Commission staff to better evaluate cyber-threats to Covered Entities? If so, explain why. If not, explain why not. Should the form be modified to require Covered Entities to provide another type of standard identifier other than a CIK number and UIC (if they have a UIC)? If so, explain why. If not, explain why not.

340 The Commission approved a UIC (namely, the LEI) in a previous rulemaking. See section II.B.2.b. of this release; see also Regulation SBSR Release, 80 FR at 14632. The Commission is aware that additional identifiers could be recognized as UICs in the future, but for the purposes of this release, the Commission is equating the UIC with the LEI.

3. Disclosure of Cybersecurity Risks and Incidents

a. Cybersecurity Risks and Incidents Disclosure

Proposed Rule 10 would require a Covered Entity to make two types of public disclosures relating to cybersecurity on Part II of proposed Form SCIR.341 First, the Covered Entity would need to, in plain English, provide a summary description of the cybersecurity risks that could materially affect its business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks.342 A cybersecurity risk would be material to a Covered Entity if there is a substantial likelihood that a reasonable person would consider the information important based on the total mix of facts and information.343 The facts and circumstances relevant to determining materiality in this context may include, among other things, the likelihood and extent to which the cybersecurity risk or resulting incident: (1) could disrupt or degrade the Covered Entity’s ability to maintain critical operations; (2) could adversely affect the confidentiality, integrity, or availability of information residing on the Covered Entity’s information systems, including whether the information is personal, confidential, or proprietary information; and/or (3) could harm the Covered Entity or its customers, counterparties, members, registrants, users, or other persons.

341 See paragraph (d)(1) of proposed Rule 10.
342 See paragraph (d)(1)(i) of proposed Rule 10; Line Item 2 of Part II of proposed Form SCIR.
343 See, e.g., SEC v. Steadman, 967 F.2d 636, 643 (D.C. Cir. 1992); cf. Basic Inc. v. Levinson, 485 U.S. 224, 231–232 (1988); TSC Industries v. Northway, Inc., 426 U.S. 438, 445, 449 (1976).

The second element of the disclosure would be a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable.344 The look-back period of the current and previous calendar years is designed to make the disclosure period consistent across all Covered Entities. The look-back period also is designed to provide a short history of significant cybersecurity incidents affecting the Covered Entity while not overburdening the firm with a longer disclosure period.
344 See paragraph (d)(1)(ii) of proposed Rule 10; Line Item 3 of Part II of proposed Form SCIR. See also paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity incident’’).

The summary description of each significant cybersecurity incident would need to include: (1) the person or persons affected;345 (2) the date the incident was discovered and whether it is ongoing; (3) whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; (4) the effect of the incident on the Covered Entity’s operations; and (5) whether the Covered Entity, or service provider, has remediated or is currently remediating the incident.346 This disclosure—because it addresses actual significant cybersecurity incidents—would serve as another way for market participants to evaluate the Covered Entity’s cybersecurity risks and vulnerabilities apart from the general disclosure of its cybersecurity risk. For example, a Covered Entity’s disclosure of multiple significant cybersecurity incidents during the current or previous calendar year (particularly, if they did not impact other Covered Entities) would be useful in assessing whether the Covered Entity is adequately addressing cybersecurity risk or is more vulnerable to that risk as compared with other Covered Entities. The objective of these disclosures is to provide greater transparency to customers, counterparties, registrants, or members of the Covered Entity, or to users of its services, about the Covered Entity’s exposure to material harm as a result of a cybersecurity incident, which, in turn, could cause harm to customers, counterparties, members, registrants, or users. This information could be used by these persons to manage their own cybersecurity risk and, to the extent they have choice, select a Covered Entity with which to transact or otherwise conduct business.

345 This element of the disclosure would not need to include the identities of the persons affected or personal information about those persons. Instead, the disclosure could use generic terms to identify the person or persons affected. For example, the disclosure could state that ‘‘customers of the broker-dealer,’’ ‘‘counterparties of the SBSD,’’ or ‘‘members of the SRO’’ are affected (as applicable).
346 See paragraphs (d)(1)(ii)(A) through (E) of proposed Rule 10; Line Item 3 of Part II of proposed Form SCIR.

Information about prior attacks and their degree of success is immensely valuable in mounting effective countermeasures.347 However, the intent of the disclosure on Part II of proposed Form SCIR is to avoid overly detailed disclosures that could increase cybersecurity risk for the Covered Entity and other persons. Revealing too much information could assist future attackers as well as lead to loss of customers, reputational harm, litigation, or regulatory scrutiny, which would be a cost associated with public disclosure.348 Therefore, under proposed Rule 10, the Covered Entity would be required to provide only a summary description of its cybersecurity risk and significant cybersecurity incidents.349 The requirement that the disclosures contain summary descriptions only is designed to produce meaningful disclosures but not disclosures that would reveal information (e.g., proprietary or confidential methods of addressing cybersecurity risk or known cybersecurity vulnerabilities) that could be used by threat actors to cause harm to the Covered Entity or its customers, counterparties, members, users, or other persons. This requirement is also designed to produce high-level disclosures about the Covered Entity’s cybersecurity risks and significant cybersecurity incidents that can be easily reviewed by interested parties in order to give them a general understanding of the Covered Entity’s risk profile.

347 See Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press 222 (2014).
348 See, e.g., Federal Trade Commission v. Equifax, Inc., FTC Matter/File Number: 172 3203, Civil Action Number: 1:19–cv–03297–TWT (2019), available at https://www.ftc.gov/enforcement/casesproceedings/172-3203/equifax-inc (‘‘FTC Equifax Civil Action’’).
349 See paragraphs (d)(1)(i) and (ii) of proposed Rule 10.

b. Disclosure Methods and Updates

Proposed Rule 10 would require a Covered Entity to make the public disclosures discussed above (i.e., the information about cybersecurity risks and significant cybersecurity incidents) on Part II of proposed Form SCIR.350 Part II of proposed Form SCIR would elicit information about the Covered Entity that would be used to identify the filer.351 In particular, the Covered Entity would need to provide its full legal name and business name (if different from its legal name), UIC (if the filer has a UIC),352 CIK number, and main address.353 The Covered Entity also would need to indicate the type of Market Entity it is by checking the appropriate box or boxes.354 For example, if the Covered Entity is dually registered as a broker-dealer and SBSD, it would need to check the box for each of those entity types. Page 1 of Part II of proposed Form SCIR also would contain fields for the individual executing the form to sign and date the form. By signing the form, the individual would: (1) certify that the form was executed on behalf of, and with the authority of, the Covered Entity; and (2) represent individually, and on behalf of the Covered Entity, that the information and statements contained in the form are current, true and complete.

350 See paragraph (d) of proposed Rule 10.
351 See Line Items 1.A. through 1.D. of Part II of proposed Form SCIR.
The form of the certification is designed to ensure that the Covered Entity, through the individual executing the form, discloses information that can be used by the Covered Entity’s customers, counterparties, members, registrants, or users, or by other interested persons to assess the Covered Entity’s cybersecurity risk profile and compare it with the risk profiles of other Covered Entities.

As discussed above, proposed Rule 10 would require the Covered Entity to publicly disclose a summary description of the cybersecurity risks that could materially affect the Covered Entity’s business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks.355 Line Item 2 of Part II of proposed Form SCIR would contain a narrative field in which the Covered Entity would provide this summary description.356 In order to provide context to the meaning of the disclosure, the beginning of Line Item 2 would set forth the definition of ‘‘cybersecurity risk’’ in proposed Rule 10 as well as the definitions of ‘‘cybersecurity incident,’’ ‘‘cybersecurity threat,’’ and ‘‘cybersecurity vulnerability’’ because these three terms are used in the definition of ‘‘cybersecurity risk.’’357

352 As mentioned previously, the Commission approved a UIC—namely, the LEI—in a prior rulemaking. See section II.B.2.b. of this release. Therefore, for the purposes of this release, the Commission is proposing to require those Covered Entities that already have LEIs to identify themselves with LEIs on Part II of Form SCIR.
353 See Line Items 1.A. through 1.C. of Part I of proposed Form SCIR. See also section II.B.2.b. of this release (discussing UIC and CIK numbers in more detail with respect to Part I of proposed Form SCIR).
354 See Line Item 1.D. of Part II of proposed Form SCIR (setting forth check boxes to indicate whether the Covered Entity is a broker-dealer, clearing agency, MSBSP, the MSRB, a national securities association, a national securities exchange, SBSD, SBSDR, or transfer agent).
355 See paragraph (d)(1)(i) of proposed Rule 10.
356 See Line Item 2 of Part II of proposed Form SCIR.

Line Item 3 of Part II of proposed Form SCIR would be used to make the disclosure about each significant cybersecurity incident that occurred during the current and previous calendar year.358 The definition of ‘‘significant cybersecurity incident’’ would be set forth at the beginning of Line Item 3 in order to provide context to the meaning of the disclosure. To complete the line item, the Covered Entity first would need to indicate by checking ‘‘yes’’ or ‘‘no’’ whether it had experienced one or more significant cybersecurity incidents during the current or previous calendar year. If the answer is yes, the Covered Entity would need to provide in a narrative field on Line Item 3 the summary description of each significant cybersecurity incident.359

As discussed next, there would be two methods of making the disclosure, which would be required of all Covered Entities under proposed Rule 10, and an additional third method that would be required of Covered Entities that are carrying or introducing broker-dealers. First, Covered Entities would be required to file Part II of Form SCIR with the Commission electronically through the EDGAR system in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T,360 and in accordance with the requirements of Regulation S–T.361 The Commission would make these filings available to the public.
The objective of requiring centralized EDGAR filing of Part II of proposed Form SCIR is to facilitate the ability to compare disclosures across different Covered Entities or categories of Covered Entities in the same manner that EDGAR filing facilitates comparison of financial statements, annual reports, and other disclosures across Commission registrants. By creating a single location for all of the disclosures, Commission staff, investors, market participants, and analysts as well as Covered Entities’ customers, counterparties, members, registrants, or users would be able to run search queries to compare the disclosures of multiple Covered Entities. Centralized EDGAR filing could make it easier for Commission staff and others to assess the cybersecurity risk profiles of different types of Covered Entities and could facilitate trend analysis of significant cybersecurity incidents. Thus, by providing a central location for the cybersecurity disclosures, filing Part II of proposed Form SCIR through EDGAR could lead to greater transparency of the cybersecurity risks in the U.S. securities markets.

357 Id. See also paragraphs (a)(2) through (5) of proposed Rule 10 (defining, respectively, ‘‘cybersecurity incident,’’ ‘‘cybersecurity risk,’’ ‘‘cybersecurity threat,’’ and ‘‘cybersecurity vulnerability’’).
358 See Line Item 3 of Part II of proposed Form SCIR.
359 See paragraph (d)(1)(ii) of proposed Rule 10.
360 See 17 CFR 232.11.
361 See paragraph (d)(2)(i) of proposed Rule 10.
Second, proposed Rule 10 would require the Covered Entity to post a copy of the Part II of proposed Form SCIR most recently filed on EDGAR on an easily accessible portion of its business internet website that can be viewed by the public without the need of entering a password or making any type of payment or providing any other consideration.362 Consequently, the disclosures could not be located behind a ‘‘paywall’’ or otherwise require a person to pay a registration fee or provide any other consideration to access them. The purpose of requiring the form to be posted on the Covered Entity’s business internet website is that individuals naturally may visit a company’s business internet website when seeking timely and updated information about the company, particularly if the company is experiencing an incident that disrupts or degrades the services it provides. Therefore, requiring the form to be posted on the website is designed to make it available through this commonly used method of obtaining information. Additionally, individuals may naturally visit a company’s business internet website as part of their due diligence process in determining whether to use its services. Therefore, posting the form on the Covered Entity’s business internet website could provide individuals with information about the Covered Entity’s cybersecurity risks before they elect to enter into an arrangement with the firm. It could serve a similar purpose for individuals considering whether to maintain an ongoing business relationship with the Covered Entity.

362 See paragraph (d)(2)(ii) of proposed Rule 10. In addition to the disclosure to be made available to security-based swap counterparties as required by paragraph (d)(2)(ii) of proposed Rule 10, current Commission rules require that SBS Entities’ trading relationship documentation between certain counterparties address cybersecurity. Specifically, an SBS Entity’s trading relationship documentation must include valuation methodologies for purposes of complying with specified risk management requirements, which would include the risk management requirements of proposed Rule 10 (if it is adopted). See 17 CFR 250.15Fi–5(b)(4). This documentation would include a dispute resolution process or alternative methods for determining value in the event of a relevant cybersecurity incident. See also section IV.C.1.b.iii. of this release (discussing disclosure requirements of Rule 15Fh-3(b)).

In addition to those two disclosure methods, a Covered Entity that is either a carrying or introducing broker-dealer would be required to provide a copy of the Part II of proposed Form SCIR most recently filed on EDGAR to a customer as part of the account opening process.363 Thereafter, the Covered Entity would need to provide the customer with the most recently posted form annually and when it is updated. The broker-dealer would need to deliver the form using the same means that the customer elects to receive account statements (e.g., by email or through the postal service).364 This additional method of disclosure is designed to make the information readily available to the broker-dealer’s customers (many of whom may be retail investors) through the same processes that other important information (i.e., information about their securities accounts) is communicated to them. Requiring a broker-dealer to deliver copies of the form is designed to enhance investor protection by enabling customers to take protective or remedial measures to the extent appropriate. It would also assist customers in determining whether their engagement of that particular broker-dealer remains appropriate and consistent with their investment objectives.
Finally, a Covered Entity would be required to file on EDGAR an updated Part II of proposed Form SCIR promptly if the information required to be disclosed about cybersecurity risks or significant cybersecurity incidents materially changes, including, in the case of the disclosure about significant cybersecurity incidents, after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes.365 The Covered Entity also would need to post a copy of the updated Part II of proposed Form SCIR promptly on its business internet website and, if it is a carrying broker-dealer or introducing broker-dealer, deliver copies of the form to its customers.

363 See paragraph (d)(3) of proposed Rule 10.
364 If the disclosure requirements of proposed Rule 10 are adopted, the Commission would establish a compliance date by which a Covered Entity would need to make its first public disclosure on Part II of proposed Form SCIR. At a minimum, the initial disclosure would need to include a summary description of the cybersecurity risks that could materially affect the Covered Entity’s business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks. In setting an initial compliance date, the Commission could take a bifurcated approach in which each method of disclosure has a different compliance date. For example, the compliance date for making the website disclosure could come before the compliance date for making the EDGAR disclosure and the additional disclosure required of carrying and introducing broker-dealers. The Commission seeks comment below on a potential compliance date or compliance dates for the disclosure requirements.
365 See paragraph (d)(4) of proposed Rule 10. See also Instruction C.2. of proposed Form SCIR. As discussed earlier, a Covered Entity would be required to file Part I of proposed Form SCIR with the Commission promptly, but no later than 48 hours, upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. See paragraph (c)(2)(i) of proposed Rule 10; see also section II.B.2.a. of this release (discussing this requirement in more detail). Therefore, the Covered Entity would need to file a Part I and an updated Part II of proposed Form SCIR with the Commission relatively contemporaneously. Depending on the facts and circumstances, the Part I and updated Part II could be filed at the same time or one could precede the other if the Covered Entity, for example, has the information to complete Part II first but needs more time to gather the information to complete Part I (which elicits substantially more information than Part II). However, as discussed above, Part I must be filed no later than 48 hours after the Covered Entity has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring and the Covered Entity must include in the initial filing the information that is known at that time and file an updated Part I as more information becomes known to the Covered Entity.

Given the potential effect that significant cybersecurity incidents could have on a Covered Entity’s customers, counterparties, members, registrants, or users—such as exposing their personal or other confidential information or resulting in a loss of cash or securities from their accounts—time is of the essence, and requiring a Covered Entity to update the disclosures promptly would enhance investor protection by enabling customers, counterparties, members, registrants, or users to take proactive or remedial measures to the extent appropriate. Accordingly, the timing of the filing of an updated disclosure should take into account the exigent nature of significant cybersecurity incidents, which would generally militate toward swiftly filing the update. Furthermore, requiring Covered Entities to update their disclosures following the occurrence of a new significant cybersecurity incident would assist market participants in determining whether their business relationship with that particular Covered Entity remains appropriate and consistent with their goals.

A Covered Entity also would need to file an updated Part II of proposed Form SCIR if the information in the summary description of a significant cybersecurity incident included on the form is no longer within the look-back period (i.e., the current or previous calendar year). For example, the information that would need to be included in the summary description includes whether the significant cybersecurity incident is ongoing and whether the Covered Entity had remediated it. The Covered Entity would need to file an updated Part II of proposed Form SCIR if the significant cybersecurity incident was remediated and ended on a date that was beyond the look-back period. The updated Part II of proposed Form SCIR would no longer include a summary description of that specific significant cybersecurity incident. The objective is to focus the most recently filed disclosure on events within the relatively near term. The history of the Covered Entity’s significant cybersecurity incidents would be available in previous filings.

c. Request for Comment

The Commission requests comment on all aspects of the proposed disclosure requirements. In addition, the Commission is requesting comment on the following specific aspects of the proposals:

55. Should paragraph (d)(1)(i) of proposed Rule 10 be modified to revise the requirements that Covered Entities publicly disclose the cybersecurity risks that could materially affect their business and operations and to publicly disclose a description of how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks? If so, explain why. If not, explain why not. For example, would the public disclosures required by paragraph (d)(1)(i) of proposed Rule 10 be useful or provide meaningful information to a Covered Entity’s customers, counterparties, members, registrants, or users? If so, explain why. If not, explain why not. Could the proposed disclosure requirement be modified to make it more useful? If so, explain how. Could the public disclosures required by paragraph (d)(1)(i) of proposed Rule 10 assist threat actors in engaging in cyber crime? If so, explain why. If not, explain why not. Could the proposed disclosure requirements be modified to eliminate this risk without negatively impacting the usefulness of the disclosures? If so, explain how.

56. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to revise the requirements that Covered Entities publicly disclose information about each significant cybersecurity incident that has occurred during the current or previous calendar year? If so, explain why. If not, explain why not. For example, would the public disclosures required by paragraph (d)(1)(ii) of proposed Rule 10 be useful or provide meaningful information to a Covered Entity’s customers, counterparties, members, registrants, or users? If so, explain why. If not, explain why not. Could the proposed disclosure requirement be modified to make it more useful? If so, explain how. Could the public disclosures required by paragraph (d)(1)(ii) of proposed Rule 10 assist threat actors in engaging in cyber crime? If so, explain why. If not, explain why not.
Could the proposed disclosure requirements be modified to eliminate this risk without negatively impacting the usefulness of the disclosures? If so, explain how. 57. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to revise the required current and previous year look-back period for the disclosure of significant cybersecurity incidents? If so, explain why. If not, explain why not. For example, should the look-back period be a shorter period of time (e.g., only the current calendar year)? If so, explain why. If not, explain why not. Alternatively, should the look-back period be longer (e.g., the current calendar year and previous two calendar years)? If so, explain why. If not, explain why not. Should the look-back period be expressed in months rather than calendar years? For example, should the look-back period be 12, 18, 24, 30, or 36 months? If so, explain why. If not, explain why not. 58. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to provide that the requirement to include a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year in Part II of proposed Form SCIR be prospective and, therefore, limited to significant cybersecurity incidents that occur on or after the compliance date of the disclosure requirement? If so, explain why. If not, explain why not. 59. Should the public disclosure requirements of paragraphs (d)(1)(i) and (ii) of proposed Rule 10 be modified to require the disclosure of additional or different information? If so, identify the additional or different information and explain why it would be appropriate to require its public disclosure by Covered Entities. 60. Should 17 CFR 240.15Fh-3(b) be amended to specify that required counterparty disclosure includes the information that would be required by paragraph (d)(1) of proposed Rule 10 and publicly disclosed on Part II of proposed Form SCIR? If so, explain why. If not explain why not. 61. 
Should paragraph (d)(2) of proposed Rule 10 be modified to revise E:\FR\FM\05APP2.SGM 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules the methods of making the public disclosures? If so, explain why. If not, explain why not. For example, should Covered Entities be required to file Part II of proposed Form SCIR on EDGAR but not be required to post a copy of the form on their business internet websites? If so, explain why. If not, explain why not. Would requiring the public cybersecurity disclosures to be filed in a centralized electronic system, such as EDGAR, make it easier for investors, analysts, and others to access and gather information from the cybersecurity disclosures than if those disclosures were only posted on Covered Entity websites? Alternatively, should Covered Entities be required to post an executed copy of Part II of proposed Form SCIR on their business internet websites but not be required to file the form on EDGAR? If so, explain why. If not, explain why not. Why or why not? 62. Should paragraph (d)(2) of proposed Rule 10 be modified to revise the requirement to post a copy of Part II of proposed Form SCIR on business internet website of the Covered Entity to permit the Covered Entity to post a link to the EDGAR filing? If so, explain why. If not, explain why not. 63. Should paragraph (d)(3) of proposed Rule 10 be modified to revise the additional methods of making the public disclosures required of carrying and introducing broker-dealers? If so, explain why. If not, explain why not. For example, would filing Part II of proposed Form SCIR on EDGAR and posting a copy of the form on the Covered Entity’s business internet website be sufficient to meet the objectives of the disclosure requirements discussed above and, therefore, obviate the need for a carrying broker-dealer or introducing brokerdealer to additionally send copies of the form to customers? 
If so, explain why. If not, explain why not. Rather than requiring the broker-dealer or introducing broker-dealer to send a copy of the Part II of proposed Form SCIR most recently filed on EDGAR to each customer, would it be sufficient that the most recently filed form as of the end of each quarter or the calendar year be sent to the customers? If so, explain why. If not, explain why not. 64. Should paragraph (d)(3) of proposed Rule 10 be modified to permit the Covered Entity to send a website link to the EDGAR filing to customers instead of a copy of the EDGAR filing? If so, explain why. If not, explain why not. 65. Should paragraph (d)(3) of proposed Rule 10 be modified to require other types of Covered Entities to send VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 a copy of the most recently filed Part II of proposed Form SCIR to their customers, counterparties, members, registrants, or users? If so, explain why. If not, explain why not. For example, should transfer agents be required to send the most recently filed Part II of proposed Form SCIR to their securityholders? If so, explain why. If not, explain why not. 66. Should paragraph (d)(4) of proposed Rule 10 be modified to revise the requirement that a Covered Entity must ‘‘promptly’’ provide an updated disclosure on Part II of proposed Form SCIR if the information on the previous disclosure materially changes to provide that the Commission shall allow registrants to delay publicly disclosing a significant cybersecurity incident where the Attorney General requests such a delay from the Commission based on the Attorney General’s written determination that the delay is in the interest of national security? 67. 
Should paragraph (d)(4) of proposed Rule 10 be modified to revise the requirement that a Covered Entity must ‘‘promptly’’ provide an updated disclosure on Part II of proposed Form SCIR if the information on the previous disclosure materially changes to specify a timeframe within which the updated filing must be promptly made? If so, explain why. If not, explain why not. For example, should the rule be modified to require that the updated disclosure must be made within 24, 36, 48, or 60 hours of the information on the previous disclosure materially changing? If so, explain why. If not, explain why not. Should the timeframe for making the updated disclosure be expressed in business days? If so, explain why. If not, explain why not. For example, should the updated disclosure be required to be made within two, three, four, or five business days (or some other number of days) of the information on the previous disclosure materially changing? If so, explain why. If not, explain why not. 68. Should paragraph (d)(4) of proposed Rule 10 be modified to revise the requirement that a Covered Entity must ‘‘promptly’’ provide an updated disclosure on Part II of proposed Form SCIR if the information on the previous disclosure materially changes to require the update to be made within 30 days (similar to the requirement for updating Form CRS)? 366 If so, explain why. If not, explain why not. For example, would this approach appropriately balance the objective of requiring timely disclosure with the objective of providing accurate 366 See Form CRS Instructions, available at https://www.sec.gov/files/formcrs.pdf. PO 00000 Frm 00049 Fmt 4701 Sfmt 4702 20259 and complete disclosure? If so, explain why. If not, explain why not. 69. 
Should paragraph (d)(4) of proposed Rule 10 be modified to revise the requirements that trigger when an updated Part II of proposed Form SCIR must be filed on EDGAR, posted on the Covered Entity’s business internet website, and, if applicable, sent to customers? If so, explain why. If not, explain why not. For example, should the rule require that an updated form must be publically disclosed through these methods on a quarterly, semiannual, or annual basis if the information on the previously filed form has materially changed? If so, explain why. If not, explain why not. 70. Should Part II of proposed Form SCIR be modified to require that Covered Entities provide a UIC—such as an LEI (which would require Covered Entities without a UIC (such as an LEI) to obtain one to comply with the rule)? 367 If so, explain why. If not, explain why not. For example, would requiring Covered Entities to provide a UIC better allow investors, analysts, and third-party data aggregators to evaluate the cyber security risk profiles of Covered Entities? If so, explain why. If not, explain why not. Should the form be modified to require Covered Entities to provide another type of standard identifier other than a CIK number and UIC (if they have a UIC)? If so, explain why. If not, explain why not. 71. If the disclosure requirements of proposed Rule 10 are adopted, what would be an appropriate compliance date for the disclosure requirements? For example, should the compliance date be three, six, nine, or twelve months after the effective date of the rule (or some other period of months)? Please suggest a compliance period and explain why it would be appropriate. Should the compliance date for the website disclosure be sooner than the compliance date for the EDGAR disclosure or vice versa? If so, explain why. If not, explain why not. 
Should the compliance date for the additional disclosure methods that would be required of carrying and introducing broker-dealers be different than the compliance dates for the website disclosure and the EDGAR disclosure? If so, explain why. If not, explain why not. If the requirement to provide a summary description of each significant cybersecurity incident that occurred 367 As mentioned previously in section II.B.2.b. of this release, the Commission approved a UIC (namely, the LEI) in a previous rulemaking. The Commission is aware that additional identifiers could be recognized as UICs in the future, but for the purposes of this release, the Commission is equating the UIC with the LEI. E:\FR\FM\05APP2.SGM 05APP2 20260 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules during the current and previous calendar year is prospective (i.e., does not apply to incidents that occurred before the compliance date), should the compliance period be shorter than if the requirement was retrospective, given that the initial disclosure, in most cases, would limited to a summary description of the cybersecurity risks that could materially affect the Covered Entity’s business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks? If so, explain why. If not, explain why not. 4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a Structured Data Language a. 
Discussion Proposed Rule 10 would require Covered Entities would file Parts I and II of proposed Form SCIR electronically with the Commission using the EDGAR system in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T,368 and in accordance with the requirements of Regulation S– T.369 In addition, under the proposed requirements, Covered Entities would file Parts I and II of Form SCIR in a structured (i.e., machine-readable) data language.370 Specifically, Covered Entities would file Parts I and II of proposed Form SCIR in an eXtensible Markup Language (‘‘XML’’)-based data language specific to the form (‘‘custom XML,’’ and in this release ‘‘SCIRspecific XML’’). While the majority of filings through the EDGAR system are submitted in unstructured HTML or ASCII formats, certain EDGAR-system filings are submitted using custom XML languages that are each specific to the particular form being submitted.371 For such filings, filers are typically provided the option to either submit the filing directly to the EDGAR system in the relevant custom XML data language, or to manually input the information into a fillable web-based form developed by the Commission that converts the completed form into a custom XML document.372 Requiring Covered Entities to file Parts I and II of proposed Form SCIR through the EDGAR system would allow 368 See 369 See 17 CFR 232.11. paragraphs (c) and (d) of proposed Rule lotter on DSK11XQN23PROD with PROPOSALS2 10. 370 Requirements related to custom-XML filings are generally covered in the EDGAR Filer Manual, which is incorporated in Commission regulations by reference via Regulation S–T. See 17 CFR 232.11; 17 CFR 232.101. 371 See Commission, Current EDGAR Technical Specifications (Dec. 5, 2022), available at https:// www.sec.gov/edgar/filer-information/current-edgartechnical-specifications. 372 See Chapters 8 and 9 of the EDGAR Filer Manual (Volume II), version 64 (Dec. 2022). 
VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 the Commission to download Form SCIR information directly from a central location, thus facilitating efficient access, organization, and evaluation of the information contained in the forms. Use of the EDGAR system also would enable technical validation of the information reported on Form SCIR, which could potentially reduce the incidence of non-discretionary errors (e.g., leaving required fields blank). Thus, the proposed requirement to file Parts I and II of proposed Form SCIR through the EDGAR system would allow the Commission and, in the case of Part II, the public to more effectively examine and analyze the reported information. In this regard, the proposed requirement to file Parts I and II of proposed Form SCIR through the EDGAR system using SCIR-specific XML, a machine-readable data language, is designed to facilitate more thorough review and analysis of the reported information. b. Request for Comment The Commission requests comment on all aspects of the proposed requirements to file Parts I and II of Form SCIR in EDGAR using a structured data language. In addition, the Commission is requesting comment on the following specific aspects of the proposals: 72. Should the Commission modify the structured data language requirement for both Parts I and II of Form SCIR in accordance with the alternatives discussed in Section IV.F. below? 373 Should Covered Entities be required to file the cybersecurity risk and incident disclosures on Part II of Form SCIR in the EDGAR system in a structured data language? Why or why not? Would custom XML or Inline eXtensible Business Reporting Language (‘‘iXBRL’’) be the most suitable data language for this information? Or would another data language be more appropriate? 5. Recordkeeping a. 
Amendments to Covered Entity Recordkeeping Rules As discussed above, proposed Rule 10 would require a Covered Entity to: (1) establish, maintain, and enforce reasonably designed policies and procedures to address cybersecurity risks; 374 (2) create written 373 See section IV.F. of this release. paragraph (b)(1) of proposed Rule 10. See also sections II.B.1.a. through II.B.1.e. of this release (discussing this proposed requirement in more detail). 374 See PO 00000 Frm 00050 Fmt 4701 Sfmt 4702 documentation of risk assessments; 375 (3) create written documentation of any cybersecurity incident, including its response to and recovery from the incident; 376 (4) prepare a written report each year describing its annual review of its policies and procedures to address cybersecurity risks; 377 (5) provide immediate electronic written notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring; 378 (6) report, not later than 48 hours, upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring on Part I of proposed Form SCIR; 379 and (7) provide a written summary disclosure about its cybersecurity risks that could materially affect its business and operations, and how the Covered Entity assesses, prioritizes, and addresses those risks, and significant cybersecurity incidents that occurred during the current or previous calendar year on Part II of proposed Form SCIR.380 Consequently, proposed Rule 10 would require a Covered Entity to make several different types of records (collectively, the ‘‘Rule 10 Records’’). The proposed cybersecurity rule would not include requirements specifying how long these records would need to be preserved and the manner in which they would need to be maintained. 
Instead, as discussed below, preservation and maintenance requirements applicable to Rule 10 Records would be imposed through amendments, as necessary, to the existing record preservation and maintenance rules applicable to the Covered Entities. In particular, broker-dealers, transfer agents, and SBS Entities are subject to existing requirements that specify how long the records they are required to make must be preserved (e.g., three or six years) and how the records must be maintained (e.g., maintenance 375 See paragraph (b)(1)(i)(B) of proposed Rule 10. See also section II.B.1.a. of this release (discussing this proposed requirement in more detail). 376 See paragraph (b)(1)(v)(B) of proposed Rule 10. See also section II.B.1.e. of this release (discussing this proposed requirement in more detail). 377 See paragraph (b)(2)(ii) of proposed Rule 10. See also section II.B.1.f. of this release (discussing this proposed requirement in more detail). 378 See paragraph (c)(1) of proposed Rule 10. See also section II.B.2.a. of this release (discussing this proposed requirement in more detail). 379 See paragraph (c)(2) of proposed Rule 10. See also Section II.B.2.b. of this release (discussing this proposed requirement in more detail). 380 See paragraph (d) of proposed Rule 10. See also Section II.B.3. of this release (discussing this proposed requirement in more detail). E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 requirements for electronic records).381 The Commission is proposing to amend these record preservation and maintenance requirements to identify Rule 10 Records specifically as records that would need to be preserved and maintained pursuant to these existing requirements. 
In particular, the Commission is proposing to amend the record preservation and maintenance rules for: (1) broker-dealers; 382 (2) transfer agents; 383 and (3) SBS entities.384 The proposed amendments would specify that the Rule 10 Records must be retained for three years. In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures. These amendments would subject the Rule 10 Records to the record maintenance requirements of Rules 17a–4, 17ad–7, and 18a–6, including the requirements governing electronic records.385 Exchange Act Rule 17a–1 (‘‘Rule 17a– 1’’)—the record maintenance and preservation rule applicable to registered clearing agencies, the MSRB, national securities associations, and national securities exchanges—as it exists today would require the preservation of the Rule 10 Records.386 In particular, Rule 17a–1 requires these types of Covered Entities to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by 381 See 17 CFR 240.17a-4 (‘‘Rule 17a–4’’) (setting forth record preservation and maintenance requirements for broker-dealers); 17 CFR 240.17Ad– 7 (‘‘Rule 17ad-7’’) (setting forth record preservation and maintenance requirements for transfer agents); 17 CFR 240.18a–6 (‘‘Rule 18a–6’’) (setting forth record preservation and maintenance requirements for SBS Entities). The Commission’s proposal includes an amendment to a CFR designation in order to ensure regulatory text conforms more consistently with section 2.13 of the Document Drafting Handbook. See Office of the Federal Register, Document Drafting Handbook (Aug. 2018 Edition, Revision 1.4, dated January 7, 2022), available at https://www.archives.gov/files/federalregister/write/handbook/ddh.pdf. 
In particular, the proposal is to amend the CFR section designation for Rule 17Ad–7 (17 CFR 240.17Ad–7) to replace the uppercase letter with the corresponding lowercase letter, such that the rule would be redesignated as Rule 17ad–7 (17 CFR 240.17ad–7). 382 This amendment would add a new paragraph (e)(13) to Rule 17a–4. 383 This amendment would add a new paragraph (j) to Rule 17ad–7. 384 This amendment would add a new paragraph (d)(6) to Rule 18a–6 . 385 See paragraphs (f) of Rule 17a–4, (f) of Rule 17ad–7, and (e) of Rule 18a-6 (setting forth requirements for electronic records applicable to broker-dealers, transfer agents, and SBS Entities, respectively). 386 See 17 CFR 240.17a–1. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 the Covered Entity in the course of its business as such and in the conduct of its self-regulatory activity.387 Furthermore, Rule 17a–1 provides that the Covered Entity must keep the documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Exchange Act Rule 17a–6.388 Consequently, under the existing provisions of Rule 17a–1, registered clearing agencies, the MSRB, national securities associations, and national securities exchanges would be required to preserve at least one copy of the Rule 10 Records for at least five years, the first two years in an easily accessible place. 
In the case of the written policies and procedures to address cybersecurity risks, pursuant to Rule 17a–1 the record would need to be maintained until five years after the termination of the use of the policies and procedures.389 Similarly, Exchange Act Rule 13n–7 (‘‘Rule 13n–7’’)—the record maintenance and preservation rule applicable to SBSDRs—as it exists today would require the preservation of the Rule 10 Records.390 In particular, Rule 13n–7 requires SBSDRs to, among other things, keep and preserve at least one copy of all documents, including all documents and policies and procedures required by the Exchange Act and the rules and regulations thereunder, correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such.391 Furthermore, Rule 13n–7 provides that the SBSDR must keep the documents for a period of not less than five years, the first two years in a place that is immediately available to representatives of the Commission for inspection and examination.392 Consequently, under the existing provisions of Rule 13n–7, SBSDRs would be required to preserve at least one copy of the Rule 10 Records for at 387 See paragraph (a) of Rule 17a–1. paragraph (b) of Rule 17a–1; 17 CFR 240.17a–6 (‘‘Rule 17a–6’’). Rule 17a–6 of the Exchange Act provides that an SRO may destroy such records at the end of the five year period or at an earlier date as is specified in a plan for the destruction or disposition of any such documents if such plan has been filed with the Commission by SRO and has been declared effective by the Commission. 389 See, e.g., Nationally Recognized Statistical Rating Organizations, Exchange Act Release No. 72936 (Aug. 27, 2014) [79 FR 55078, 55099–100 (Sept. 15, 2014)] (explaining why preservation periods for written policies and procedures are based on when a version of the policies and procedures is updated or replaced). 390 See 17 CFR 240.13n–7. 
391 See paragraph (b)(1) of Rule 13n–7. 392 See paragraph (b)(2) of Rule 13n–7. 388 See PO 00000 Frm 00051 Fmt 4701 Sfmt 4702 20261 least five years, the first two years in a place that is immediately available to representatives of the Commission for inspection and examination. In the case of the written policies and procedures to address cybersecurity risks, the Commission interprets this provision of Rule 13n–7 to require that the record would need to be maintained until five years after the termination of the use of the policies and procedures. Clearing agencies that are exempt from registration would be Covered Entities under proposed Rule 10.393 Exempt clearing agencies are not subject to Rule 17a–1. However, while exempt clearing agencies—as entities that have limited their clearing agency functions—might not be subject to the full range of clearing agency regulation, the Commission has stated that, for example, an entity seeking an exemption from clearing agency registration for matching services would be required to, among other things, allow the Commission to inspect its facilities and records.394 In this regard, exempt clearing agencies are subject to conditions that mirror certain of the recordkeeping requirements in Rule 17a–1,395 as set forth in the respective Commission orders exempting each exempt clearing agency from the requirement to register as a clearing agency (the ‘‘clearing agency exemption orders’’).396 Pursuant to the terms and conditions of the clearing agency exemption orders, the Commission may modify by order the terms, scope, or conditions if the Commission determines that such modification is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the 393 See paragraph (a)(1)(ii) of proposed Rule 10 (defining as a ‘‘covered entity’’ a clearing agency (registered or exempt) under section 3(a)(23)(A) of the Exchange Act). See also section I.A.2.c. 
of this release (discussing the clearing agency exemptions provided by the Commission). 394 See Confirmation and Affirmation of Securities Trades; Matching, Exchange Act Release No. 39829 (Apr. 6, 1998) [63 FR 17943 (Apr. 13, 1998)] (providing interpretive guidance and requesting comment on the confirmation and affirmation of securities trades and matching). 395 See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning BSTP’s exemption by requiring BSTP to, among other things, preserve a copy or record of all trade details, allocation instructions, central trade matching results, reports and notices sent to customers, service agreements, reports regarding affirmation rates that are sent to the Commission or its designee, and any complaint received from a customer, all of which pertain to the operation of its matching service and ETC service. BSTP shall retain these records for a period of not less than five years, the first two years in an easily accessible place.). 396 See DTCC ITP Matching Order, 66 FR 20494; BSTP SS&C Order, 80 FR 75388; Euroclear Bank Order, 81 FR 93994. E:\FR\FM\05APP2.SGM 05APP2 20262 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 purposes of the Exchange Act.397 In support of the public interest and the protection of investors, the Commission is proposing to amend the clearing agency exemption orders to add a condition that each exempt clearing agency must retain the Rule 10 Records for a period of at least five years after the record is made or, in the case of the written policies and procedures to address cybersecurity risks, for at least five years after the termination of the use of the policies and procedures. b. Request for Comment The Commission requests comment on all aspects of the proposed recordkeeping requirements. In addition, the Commission is requesting comment on the following specific aspects of the proposals: 73. 
Should the proposed amendments to Rules 17a–4, 18a–6, and/or 17ad–7 be modified? If so, describe how they should be modified and explain why the modification would be appropriate. For example, should the retention periods for the records be five years (consistent with Rule 17a–1) or some other period of years as opposed to three years? If so, explain why. If not, explain why not. 74. As discussed above, the Commission is proposing to amend the clearing agency exemption orders to specifically require the exempt clearing agencies to retain the Rule 10 Records. Should the ordering language be consistent with the proposed amendments to Rules 17a–4, 17ad–7, and18a–6? For example, should the ordering language provide that the exempt clearing agency must maintain and preserve: (1) the written policies and procedures required to be adopted and implemented pursuant to paragraph (b)(1) of proposed Rule 10 until five years after the termination of the use of the policies and procedures; (2) the written documentation of any risk assessment pursuant to paragraph (b)(1)(i)(B) of proposed Rule 10 for five years; (3) the written documentation of the occurrence of a cybersecurity incident pursuant to paragraph (b)(1)(v)(B) of proposed Rule 10, including any documentation related to any response and recovery from such an incident, for five years; (4) the written report of the annual review required to be prepared pursuant to paragraph (b)(2)(ii) of proposed Rule 10 for five years; (5) a copy of any notice transmitted to the Commission pursuant to paragraph (c)(1) of proposed Rule 10 or any Part I of proposed Form SCIR filed with the Commission pursuant to paragraph (c)(2) of proposed Rule 10 for 397 See Clearstream Banking Order, 62 FR 9225. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 five years; and (6) a copy of any Part II of proposed Form SCIR filed with the Commission pursuant to paragraph (d) of proposed Rule 10 for five years? 
Additionally, should the ordering language provide that the exempt clearing agency must allow the Commission to inspect its facilities and records? If so, explain why. If not, explain why not.

C. Proposed Requirements for Non-Covered Broker-Dealers

1. Cybersecurity Policies and Procedures, Annual Review, Notification, and Recordkeeping

As discussed earlier, not all broker-dealers would be Covered Entities under proposed Rule 10.398 Consequently, these Non-Covered Broker-Dealers would not be subject to the requirements of proposed Rule 10 to: (1) include certain elements in their cybersecurity risk management policies and procedures;399 (2) file confidential reports that provide information about the significant cybersecurity incident with the Commission and, for some Covered Entities, other regulators;400 and (3) make public disclosures about their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.401 In light of their limited business activities, Non-Covered Broker-Dealers would not be subject to the same requirements as would Covered Entities. Instead, Non-Covered Broker-Dealers would be required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks taking into account the size, business, and operations of the firm.402 They also would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. They also would be required to make a record with respect to the annual review. In addition, they would be required to provide the Commission and their examining authority with immediate written electronic notice of a significant cybersecurity incident affecting them.403 Finally, they would be required to maintain and preserve versions of their policies and procedures and the record of the annual review.

A Non-Covered Broker-Dealer could be a firm that limits its business to selling mutual funds on a subscription-way basis or a broker-dealer that limits its business to engaging in private placements for clients. Alternatively, it could be a broker-dealer that limits its business to effecting securities transactions in order to facilitate mergers, acquisitions, business sales, and business combinations or a broker-dealer that limits its business to engaging in underwritings for issuers. Moreover, a Non-Covered Broker-Dealer—because it does not meet the definition of "covered entity"—would not be a broker-dealer that: maintains custody of customer securities and cash;404 connects to a broker-dealer that maintains custody of customer securities through an introducing relationship;405 is a large proprietary trading firm;406 operates as a market maker;407 or operates an ATS.408 A broker-dealer that limits its business to one of the activities described above and that does not engage in functions that would make it a Covered Entity under proposed Rule 10 generally does not use information systems to carry out its operations to the same degree as a broker-dealer that is a Covered Entity.

398 See section II.A.1. of this release (discussing the definition of "covered entity" and why certain broker-dealers would not be included within the definition).
399 See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
400 See paragraph (c)(2) of proposed Rule 10. See also paragraph (a)(10) of proposed Rule 10 (defining the term "significant cybersecurity risk").
401 See paragraph (d) of proposed Rule 10.
402 See paragraph (e)(1) of proposed Rule 10.
For example, the information systems used by a Non-Covered Broker-Dealer could be limited to smart phones and personal computers with internet and email access. Moreover, this type of firm may have a small staff of employees using these information systems. Therefore, the overall footprint of the information systems used by a Non-Covered Broker-Dealer may be materially smaller in scale and complexity than the footprint of the information systems used by a broker-dealer that is a Covered Entity.

403 See paragraph (e)(2) of proposed Rule 10.
404 See paragraph (a)(1)(i)(A) of proposed Rule 10 (defining "covered entity" to include a broker-dealer that maintains custody of cash and securities for customers or other broker-dealers and is not exempt from the requirements of Rule 15c3–3).
405 See paragraph (a)(1)(i)(B) of proposed Rule 10 (defining "covered entity" to include a broker-dealer that introduces customer accounts on a fully disclosed basis to another broker-dealer that maintains custody of cash and securities for customers or other broker-dealers and is not exempt from the requirements of Rule 15c3–3).
406 See paragraphs (a)(1)(i)(C) and (D) of proposed Rule 10 (defining "covered entity" to include a broker-dealer with regulatory capital equal to or exceeding $50 million or total assets equal to or exceeding $1 billion).
407 See paragraph (a)(1)(i)(E) of proposed Rule 10 (defining "covered entity" to include a broker-dealer that is a market maker under the Exchange Act or the rules thereunder (which includes a broker-dealer that operates pursuant to Rule 15c3–1(a)(6)) or is a market maker under the rules of an SRO of which the broker-dealer is a member).
408 See paragraph (a)(1)(i)(F) of proposed Rule 10 (defining "covered entity" to include a broker-dealer that is an ATS).
In addition, the amount of data stored on these information systems relating to the Non-Covered Broker-Dealer’s business may be substantially less than the amount of data stored on a Covered Entity’s information systems. This means the information system perimeter of these firms that needs to be protected from cybersecurity threats and vulnerabilities is significantly smaller than that of a Covered Broker-Dealer. For these reasons, proposed Rule 10 would provide that the written policies and procedures required of a Non-Covered Broker-Dealer must be reasonably designed to address the cybersecurity risks of the firm taking into account the size, business, and operations of the firm. Therefore, unlike the requirements for a Covered Entity, proposed Rule 10 does not specify minimum elements that would need to be included in a Non-Covered Broker-Dealer’s policies and procedures.409 Nonetheless, a Non-Covered Broker-Dealer may want to consider whether any of those required elements would be appropriate components of its policies and procedures for addressing cybersecurity risk.410

Proposed Rule 10 also would require that the Non-Covered Broker-Dealer annually review and assess the design and effectiveness of its cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.411 The annual review and assessment requirement is designed to require Non-Covered Broker-Dealers to evaluate whether their cybersecurity policies and procedures continue to work as designed. Non-Covered Broker-Dealers could consider using this information to determine whether changes are needed to assure their continued effectiveness (i.e., to make sure their policies and procedures continue to be reasonably designed to address their cybersecurity risks as required by the rule).
The rule also would require the Non-Covered Broker-Dealer to make a written record that documents the steps taken in performing the annual review and the conclusions of the annual review. Therefore, Non-Covered Broker-Dealers would need to make a record of the review rather than documenting the review in a written report, as would be required of Covered Entities.412 A report is a means to communicate information within an organization. The personnel that prepare the report for the Covered Entity would be able to use it to communicate their assessment of the firm’s policies and procedures to others within the organization such as senior managers. For purposes of proposed Rule 10, a record, among other things, is a means to document that an activity took place, for example, to demonstrate compliance with a requirement. As discussed above, Non-Covered Broker-Dealers generally would be smaller and less complex organizations than Covered Entities. A record of the annual review could be used by Commission examination staff to review the Non-Covered Broker-Dealer’s compliance with the annual review requirement without imposing the additional process involved in creating an internal report.

As discussed earlier, Covered Entities would be subject to a requirement to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.413 Non-Covered Broker-Dealers would be subject to the same immediate written electronic notice requirement. In particular, they would be required to give immediate written electronic notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.414 The Commission would keep the notices nonpublic to the extent permitted by law.
The notice would need to identify the Non-Covered Broker-Dealer, state that the notice is being given to alert the Commission of a significant cybersecurity incident impacting the Non-Covered Broker-Dealer, and provide the name and contact information of an employee of the Non-Covered Broker-Dealer who can provide further details about the nature and scope of the significant cybersecurity incident. In addition, Non-Covered Broker-Dealers—like Covered Broker-Dealers—would need to give the notice to their examining authority.415 The immediate written electronic notice is designed to alert the Commission on a confidential basis to the existence of a significant cybersecurity incident impacting a Non-Covered Broker-Dealer so the Commission staff can quickly begin to assess the event.

409 See paragraph (b)(1) of proposed Rule 10 (setting forth the elements that would need to be included in a Covered Entity’s policies and procedures).
410 As discussed earlier, the elements are consistent with industry standards for addressing cybersecurity risk. See section II.B.1. of this release (discussing the policies and procedures requirements for Covered Entities).
411 See paragraph (e)(1) of proposed Rule 10.
412 See section II.B.1.f. of this release (discussing in more detail the annual report that would be required of Covered Entities).
413 See paragraph (c)(1) of proposed Rule 10. See also section II.B.2.a. of this release (discussing the immediate notification requirement for Covered Entities in more detail).
414 See paragraph (e)(2) of proposed Rule 10. See also paragraph (a)(10) of proposed Rule 10 (defining the term "significant cybersecurity incident").
Finally, as discussed above, proposed Rule 10 would require the Non-Covered Broker-Dealer to: (1) establish, maintain, and enforce written policies and procedures that are reasonably designed to address the cybersecurity risks of the firm; (2) make a written record that documents its annual review; and (3) provide immediate electronic written notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.416 The Commission is proposing to amend the broker-dealer record preservation and maintenance rule to identify these records specifically as being subject to the rule’s requirements.417 Under the amendments, the written policies and procedures would need to be maintained until three years after the termination of the use of the policies and procedures and all other records would need to be maintained for three years.

415 See paragraph (e)(2) of proposed Rule 10. See also paragraph (c)(1)(i) of proposed Rule 10 (requiring Covered Broker-Dealers to provide the notice to their examining authority).
416 See paragraph (e) of proposed Rule 10.
417 This amendment would add a new paragraph (e)(13) to Rule 17a–4.

2. Request for Comment

The Commission requests comment on all aspects of the proposed requirements for non-covered broker-dealers. In addition, the Commission is requesting comment on the following specific aspects of the proposals:

75. Should paragraph (e)(1) of proposed Rule 10 be modified to specify certain minimum elements that would need to be included in the policies and procedures of Non-Covered Broker-Dealers? If so, identify the elements and explain why they should be included. For example, should paragraph (e) of proposed Rule 10 specify that the policies and procedures must include policies and procedures to address any or all of the following: (1) risk assessment; (2) user security and access; (3) information protection; (4) cybersecurity threat and vulnerability management; and (5) cybersecurity incident response and recovery? If so, explain why. If not, explain why not.

76. Should paragraph (e)(2) of proposed Rule 10 be modified to require the notice to be given within a specific timeframe such as on the same day the requirement was triggered or within 24 hours? If so, explain why. If not, explain why not.

77. Should paragraph (e)(2) of proposed Rule 10 be modified to revise the trigger for the immediate notification requirement? If so, explain why. If not, explain why not. For example, should the trigger be when the Non-Covered Broker-Dealer "detects" a significant cybersecurity incident (rather than when it has a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring)? If so, explain why. If not, explain why not. For example, would a detection standard be a less subjective standard? If so, explain why. If not, explain why not. Is there another trigger standard that would be more appropriate? If so, identify it and explain why it would be more appropriate.

78. Should paragraph (e)(2) of proposed Rule 10 be modified to eliminate the requirement that a Non-Covered Broker-Dealer give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring? If so, explain why. If not, explain why not. For example, would this requirement be unduly burdensome on Non-Covered Broker-Dealers? Please explain.

79. If the immediate notification requirement of paragraph (e)(2) is adopted as proposed, it is anticipated that a dedicated email address would be established to receive these notices.
Are there other methods the Commission should use for receiving these notices? If so, identify them and explain why they would be more appropriate than email. For example, should the notices be received through the EDGAR system? If so, explain why. If not, explain why not.

80. Should paragraph (e) of proposed Rule 10 be modified to include any other requirements that would be applicable to Covered Entities under proposed Rule 10 that also should be required of Non-Covered Broker-Dealers? If so, identify them and explain why they should apply to Non-Covered Broker-Dealers. For example, should the paragraph be modified to require Non-Covered Broker-Dealers to report information about a significant cybersecurity incident confidentially on Part I of proposed Form SCIR? If so, explain why. If not, explain why not. Should the timeframe for filing Part I of proposed Form SCIR be longer for Non-Covered Broker-Dealers? For example, should the reporting timeframe be within 72 or 96 hours instead of 48 hours? Please explain. If Non-Covered Broker-Dealers were required to file Part I of Form SCIR, should they be permitted to provide more limited information about the significant cybersecurity incident than Covered Entities? If so, identify the more limited set of information and explain why it would be appropriate to permit Non-Covered Broker-Dealers to omit the additional information that Covered Entities would need to report.

81. Should Non-Covered Broker-Dealers be required to make and preserve for three years in accordance with Rule 17a–4 a record of any significant cybersecurity incident that impacts them containing some or all of the information that would be reported by Covered Entities on Part I of proposed Form SCIR? If so, explain why. If not, explain why not.

82. Should paragraph (e) of proposed Rule 10 be modified to require a Non-Covered Broker-Dealer to prepare a written report of the annual review (rather than a record, as proposed)? If so, explain why. If not, explain why not.

D. Cross-Border Application of the Proposed Cybersecurity Requirements to SBS Entities

1. Background on the Cross-Border Application of Title VII Requirements

Security-based swap transactions take place across national borders, with agreements negotiated and executed between counterparties in different jurisdictions (which might then be booked and risk-managed in still other jurisdictions).418 Mindful that this global market developed prior to the enactment of the Dodd-Frank Act and the fact that the application of Title VII419 to cross-border activities raises issues of potential conflict or overlap with foreign regulatory regimes,420 the Commission has adopted a taxonomy to classify requirements under section 15F of the Exchange Act as applying at either the transaction-level or at the entity-level.421 Transaction-level requirements under section 15F of the Exchange Act are those that primarily focus on protecting counterparties to security-based swap transactions by requiring SBSDs to, among other things, provide certain disclosures to counterparties, adhere to certain standards of business conduct, and segregate customer funds, securities, and other assets.422 In contrast to transaction-level requirements, entity-level requirements under section 15F of the Exchange Act are those that are expected to play a role in ensuring the safety and soundness of the SBS Entity and thus relate to the entity as a whole.423 Entity-level requirements include capital and margin requirements, as well as other requirements relating to a firm’s identification and management of its risk exposure, including the risk management procedures required under section 15F(j) of the Exchange Act, a statutory basis for rules applicable to SBS Entities that the Commission is proposing in this release.424 Because these requirements relate to the entire entity, they apply to SBS Entities on a firm-wide basis, without exception.425

The Commission applied this taxonomy in 2016 when it adopted rules to implement business conduct standards for SBS Entities. At that time, the Commission also stated that the rules and regulations prescribed under section 15F(j) should be treated as entity-level requirements.426 The Commission has not, however, expressly addressed the entity-level treatment of the cybersecurity requirements under proposed Rule 10, except with regard to recordkeeping and reporting.427

2. Proposed Entity-Level Treatment

a. Proposal

Consistent with its approach to the obligations described in Section 15F(j) and to capital,428 margin,429 risk mitigation,430 and recordkeeping,431 the Commission is proposing to apply the requirements of proposed Rule 10 to an SBS Entity’s entire security-based swap business without exception, including in connection with any security-based swap business it conducts with foreign counterparties.432 Cybersecurity policies and procedures and the related requirements of proposed Rule 10 serve as an important mechanism for allowing SBS Entities and their counterparties to manage risks associated with their operations, including risks related to the entity’s safety and soundness.433 An alternative approach that does not require an SBS Entity to take steps to manage cybersecurity risk throughout the firm’s entire business could contribute to operational risk affecting the entity’s security-based swap business as a whole, and not merely specific security-based swap transactions. Moreover, to the extent that these risks affect the safety and soundness of the SBS Entity, they also may affect the firm’s counterparties and the functioning of the broader security-based swap market. Accordingly, the Commission proposes to apply the requirements to the entirety of an SBS Entity’s business.434 However, as described below, the Commission is proposing that foreign SBS Entities have the potential to avail themselves of substituted compliance to satisfy the cybersecurity requirements under proposed Rule 10.

b. Request for Comment

The Commission generally requests comments on the proposed entity-level application of proposed Rule 10. In addition, the Commission requests comments on the following specific issues:

83. Does the proposed approach appropriately treat the proposed requirements as entity-level requirements applicable to the entire business conducted by foreign SBS Entities? If not, please identify any particular aspects of proposed Rule 10 that should not be applied to a foreign SBS Entity, or applied only to specific transactions, and explain how such an approach would be consistent with the goals of Title VII of the Dodd-Frank Act.

84. Should the Commission apply the same cross-border approach to the application of proposed Rule 10 for both SBSDs and MSBSPs? If not, please describe how the cross-border approach for SBSDs should differ from the cross-border approach for MSBSPs, and explain the reason(s) for any potential differences in approach.

85. What types of conflicts might a foreign SBS Entity face if it had to comply with proposed Rule 10 in more than one jurisdiction? In what situations would compliance with more than one of these requirements be difficult or impossible? For Market Entities that are U.S. persons, could compliance with the proposed rules create compliance challenges with requirements in a foreign jurisdiction?

86. As an alternative to treating the proposed requirements as entity-level requirements, should the Commission instead treat the proposed requirements as transaction-level requirements? If so, to which cross-border security-based swap transactions should these requirements apply and why? Please describe how these requirements would apply differently if classified as transaction-level requirements instead of as entity-level requirements.

3. Availability of Substituted Compliance

a. Existing Substituted Compliance Rule

In 2016,435 the Commission adopted Exchange Act Rule 3a71–6 ("Rule 3a71–6")436 to provide that the Commission may, by order, make a determination that compliance with specified requirements under a foreign financial regulatory system by non-U.S. SBS Entities437 may satisfy certain business conduct requirements under Exchange Act section 15F, subject to certain conditions. The rule in part provides that the Commission shall not make a determination providing for substituted compliance unless the Commission determines, among other things, that the foreign regulatory requirements are comparable to otherwise applicable requirements.438 When the Commission adopted this substituted compliance rule that addressed the specified business conduct requirements, the Commission also noted that Exchange Act section 15F(j)(7) authorizes the Commission to prescribe rules governing the duties of SBS Entities.439 The Commission stated that it was not excluding that provision from the potential availability of substituted compliance, and that it expected to separately consider whether substituted compliance may be available in connection with any future rules promulgated pursuant to that provision.440 Further, the Commission stated that it expected to assess the potential availability of substituted compliance in connection with other requirements when the Commission considers final rules to implement those requirements.441 Consistent with these statements, the Commission subsequently amended Rule 3a71–6 to provide SBS Entities that are non-U.S. persons with the potential to avail themselves of substituted compliance with respect to the following Title VII requirements: (1) trade acknowledgment and verification,442 (2) capital and margin requirements,443 (3) recordkeeping and reporting,444 and (4) portfolio reconciliation, portfolio compression, and trading relationship documentation.445

b. Proposed Amendment to Rule 3a71–6

The Commission is proposing to further amend Rule 3a71–6 to provide SBS Entities that are not U.S. persons (as defined in Rule 3a71–3(a)(4) of the Exchange Act) with the potential to avail themselves of substituted compliance to satisfy the cybersecurity requirements of proposed Rule 10 and Form SCIR as applicable to SBS Entities.446 In proposing to amend the rule, the Commission preliminarily believes that the principles associated with substituted compliance, as previously adopted in connection with both the business conduct requirements and the recordkeeping and reporting requirements, in large part should similarly apply to the cybersecurity risk management requirements being proposed today.

418 See Cross-Border Proposing Release, 78 FR at 30976, n. 48.
419 Unless otherwise indicated, references to "Title VII" in this section of this release are to Subtitle B of Title VII of the Dodd-Frank Act.
420 See Cross-Border Proposing Release, 78 FR at 30975.
421 See id. at 31008–25. See also Business Conduct Standards for Security-Based Swap Dealers and Major Security-Based Swap Participants, Exchange Act Release No. 77617 (Apr. 14, 2016) [81 FR 29959, 30061–69 (May 13, 2016)] ("Business Conduct Standards Adopting Release").
422 Cross-Border Proposing Release, 78 FR at 31010.
423 See id. at 31011, 31035.
424 See id. at 31011–16 (addressing the classification of capital and margin requirements, as well as of the risk management requirements of section 15F(j) of the Exchange Act and other entity-level requirements applicable to SBSDs).
425 See id. at 31011, 31024–25. See also id. at 31035 (applying the analysis to MSBSPs). In reaching this conclusion, the Commission explained that it "preliminarily believes that entity-level requirements are core requirements of the Commission’s responsibility to ensure the safety and soundness of registered security based swap dealers," and that "it would not be consistent with this mandate to provide a blanket exclusion to foreign security-based swap dealers from entity-level requirements applicable to such entities." Id. at 31024 (footnotes omitted). The Commission further expressed the preliminary view that concerns regarding the application of entity-level requirements to foreign SBSDs would largely be addressed through the proposed approach to substituted compliance. See id.
426 See Business Conduct Standards Adopting Release, 81 FR at 30064–65.
427 The Commission has previously stated that recordkeeping and reporting requirements are entity-level requirements. See Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based Swap Participants, and Broker-Dealers, Exchange Act Release No. 87005 (Sept. 19, 2019), 84 FR 68550, 68596–97 (Dec. 16, 2019) ("SBS Entity Recordkeeping and Reporting Adopting Release").
428 See Capital, Margin, and Segregation Requirements for Security-Based Swap Dealers and Major Security-Based Swap Participants and Capital and Segregation Requirements for Broker-Dealers, Exchange Act Release No. 86175 (Jun. 21, 2019), 84 FR 43872, 43879 (Aug. 22, 2019) ("Capital, Margin, and Segregation Requirements Adopting Release").
429 Id.
430 See Risk Mitigation Techniques for Uncleared Security-Based Swaps, Exchange Act Release No. 87782 (Dec. 18, 2019) [85 FR 6359, 6378 (Feb. 4, 2020)] ("SBS Entity Risk Mitigation Adopting Release").
431 See SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68596–97.
432 As entity-level requirements, transaction-level exceptions such as in 17 CFR 3a71–3(c) and 17 CFR 3a67–10(d) would not be available for the proposed cybersecurity requirements.
433 See sections I.A. and II.B.1. of this release (discussing, respectively, cybersecurity risks and how those risks can be managed by certain policies, procedures, and controls). See also sections II.B.2–5 of this release.
434 The Commission has expressed the view that an entity that has registered with the Commission subjects itself to the entire regulatory system governing such registered entities. Cross-Border Proposing Release, 78 FR at 30986. See also Business Conduct Standards Adopting Release, 81 FR at n.1306 (determining that the requirements described in section 15F(j) of the Exchange Act should be treated as entity-level requirements, and stating that such treatment would not be tantamount to applying Title VII to persons that are "transact[ing] a business in security-based swaps without the jurisdiction of the United States," within the meaning of section 30(c) of the Exchange Act). That treatment of section 15F(j) of the Exchange Act was also deemed necessary or appropriate as a prophylactic measure to help prevent the evasion of the provisions of the Exchange Act that were added by the Dodd-Frank Act, and thus help prevent the relevant purposes of the Dodd-Frank Act from being undermined. Id. (citing Application of "Security-Based Swap Dealer" and "Major Security-Based Swap Participant" Definitions to Cross-Border Security-Based Swap Activities; Republication, Exchange Act Release No. 72472 (June 25, 2014) [79 FR 47277, 47291–92 (Aug. 12, 2014)] ("SBS Entity Definitions Adopting Release") (interpreting anti-evasion provisions of the Exchange Act, section 30(c)). A different approach in connection with proposed Rule 10 would not be consistent with the purposes of Title VII of the Dodd-Frank Act and could allow SBS Entities to avoid compliance with these proposed rules for portions of their business in a manner that could increase the risk to the registered entity.
435 See Business Conduct Standards Adopting Release, 81 FR at 30070–81. Separately, in 2015, the Commission adopted a rule making substituted compliance potentially available in connection with certain regulatory reporting and public dissemination requirements related to security-based swaps. See Regulation SBSR-Reporting and Dissemination of Security-Based Swap Information, Exchange Act Release No. 74244 (Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] (adopting 17 CFR 242.908 ("Rule 908")). Paragraph (c) of Rule 908 does not contemplate substituted compliance for the rules being proposed today.
436 See 17 CFR 240.3a71–6.
437 If the Commission makes a substituted compliance determination under paragraph (a)(1) of Rule 3a71–6, SBS Entities that are not U.S. persons (as defined in 17 CFR 240.3a71–3(a)(4) ("Rule 3a71–3(a)(4)")), but not SBS Entities that are U.S. persons, may satisfy specified requirements by complying with comparable foreign requirements and any conditions set forth in the substituted compliance determination made by the Commission. See paragraphs (b) and (d) of Rule 3a71–6.
438 See paragraph (a)(2) of Rule 3a71–6. See also Business Conduct Standards Adopting Release, 81 FR at 30074.
439 Business Conduct Standards Adopting Release, 81 FR at n. 1438.
440 Id.
441 See Business Conduct Standards Adopting Release, 81 FR at 30074.
442 See Trade Acknowledgment and Verification of Security-Based Swap Transactions, Exchange Act Release No. 78011 (Jun. 8, 2016) [81 FR 39807, 39827–28 (Jun. 17, 2016)] ("SBS Entity Trade Acknowledgment and Verification Adopting Release").
443 See Capital, Margin, and Segregation Requirements Adopting Release, 84 FR at 43948–50.
444 See SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68597–99.
445 See SBS Entity Risk Mitigation Adopting Release, 85 FR at 6379–80.
The discussions in the Business Conduct Standards Adopting Release, including for example those regarding consideration of supervisory and enforcement practices,447 certain multi-jurisdictional issues,448 and application procedures 449 are applicable to the proposed cybersecurity requirements. Accordingly, the proposed substituted compliance rule would apply to the cybersecurity risk management requirements in the same manner as it already applies to existing business conduct requirements and the recordkeeping and reporting requirements. Making substituted compliance available for the cybersecurity risk management requirements would be consistent with the approach the Commission has taken with other rules applicable to SBS Entities. This approach takes into consideration the global nature of the security-based swap market and the prevalence of cross-border transactions within that market.450 The application of the cybersecurity risk management requirements may lead to requirements that are duplicative of, or in conflict with, applicable foreign requirements, even when the two sets of requirements implement similar goals and lead to similar results. Those results have the potential to disrupt existing business relationships and, more generally, to reduce competition and market efficiency. To address those effects, under certain circumstances it may be appropriate to allow the possibility of substituted compliance, whereby non-U.S. market participants may satisfy the cybersecurity risk management requirements by complying with comparable foreign requirements. Allowing for the possibility of substituted compliance in this manner would help achieve the benefits of those particular requirements in a way that helps avoid regulatory conflict and minimizes duplication, thereby promoting market efficiency, enhancing competition, and contributing to the overall functioning of the global security-based swap market. Accordingly, the Commission is proposing to amend paragraph (d)(1) of Rule 3a71–6 to make substituted compliance available for proposed Rule 10 and Form SCIR if the Commission determines with respect to a foreign financial regulatory system that compliance with specified requirements under such foreign financial regulatory system by a registered SBS Entity, or class thereof, satisfies the corresponding requirements of proposed Rule 10 and Form SCIR.451 However, the proposal would not amend Rule 3a71–6 in connection with the proposed amendments to Rule 18a–6 regarding records to be preserved by certain SBS Entities. Rule 3a71–6 currently permits eligible applicants to seek a substituted compliance determination from the Commission with regard to the requirements of Rule 18a–6.452

446 Substituted compliance would only be available to eligible SBS Entities. For example, substituted compliance would not be available to a Market Entity registered as both an SBS Entity and a broker-dealer with respect to the broker-dealer’s obligations under the proposed rules.
447 Business Conduct Standards Adopting Release, 81 FR at 30079.
448 Business Conduct Standards Adopting Release, 81 FR at 30079–80.
449 Business Conduct Standards Adopting Release, 81 FR at 30080–81.
450 See generally Business Conduct Standards Adopting Release, 81 FR at 30073–74 (addressing the basis for making substituted compliance available in the context of the business conduct requirements).
451 Paragraph (a)(1) of Rule 3a71–6 provides that the Commission may, conditionally or unconditionally, by order, make a determination with respect to a foreign financial regulatory system that compliance with specified requirements under the foreign financial system by an SBS Entity, or class thereof, may satisfy the corresponding requirements identified in paragraph (d) of the rule that would otherwise apply. See section II.D.3.c. of this release.
452 See paragraph (d)(6) of Rule 3a71–6.

c. Comparability Criteria, and Consideration of Related Requirements

If adopted, the proposed amendment to paragraph (d)(1) of Rule 3a71–6 would provide that eligible applicants may request that the Commission make a substituted compliance determination with respect to one or more of the requirements of Rule 10 and Form SCIR.453 Further, existing paragraph (d)(6) of Rule 3a71–6 would permit eligible applicants to request that the Commission make a substituted compliance determination with respect to one or more of the requirements of the proposed amendments to Rule 18a–6, if adopted. A positive substituted compliance determination with respect to requirements existing before adoption of the proposed Rule 10, Form SCIR, and the related record preservation requirements would not automatically result in a positive substituted compliance determination with respect to proposed Rule 10, Form SCIR or the proposed amendments to Rule 18a–6. Before making a substituted compliance determination, the substance of each foreign regulatory system to which substituted compliance would apply should be evaluated for comparability to such newly adopted requirements. As such, if the Commission adopts the proposed amendment to Rule 3a71–6, eligible applicants 454 seeking a Commission determination permitting SBS Entities that are not U.S. persons to satisfy the requirements of proposed Rule 10, Form SCIR, or the proposed amendments to Rule 18a–6 by complying with comparable foreign requirements would be required to file an application, pursuant to the procedures set forth in 17 CFR 240.0–13, requesting that the Commission make such a determination pursuant to 17 CFR 3a71–6(a)(1).455

The Commission has taken a holistic approach in determining the comparability of foreign requirements for substituted compliance purposes, focusing on regulatory outcomes as a whole, rather than on a requirement-by-requirement comparison.456 The Commission preliminarily believes that such a holistic approach would be appropriate for determining comparability for substituted compliance purposes in connection with the requirements of proposed Rule 10, Form SCIR, and the proposed amendments to Rule 18a–6. Under the proposed amendment to Rule 3a71–6, the Commission’s comparability assessments associated with the proposed cybersecurity risk management requirements accordingly would consider whether, in the Commission’s view, the foreign regulatory system achieves regulatory outcomes that are comparable to the regulatory outcomes associated with those requirements. Rule 3a71–6 provides that the Commission’s substituted compliance determination will take into account factors that the Commission determines appropriate, such as, for example, the scope and objectives of the relevant foreign regulatory requirements (taking into account the applicable criteria set forth in paragraph (d) of the rule), as well as the effectiveness of the supervisory compliance program administered, and the enforcement authority exercised, by a foreign financial regulatory authority or authorities in such foreign financial regulatory system to support its oversight of the SBS Entity (or class thereof) or of the activities of such SBS Entity (or class thereof).457 The Commission may determine to conduct its comparability analyses regarding Rule 10, Form SCIR, and the related record preservation requirements in conjunction with comparability analyses regarding other Exchange Act requirements that, like the requirements being proposed today, relate to risk management, recordkeeping, reporting, and notification requirements of SBS Entities.

453 See paragraph (c) of Rule 3a71–6.
454 See 17 CFR 3a71–6(c).
455 Existing Commission substituted compliance determinations do not address the requirements of the proposed new rules or the proposed amendments. If the Commission adopts the requirements in the proposed new or amended rules, SBS Entities (or the relevant foreign financial regulatory authority or authorities) seeking a substituted compliance determination with respect to those requirements would be required to file an application requesting that the Commission make the determination. Applicants may not request that the Commission make a substituted compliance determination related to the new requirements by amending a previously filed application that requested a substituted compliance determination related to other Commission requirements. However, new applications may incorporate relevant information from the applicant’s previously filed requests for substituted compliance determinations if the information remains accurate.
456 See Business Conduct Standards Adopting Release, 81 FR at 30078–79. See also SBS Entity Trade Acknowledgment and Verification Adopting Release, 81 FR at 39828; SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68598–99.
If the Commission adopts the proposed amendment to Rule 3a71–6, substituted compliance requests related to Rule 10, Form SCIR, and the related record preservation requirements may be filed by (i) applicants filing a request for a substituted compliance determination solely in connection with Rule 10, Form SCIR, and the related record preservation requirements,458 and (ii) applicants filing a request for a substituted compliance determination in connection with Rule 10, Form SCIR, and the related record preservation requirements combined with a request for a substituted compliance determination related to other eligible requirements. In either event, depending on the applicable facts and circumstances, the Commission’s comparability assessment associated with the Rule 10, Form SCIR, or the related record preservation requirements may constitute part of a broader assessment of Exchange Act risk management, recordkeeping, reporting, and notification requirements for SBS Entities, and the applicable comparability decisions may be made at the level of those risk management, recordkeeping, reporting, and notification requirements for SBS Entities as a whole.

457 See 17 CFR 240.3a71–6(a)(2)(i).
458 This category of applicants would include those who previously filed requests for the Commission to make substituted compliance determinations related to other requirements eligible for substituted compliance determinations under Rule 3a71–6.

d. Request for Comment

The Commission generally requests comments on all aspects of the proposed amendment to Rule 3a71–6 and proposed availability of substituted compliance. In addition, the Commission requests comments on the following specific issues:

87. Should the Commission make substituted compliance available with respect to proposed Rule 10, Form SCIR, and the related record preservation requirements? Why or why not? If you believe that substituted compliance should not be available with respect to these requirements, how would you distinguish this policy decision from the Commission’s previous determination to make substituted compliance potentially available with respect to other Title VII requirements (i.e., the business conduct, trade acknowledgment and verification, capital and margin, recordkeeping and reporting, and portfolio reconciliation, portfolio compression, and trading relationship documentation rules)?

88. Are there other aspects of the scope of the substituted compliance rule for which the Commission should amend or provide additional guidance in light of proposed Rule 10, Form SCIR, and the proposed amendment to Rule 18a–6? If so, what other amendments or additional guidance would be appropriate and why?

89. Are the items identified in Rule 3a71–6 as factors the Commission will consider prior to making a substituted compliance determination in connection with proposed Rule 10, Form SCIR, and the related record preservation requirements appropriate? If so, explain why. If not, explain why not. Should any of those items be modified or deleted? Should additional considerations be added? If so, please explain.

E. Amendments to Rule 18a–10

1. Proposal

Exchange Act Rule 18a–10 (‘‘Rule 18a–10’’) permits an SBSD that is registered as a swap dealer and predominantly engages in a swaps business to elect to comply with the capital, margin, segregation, recordkeeping, and reporting requirements of the Commodity Exchange Act and the CFTC’s rules in lieu of complying with the capital, margin, segregation, recordkeeping, and reporting requirements of Exchange Act Rules 18a–1, 18a–3, 18a–4, 18a–5, 18a–6, 18a–7, 18a–8, and 18a–9.459 An SBSD may elect to operate pursuant to Rule 18a–10 if it meets certain conditions.460 First, the firm must be registered with the Commission as a stand-alone SBSD (i.e., not also registered as a broker-dealer or an OTC derivatives dealer) and registered with the CFTC as a swap dealer. Second, the firm must be exempt from the segregation requirements of Rule 18a–4. Third, the aggregate gross notional amount of the firm’s outstanding security-based swap positions must not exceed the lesser of two thresholds as of the most recently ended quarter of the firm’s fiscal year.461 The thresholds are: (1) a maximum fixed-dollar gross notional amount of open security-based swaps of $250 billion;462 and (2) 10% of the combined aggregate gross notional amount of the firm’s open security-based swap and swap positions. As discussed above, Rule 18a–6 is proposed to be amended to require SBSDs to maintain and preserve the records required to be made pursuant to proposed Rule 10.463 However, because Rule 18a–6 is within the scope of Rule 18a–10, an SBSD operating pursuant to Rule 18a–10 would not be subject to the maintenance and preservation requirements of Rule 18a–6 with respect to the records required to be made pursuant to proposed Rule 10. Therefore, while an SBSD would be subject to proposed Rule 10 and need to make these records, the firm would not need to maintain or preserve them in accordance with Rule 18a–6. For these reasons, the Commission is proposing to amend Rule 18a–10 to exclude from its scope the record maintenance and preservation requirements of Rule 18a–6 as they pertain to the records required to be made pursuant to proposed Rule 10.464 Therefore, the records required to be made pursuant to proposed Rule 10 would need to be preserved and maintained in accordance with Rule 18a–6, as it is proposed to be amended.

459 See 17 CFR 240.18a–10.
460 See Capital, Margin, and Segregation Requirements Adopting Release, 84 FR at 43944–46 (discussing the conditions and the reasons for them). See also SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68549.
461 The gross notional amount is based on the notional amounts of the firm’s security-based swaps and swaps that are outstanding as of the quarter end. It is not based on transaction volume during the quarter.
462 The maximum fixed-dollar threshold of $250 billion is set for a transition period of 3 years from the compliance date of the rule. Three years after that date it will drop to $50 billion (unless the Commission issues an order retaining the $250 billion threshold or lesser amount that is greater than $50 billion).
463 See section II.B.5. of this release (discussing these proposals in more detail).
464 See proposed paragraph (g) of Rule 18a–10.
2. Request for Comment

The Commission requests comment on all aspects of the proposed amendments relating to Rule 18a–10. In addition, the Commission is requesting comment on the following specific aspects of the proposals:

90. Should the proposed amendments to Rule 18a–10 be modified? If so, describe how and explain why the modification would be appropriate. For example, would the records required to be made pursuant to proposed Rule 10 be subject to CFTC record preservation and maintenance rules? If so, identify the rules and explain the preservation and maintenance requirements they would impose on the records required to be made pursuant to proposed Rule 10. In addition, explain whether it would be appropriate to permit an SBSD operating pursuant to Rule 18a–10 to comply with these CFTC rules in terms of preserving and maintaining the records required to be made pursuant to proposed Rule 10 in lieu of complying with the preservation and maintenance requirements that would apply to the records under the proposed amendments to Rule 18a–6.

F. Market Entities Subject to Regulation SCI, Regulation S–P, Regulation ATS, and Regulation S–ID

1. Discussion

a. Introduction

As discussed in more detail below, certain types of Market Entities are subject to Regulation SCI and Regulation S–P.465 The Commission separately is proposing to amend Regulation SCI and Regulation S–P.466 Regulation SCI and Regulation S–P (currently and as they would be amended) have or would have provisions requiring policies and procedures that address certain types of cybersecurity risks.467 Regulation SCI (currently and as it would be amended) also requires immediate written or telephonic notice and subsequent reporting to the Commission on Form SCI of certain types of incidents.468 These notification and subsequent reporting requirements of Regulation SCI could be triggered by a ‘‘significant cybersecurity incident’’ as that term would be defined in proposed Rule 10.469 Finally, Regulation SCI and Regulation S–P (currently and as they would be amended) have or would have provisions requiring disclosures to persons affected by certain incidents.470 These current or proposed disclosure requirements of Regulation SCI and Regulation S–P could be triggered by a cybersecurity-related event that also would be a ‘‘significant cybersecurity incident’’ as that term would be defined in proposed Rule 10.471 Consequently, if proposed Rule 10 is adopted (as proposed), Market Entities could be subject to requirements in that rule and in Regulation SCI and Regulation S–P that pertain to cybersecurity.

While the Commission preliminarily believes that these requirements are nonetheless appropriate, it is seeking comment on the proposed amendments, given the following: (1) each proposal has a different scope and purpose; (2) the policies and procedures related to cybersecurity that would be required under each of the proposed rules would be consistent; (3) the public disclosures or notifications required by the proposed rules would require different types of information to be disclosed, largely to different audiences at different times; and (4) it should be appropriate for entities to comply with the proposed requirements. The Commission encourages interested persons to provide comments on the discussion below, as well as on the potential related application of proposed Rule 10, Regulation SCI, and Regulation S–P. More specifically, the Commission encourages commenters: (1) to identify any areas where they believe the requirements of proposed Rule 10 and the existing or proposed requirements of Regulation SCI and Regulation S–P would be particularly costly or create practical implementation difficulties; (2) to provide details on what in particular about implementation would be difficult; and (3) to make recommendations on how to minimize these potential impacts. To assist this effort, the Commission is seeking specific comment below on these topics.472

465 See 17 CFR 242.1000 through 1007 (Regulation SCI); 17 CFR 248.1 through 248.30 (Regulation S–P). See also section II.F.1.b. of this release (discussing the types of Market Entities that are or would be subject to Regulation SCI and/or Regulation S–P).
466 See Regulation SCI 2023 Proposing Release; Regulation S–P 2023 Proposing Release.
467 See section II.F.1.c. of this release (discussing the existing and proposed requirements of Regulation SCI and Regulation S–P to have policies and procedures that address certain cybersecurity risks).
468 See section II.F.1.d. of this release (discussing the existing and proposed immediate notification and subsequent reporting requirements of Regulation SCI).
469 See paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity incident’’).
470 See section II.F.1.e. of this release (discussing the existing and proposed disclosure requirements of Regulation SCI and Regulation S–P).
471 See paragraph (a)(10) of proposed Rule 10 (defining the term ‘‘significant cybersecurity incident’’).
472 See section II.F.2. of this release.

b. Market Entities That Are or Would Be Subject to Regulation SCI and Regulation S–P

Certain Market Entities that would be subject to the requirements of proposed Rule 10 applicable to Covered Entities are subject to the existing requirements of Regulation SCI. In particular, SCI entities include the following Covered Entities that also would be subject to the requirements of proposed Rule 10: (1) ATSs that trade certain stocks exceeding specific volume thresholds; (2) registered clearing agencies; (3) certain exempt clearing agencies; (4) the MSRB; (5) FINRA; and (6) national securities exchanges.473 Therefore, if proposed Rule 10 is adopted (as proposed), these Covered Entities would be subject to its requirements and the requirements of Regulation SCI (currently and as it would be amended). The Commission is separately proposing to revise Regulation SCI to expand the definition of ‘‘SCI entity’’ to include the following Covered Entities that also would be subject to the requirements of proposed Rule 10: (1) broker-dealers that exceed an asset-based size threshold or a volume-based trading threshold in NMS stocks, exchange-listed options, agency securities, or U.S. treasury securities; (2) all exempt clearing agencies; and (3) SBSDRs.474 Therefore, if these amendments to Regulation SCI are adopted and proposed Rule 10 is adopted (as proposed), these additional Covered Entities would be subject to the requirements of proposed Rule 10 and also to the requirements of Regulation SCI. Additionally, broker-dealers and transfer agents that would be subject to proposed Rule 10 also would be subject to some or all of the existing or proposed requirements of Regulation S–P.475

473 See 17 CFR 242.1000 (defining the terms ‘‘SCI alternative trading system,’’ ‘‘SCI self-regulatory system,’’ and ‘‘Exempt clearing agency subject to ARP,’’ and including all of those defined terms in the definition of ‘‘SCI Entity’’). The definition of ‘‘SCI entities’’ includes additional Commission registrants that would not be subject to the requirements of proposed Rule 10: plan processors and SCI competing consolidators. However, the Commission is seeking comment on whether these registrants should be subject to the requirements of proposed Rule 10.
474 All exempt clearing agencies and SBSDRs would be subject to the requirements of proposed Rule 10 applicable to Covered Entities. See paragraphs (a)(1)(ii) and (vii) of proposed Rule 10 (defining these registrants as ‘‘covered entities’’). Broker-dealers that exceed the asset-based size threshold under the proposed amendments to Regulation SCI (which would be several hundred billion dollars) also would be subject to the requirements of proposed Rule 10 applicable to Covered Entities, as they would exceed the $1 billion total assets threshold in the broker-dealer definition of ‘‘covered entity.’’ See paragraph (a)(1)(i)(D) of proposed Rule 10. A broker-dealer that exceeds one or more of the volume-based trading thresholds under the proposed amendments to Regulation SCI likely would meet one of the broker-dealer definitions of ‘‘covered entity’’ in proposed Rule 10 given their size and activities. For example, it would either be a carrying broker-dealer, have regulatory capital equal to or exceeding $50 million, have total assets equal to or exceeding $1 billion, or operate as a market maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed Rule 10. The Commission is seeking comment above on whether a broker-dealer that is an SCI entity should be defined specifically as a ‘‘covered entity’’ under proposed Rule 10.
475 Broadly, Regulation S–P’s requirements apply to all broker-dealers, except for ‘‘notice-registered broker-dealers’’ (as defined in 17 CFR 248.30), who in most cases will be deemed to be in compliance with Regulation S–P if they instead comply with the financial privacy rules of the CFTC, and are otherwise explicitly excluded from certain of Regulation S–P’s obligations. See 17 CFR 248.2(c). For the purposes of this section II.F. of this release, the term ‘‘broker-dealer’’ when used to refer to broker-dealers that are subject to Regulation S–P (currently and as it would be amended) excludes notice-registered broker-dealers. Currently, transfer agents registered with the Commission (‘‘SEC-registered transfer agents’’) (but not transfer agents registered with another appropriate regulatory agency) are subject to Regulation S–P’s ‘‘disposal rule’’ (‘‘Regulation S–P Disposal Rule’’). See 17 CFR 248.30(b). However, no transfer agent is currently subject to any other portion of Regulation S–P, including the ‘‘safeguards rule’’ under Regulation S–P (‘‘Regulation S–P Safeguards Rule’’). See 17 CFR 248.30(a). Under the proposed amendments to Regulation S–P, SEC-registered transfer agents and transfer agents registered with another appropriate regulatory agency (as defined in 15 U.S.C. 78c(34)(B)) would be subject to the Regulation S–P Safeguards Rule and the Regulation S–P Disposal Rule. Regulation S–P also applies to additional financial institutions that would not be subject to proposed Rule 10. See 17 CFR 248.3.

c. Policies and Procedures to Address Cybersecurity Risks

i. Different Scope and Purpose of the Policies and Procedures Requirements

Each of the policies and procedures requirements has a different scope and purpose. Regulation SCI (currently and as it would be amended) limits the scope of its requirements to certain systems of the SCI Entity that support securities market related functions. Specifically, it does and would require an SCI Entity to have reasonably designed policies and procedures applicable to its SCI systems and, for purposes of security standards, its indirect SCI systems.476 While certain aspects of the policies and procedures required by Regulation SCI (as it exists today and as proposed to be amended) are designed to address certain cybersecurity risks (among other things),477 the policies and procedures required by Regulation SCI focus on the SCI entities’ operational capability and the maintenance of fair and orderly markets. Similarly, Regulation S–P (currently and as it would be amended) also has a distinct focus. The policies and procedures required under Regulation S–P, both currently and as proposed to be amended, are limited to protecting a certain type of information—customer records or information and consumer report information 478—and they apply to such information even when stored outside of SCI systems or indirect SCI systems. Furthermore, these policies and procedures need not address other types of information stored on the systems of the broker-dealer or transfer agent. Proposed Rule 10 would have a broader scope than Regulation SCI and Regulation S–P (currently and as they would be amended) because it would require Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.479 Unlike Regulation SCI, these requirements would therefore cover SCI systems, indirect SCI systems, and information systems that are not SCI systems or indirect SCI systems. And, unlike Regulation S–P, the proposed requirements would also encompass information beyond customer information and consumer information. To illustrate, a Market Entity could use one comprehensive set of policies and procedures to satisfy the requirements of proposed Rule 10 and the existing and proposed cybersecurity-related requirements of Regulation SCI and Regulation S–P, so long as: (1) the cybersecurity-related policies and procedures required under Regulation S–P and Regulation SCI fit within and are consistent with the scope of the policies and procedures required under proposed Rule 10; and (2) the policies and procedures requirements of proposed Rule 10 also address the more narrowly-focused existing and proposed cybersecurity-related policies and procedures requirements under Regulation SCI and Regulation S–P.

476 See 17 CFR 242.1001(a)(1). ‘‘SCI systems’’ are defined as electronic or similar systems of, or operated by or on behalf of, an SCI entity that directly support at least one of six market functions: (1) trading; (2) clearance and settlement; (3) order routing; (4) market data; (5) market regulation; or (6) market surveillance. 17 CFR 242.1000. ‘‘Indirect SCI systems’’ are defined as those of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems. 17 CFR 242.1000. The distinction between SCI systems and indirect SCI systems seeks to encourage SCI Entities that their SCI systems, which are core market-facing systems, should be physically or logically separated from systems that perform other functions (e.g., corporate email and general office systems for member regulation and recordkeeping). See Regulation Systems Compliance and Integrity, Release No. 34–73639, 79 FR 72251 (Dec. 5, 2014), at 79 FR 72279–81 (‘‘Regulation SCI 2014 Adopting Release’’). Indirect SCI systems are subject to Regulation SCI’s requirements with respect to security standards. Further, ‘‘critical SCI systems’’ (a subset of SCI systems) are defined as those that directly support functionality relating to: (1) clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of market data by a plan processor; or (6) exclusively-listed securities; and as a catchall, systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. 17 CFR 242.1000.
477 See 17 CFR 242.1000 (defining ‘‘indirect SCI systems’’). The distinction between SCI systems and indirect SCI systems seeks to encourage SCI Entities that their SCI systems, which are core market-facing systems, should be physically or logically separated from systems that perform other functions (e.g., corporate email and general office systems for member regulation and recordkeeping). See Regulation SCI 2014 Adopting Release, 79 FR at 72279–81. Indirect SCI systems are subject to Regulation SCI’s requirements with respect to security standards.
478 Or as proposed herein, ‘‘customer information’’ and ‘‘consumer information.’’ See proposed rules 248.30(e)(5) and (e)(1), respectively.

ii. Consistency of the Policies and Procedures Requirements

Covered Entities

As discussed above, the Market Entities that would be SCI Entities under the existing and proposed requirements of Regulation SCI would be subject to the policies and procedures requirements of proposed Rule 10 applicable to Covered Entities.
In addition, broker-dealers and transfer agents are subject to the requirements of Regulation S–P (currently and as it would be amended).480 Transfer agents would be Covered Entities under proposed Rule 10 and, therefore, subject to the policies and procedures requirements of that rule applicable to Covered Entities.481 Further, the two categories of broker-dealers that likely would have the largest volume of customer information and consumer information subject to the existing or proposed requirements of Regulation S–P would be Covered Entities under proposed Rule 10: carrying broker-dealers and introducing broker-dealers.482 For these reasons, the Commission first analyzes the potential overlap between proposed Rule 10 and the current and proposed requirements of Regulation SCI and Regulation S–P by taking into account the policies and procedures requirements of proposed Rule 10 that would apply to Covered Entities.

479 See paragraphs (b) and (e) of proposed Rule 10 (setting forth the requirements of Covered Entities and Non-Covered Entities, respectively, to have policies and procedures to address their cybersecurity risks).
480 As discussed above, SEC-registered transfer agents are subject to the Regulation S–P Disposal Rule but not to the Regulation S–P Safeguards Rule. The proposed amendments to Regulation S–P would apply the Regulation S–P Safeguards Rule and the Regulation S–P Disposal Rule to all transfer agents.
481 See paragraph (b)(1) of proposed Rule 10 (setting forth the policies and procedures requirements for Covered Entities).

Regulation SCI and Regulation S–P General Policies and Procedures Requirements

Regulation SCI, Regulation S–P, and proposed Rule 10 all include requirements that address certain cybersecurity-related risks.
Regulation SCI requires an SCI entity to have reasonably designed policies and procedures to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.483 The Regulation S–P Safeguards Rule requires broker-dealers (but not transfer agents) to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.484 The Regulation S–P Safeguards Rule further provides that these policies and procedures must: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.485 Additionally, the Regulation S–P Disposal Rule requires broker-dealers and SEC-registered transfer agents that maintain or otherwise possess consumer report information for a business purpose to properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.486

482 See paragraphs (a)(1)(i)(A) and (B) of proposed Rule 10 (defining, respectively, carrying broker-dealers and introducing broker-dealers as Covered Entities).

483 See 17 CFR 242.1001(a)(1).

484 See 17 CFR 248.30(a).

485 See 17 CFR 248.30(a)(1) through (3).

486 See 17 CFR 248.30(b)(2). Regulation S–P currently defines the term ‘‘disposal’’ to mean: (1) the discarding or abandonment of consumer report information; or (2) the sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored. See 17 CFR 248.30(b)(1)(iii).

Proposed Rule 10 would require a Covered Entity to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the Covered Entity’s cybersecurity risks. In addition, Covered Entities would be required to include the following elements in their policies and procedures: (1) periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments; (2) controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems; (3) measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversight of service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems; (4) measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and (5) measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.487 As discussed earlier, the inclusion of these elements in proposed Rule 10 is designed to enumerate the core areas that Covered Entities would need to address when designing, implementing, and assessing their policies and procedures.488 Taken together, these requirements are designed to position Covered Entities to be better prepared to protect themselves against cybersecurity risks, to mitigate cybersecurity threats and vulnerabilities, and to recover from cybersecurity incidents. They are also designed to help ensure that Covered Entities focus their efforts and resources on the cybersecurity risks associated with their operations and business practices.

487 See sections II.B.1.a. through II.B.1.e. of this release (discussing these proposed requirements in more detail).

488 See section II.B.1. of this release.

A Covered Entity that implements reasonably designed policies and procedures in compliance with the requirements of proposed Rule 10 described above that cover its SCI systems and indirect SCI systems should generally satisfy the existing general policies and procedures requirements of Regulation SCI that pertain to cybersecurity.489 Similarly, policies and procedures implemented by a Covered Broker-Dealer that are reasonably designed in compliance with the requirements of proposed Rule 10 should generally satisfy the existing general policies and procedures requirements of the Regulation S–P Safeguards Rule discussed above that pertain to cybersecurity, to the extent that the customer records and information are stored electronically and, therefore, fall within the scope of proposed Rule 10. In addition, reasonably designed policies and procedures implemented by a Covered Broker-Dealer or SEC-registered transfer agent in compliance with the requirements of proposed Rule 10 should generally satisfy the existing requirements of the Regulation S–P Disposal Rule discussed above.

Regulation SCI and Regulation S–P Requirements to Oversee Service Providers.
Under the amendments to Regulation SCI, the policies and procedures required of SCI entities would need to include a program to manage and oversee third party providers that provide functionality, support or service, directly or indirectly, for SCI systems and indirect SCI systems.490 In addition, proposed amendments to the Regulation S–P Safeguards Rule would require broker-dealers and transfer agents to include written policies and procedures within their response programs that require their service providers, pursuant to a written contract, to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notification to the broker-dealer or transfer agent as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to customer information maintained by the service provider, to enable the broker-dealer or transfer agent to implement its response program expeditiously.491 Proposed Rule 10 would have several policies and procedures requirements that are designed to address similar cybersecurity risks as these proposed amendments to Regulation SCI and Regulation S–P.

489 As noted above, the CAT System is a facility of each of the Participants and an SCI system. See also CAT NMS Plan Approval Order, 81 FR at 84758. It would also qualify as an ‘‘information system’’ of each national securities exchange and each national securities association under proposed Rule 10. The CAT NMS Plan requires the CAT’s Plan Processor to follow certain security protocols and industry standards, including the NIST Cyber Security Framework, subject to Participant oversight. See, e.g., CAT NMS Plan at appendix D, section 4.2. For the reasons discussed above and below with respect to SCI systems, the policies and procedures requirements of proposed Rule 10 are not intended to be inconsistent with the security protocols set forth in the CAT NMS Plan. Moreover, to the extent the CAT NMS Plan requires security protocols beyond those that would be required under proposed Rule 10, those additional security protocols should generally fit within and be consistent with the policies and procedures required under proposed Rule 10 to address all cybersecurity risks.

490 See Regulation SCI 2023 Proposing Release. These policies and procedures would need to include initial and periodic review of contracts with such vendors for consistency with the SCI entity’s obligations under Regulation SCI; and a risk-based assessment of each third party provider’s criticality to the SCI entity, including analyses of third party provider concentration, of key dependencies if the third party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed. Id.
First, a Covered Entity’s policies and procedures under proposed Rule 10 would need to require periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems.492 This element of the policies and procedures would need to include requirements that the Covered Entity identify its service providers that receive, maintain, or process information, or are otherwise permitted to access its information systems and any of its information residing on those systems, and assess the cybersecurity risks associated with its use of these service providers.493 Second, under proposed Rule 10, a Covered Entity’s policies and procedures would need to require oversight of service providers that receive, maintain, or process its information, or are otherwise permitted to access its information systems and the information residing on those systems, pursuant to a written contract between the Covered Entity and the service provider under which the service provider would be required to implement and maintain appropriate measures that are designed to protect the Covered Entity’s information systems and information residing on those systems.494 A Covered Entity that implements these requirements of proposed Rule 10 with respect to its SCI systems and indirect SCI systems generally should satisfy the proposed requirements of Regulation SCI that the SCI entity’s policies and procedures include a program to manage and oversee third party providers that provide functionality, support or service, directly or indirectly, for SCI systems and indirect SCI systems. Similarly, a broker-dealer or transfer agent that implements these requirements of proposed Rule 10 generally would comply with the proposed requirements of the Regulation S–P Safeguards Rule relating to the oversight of service providers.

491 See Regulation S–P 2023 Proposing Release.

492 See paragraph (b)(1)(i)(A) of proposed Rule 10; see also section II.B.1.a. of this release (discussing this requirement in more detail).

493 See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.

494 See paragraph (b)(1)(iii)(B) of proposed Rule 10; see also section II.B.1.c. of this release (discussing this requirement in more detail).

Regulation SCI and Regulation S–P Unauthorized Access Requirements. Under the proposed amendments to Regulation SCI, SCI entities would be required to have a program to prevent unauthorized access to their SCI systems and indirect SCI systems, and information residing therein.495 The proposed amendments to the Regulation S–P Disposal Rule would require broker-dealers and transfer agents that maintain or otherwise possess consumer information or customer information for a business purpose to properly dispose of this information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.496 The broker-dealer or transfer agent would be required to adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information in accordance with this standard.497 Proposed Rule 10 would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks as these proposed requirements of Regulation SCI and the Regulation S–P Disposal Rule.
First, a Covered Entity’s policies and procedures under proposed Rule 10 would need to require controls: (1) requiring standards of behavior for individuals authorized to access the Covered Entity’s information systems and the information residing on those systems, such as an acceptable use policy; (2) identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification; (3) establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication; (4) restricting access to specific information systems of the Covered Entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the Covered Entity; and (5) securing remote access technologies.498 Second, under proposed Rule 10, a Covered Entity’s policies and procedures would need to include measures designed to protect the Covered Entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the Covered Entity’s information systems and the information that resides on the systems.499 The periodic assessment would need to take into account: (1) the sensitivity level and importance of the information to the Covered Entity’s business operations; (2) whether any of the information is personal information; (3) where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) the information systems’ access controls and malware protection; and (5) the potential effect a cybersecurity incident involving the information could have on the Covered Entity and its customers, counterparties, members, registrants, or users, including the potential to cause a significant cybersecurity incident.500 A Covered Entity that implements these requirements of proposed Rule 10 with respect to its SCI systems and indirect SCI systems generally should satisfy the proposed requirements of Regulation SCI that the SCI entity’s policies and procedures include a program to prevent unauthorized access to their SCI systems and indirect SCI systems, and information residing therein. Similarly, a broker-dealer or transfer agent that implements these requirements of proposed Rule 10 should generally satisfy the proposed requirements of the Regulation S–P Disposal Rule to adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information.

495 See Regulation SCI 2023 Proposing Release.

496 See Regulation S–P 2023 Proposing Release. As discussed above, the general policies and procedures requirements of the Regulation S–P Safeguards Rule require the policies and procedures—among other things—to protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. See 17 CFR 248.30(a)(3).

497 See Regulation S–P 2023 Proposing Release.

498 See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule 10; see also section II.B.1.b. of this release (discussing these requirements in more detail).

499 See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also section II.B.1.c. of this release (discussing these requirements in more detail).

500 See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed Rule 10.

Regulation SCI and Regulation S–P Response Programs. Regulation SCI requires SCI entities to have policies and procedures to monitor their SCI systems and indirect SCI systems for SCI events, which include systems intrusions for unauthorized access, and also requires them to have policies and procedures that include escalation procedures to quickly inform responsible SCI personnel of potential SCI events.501 The amendments to the Regulation S–P Safeguards Rule would require the policies and procedures to include a response program for unauthorized access to or use of customer information. Further, the response program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures, among others: (1) to assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization;502 and (2) to take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.503 Proposed Rule 10 would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks as these existing requirements of Regulation SCI and proposed requirements of the Regulation S–P Safeguards Rule.

501 See 17 CFR 242.1001(a)(2)(vii) and (c)(1), respectively.

502 Regulation SCI’s obligation to take corrective action may include a variety of actions, such as determining the scope of the SCI event and its causes, among others. See Regulation SCI 2014 Adopting Release, 79 FR at 72251, 72317. See also 17 CFR 242.1002(a).

503 See Regulation S–P 2023 Proposing Release. The response program also would need to have procedures to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. See id.

First, under proposed Rule 10, a Covered Entity’s policies and procedures would need to require measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems and the information residing on those systems.505 Second, under proposed Rule 10, a Covered Entity’s policies and procedures would need to have measures designed to detect, respond to, and recover from a cybersecurity incident, including policies and procedures that are reasonably designed to ensure (among other things): (1) the continued operations of the Covered Entity; (2) the protection of the Covered Entity’s information systems and the information residing on those systems; and (3) external and internal cybersecurity incident information sharing and communications.506 A Covered Entity that implements reasonably designed policies and procedures in compliance with these requirements of proposed Rule 10 generally should satisfy the requirements of Regulation SCI and the proposed requirements of the Regulation S–P Safeguards Rule discussed above relating to response programs for unauthorized access.

505 See paragraph (b)(1)(iv) of proposed Rule 10; see also section II.B.1.d. of this release (discussing this requirement in more detail).

506 See paragraph (b)(1)(v) of proposed Rule 10; see also section II.B.1.e. of this release (discussing this requirement in more detail).

Regulation SCI Review Requirements. Regulation SCI currently prescribes certain elements that must be included in each SCI entity’s policies and procedures.507 These required elements include policies and procedures that must provide for regular reviews and testing of SCI systems and indirect SCI systems, including backup systems, to identify vulnerabilities from internal and external threats.508 In addition, Regulation SCI requires SCI entities to conduct penetration tests as part of a review of their compliance with Regulation SCI.509 While these reviews must be conducted not less than once each calendar year, the penetration tests currently need to be conducted not less than once every three years.510 The amendments to Regulation SCI would increase the required frequency of the penetration tests to not less than once each calendar year.511 The amendments to Regulation SCI also would require that the penetration tests include tests of any vulnerabilities of the SCI entity’s SCI systems and indirect SCI systems identified under the existing requirement to perform regular reviews and testing of SCI systems and indirect SCI systems, including backup systems, to identify vulnerabilities from internal and external threats.512 Proposed Rule 10 would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks as these existing and proposed requirements of Regulation SCI.

507 See 17 CFR 242.1001(a)(2).
First, a Covered Entity’s policies and procedures under proposed Rule 10 would need to require periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems.513 Moreover, this element of the policies and procedures would need to include requirements that the Covered Entity categorize and prioritize cybersecurity risks based on an inventory of the components of the Covered Entity’s information systems and information residing on those systems and the potential effect of a cybersecurity incident on the Covered Entity.514 Second, under proposed Rule 10, a Covered Entity’s policies and procedures would need to require measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems and the information residing on those systems.515 A Covered Entity that implements these requirements of proposed Rule 10 with respect to its SCI systems and indirect SCI systems generally should satisfy the current requirements of Regulation SCI that the SCI entity’s policies and procedures require regular reviews and testing of SCI systems and indirect SCI systems, including backup systems, to identify vulnerabilities from internal and external threats.

508 17 CFR 242.1001(a)(2)(iv).

509 See 17 CFR 242.1003(b)(1)(i).

510 Id.

511 See Regulation SCI 2023 Proposing Release.

512 See Regulation SCI 2023 Proposing Release; 17 CFR 242.1001(a)(2)(iv).

513 See paragraph (b)(1)(i)(A) of proposed Rule 10; see also section II.B.1.a. of this release (discussing this requirement in more detail).

514 See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
Further, while proposed Rule 10 does not require penetration testing, the proposed rule—as discussed above—requires measures designed to protect the Covered Entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the Covered Entity’s information systems and the information that resides on the systems.516 As discussed earlier, penetration testing could be part of these measures.517 Therefore, the existing and proposed requirements of Regulation SCI requiring penetration testing could be incorporated into and should fit within a Covered Entity’s policies and procedures to address cybersecurity risks under proposed Rule 10.

515 See paragraph (b)(1)(iv) of proposed Rule 10; see also section II.B.1.d. of this release (discussing this requirement in more detail).

516 See paragraph (b)(1)(iii)(A) of proposed Rule 10.

517 See also section II.B.1.c. of this release. The Commission also is requesting comment above on whether proposed Rule 10 should be modified to specifically require penetration testing.

Non-Covered Broker-Dealers

Non-Covered Broker-Dealers—which would be subject to Regulation S–P but not Regulation SCI—are smaller firms whose functions do not play as significant a role in the U.S. securities markets, as compared to Covered Broker-Dealers.518 For example, Non-Covered Broker-Dealers tend to offer a more focused and limited set of services such as facilitating private placements of securities, selling mutual funds and variable contracts, underwriting securities, and participating in direct investment offerings.519 Further, they do not hold customer securities and cash or serve as a conduit (i.e., an introducing broker-dealer) for customers to access their accounts at a carrying broker-dealer that holds the customers’ securities and cash. If these Non-Covered Broker-Dealers do not possess or maintain any customer information or consumer information for a business purpose in connection with the services they provide, they would not be subject to either the current or proposed requirements of Regulation S–P, including those that pertain to cybersecurity. However, Non-Covered Broker-Dealers under proposed Rule 10 that do possess or maintain customer information or consumer information for a business purpose would be subject to the current and proposed requirements of Regulation S–P. Given their smaller size, some of these Non-Covered Broker-Dealers may store and dispose of the information in paper form and, therefore, under the existing and proposed requirements of Regulation S–P would need to address the physical security aspects of storing and disposing of this information. These paper records would not be subject to proposed Rule 10.

518 See section IV.C.2. of this release (discussing the activities of broker-dealers that would not meet the definition of ‘‘covered entity’’ in proposed Rule 10). As discussed below in section IV.C.2. of this release, the 1,541 broker-dealers that would meet the definition of ‘‘covered entity’’ in proposed Rule 10 had average total assets of $3.5 billion and average regulatory equity of $325 million; whereas the 1,969 that would not meet the definition of ‘‘covered entity’’ had average total assets of $4.7 million and regulatory equity of $3 million. This means that broker-dealers that would not meet the definition of ‘‘covered entity’’ in proposed Rule 10 accounted for about 0.2% of the total assets of all broker-dealers and 0.1% of total capital for all broker-dealers.
Some Non-Covered Broker-Dealers likely would store customer information and consumer information for a business purpose electronically on an information system. Under the existing and proposed requirements of Regulation S–P, these Non-Covered Broker-Dealers would need to address the cybersecurity risks of storing this information on an information system. These Non-Covered Broker-Dealers would be subject to the requirements of proposed Rule 10 to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks taking into account the size, business, and operations of the firm.520 Under proposed Rule 10, they also would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. This means the Non-Covered Broker-Dealer would need to comprehensively address all of its cybersecurity risks. The policies and procedures to address cybersecurity risks required under proposed Rule 10 would need to address cybersecurity risks involving information systems on which customer information and consumer information is stored.

519 See section IV.C.2. of this release (discussing the activities of broker-dealers that would not meet the definition of ‘‘covered entity’’ in proposed Rule 10).

520 See paragraph (e) of proposed Rule 10 (setting forth the policies and procedures requirements for Market Entities that are not Covered Entities). See also section II.C. of this release (discussing these proposed requirements in more detail).
Therefore, complying with this requirement of proposed Rule 10 would be consistent with complying with the existing and proposed requirements of Regulation S–P that relate to cybersecurity. As discussed above, Regulation S–P (currently and as it would be amended) sets forth certain specific requirements that pertain to cybersecurity risk; whereas the requirements of proposed Rule 10 applicable to Non-Covered Broker-Dealers more generally require the firm to establish, maintain, and enforce written policies and procedures that are reasonably designed to address its cybersecurity risks taking into account the size, business, and operations of the firm. As explained above, those more specific existing and proposed requirements of Regulation S–P are consistent with certain of the elements—which are based on industry standards for addressing cybersecurity risk—that Covered Entities would be required to include in their policies and procedures under proposed Rule 10.521 Further, proposed Rule 10 would require a Non-Covered Broker-Dealer to take into account its size, business, and operations when designing its policies and procedures to address its cybersecurity risks. Storing customer information and consumer information on an information system is the type of operation a Non-Covered Broker-Dealer would need to take into account. Consequently, the specific existing and proposed requirements of Regulation S–P should fit within and be consistent with a Non-Covered Broker-Dealer’s reasonably designed policies and procedures to address its cybersecurity risks under proposed Rule 10, including the risks associated with storing customer information and consumer information on an information system.

521 See section II.B.1. of this release (discussing the policies and procedures requirements for Covered Entities).

iii. Regulation ATS and Regulation S–ID

Certain broker-dealers that operate an ATS are subject to Regulation ATS and certain broker-dealers that offer and maintain certain types of accounts for customers are subject to requirements of Regulation S–ID to establish an identity theft program.522 Additionally, SBS Entities and transfer agents could be subject to Regulation S–ID if they are ‘‘financial institutions’’ or ‘‘creditors.’’523 As discussed below, Regulation ATS and Regulation S–ID are more narrowly focused on certain cybersecurity risks as compared to proposed Rule 10, which focuses on all cybersecurity risks of a Market Entity. In addition, the current requirements of Regulation ATS and Regulation S–ID should fit within and be consistent with the broader policies and procedures required under proposed Rule 10 to address all cybersecurity risks.

Regulation ATS requires certain broker-dealers that operate an ATS to review the vulnerability of their systems and data center computer operations to internal and external threats, physical hazards, and natural disasters if during at least four of the preceding six calendar months, such ATS had: (1) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (2) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States.524 Therefore, in addition to other potential systems issues, the broker-dealer would need to address cybersecurity risk relating to its ATS system. Further, this requirement applies to systems that support order entry, order handling, execution, order routing, transaction reporting, and trade comparison in the particular security.525 Therefore, it has a narrower focus than proposed Rule 10.
Regulation ATS also requires all broker-dealers that operate an ATS to establish adequate written safeguards and written procedures to protect subscribers’ confidential trading information.526 The written safeguards and procedures must include, among other things, limiting access to the confidential trading information of subscribers to those employees of the alternative trading system who are operating the system or responsible for its compliance with these or any other applicable rules.527 These requirements apply to all broker-dealers that operate an ATS and, as indicated, apply to a narrow set of information stored on their information systems: the confidential trading information of the subscribers to the ATS. As discussed above, Covered Entities under proposed Rule 10—which would include broker-dealers that operate an ATS—would be required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the Covered Entity’s cybersecurity risks.

522 See 17 CFR 242.301 through 304 (conditions to the Regulation ATS exemption); 17 CFR 248.201 and 202 (Regulation S–ID identity theft program requirements).

523 See 17 CFR 248.201 and 202. The scope of Regulation S–ID includes any financial institution or creditor, as defined in the Fair Credit Reporting Act (15 U.S.C. 1681), that is required to be ‘‘registered under the Securities Exchange Act of 1934.’’ See 17 CFR 248.201(a).

524 See 17 CFR 242.301(b)(6). Currently, no ATS has crossed either of the volume-based thresholds and, therefore, no ATS is subject to the requirements pertaining, in part, to cybersecurity. See also Amendments Regarding the Definition of ‘‘Exchange’’ and ATSs Release, 87 FR 15496.

525 See Regulation of Exchanges and Alternative Trading Systems, Exchange Act Release No. 40760 (Dec. 8, 1998) [63 FR 70844, 70876 (Dec. 22, 1998)].

526 See 17 CFR 242.301(b)(10).
In addition, Covered Entities would be required to include the following elements in their policies and procedures: (1) periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments; (2) controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems; (3) measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversight of service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems; (4) measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and (5) measures to detect, respond to, and recover from a cybersecurity incident and written documentation. Consequently, a broker-dealer that operates an ATS and that implements reasonably designed policies and procedures in compliance with the requirements of proposed Rule 10 should generally satisfy the current requirements of Regulation ATS to review the vulnerability of its systems and data center computer operations to internal and external threats and to protect subscribers’ confidential trading information to the extent these requirements pertain to cybersecurity.

Regulation S–ID requires—among other things—a financial institution or creditor within the scope of the regulation that offers or maintains one or more covered accounts to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.528 Regulation S–ID defines the term ‘‘covered account’’—in pertinent part—as an account that the financial institution or creditor maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer, and any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.529 Therefore, Regulation S–ID is narrowly focused on one cybersecurity risk—identity theft. Identity theft—as discussed earlier—is one of the tactics threat actors use to cause harm after obtaining unauthorized access to personal information.530 As a cybersecurity risk, Market Entities would need to address it as part of their policies and procedures under proposed Rule 10. Consequently, the requirement of Regulation S–ID should fit within and be consistent with a Market Entity’s reasonably designed policies and procedures to address its cybersecurity risks under proposed Rule 10, including the risks associated with identity theft.

d. Notification and Reporting to the Commission

Regulation SCI (currently and as it would be amended) provides the framework for notifying the Commission of SCI events including, among other things, to: immediately notify the Commission of the event; provide a written notification on Form SCI within 24 hours that includes a description of the SCI event and the system(s) affected, with other information required to the extent available at the time; provide regular updates regarding the SCI event until the event is resolved; and submit a final detailed written report regarding the SCI event.531 If proposed Rule 10 is adopted as proposed, it would require Market Entities that are Covered Entities to provide the Commission (and other regulators, if applicable) with immediate written electronic notice of a significant cybersecurity incident affecting the Covered Entity and, thereafter, report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission (and other regulators, if applicable).532 Part I of proposed Form SCIR would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. Consequently, a Covered Entity that is also an SCI entity that experiences a significant cybersecurity incident under proposed Rule 10 that also is an SCI event would be required to make two filings for the single incident: one on Part I of proposed Form SCIR and the other on Form SCI. The Covered Entity also would be required to make additional filings on Forms SCIR and SCI pertaining to the significant cybersecurity incident (i.e., to provide updates and final reports).

The approach of having two separate notification and reporting programs—one under proposed Rule 10 and the other under Regulation SCI—would be appropriate for the following reasons. As discussed earlier, certain broker-dealers and all transfer agents would not be SCI entities under the current and proposed requirements of Regulation SCI.533 Certain of the broker-dealers that are not SCI entities (currently and as it would be amended) would be Covered Entities and all transfer agents would be Covered Entities.534 In addition, the current and proposed reporting requirements of Regulation SCI are or would be triggered by events impacting SCI systems and indirect SCI systems. The Covered Entities that are or would be SCI entities use and rely on information systems that are not SCI systems or indirect SCI systems under the current and proposed amendments to Regulation SCI. For these reasons, Covered Entities could be impacted by significant cybersecurity incidents that do not trigger the current and proposed notification requirements of Regulation SCI either because they do not meet the current or proposed definitions of ‘‘SCI entity’’ or the significant cybersecurity incident does not meet the current or proposed definitions of ‘‘SCI event.’’ As discussed earlier, the objective of the notification and reporting requirements of proposed Rule 10 is to improve the Commission’s ability to monitor and evaluate the effects of a significant cybersecurity incident on Covered Entities and their customers, counterparties, members, registrants, or users, as well as assess the potential risks affecting financial markets more broadly.535 For this reason, Part I of proposed Form SCIR is tailored to elicit information relating specifically to cybersecurity, such as information relating to the threat actor, and the impact of the incident on any data or personal information that may have been accessed.536 The Commission and its staff could use the information reported on Part I of Form SCIR to monitor the U.S. securities markets and the Covered Entities that support those markets broadly from a cybersecurity perspective, including identifying cybersecurity threats and trends from a market-wide view. By requiring all Covered Entities to report information about a significant cybersecurity incident on a common form, the information obtained from these filings over time would create a comprehensive set of data of all significant cybersecurity incidents impacting Covered Entities that is based on these entities responding to the same check boxes and questions on the form. This would facilitate analysis of the data, including analysis across different Covered Entities and significant cybersecurity incidents. Eventually, this set of data and the ability to analyze it by searching and sorting how different Covered Entities responded to the same questions on the form could be used to spot common trending risks and vulnerabilities as well as best practices employed by Covered Entities to respond to and recover from significant cybersecurity incidents.

527 See 17 CFR 242.301(b)(10)(i)(A).
528 See 17 CFR 248.201(d)(1).
529 See 17 CFR 248.201(b)(3).
530 See section I.A. of this release.
531 See 17 CFR 242.1002(b). An ‘‘SCI event’’ is an event at an SCI entity that is: (1) a ‘‘systems disruption,’’ which is an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system; (2) a ‘‘systems intrusion,’’ which is any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity; or (3) a ‘‘systems compliance issue,’’ which is an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Exchange Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable. See 17 CFR 242.1000 (defining the terms ‘‘systems disruption,’’ ‘‘system intrusion,’’ and ‘‘system compliance issue’’ and including those terms in the definition of ‘‘SCI event’’). The amendments to Regulation SCI would broaden the definition of ‘‘system intrusion’’ to include a cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system, as well as a material attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. See Regulation SCI 2023 Proposing Release.
532 See paragraphs (c)(1) and (2) of proposed Rule 10 (requiring Covered Entities to provide immediate written notice and subsequent reporting on Part I of proposed Form SCIR of significant cybersecurity incidents); sections II.B.2. and II.B.4. of this release (discussing the requirements of paragraphs (c)(1) and (2) of proposed Rule 10 and Part I of Form SCIR in more detail). Non-Covered Broker-Dealers also would be subject to an immediate written electronic notice requirement under paragraph (e)(2) of proposed Rule 10. However, as discussed above, a Non-Covered Broker-Dealer likely would not be an SCI Entity.
533 See section II.F.1.b. of this release. Currently, broker-dealers that operate as ATSs and trade certain stocks exceeding specific volume thresholds are SCI entities. The proposed amendments to Regulation SCI would expand the definition of ‘‘SCI entity’’ to include broker-dealers that exceed an asset-based size threshold or a volume-based trading threshold in NMS stocks, exchange-listed options, agency securities, or U.S. treasury securities. See Regulation SCI 2023 Proposing Release.
534 See paragraphs (a)(1)(i)(A) and (F) of proposed Rule 10 (defining the categories of broker-dealers that would be Covered Entities); paragraph (a)(1)(ix) of proposed Rule 10 (defining transfer agents as ‘‘covered entities’’).
535 See section II.B.2.a. of this release.
536 See section II.B.2.b. of this release.
The current and proposed definitions of ‘‘SCI event’’ include events that are not related to significant cybersecurity incidents.537 For example, under the current and proposed requirements of Regulation SCI, the definition of ‘‘SCI event’’ includes an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.538 Therefore, the definitions are not limited to events in an SCI entity’s SCI systems that disrupt, or significantly degrade, the normal operation of an SCI system caused by a significant cybersecurity incident. The information elicited in Form SCI reflects the broader scope of the reporting requirements of Regulation SCI (as compared to the narrower focus of proposed Rule 10 on reporting about significant cybersecurity incidents). For example, the form requires the SCI entity to identify the type of SCI event: systems compliance issue, systems disruption, and/or systems intrusion. In addition, Form SCI is tailored to elicit information specifically about SCI systems. For example, the form requires the SCI entity to indicate whether the type of SCI system impacted by the SCI event directly supports: (1) trading; (2) clearance and settlement; (3) order routing; (4) market data; (5) market regulation; and/or (6) market surveillance. If the impacted system is a critical SCI system, the SCI entity must indicate whether it directly supports functionality relating to: (1) clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of consolidated market data; and/or (6) exclusively-listed securities. 
The form also requires the SCI entity to indicate if the impacted system is one that provides functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.

e. Disclosure

Proposed Rule 10 and the existing and proposed requirements of Regulation SCI and the proposed requirements of Regulation S–P also have similar, but distinct, requirements related to notification about certain cybersecurity incidents. Regulation SCI requires that SCI entities disseminate information to their members, participants, or customers (as applicable) regarding SCI events.539 The proposed amendments to Regulation S–P would require broker-dealers and transfer agents to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.540 Proposed Rule 10 would require a Covered Entity to make two types of public disclosures relating to cybersecurity on Part II of proposed Form SCIR.541 Covered Entities would be required to make the disclosures by filing Part II of proposed Form SCIR on EDGAR and posting a copy of the filing on their business internet websites.542 In addition, a Covered Entity that is either a carrying or introducing broker-dealer would be required to provide a copy of the most recently filed Part II of Form SCIR to a customer as part of the account opening process. Thereafter, the carrying or introducing broker-dealer would need to provide the customer with the most recently filed form annually.

537 See 17 CFR 242.1000 (defining the term ‘‘SCI event’’); Regulation SCI 2023 Proposing Release.
538 See 17 CFR 242.1000 (defining the term ‘‘system disruption’’ and including that term in the definition of ‘‘SCI event’’); Regulation SCI 2023 Proposing Release.
The copies of the form would need to be provided to the customer using the same means that the customer elects to receive account statements (e.g., by email or through the postal service). Finally, a Covered Entity would be required to promptly make updated disclosures through each of the methods described above (as applicable) if the information required to be disclosed about cybersecurity risk or significant cybersecurity incidents materially changes, including, in the case of the disclosure about significant cybersecurity incidents, after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes. Consequently, a Covered Entity would—if it experiences a ‘‘significant cybersecurity incident’’—be required to make updated disclosures under proposed Rule 10 by filing Part II of proposed Form SCIR on EDGAR, posting a copy of the form on its business internet website, and, in the case of a carrying or introducing broker-dealer, by sending the disclosure to its customers using the same means that the customer elects to receive account statements.

539 See 17 CFR 242.1002(c).
540 See Regulation S–P 2023 Proposing Release. The proposed amendments to Regulation S–P would define ‘‘sensitive customer information’’ to mean any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. Id. The proposed amendments would provide examples of sensitive customer information. Id.
541 See paragraph (d)(1) of proposed Rule 10.
542 See section II.B.3.b. of this release (discussing these proposed requirements in more detail).
Moreover, if the Covered Entity is an SCI entity and the significant cybersecurity incident is or would be an SCI event under the current or proposed requirements of Regulation SCI, the Covered Entity also could be required to disseminate certain information about the SCI event to certain of its members, participants, or customers (as applicable). Further, if the Covered Entity is a broker-dealer or transfer agent and, therefore, subject to Regulation S–P (as it is proposed to be amended), the broker-dealer or transfer agent also could be required to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. However, despite these similarities, there are distinct differences. First, proposed Rule 10, Regulation SCI, and Regulation S–P (as proposed to be amended) require different types of information to be disclosed. Second, the disclosures, for the most part, would be made to different persons: (1) the public at large in the case of proposed Rule 10; 543 (2) affected members, participants, or customers (as applicable) of the SCI entity in the case of Regulation SCI; 544 and (3) affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization or, in some cases, all individuals whose information resides in the customer information system that was accessed or used without authorization in the case of Regulation S–P (as proposed to be amended). Additionally, the disclosure or notification provided about certain cybersecurity incidents is different under proposed Rule 10 and the existing and/or proposed requirements of Regulation SCI and Regulation S–P, given their distinct goals. For example, the requirement to disclose summary descriptions of certain cybersecurity incidents from the current or previous calendar year publicly on EDGAR, among other methods, under proposed Rule 10 serves a different purpose than: (1) the member, participant, or customer (as applicable) dissemination of information regarding SCI events under Regulation SCI; and (2) the customer notification obligation under the proposed amendments to Regulation S–P, which would provide more specific information to individuals affected by a security compromise involving their sensitive customer information, so that those individuals may take remedial actions if they so choose.

543 A carrying broker-dealer would be required to make the disclosures to its customers as well through the means by which they receive account statements.
544 Information regarding major SCI events is and would be required to be disseminated by an SCI entity to all of its members, participants, or customers (as applicable) under the existing and proposed requirements of Regulation SCI. See Regulation SCI 2023 Proposing Release.

2. Request for Comment

The Commission requests comment on the potential duplication or overlap between the requirements of proposed Rule 10, Regulation SCI (as it currently exists and as it is proposed to be amended), and Regulation S–P (as it currently exists and as it is proposed to be amended). In addition, the Commission is requesting comment on the following matters:

91. Should the policies and procedures requirements of proposed Rule 10 be modified to address Market Entities that also would be subject to the existing and proposed requirements of Regulation SCI and/or Regulation S–P?
For example, would it be particularly costly or create practical implementation difficulties to apply the requirements of proposed Rule 10 (if it is adopted) to have policies and procedures to address cybersecurity risks to Market Entities even if they also would be subject to requirements to have policies and procedures under Regulation SCI and/or Regulation S–P that address certain cybersecurity risks (currently and as they would be amended)? If so, explain why. If not, explain why not. Are there ways the policies and procedures requirements of proposed Rule 10 could be modified to minimize these potential impacts while achieving the separate goals of this proposal to protect participants in the U.S. securities markets and the markets themselves from cybersecurity risks? If so, explain how and suggest specific modifications.

92. Would it be appropriate to modify proposed Rule 10 to exempt SCI systems or indirect SCI systems from its policies and procedures requirements and instead rely on the policies and procedures requirements of Regulation SCI to address cybersecurity risks to these information systems of Covered Entities? If so, explain why. If not, explain why not. What would be the costs and benefits of this approach? For example, if one set of policies and procedures generally would satisfy the requirements of both rules, would this approach result in incremental costs or benefits? Please explain. Would this approach achieve the objectives of this rulemaking to address cybersecurity risks to Covered Entities, given that Rule 10 is specifically designed to address cybersecurity risks and Regulation SCI is designed to address a broader range of risks to certain information systems? Please explain.
Would this approach create practical implementation and compliance complexities insomuch as one set of the Covered Entity’s systems would be subject to Regulation SCI (i.e., SCI systems and indirect SCI systems) and the other set would be subject to Rule 10? Please explain. If it would create practical implementation and compliance difficulties, would Covered Entities nonetheless apply separate policies and procedures requirements to their information systems based on whether they are or are not SCI systems and indirect SCI systems or would they develop a single set of policies and procedures that comprehensively addresses the requirements of Regulation SCI and Rule 10? Please explain. Would a comprehensive set of policies and procedures result in stronger measures to protect SCI systems and indirect SCI systems from cybersecurity risks? Please explain. If so, would this be appropriate given the nature of SCI systems and indirect SCI systems and the roles these systems play in the U.S. securities markets? Please explain.

93. Should the policies and procedures requirements of proposed Rule 10 be modified to address Market Entities that also would be subject to the requirements of Regulation ATS? If so, explain why. If not, explain why not.

94. Should the immediate notification and reporting requirements of proposed Rule 10 be modified to address Covered Entities that also would be subject to the existing and proposed requirements of Regulation SCI? For example, would it be particularly costly or create practical implementation difficulties to apply the immediate notification and subsequent reporting requirements of proposed Rule 10 and Part I of proposed Form SCIR (if they are adopted) to Covered Entities even if they also would be subject to immediate notification and subsequent reporting requirements under Regulation SCI (as it currently exists and would be amended)? If so, explain why. If not, explain why not.
Are there ways the notification and reporting requirements of proposed Rule 10 and Part I of proposed Form SCIR could be modified to minimize these potential impacts while achieving the separate goals of this proposal to protect participants in the U.S. securities markets and the markets themselves from cybersecurity risks? If so, explain how and suggest specific modifications. For example, should Part I of proposed Form SCIR be modified to include a section that incorporates the check boxes and questions of Form SCI so that a single form could be filed to meet the reporting requirements of proposed Rule 10 and Regulation SCI? If so, explain why. If not, explain why not. Are there other ways Part I of proposed Form SCIR could be modified to combine the elements of Form SCI? If so, explain how. Should Rule 10 be modified to require that the initial Part I of Form SCIR must be filed within 24 hours (instead of promptly but not later than 48 hours) to align the filing timeframe with Regulation SCI? If so, explain why. If not, explain why not.

95. Should the public disclosure requirements of proposed Rule 10 be modified to address Covered Entities that also would be subject to the existing and proposed requirements of Regulation SCI and/or Regulation S–P? For example, would it be particularly costly or create practical implementation difficulties to apply the public disclosure requirements of proposed Rule 10 and Part II of proposed Form SCIR (if they are adopted) to Covered Entities even if they also would be subject to the current and proposed disclosure requirements of Regulation SCI and Regulation S–P? If so, explain why. If not, explain why not. Are there ways the public disclosure requirements of proposed Rule 10 could be modified to minimize these potential impacts while achieving the separate goals of this proposal to protect participants in the U.S. securities markets and the markets themselves from cybersecurity risks?
If so, explain how and suggest specific modifications. For example, should proposed Rule 10 be modified to permit the customer notification that would be required under the amendments to Regulation S–P to satisfy the requirement of proposed Rule 10 that a Covered Entity that is a carrying broker-dealer or introducing broker-dealer send a copy of an updated Part II of proposed Form SCIR to its customers? If so, explain why. If not, explain why not. Would sending the notification required by proposed Rule 10 and the notification required by the proposed amendments to Regulation S–P to the same customer be confusing to the customer? If so, explain why. If not, explain why not.

G. Cybersecurity Risk Related to Crypto Assets

The creation, distribution, custody, and transfer of crypto assets depends almost exclusively on the operations of information systems.545 Crypto assets, therefore, are exposed to cybersecurity risks.546 Further, crypto assets are attractive targets for threat actors.547 Therefore, information systems that involve crypto assets may be subject to heightened cybersecurity risks. If Market Entities engage in business activities involving crypto assets, they could be exposed to these heightened cybersecurity risks.548 Crypto assets are an attractive target for unlawful activity due, in large part, to the unique nature of distributed ledger technology.
Possession or control of crypto assets on a distributed ledger is based on ownership or knowledge of public and private cryptographic key pairings. These key pairings are somewhat analogous to user names and passwords and consist of strings of letters and numbers used to sign transactions on a distributed ledger and to prove ownership of a blockchain address, which is commonly known as a ‘‘digital wallet.’’ 549 Digital wallets, in turn, generally require the use of internet-connected hardware and software to receive and transmit information about crypto asset holdings. A digital wallet can be obtained by anyone, including a potential threat actor. If a victim’s digital wallet is connected to the internet, and a threat actor obtains access to the victim’s private key, the threat actor can transfer the contents of the wallet to another blockchain address (such as the threat actor’s own digital wallet) without authorization from the true owner.

545 The term ‘‘digital asset’’ or ‘‘crypto asset’’ refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology (‘‘distributed ledger technology’’), including, but not limited to, so-called ‘‘virtual currencies,’’ ‘‘coins,’’ and ‘‘tokens.’’ See Custody of Digital Asset Securities by Special Purpose Broker-Dealers, Exchange Act Release No. 90788 (Dec. 23, 2020) [86 FR 11627, 11627, n.1 (Feb. 26, 2021)]. To the extent digital assets rely on cryptographic protocols, these types of assets are commonly referred to as ‘‘crypto assets.’’ A crypto asset may or may not meet the definition of a ‘‘security’’ under the federal securities laws. See, e.g., Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Securities Exchange Act Release No. 81207 (July 25, 2017), available at https://www.sec.gov/litigation/investreport/34-81207.pdf. See also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). ‘‘Digital asset securities’’ can be referred to as ‘‘crypto asset securities’’ and for purposes of this release, the Commission does not distinguish between the terms ‘‘digital asset securities’’ and ‘‘crypto asset securities.’’
546 See KPMG, Assessing crypto and digital asset risks (May 2022), available at https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2022/assessing-crypto-and-digital-asset-risks.pdf (‘‘Properly securing digital assets[] is typically viewed as the biggest risk that companies must address.’’).
547 See U.S. Department of Treasury, Crypto-Assets: Implications for Consumers, Investors, and Businesses (Sept. 2022), available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (‘‘Treasury Crypto Report’’) (‘‘Moreover, the crypto-asset ecosystem has unique features that make it an increasingly attractive target for unlawful activity, including the ongoing evolution of the underlying technology, pseudonymity, irreversibility of transactions, and the current asymmetry of information between issuers of crypto-assets and consumers and investors.’’).
548 Moreover, if the Market Entity’s activities involving crypto asset securities involve its information systems, the requirements being proposed in this release would be implicated.
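The paragraph above explains that control of crypto assets rests entirely on possession of a private key: the ledger verifies a signature against the public key bound to an address and nothing more. The following Go program is an added example written for this page, not code from the release or any ledger implementation. It uses the standard library's ECDSA on P-256 and a constructed toy address scheme (SHA-256 of the public key point, truncated to 20 bytes) and in-memory ledger; real chains differ in curve, address format and serialization. The `Transfer`, `Ledger` and `Scenario` names are this example's own. It shows three cases: the key holder's own spend is accepted, a spend from the owner's address signed with a different key is rejected, and the same spend signed with the owner's key by a different party is accepted, because the ledger has no notion of the legitimate owner beyond the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transfer is a constructed, minimal transaction: move Amount from From to To.
// Nonce prevents the same signed message from being replayed.
type Transfer struct {
	From, To string
	Amount   uint64
	Nonce    uint64
}

// AddressOf derives a wallet address from the public key alone (toy scheme:
// SHA-256 over the fixed-width X||Y coordinates, truncated to 20 bytes).
func AddressOf(pub *ecdsa.PublicKey) string {
	xy := make([]byte, 64)
	pub.X.FillBytes(xy[:32])
	pub.Y.FillBytes(xy[32:])
	sum := sha256.Sum256(xy)
	return hex.EncodeToString(sum[:20])
}

// digest is what gets signed: a hash covering every field of the transfer.
func digest(t Transfer) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", t.From, t.To, t.Amount, t.Nonce)))
	return h[:]
}

// Sign authorizes a transfer with a private key. Anyone holding the key can do this.
func Sign(priv *ecdsa.PrivateKey, t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(t))
}

// Ledger is a constructed in-memory stand-in for on-chain state.
type Ledger struct {
	Balances map[string]uint64
	Nonces   map[string]uint64
}

func NewLedger() *Ledger {
	return &Ledger{Balances: map[string]uint64{}, Nonces: map[string]uint64{}}
}

// Apply performs the only authorization check a ledger has: does the presented
// public key map to the From address, and does the signature verify under it?
// Identity of the submitter is never part of the check.
func (l *Ledger) Apply(t Transfer, pub *ecdsa.PublicKey, sig []byte) error {
	if AddressOf(pub) != t.From {
		return errors.New("public key does not control the From address")
	}
	if !ecdsa.VerifyASN1(pub, digest(t), sig) {
		return errors.New("bad signature")
	}
	if t.Nonce != l.Nonces[t.From] {
		return errors.New("nonce mismatch (replay or out of order)")
	}
	if l.Balances[t.From] < t.Amount {
		return errors.New("insufficient balance")
	}
	l.Balances[t.From] -= t.Amount
	l.Balances[t.To] += t.Amount
	l.Nonces[t.From]++
	return nil
}

// Scenario returns whether (1) the owner's own spend is accepted, (2) a spend
// forged with a different key is rejected, and (3) a spend signed with the
// owner's private key, here simulated as leaked to another party, is accepted.
func Scenario() (ownerOK, forgeryRejected, leakedKeyAccepted bool, err error) {
	owner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	l := NewLedger()
	ownerAddr, attackerAddr := AddressOf(&owner.PublicKey), AddressOf(&attacker.PublicKey)
	l.Balances[ownerAddr] = 100 // constructed starting balance

	// 1. Legitimate spend by the key holder.
	t1 := Transfer{From: ownerAddr, To: attackerAddr, Amount: 10, Nonce: 0}
	sig1, _ := Sign(owner, t1)
	ownerOK = l.Apply(t1, &owner.PublicKey, sig1) == nil

	// 2. Spend from the owner's address signed with the attacker's own key: rejected.
	t2 := Transfer{From: ownerAddr, To: attackerAddr, Amount: 90, Nonce: 1}
	sig2, _ := Sign(attacker, t2)
	forgeryRejected = l.Apply(t2, &attacker.PublicKey, sig2) != nil

	// 3. The same spend signed with the owner's key (simulated leak): accepted,
	// because possession of the key is the only authorization the ledger checks.
	leaked := owner
	sig3, _ := Sign(leaked, t2)
	leakedKeyAccepted = l.Apply(t2, &leaked.PublicKey, sig3) == nil
	return
}

func main() {
	a, b, c, err := Scenario()
	fmt.Println("owner spend accepted:", a, "| forgery rejected:", b, "| leaked-key spend accepted:", c, "| err:", err)
}
```

The third case is the one the paragraph describes: once the private key is exposed, the resulting transfer is indistinguishable on-ledger from a legitimate one, so any detection or prevention has to happen off-ledger, in key custody (hardware-backed or offline keys, approval workflows) and in transaction monitoring before signing.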
It may be difficult to subsequently track down the identity of the threat actor because the owner of a digital wallet can remain anonymous (absent additional attribution information) and because intermediaries involved in the transfer of crypto assets, such as trading platforms, may not comply with or may actively claim not to be subject to applicable ‘‘know your customer’’ or related diligence requirements.550 The current state of distributed ledger technology may present other challenges to defending against cybercriminal activity. First, there is no centralized information technology (‘‘IT’’) infrastructure that can dynamically detect and prevent cyberattacks on wallets or prevent the transfer of illegitimately obtained crypto assets by threat actors.551 This is unlike traditional infrastructures, such as those used by banks and broker-dealers, where behavioral and historic 549 See, e.g., NIST Glossary (defining ‘‘private key’’). 550 See, e.g., Treasury Crypto Report (‘‘Compared to registered financial market intermediaries— which are subject to rules and laws that promote market integrity and govern risks and business conduct, including identifying, disclosing, and mitigating conflicts of interest and adhering to AML/CFT requirements—many crypto-asset platforms may either not yet be in compliance with, or may actively claim not to be subject to, existing applicable U.S. laws and regulations, including registration requirements. . . . When the onboarding process used by platforms is limited or opaque, the risk that the platform may be used for illegal activities increases.’’). 551 See CipherTrace, Cryptocurrency crime and anti-money laundering report (June 2022), available at https://4345106.fs1.hubspotusercontent-na1.net/ hubfs/4345106/CAML%20Reports/CipherTrace %20Cryptocurrency%20Crime%20and%20AntiMoney%20Laundering%20Report %2c%20June%202022.pdf?_hstc=56248308. 2ea6daf13b00f00afe4d9acf0886eddf .1667865330143.1667865330143.1667917991763. 
2&_hssc=56248308.1.1667917991763&_ hsfp=247897319 (‘‘CipherTrace 2022 Report’’). PO 00000 Frm 00068 Fmt 4701 Sfmt 4702 transaction patterns can be used to detect and prevent account takeovers in real-time. Furthermore, distributed ledger technology often makes it difficult or impossible to reverse erroneous or fraudulent crypto asset transactions, whereas processes and protocols exist to reverse erroneous or fraudulent transactions when trading more traditional assets.552 In addition, certain code that governs the operation of a blockchain and that governs socalled ‘‘smart contracts’’ are often transparent to the public. This provides threat actors with visibility into potential vulnerabilities associated with the code, though developers may have limited ability to patch those vulnerabilities.553 These characteristics of distributed ledger technology, and others, present cybersecurity vulnerabilities that, if taken advantage of by a threat actor, could lead to financial harm without meaningful recourse to reverse fraudulent transactions, recover or replace lost crypto assets, or correct errors. The amount of crypto assets stolen by threat actors annually continues to increase.554 Threat actors looking to 552 For example, this is the case with Bitcoin and Ether, the two crypto assets with the largest market values. See CoinMarketCap, Today’s Cryptocurrency Prices by Market Cap, available at https://coinmarketcap.com/ (‘‘Crypto Asset Market Value Chart’’). See also, e.g., Kaili Wang, Qinchen Wang, and Dan Boneh, ERC–20R and ERC–721R: Reversible Transactions on Ethereum (Oct. 11, 2022), available at https://arxiv.org/pdf/2208. 00543.pdf#page=16&zoom=100,96,233 (Stanford University proposal discussing the immutability of Ethereum-based tokens, and proposing that reversible Ethereum transactions may facilitate more wide-spread adoption of these crypto assets). 
With respect to securities, the clearance and settlement of securities that are not crypto assets are characterized by infrastructure whereby intermediaries such as clearing agencies and securities depositories serve as key participants in the process. The clearance and settlement of crypto asset securities, on the other hand, may rely on fewer, if any, intermediaries and remain evolving areas of practices and procedures. 553 See Treasury Crypto Report (‘‘Smart contracts, which are widely used by many permissionless blockchains, also present risks as they combine the features of generally being immutable and publicly viewable. Taken together, these attributes pose several vulnerabilities that may be exploited by illicit actors to steal customer funds: once an attacker finds a bug in a smart contract and exploits it, immutable smart contract protocols limit developers’ ability to patch the exploited vulnerability, giving attackers more time to exploit the vulnerability and steal assets.’’). 554 See Treasury Crypto Report (noting that of the total amount of crypto asset based crime in 2021, theft rose by over 500% year-over-year to $3.2 billion in total); Chainalysis, The 2022 Crypto Crime Report (Feb. 2022), available at https:// go.chainalysis.com/2022-Crypto-Crime-Report.html (‘‘Chainalysis 2022 Report’’) (predicting that illicit transaction activity will reach an all-time high in terms of value in 2022, and noting that crypto asset based crime hit a new all-time high in 2021, with illicit addresses receiving $14 billion over the course of the year, up from $7.8 billion in 2020). E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 exploit the vulnerabilities associated with crypto assets often employ social engineering techniques, such as phishing to acquire a user’s cryptographic key pairing information. 
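The passage above makes the point that the ledger itself offers no real-time account-takeover detection, so any "behavioral and historic transaction pattern" check has to happen before a Market Entity's own key signs a transfer. The following Python sketch is an added example, not part of the Commission's release or any Market Entity's code, of applying such checks at that pre-signing step; the account names, addresses, balances, thresholds and transfer history are constructed.

```python
"""
Pre-signing review of outgoing crypto asset transfers.

Constructed example: an entity that controls private keys cannot rely on
the distributed ledger to detect an account takeover, so it applies
behavioural / historical checks at the moment it decides whether to sign
a transfer at all. All addresses, balances and thresholds are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str      # account (wallet) the entity controls
    dst: str      # destination blockchain address
    amount: float


@dataclass
class Review:
    decision: str                          # "allow" or "hold"
    reasons: List[str] = field(default_factory=list)


class TransferPolicy:
    """Flags transfers that deviate from an account's own history.

    "hold" means: do not sign; route to out-of-band approval. A stolen
    private key lets an attacker *submit* transfers, but only transfers
    the entity actually signs reach the ledger.
    """

    def __init__(self, history: Iterable[Transfer], balances: Dict[str, float], *,
                 velocity_window: timedelta = timedelta(hours=1),
                 velocity_limit: int = 3,        # max transfers per window
                 amount_multiplier: float = 5.0,  # vs. median historical amount
                 drain_fraction: float = 0.5):    # share of balance in one tx
        self.history = list(history)
        self.balances = dict(balances)
        self.velocity_window = velocity_window
        self.velocity_limit = velocity_limit
        self.amount_multiplier = amount_multiplier
        self.drain_fraction = drain_fraction

    def _past(self, src: str) -> List[Transfer]:
        return [t for t in self.history if t.src == src]

    def review(self, tx: Transfer) -> Review:
        reasons: List[str] = []
        past = self._past(tx.src)

        # 1. Destination this account has never paid before.
        if tx.dst not in {t.dst for t in past}:
            reasons.append("new_destination")

        # 2. Amount far above this account's typical transfer size.
        if past:
            typical = median(t.amount for t in past)
            if tx.amount > self.amount_multiplier * typical:
                reasons.append("amount_anomaly")

        # 3. Burst of transfers in a short window (a drain in progress).
        recent = [t for t in past if tx.ts - t.ts <= self.velocity_window]
        if len(recent) + 1 > self.velocity_limit:
            reasons.append("velocity")

        # 4. A single transfer that would empty most of the account.
        balance = self.balances.get(tx.src, 0.0)
        if balance > 0 and tx.amount >= self.drain_fraction * balance:
            reasons.append("drain")

        return Review("hold" if reasons else "allow", reasons)

    def record(self, tx: Transfer) -> None:
        """Call only after the transfer has been approved and signed."""
        self.history.append(tx)
        self.balances[tx.src] = self.balances.get(tx.src, 0.0) - tx.amount


def build_example_policy() -> TransferPolicy:
    """Constructed history: one account paying a known counterparty daily."""
    base = datetime(2023, 4, 1, 9, 0)
    history = [
        Transfer(base + timedelta(days=i), "acct-A", "0xCOUNTERPARTY-1", amt)
        for i, amt in enumerate([1.0, 1.2, 0.9, 1.1, 1.3])
    ]
    return TransferPolicy(history, {"acct-A": 50.0})


if __name__ == "__main__":
    policy = build_example_policy()
    now = datetime(2023, 4, 6, 9, 0)
    routine = Transfer(now, "acct-A", "0xCOUNTERPARTY-1", 1.2)
    suspicious = Transfer(now, "acct-A", "0xNEVER-SEEN", 40.0)
    print(policy.review(routine))     # allow, no reasons
    print(policy.review(suspicious))  # hold: new_destination, amount_anomaly, drain
```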
Phishing tactics that have been employed to reach and trick crypto asset users into disclosing their private keys include: (1) monitoring social media for users reaching out to wallet software support, intervening with direct messages, and impersonating legitimate support staff who need the user's private key to fix the problem; (2) distributing new crypto assets at no cost to a set of wallets in an "airdrop," and then failing transactions on those assets with an error message to redirect the owner to a phishing website or a website that installs plug-in software and steals the user's credentials from a local device; and (3) impersonating a wallet software provider and stealing private keys directly from the user.555 To the extent that the activities of Market Entities involve crypto assets, these types of phishing tactics could be used against their employees.

Another variation of a social engineering attack that is similar to phishing, but does not involve stealing private keys directly, is called "ice phishing." In this scheme, the threat actor tricks the user into signing a digital transaction that delegates approval and control of the user's wallet to the attacker, allowing the threat actor to become the so-called "spender" of the wallet. Once the threat actor obtains control over the user's wallet, the threat actor can transfer all of the crypto assets to a new wallet controlled by the threat actor.556

Threat actors also target private keys and crypto assets through other means, such as installing key logging software,557 exploiting vulnerabilities in code used in connection with crypto assets (such as smart contracts), and deploying flash loan attacks.558 Installing key logging software, in particular, is an example of malware that threat actors looking to exploit the vulnerabilities associated with crypto assets often employ. Other common types of crypto asset-focused malware techniques include info stealers, clippers, and cryptojackers.559

The size and growth of the crypto asset markets, along with the fact that many participants in these markets (such as issuers, intermediaries, trading platforms, and service providers) may be acting in noncompliance with applicable law, continue to make them an attractive target for threat actors looking for quick financial gain. The crypto asset ecosystem has exhibited rapid growth in the past few years. For example, industry reports have suggested that the total crypto asset market value increased from approximately $135 billion on January 1, 2019 to just under $2.1 trillion on March 31, 2022.560 According to these reports, the crypto asset market value peaked at almost $3 trillion in November 2021.561 Various sources also report that the market value remains over $1 trillion today.562

555 See Microsoft 365 Defender Research Team, 'Ice Phishing' on the Blockchain (Feb. 16, 2022), available at https://www.microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain/.

556 See CipherTrace June 2022 Report. Delegating authority to another user reportedly is a common transaction on decentralized finance ("DeFi") platforms, as the user may need to provide the DeFi platform with approval to conduct transactions with the user's tokens. In an "ice phishing" attack, the attacker modifies the spender address to the attacker's address. Once the approval transaction has been signed, submitted, and mined, the spender can access the funds. The attacker can accumulate approvals over a period of time and then drain the victim's wallets quickly.

557 Key logging can involve a threat actor deploying a software program designed to record which keys are pressed on a computer keyboard to obtain passwords or other encryption keys, therefore bypassing certain security measures. See NIST Glossary (defining "key logger"). Key logging software can be installed, for example, when the victim clicks a link or downloads an attachment in a phishing email, downloads a Trojan virus that is disguised as a legitimate file or application, or is directed to a phony website.

558 See Treasury Crypto Report ("In an innovation unique to DeFi lending, some protocols may support 'flash loans,' which enable users to borrow, use, and repay crypto assets in a single transaction that is recorded on the blockchain in the same data block. Because there is no default risk associated with flash loans, users can borrow without posting collateral and without risk of being liquidated. A 'flash loan attack' can occur when the temporary surge of funds obtained in a flash loan is used to manipulate prices of crypto-assets, often through the interaction of multiple DeFi services, enabling attackers to take over the governance of a protocol, change the code, and drain the treasury."). In 2021, code exploits and flash loan attacks accounted for 49.8% of all crypto asset value stolen across all crypto asset services. See Chainalysis 2022 Report.

559 Specifically, "info stealers" collect saved credentials, files, autocomplete history, and crypto asset wallets from compromised computers. "Clippers" can insert new text into the victim's clipboard, replacing text the user has copied. Hackers can use clippers to replace crypto asset addresses copied into the clipboard with their own, allowing them to reroute planned transactions to their own wallets. "Cryptojackers" make unauthorized use of the computing power of a victim's device to mine crypto assets. See Chainalysis 2022 Report.

560 See CipherTrace June 2022 Report. The amount of total activity in the crypto asset markets has increased as well. According to the CipherTrace June 2022 Report, while the total activity in 2020 was around $4.3 trillion, there was approximately $16 trillion of total activity in the first half of 2021 alone. See id.

561 See id.

562 See Crypto Asset Market Value Chart; see also Treasury Crypto Report.

III. General Request for Comment

In addition to the specific requests for comment above, the Commission is requesting comments from all members of the public on all aspects of the proposed rule and amendments. Commenters are requested to provide empirical data in support of any arguments or analyses. With respect to any comments, the Commission notes that they are of the greatest assistance to this rulemaking initiative if accompanied by supporting data and analysis of the issues addressed in those comments and by alternatives to the Commission's proposals where appropriate.

IV. Economic Analysis

A. Introduction

The Commission is mindful of the economic effects, including the costs and benefits, of: (1) proposed Rule 10; (2) Parts I and II of proposed Form SCIR; (3) the proposed amendments to Rules 17a-4, 17ad-7, and 18a-6; (4) the proposed amendments to existing orders that exempt certain clearing agencies from registering with the Commission; and (5) the proposed amendments to paragraph (d)(1) of Rule 3a71-6 to add proposed Rule 10 and Form SCIR to the list of Commission requirements eligible for a substituted compliance determination.
Section 3(f) of the Exchange Act provides that when engaging in rulemaking that requires the Commission to consider or determine whether an action is necessary or appropriate in the public interest, the Commission shall also consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation.563 Section 23(a)(2) of the Exchange Act also requires the Commission to consider the effect that the rules and rule amendments would have on competition, and it prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the Exchange Act.564 The analysis below addresses the likely economic effects of the proposed rule and form, the proposed rule amendments, and the proposed amendments to the exemptive orders, including the anticipated and estimated benefits and costs of these proposals and their likely effects on efficiency, competition, and capital formation. The Commission also discusses the potential economic effects of certain alternatives to the approaches taken with respect to these proposals.

As discussed above, Market Entities rely on information systems to perform functions that support the fair, orderly, and efficient operation of the U.S. securities markets.565 This exposes them and the U.S. securities markets to cybersecurity risk. According to the Bank for International Settlements, the financial sector had the second-largest share of COVID-19-related cybersecurity events between the end of February and June 2020.566 As is the case with other risks (e.g., market, credit, or liquidity risk), cybersecurity risk can be addressed through policies and procedures that are reasonably designed to manage the risk. A second means to address cybersecurity risk to the U.S. securities markets is through the Commission gathering and sharing information about significant cybersecurity incidents. This risk also can be addressed through greater transparency.567 For these reasons (and the reasons discussed throughout the release), the Commission is proposing Rule 10 and Form SCIR to require that Market Entities address cybersecurity risks, to improve the Commission's ability to obtain information about significant cybersecurity incidents impacting Covered Entities, and to require Covered Entities to disclose publicly summary descriptions of their cybersecurity risks and significant cybersecurity incidents (if applicable).

It is important to note that the Market Entities serve different functions in the U.S. securities markets and are subject to different regulatory regimes. As a result, Market Entities today have varying approaches to cybersecurity protections and would have different costs and benefits associated with complying with proposed Rule 10 and, for Covered Entities, filing Parts I and II of proposed Form SCIR. In addition, Market Entities may have different costs and benefits depending on the size and complexity of their businesses. For example, because Non-Covered Broker-Dealers likely are materially smaller in size than Covered Entities, use fewer and less complex information systems, and have less data stored on information systems, the obligations of Non-Covered Broker-Dealers under proposed Rule 10 are more limited, and likely would have lower compliance costs. This could be the case even though Non-Covered Broker-Dealers may still need to invest in hardware and software, employ legal and compliance personnel, or contract with a third party.

Furthermore, in addition to the direct benefits and costs realized by Market Entities, other market participants, such as investors and third-party service providers, would realize indirect benefits and costs from the adoption of the proposed rule. The direct and indirect benefits and costs realized by each type of Market Entity and market participant are discussed below.568

Many of the benefits and costs discussed below are difficult to quantify. For example, the effectiveness of cybersecurity strengthening measures taken as a result of proposed Rule 10 depends on the extent to which they reduce the likelihood of a cybersecurity incident and on the expected cost of such an incident, including remediation costs in the event that a cybersecurity incident causes harm. As a result, the effectiveness of cybersecurity strengthening is subject to numerous assumptions and unknowns, and thus is difficult to quantify. Effectively, because cybersecurity infrastructure as well as policies and procedures help to prevent successful cybersecurity intrusions, the benefit of cybersecurity protection can be measured as the expected loss from a cybersecurity incident. In 2020, the average loss in the financial services industry was $18.3 million, per company per incident. The average cost of a financial services data breach was $5.85 million.569 Thus, those values would represent the benefit of avoiding a cybersecurity incident.

The Commission has limited information on cybersecurity incidents impacting Market Entities. For example, as discussed above, certain Market Entities are SCI entities subject to the requirements of Regulation SCI.570 SCI entities must report SCI events to the Commission on Form SCI, which could include cybersecurity incidents.571 However, only certain Market Entities are SCI entities, and the reporting requirements of Regulation SCI are limited to SCI systems and indirect SCI systems, which are a subset of the information systems used by SCI entities. To the extent that a cybersecurity incident at a Market Entity that is also an SCI entity is an SCI event, the Market Entity would be required to file Form SCI. However, only certain SCI events are also considered to be cybersecurity incidents. Consequently, the Commission currently has only partial knowledge of the cybersecurity incidents that occur at Market Entities. The Commission believes using the benefit and cost values related to SCI entities as a basis to estimate the benefits and costs of the proposed rule for Covered Entities would be instructive but may be underinclusive.

563 See 15 U.S.C. 78c(f).

564 See 15 U.S.C. 78w(a)(2).

565 See section I.A. of this release (discussing cybersecurity risks and the use of information systems by Market Entities).

566 Id. The health sector is ranked first in terms of cyberattacks.

567 "The Council recommends that regulators and market participants continue to work together to improve the coverage, quality, and accessibility of financial data, as well as improve data sharing among relevant agencies." FSOC 2021 Annual Report, at 16.

568 See section IV.D. of this release (discussing these benefits and costs).

569 Jennifer Rose Hale, The Soaring Risks of Financial Services Cybercrime: By the Numbers, Diligent (Apr. 9, 2021), available at https://www.diligent.com/insights/financial-services/cybersecurity/#.

570 See section II.F.1.b. of this release (discussing the Covered Entities that are subject to Regulation SCI).

571 See section II.F.1.d. of this release (discussing the reporting requirements of Regulation SCI).
Similarly, the Commission has access to information contained in confidential anti-money laundering ("AML") suspicious activity reports ("SARs") that broker-dealers file with the Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN"), which include known or suspected cybersecurity incidents.572 However, the SARs filed by broker-dealers with FinCEN do not necessarily include all of the details associated with an incident, such as whether the incident was confirmed, the extent of the impact, and how the breach was remediated. Furthermore, the SAR filing may not be timely, as a broker-dealer has up to 30 days to file the SAR if a suspect is identified, or up to 60 days if a suspect is not identified. Issues that require immediate attention, such as terrorist financing or ongoing money laundering schemes, must be reported to law enforcement.573 If reporting is not otherwise required by the Commission or an SRO, a broker-dealer "may also, but is not required to" contact the Commission.574 Broker-dealers must make the supporting documentation available to the Commission and registered SROs (as well as to FinCEN, law enforcement agencies, and Federal regulatory authorities that examine for Bank Secrecy Act compliance) upon request.575 The benefits and costs of filing SARs with FinCEN can serve as a basis to approximate the cost of filing Part I of proposed Form SCIR. However, the proposed rule would require a quicker reporting timeline, more information to be provided, and multiple updates with regard to a given significant cybersecurity event. Thus, the costs related to complying with SAR filings serve as a floor for Covered Entities complying with the proposed rule.

While the Commission has attempted to quantify economic effects where possible, some of the discussion of economic effects is qualitative in nature. The Commission seeks comment on all aspects of the economic analysis, especially any data or information that would enable the Commission to quantify the proposal's economic effects more accurately.

B. Broad Economic Considerations

Market Entities generally have financial incentives to maintain some level of cybersecurity protection because failure to safeguard their operations from attacks on their information systems and to protect information about their customers, counterparties, members, registrants, or users, as well as their funds and assets, could lead to losses of funds, assets, and customer information, as well as damage the Market Entity's reputation. As a result, Market Entities generally have an incentive to invest some amount of money to address cybersecurity risk. Market Entities' reputational motives generally should encourage them to invest in measures to protect their information systems from cybersecurity risk.576 Moreover, the damage caused by a significant cybersecurity incident, including the associated remediation costs, may exceed the cost of implementing cybersecurity policies and procedures that may have prevented the incident and its harmful impacts. As a result, significant losses arising from a potential significant cybersecurity incident can encourage Market Entities to invest in cybersecurity protections today. However, such investments in cybersecurity protections may not be sufficient.

572 See, e.g., Fergus Shiel and Ben Hallman, International Consortium of Investigative Journalists, Suspicious Activity Reports, Explained (Sept. 20, 2020), available at https://www.icij.org/investigations/fincen-files/suspicious-activity-reports-explained/ (stating that approximately 85% of SARs are filed by a few large banks to report money laundering).

573 See 31 CFR 1023.320(b)(3).

574 See 31 CFR 1023.320(a)(1), (b)(3).

575 See 31 CFR 1023.320(d).
The Investment Company Institute notes that the remediation costs of $252 million associated with the 2013 data breach experienced by Target Brands, Inc. ("Target") far exceeded the cost of the cybersecurity insurance the company purchased ($90 million), resulting in an out-of-pocket loss for Target of $162 million.577 PCH Technologies states that in 2020, small companies (1-49 employees) lost an average of $24,000 per cybersecurity incident. That loss increased to $50,000 per incident for medium-sized companies (50-249 employees). Large companies (250-999 employees) and enterprise-level firms (1,000 employees or more) lost an average of $133,000 and $504,000 per cybersecurity incident, respectively.578

Having an annual penetration testing requirement can help Market Entities reduce the likelihood of costly data breaches. For instance, according to one industry source, RSI Security, a penetration test "can measure [the entity's] system's strengths and weaknesses in a controlled environment before [the entity has] to pay the cost of an extremely damaging data breach."579 For example, RSI Security explains that penetration testing "can cost anywhere from $4,000-$100,000," and "[o]n average, a high quality, professional [penetration testing] can cost from $10,000-$30,000."580 RSI Security, however, was clear that the magnitudes of these costs can vary with size, complexity, scope, methodology, types, experience, and remediation measures.581 On the other hand, the same article cited IBM's 2019 Cost of a Data Breach Study, which reported that the average cost of a data breach is $3.92 million with an average loss of 25,575 records,582 which would more than justify "the average $10,000-$30,000 bill from a professional, rigorous [penetration testing]."583 Another source estimates a "high-quality, professional [penetration testing to cost] between $15,000-$30,000," while emphasizing that "cost varies quite a bit based on a set of variables."584 This is in line with a third source, which states that "[a] true penetration test will likely cost a minimum of $25,000."585

It is the Commission's understanding that multi-cloud architecture could introduce more complexity and, accordingly, more cybersecurity risk into Market Entities' back-up systems, to the extent they have them.586

Large Market Entities that have economies of scale are able to implement cybersecurity policies and procedures in a more cost-effective manner. Smaller Market Entities, on the other hand, generally do not enjoy the same economies of scale or scope. The marginal cost for smaller Market Entities of implementing cybersecurity policies and procedures that are just as robust as those that would be needed by large Market Entities likely would be relatively high. As a result, investment costs in cybersecurity protection at small broker-dealers, for example (most of which would be Non-Covered Broker-Dealers under proposed Rule 10), likely will account for a larger proportion of their revenue than at relatively large broker-dealers (which likely would be Covered Entities that realize economies of scale).

Having policies and procedures in place to address cybersecurity risk would benefit the customers, counterparties, members, registrants, or users with whom Market Entities interact. However, a cybersecurity budget likely is tempered, in part, such that the total sum spent to address cybersecurity risk provides some, but possibly not complete, protection against cyberattacks.587 Ultimately, those costs to address cybersecurity risks will be passed on, to the extent possible, to the persons with whom the Market Entities do business.588

The level of cybersecurity protection instituted by Market Entities may be inadequate from the perspective of overall economic efficiency.589 In other words, the chosen level of cybersecurity protection may, in fact, represent an underinvestment relative to the optimal level of cybersecurity protection that should be maintained by Market Entities from an overall economic perspective. Levels of cybersecurity protection that are not optimal may exacerbate the occurrence of harmful cybersecurity incidents. Cybersecurity events have grown in both number and sophistication.590 These developments in the market have significantly increased the negative externalities that may flow from systems failures. Underinvestment in cybersecurity may occur because a Market Entity is aware that it would not bear the full cost of a cybersecurity incident (i.e., some negative externalities may be borne by its customers, counterparties, members, registrants, or users). As a result, the Market Entity does not have to internalize the complete cost of cybersecurity protection when deciding upon its level of investment. This underinvestment by the Market Entity is considered to be a moral hazard problem, because other market participants are harmed by a significant cybersecurity incident and are forced to bear those costs that spill over to them.

At the same time, even though Market Entities may not bear the full cost of a cybersecurity failure (e.g., loss of the personal information or the assets of their customers, members, registrants, or users), they likely would incur some costs themselves and therefore have incentives to avoid cybersecurity failures. These incentives could cause them to implement policies and procedures to address cybersecurity risk, which would likely result in benefits that accrue in large part to their customers, counterparties, members, registrants, or users.

576 See Marc Dupuis and Karen Renaud, Scoping the Ethical Principles of Cybersecurity Fear Appeals, 23 Ethics and Info. Tech. 265 (2021), available at https://doi.org/10.1007/s10676-020-09560-0.

577 See National Law Review, Target Data Breach Price Tag: $252 Million and Counting (Feb. 26, 2015), available at https://www.natlawreview.com/article/target-data-breach-price-tag-252-million-and-counting.

578 Timothy Guim, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021, PCH Technologies (July 7, 2021), available at https://pchtechnologies.com/cost-of-cyber-attacks-vs-cost-of-cyber-security-in-2021/#:~:text=1%20Large%20businesses%3A%20Between%20%242%20million%20and%20%245,%24500%2C000%20or%20less%20spent%20on%20cybersecurity%20per%20year.

579 RSI Security, What is the Average Cost of Penetration Testing?, RSI Security Blog (posted Mar. 5, 2020), available at https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.

580 See RSI Security, What is the Average Cost of Penetration Testing?, RSI Security Blog (posted Mar. 5, 2020), available at https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.

581 See id.

582 See IBM, Cost of a Data Breach Report (2019), available at https://www.ibm.com/downloads/cas/RDEQK07R ("2019 Cost of Data Breach Report").

583 See RSI Security, What is the Average Cost of Penetration Testing?, RSI Security Blog (posted Mar. 5, 2020), available at https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.

584 Gary Glover, How Much Does a Pentest Cost?, Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at https://www.securitymetrics.com/blog/how-much-does-pentest-cost.

585 Mitnick Security, What Should You Budget for a Penetration Test? The True Cost, Mitnick Security Blog (posted Jan. 29, 2021, 5:13 a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.

586 For example, security breach possibilities could increase because of the interconnection of Market Entities through their multi-cloud providers.

587 See Martijn Wessels, Puck van den Brink, Thijmen Verburgh, Beatrice Cadet, and Theo van Ruijven, Understanding Incentives for Cybersecurity Investments: Development and Application of a Typology, 1 Digit. Bus. 1-7 (Oct. 2021), available at https://doi.org/10.1016/j.digbus.2021.100014; Scott Dynes, Eric Goetz, and Michael Freeman, Cyber Security: Are Economic Incentives Adequate? (Intern. Conf. on Critical Infrastructure Protection, Conference Paper, 2007), available at https://doi.org/10.1007/978-0-387-75462-8_2; Brent R. Rowe and Michael P. Gallaher, Private Sector Cyber Security Investment Strategies: An Empirical Analysis, The Fifth Workshop on the Economics of Information Security (Mar. 2006), available at https://www.infosecon.net/workshop/downloads/2006/pdf/18.pdf ("Private Sector Cyber Security Investment Strategies Analysis"); Nicole van der Meulen, RAND Europe, Investing in Cybersecurity (Aug. 2015), available at https://repository.wodc.nl/bitstream/handle/20.500.12832/2173/2551-fulltext_tcm28-73946.pdf?sequence=4&isAllowed=y.

588 See Derek Mohammed, Cybersecurity Compliance in the Financial Sector, J. Internet Banking and Com. (2015), available at https://www.icommercecentral.com/open-access/cybersecurity-compliance-in-the-financial-sector.php?aid=50498.

589 Low levels of investment in cybersecurity protection, which are different from underinvestment in cybersecurity protection, can be a function of a number of issues, such as firm budget, available solutions, knowledge of the threat actors' capabilities, and the performance of in-house or contracted information technology teams.

590 See, e.g., Chuck Brooks, Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know (June 3, 2022), available at https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2429c57e7864.
Market Entities could do this in order to avoid the harms that could be caused by a significant cybersecurity incident (e.g., loss of funds, assets, or personal, confidential, or proprietary information; damage to or the holding hostage of their information systems; or reputational damage). As a result, Market Entities have a potential incentive to rely overly on reactive solutions to cybersecurity threats and attacks instead of proactive ones.[591]

In the context of cybersecurity, negative externalities arising from the moral hazard problem can have significant negative repercussions on the financial system more broadly, particularly due to the interconnectedness of Market Entities.[592] Borg notes that the level of interconnectedness and complexity can have an influence on the degree of damage that cybersecurity incidents impose on Market Entities as well as their customers, counterparties, members, registrants, and users.[593] As for the availability of substitutes, the negative effect of a cybersecurity incident could be lessened to the extent that there are one or more competing firms that can complete the task, such as another broker-dealer or national securities exchange. On the flip side, significant cybersecurity incidents may be the most damaging when there are no substitutes available to execute the required task.

In addition to other firms being negatively affected by a cybersecurity incident, investors can be negatively affected. For example, a significant cybersecurity incident at a national securities exchange could affect its ability to execute trades, causing orders to go unfilled. Depending on how long it takes the national securities exchange to resolve the issue, the prices of securities traded on the exchange may be different from when the orders were originally placed.[594] A loss of confidence in an exchange due to a cybersecurity incident could result in a longer-term reallocation of trading volume to competing exchanges or other trading venues.[595] A significant cybersecurity incident could produce negative effects that spill over and affect market participants outside of the national securities exchange itself. It also may adversely affect market confidence, and curtail economic activity through a reduction in securities trading among market participants.[596]

While the negative externalities that arise from the moral hazard problem are usually depicted as being absorbed by other market participants, the losses to other parties may be potentially covered in part or in full by insurance policies.[597] An even stronger incentive to underinvest is the possibility that an outside party can make whole or at least mitigate some of the losses incurred by the various market participants. Market Entities may underinvest in their cybersecurity measures due to the moral hazard that results from expectations of government support.[598] Most threat actors primarily have a monetary incentive, and there is a large monetary incentive to breach cybersecurity protections in the financial sector. As a result, Covered Entities—such as clearing agencies, large national securities exchanges, and large carrying broker-dealers—may be attractive targets to sophisticated threat actors aiming to compromise or disrupt the U.S. financial system because of the services they perform to support the functioning of the U.S. securities markets; the protection of confidential, proprietary, or personal information they store; or the financial assets they hold. Protection against ‘‘advanced persistent threats’’[599] from sophisticated threat actors, whatever their motives, is costly.[600] The belief—no matter how misplaced—that a widespread and crippling cybersecurity attack would be met with government support, such as direct payments for recovery and immediate cybersecurity investments, could lead to moral hazard where certain Covered Entities underinvest in defenses aimed at countering that threat.[601]

Suboptimal spending on cybersecurity also can be the result of asymmetric information among Market Entities and market participants. A Market Entity may not know what its optimal cybersecurity expenditures should be because the nature and scope of future attacks are unknown. In addition, a Market Entity may not know what its competitors do in terms of cybersecurity planning, whether they have been subject to unsuccessful cyberattacks, or have been a victim of one or more significant cybersecurity incidents. Market Entities also may not be able to signal credibly to their customers, counterparties, members, registrants, or users that they are better at addressing cybersecurity risks than their peers, thus reducing their incentive to bear such cybersecurity investment costs.[602] Lastly, Market Entities’ customers, counterparties, members, registrants, or users typically do not have information about the Market Entities’ cybersecurity spending, the efficacy of the cybersecurity investments made, or their policies and procedures. Therefore, those market participants cannot make judgments about Market Entities’ cybersecurity preparedness. Because of this information asymmetry, Market Entities may not have as strong an incentive to have robust cybersecurity measures compared to a scenario in which customers, counterparties, members, registrants, or users had perfect information about the Market Entities’ cybersecurity practices and the risks that they face.

Underinvestment in cybersecurity also may stem from the principal-agent problem of divergent goals in economic theory. The relationship between a Market Entity (i.e., the agent) and the principals (i.e., its customers, counterparties, members, registrants, or users) can be affected if the principal relies on the agent to perform services on the principal’s behalf.[603] Because principals and their agents may not have perfectly aligned preferences and goals, agents may take actions that increase their well-being at the expense of principals, thereby imposing ‘‘agency costs’’ on the principals.[604] Although private contracts between principals and agents may aim to minimize such costs, they are limited in their ability to do so in that agents can decide not to enter into such agreements and ultimately not provide the particular services to the principals. Furthermore, agents can charge much higher fees that the principals choose not to bear. These limitations provide one rationale for regulatory intervention.[605] Market-based incentives alone are unlikely to result in optimal provision of cybersecurity protection. In this context, having plans and procedures in place to prepare for and respond to cybersecurity incidents,[606] as the rule would require, would help ensure that the infrastructure of the U.S. securities markets remains robust, resilient, and secure. A well-functioning financial system is a public good.

Beyond reputational damage to the affected agent (Market Entity), the principals (the Market Entity’s customers, counterparties, members, registrants, or users) can be negatively affected by a cybersecurity breach as a result of loss in personal information and/or funds and assets. Thus, the principals and the agents may have different reasons for needing cybersecurity protocols. Furthermore, the negative effects of a cybersecurity incident also can spread among Market Entities due to their interconnectedness.[607] Those other Market Entities prefer that the principals employ strong cybersecurity practices that reduce the chances of a successful breach and its negative cascading effects throughout the financial sector. All of the preceding negative externalities are arguments for proposed Rule 10.

In the production of cybersecurity defenses and controls, the main input is information. In particular, information about prior attacks and their degree of success, as well as prior human errors and their degree of harm, is valuable in mounting effective countermeasures and controls.[608] However, Market Entities may be naturally reluctant to share such information, as doing so could assist future attackers as well as lead to loss of customers, reputational harm, litigation, or regulatory scrutiny, which would be costs associated with public disclosure.[609] On the other hand, disclosure of such information creates a positive information externality—the benefits of which accrue to society at large and are not fully captured by the Market Entity making the disclosure. This situation can occur because the disclosure informs the Market Entity’s customers, counterparties, members, registrants, or users—as well as the Market Entity’s competitors—about the cybersecurity incidents experienced by the Market Entity. As a result, information disclosures intended to close the information asymmetry gap can have both positive and negative consequences.

As discussed earlier, sources of market failure in cybersecurity come from information asymmetries at two different levels: (1) between Market Entities and their customers, counterparties, members, registrants, or users; and (2) between Market Entities and threat actors.

[591] See Private Sector Cyber Security Investment Strategies Analysis.
[592] See Anil K. Kashyap and Anne Wetherilt, Some Principles for Regulating Cyber Risk, 109 Amer. Econ. Assoc. Papers and Proc. 482 (May 2019).
[593] See Scott Borg, Economically Complex Cyberattacks, IEEE Computer Society (2005), available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1556539.
[594] National securities exchanges currently are subject to certain obligations under Regulation SCI.
[595] National securities exchanges may be required to meet certain regulatory obligations in such circumstances.
[596] See Electra Ferriello, Prof. Robert Shiller’s U.S. Crash Confidence Index, Yale School of Management, Intern. Ctr. for Fin. (Nov. 3, 2020), available at https://som.yale.edu/blog/prof-robert-shillers-us-crash-confidence-index; Gregg E. Berman, Senior Advisor to the Director, Division of Trading and Markets, Commission, Speech by SEC Staff: Market Participants and the May 6 Flash Crash (Oct. 2010), available at https://www.sec.gov/news/speech/2010/spch101310geb.htm.
[597] See Marsh, Underinvestment in Cyber Insurance Can Leave Organizations Vulnerable (2022), available at https://www.marsh.com/pr/en/services/cyber-risk/insights/underinvestment-in-cyber-insurance.html.
[598] It has long been noted that it is difficult for governments to commit credibly to not providing support to entities that are seen as critical to the functioning of the financial system, resulting in problems of moral hazard. See, e.g., Walter Bagehot, Lombard Street: A Description of the Money Market (Henry S. King & Co., 1873). Historically, banking entities seen as ‘‘too big to fail’’ or ‘‘too interconnected to fail’’ have been the principal recipients of such government support. Since the financial crisis of 2007–2009, non-bank financial institutions (such as investment banks), money market funds, and insurance companies, as well as specific markets such as the repurchase market have also benefited. See, e.g., Gary B. Gorton, Slapped by the Invisible Hand: The Panic of 2007, Oxford Univ. Press (2010); see also Viral V. Acharya, Deniz Anginer, and A. Joseph Warburton, The End of Market Discipline? Investor Expectations of Implicit Government Guarantees, SSRN Scholarly Paper, Rochester, NY: Social Science Research Network (May 1, 2016).
[599] ‘‘Advanced persistent threat’’ refers to sophisticated cyberattacks by hostile organizations with the goal of: gaining access to defense, financial, and other targeted information from governments, corporations and individuals; maintaining a foothold in these environments to enable future use and control; and modifying data to disrupt performance in their targets. See Michael K. Daly, The Advanced Persistent Threat (or Informationized Force Operations), Raytheon (Nov. 4, 2009), available at https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf.
[600] See Nikos Virvilis and Dimitris Gritzalis, The Big Four—What We Did Wrong in Advanced Persistent Threat Detection?, 2013 Int’l Conf. on Availability, Reliability and Security 248 (2013).
[601] See Lawrence A. Gordon, Martin P. Loeb, and William Lucyshyn, Cybersecurity Investments in the Private Sector: The Role of Governments, 15 Geo. J. Int’l Aff. 79 (2014).
[602] See Sanford J. Grossman, The Informational Role of Warranties and Private Disclosure about Product Quality, 24 J. L. Econ. 461 (Dec. 1981); see also Michael Spence, Competitive and Optimal Responses to Signals: An Analysis of Efficiency and Distribution, 7 J. Econ. Theory 296 (Mar. 1, 1974); George A. Akerlof, The Market for ‘‘Lemons’’: Quality Uncertainty and the Market Mechanism, 84 Q. J. Econ. 488 (Aug. 1970).
[603] See Michael C. Jensen and William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 J. Fin. Econ. 305 (1976).
[604] Id.
[605] Such limitations can arise from unobservability or un-verifiability of actions, transactions costs associated with including numerous contingencies in contracts, or bounded rationality in the design of contracts. See, e.g., Jean Tirole, Cognition and Incomplete Contracts, 99 Am. Econ. Rev. 265 (Mar. 2009) (discussing a relatively modern treatment of these issues).
[606] For example, according to an IBM report, in the context of system issues arising from cybersecurity events, having an incident response plan and ‘‘testing that plan regularly can help [each firm] proactively identify weaknesses in [its] cybersecurity and shore up [its] defenses’’ and ‘‘save millions in data breach costs.’’ See 2019 Cost of Data Breach Report; see also Alex Asen et al., Are You Spending Enough on Cybersecurity (Feb. 19, 2020), available at https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ‘‘[a]s the world becomes ever more reliant on technology, and as cybercriminals refine and intensify their attacks, organizations will need to spend more on cybersecurity’’).
[607] See sections I.A.1. and I.A.2. of this release (discussing how the interconnectedness of Market Entities creates cybersecurity risk).
[608] See Peter W. Singer and Allan Friedman, Cybersecurity: What Everyone Needs to Know 222 (Oxford Univ. Press, 2014).
[609] See, e.g., FTC Equifax Civil Action.
These two failures, in turn, create distinct consequences for each of these stakeholders. At the first level, a Market Entity’s customers, counterparties, members, registrants, or users have incomplete information about their own cybersecurity risks due to incomplete information about the Market Entity’s actual cybersecurity policies and procedures. To exacerbate the first level of information asymmetry, Market Entities typically interact with other market participants. For example, investors do business with broker-dealers, introducing broker-dealers work with carrying broker-dealers, FINRA supervises broker-dealers, broker-dealers interact with national securities exchanges, and national securities exchanges work with clearing agencies. When utilizing the services of a Market Entity, other market participants may not have full information regarding the Market Entity’s exposure to material harm as a result of a cybersecurity incident. A cybersecurity incident that harms a Market Entity can harm its customers, counterparties, members, registrants, or users. Disclosure of information regarding significant cybersecurity incidents by Market Entities could be used by their customers, counterparties, members, registrants, or users to manage their own cybersecurity risk by investing in additional cybersecurity protection, and, to the extent they have a choice, selecting a different Market Entity with satisfactory cybersecurity protection with whom to transact or otherwise conduct business.[610] That is, a Market Entity with strong cybersecurity policies and procedures and a clean record in terms of past significant cybersecurity incidents may be perceived by these market participants as more desirable to interact with, or obtain services from, than Market Entities of the same type that do not fit that profile. Even general details about the cybersecurity incidents, as well as the number of significant cybersecurity incidents during the current or previous calendar year, could allow customers, counterparties, members, registrants, and users to compare Market Entities. As a result, information from the disclosure may permit customers, counterparties, members, registrants, and users to gauge the riskiness of doing business with a certain Market Entity when they would not have been able to without that knowledge, and the disclosures may encourage those market participants to move their business to competing Market Entities that would have to disclose information under proposed Rule 10 and are perceived to be more prepared for cybersecurity attacks.[611] The information disclosed by competitors also can incentivize Market Entities to increase their investment in cybersecurity protections and allow them to adjust their defenses when they would not have done so otherwise, thus increasing overall market stability by further limiting harmful cybersecurity incidents.

At the second level, there are differences in the capabilities of threat actors that are external to Market Entities and the assumed level of cybersecurity preparations needed by Market Entities to protect against significant cybersecurity incidents. Specifically, Market Entities cannot fully anticipate the type, method, and complexity of all types of cyberattacks that may materialize. Moreover, cyberattacks evolve over time, becoming more complex and using new avenues to circumvent Market Entities’ cybersecurity protections.[612] Furthermore, Market Entities cannot predict the timing or the target of a given cyberattack. Though this information asymmetry is impossible to eradicate fully given the inherent secretive nature of threat actors, regulation may help to prevent an expansion of information asymmetry by requiring Market Entities to gather and assess information about cybersecurity risks and vulnerabilities more often. Doing so would not only help to contain the negative effects of successful cybersecurity attacks on any one Market Entity going forward, but it also would aid in minimizing the growth in negative externalities as the effects of successful cyberattacks spill over to other Market Entities as well as to their customers, counterparties, members, registrants, or users. Cybersecurity defenses must constantly evolve in order to keep up with threat actors, who are exogenous to the Market Entity, and a Market Entity’s ability to anticipate specific attacks on itself is limited at best. Within the reasonable scenario of an interconnected market with multiple points of entry for a potential threat actor, it may be more costly for Market Entities that are the victims of cascading cybersecurity breaches than for the initial target itself, as the other Market Entities within the network ultimately would need to prepare for a multitude of attacks originating from many different initial targets.[613] A strong cybersecurity program can also help Market Entities to protect themselves from cybersecurity attacks that could possibly come from one of multiple entry points. Having comprehensive cybersecurity policies and procedures will aid Market Entities in identifying the source of a breach, which can result in lower detection costs and the identification of the threat actor in a more expeditious manner.

C. Baseline

Each type of Market Entity that would be subject to proposed Rule 10 has a distinct business model and role in the U.S. financial markets. As a result, the risks and practices, regulation, and market structure for each Market Entity will form the baseline for the economic analysis.

1. Cybersecurity Risks and Current Relevant Regulations

a. Cybersecurity Risks

With the widespread adoption of internet-based products and services over the last two decades, all businesses have had to address cybersecurity issues.[614] For financial services firms, the stakes are particularly high because they transact, hold custody of, and maintain ownership records of wealth in the form of cash, securities, or other liquid assets that cyber threat actors might strive to obtain illegally. Such entities also represent attack vectors for threat actors. In addition, Market Entities have linkages with each other as a result of the business they conduct together. A breach at one Market Entity may be exploited and serve as a means of compromising other Market Entities. Cybersecurity threat intelligence surveys consistently find the financial sector to be one of the most—if not the most—attacked industries,[615] and remediation costs for an incident can be substantial.[616] As a result, firms in the financial sector need to invest in cybersecurity to protect their business operations along with the accompanying assets and data stored on information systems.

[610] As discussed earlier, the public disclosure requirements of proposed Rule 10 would apply to Market Entities that meet the proposed rule’s definition of ‘‘covered entity.’’ See paragraph (d) of proposed Rule 10; section II.B.3. of this release (discussing the public disclosure requirements of proposed Rule 10).
[611] The firms making the disclosure may be incentivized to invest more in cybersecurity protection, potentially to the point of overinvestment in order not to lose customers, counterparties, members, registrants, and users.
[612] See, e.g., Verizon DBIR.
[613] See Cybersecurity and its Cascading Effect on Societal Systems.
[614] See section I.A.1. of this release (discussing cybersecurity risks to the U.S. securities markets).
Further, as discussed earlier, the custody and transfer of crypto assets depends almost exclusively on the operations of information systems.[617] Crypto assets, therefore, are exposed to cybersecurity risks and they are attractive targets for threat actors. Information systems that involve crypto assets may be subject to heightened cybersecurity risks. To the extent that Market Entities engage in business activities involving crypto assets, they could be exposed to these heightened cybersecurity risks.

The ubiquity and rising costs of cybercrime,[618] along with financial services firms’ increasingly costly efforts to prevent it,[619] have been the motivation behind the growth in the cybersecurity industry.[620] Many Market Entities cite the NIST Framework as the main standard for implementing strong cybersecurity measures.[621] The focus that has been placed on cybersecurity also has led to the development of numerous technologies and standards by private sector firms aimed at mitigating cybersecurity threats. Many of these developments, such as multifactor authentication, secure hypertext transfer protocol,[622] and user-access control, are now commonplace. Practitioners—chief technology officers (‘‘CTOs’’), chief compliance officers (‘‘CCOs’’), chief information officers (‘‘CIOs’’), chief information security officers (‘‘CISOs’’), and their staffs—frequently utilize industry standard frameworks[623] and similar offerings from cybersecurity consultants and product vendors to assess and address institutional cybersecurity preparedness. Such frameworks include information technology asset management, controls, change management, vulnerability management, incident management, continuity of operations, risk management, dependencies on third parties, training, and information sharing. In recent years, companies’ boards of directors and executive management teams have focused on these areas.

Unaddressed cybersecurity risks, particularly at Market Entities, impose negative externalities on the broader financial system. Actions taken to implement, maintain, and upgrade cybersecurity protections likely reduce overall risk in the economy. In addition, due to the potential for large-scale losses with respect to funds, securities, and customer information, Market Entities have a vested interest in installing, maintaining, and upgrading cybersecurity-related software and hardware. Based on staff discussions with market participants, cybersecurity-related activities can be performed in-house or contracted out to third parties with expertise in those areas. Financial services firms may employ a mix of in-house and outsourced staff and resources to meet their cybersecurity needs and goals.

b. Current Relevant Regulations

i. Broker-Dealers

Broker-dealers are subject to Regulation S–P[624] and Regulation S–ID.[625] In addition, ATSs that trade certain stocks exceeding specific volume thresholds are subject to Regulation SCI.[626] Further, an ATS is subject to Regulation ATS.[627] As discussed earlier, Regulation SCI, Regulation S–P, Regulation ATS, and Regulation S–ID have provisions requiring policies and procedures to address certain types of cybersecurity risks.[628] Regulation SCI also requires immediate written or telephonic notice and subsequent reporting to the Commission on Form SCI of certain types of incidents.[629] Finally, Regulation SCI has provisions requiring disclosures to persons affected by certain incidents.[630] Broker-dealers are also subject to the Commission’s financial responsibility rules.

[615] See, e.g., IBM, X-Force Threat Intelligence Index 2022 (2022), available at https://www.ibm.com/security/data-breach/threat-intelligence.
[616] See, e.g., 2019 Cost of Data Breach Report (noting the average cost of a data breach in the financial industry in the United States is $5.97 million).
[617] See section II.G. of this release (discussing cybersecurity risks related to crypto assets).
[618] See FBI Internet Crime Report (noting that cybercrime victims lost approximately $6.9 billion in 2021).
[619] See Office of Financial Research, Annual Report to Congress 2021, available at https://www.financialresearch.gov/annual-reports/files/OFR-Annual-Report-2021.pdf.
[620] Sage Lazzaro, The Cybersecurity Industry Is Burning—But VCs Don’t Care, VentureBeat (Sept. 2, 2021), available at https://venturebeat.com/2021/09/02/the-cybersecurity-industry-is-burning-and-vcs-dont-care/ (‘‘VentureBeat’’).
[621] FCI, Top 5 Ways the Financial Services Industry Can Leverage NIST for Cybersecurity Compliance, available at https://fcicyber.com/top-5-ways-the-financial-services-industry-can-leverage-nist-for-cybersecurity-compliance/.
[622] Hypertext transfer protocol, HTTP, is the primary set of rules that allow a web browser to communicate with (i.e., send data to) a website.
[623] CISA, Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (Apr. 2020), available at https://www.cisa.gov/sites/default/files/publications/2_CRR%204.0_Self-Assessment_User_Guide_April_2020.pdf.
[624] See 17 CFR 248.1 through 248.30.
[625] See 17 CFR 248.201 and 202.
[626] See 17 CFR 242.1000 through 1007.
[627] See 17 CFR 242.301 through 304.
Rule 15c3–1 requires broker-dealers to maintain minimum amounts of net capital, ensuring that the broker-dealer at all times has enough liquid assets to promptly satisfy all creditor claims if the broker-dealer were to go out of business.[631] Rule 15c3–3 under the Exchange Act imposes requirements relating to safeguarding customer funds and securities.[632] These rules provide protections for broker-dealer counterparties and customers and can help to mitigate the risks to, and impact on, customers and other market participants by protecting them from the consequences of financial failure that may occur because of a systems issue at a broker-dealer.

Under Exchange Act Rule 15c3–4, OTC derivatives dealers must establish, document, and maintain a system of internal risk management controls to assist them in managing the risks associated with their business activities, including market, credit, leverage, liquidity, legal, and operational risks.[633] The required risk management system must include, among other things: a risk control unit that reports directly to senior management, periodic reviews which may be performed by internal audit staff, and annual reviews which must be conducted by independent certified public accountants.[634] Management must periodically review the entity’s business activities for consistency with risk management guidelines, including that the data necessary to conduct the risk monitoring and risk management function as well as the valuation process over the entity’s portfolio of products is accessible on a timely basis and information systems are available to capture, monitor, analyze, and report relevant data.[635]

Exchange Act Rules 17a–3 and 17a–4 require broker-dealers to make and keep current records detailing, among other things, securities transactions, money balances, and securities positions.[636] Further, a broker-dealer that fails to make and keep current the records required by Rule 17a–3 must give notice to the Commission of this fact on the same day and, thereafter, within 48 hours transmit a report to the Commission stating what the broker-dealer has done or is doing to correct the situation.[637] Moreover, with certain exceptions, broker-dealers must file confidential SARs with FinCEN to report any suspicious transaction relevant to a possible violation of law or regulation.[638] The SARs include information regarding who is conducting the suspicious activity, what instruments or mechanisms are being used, when and where the suspicious activity took place, and why the filer thinks the activity is suspicious. Broker-dealers must make the records available to FinCEN as well as to other appropriate law enforcement agencies, federal or state securities regulators, and SROs registered with the Commission.

Broker-dealers are generally required to register with the Commission and join a national securities association or national securities exchange.[639] As SROs, national securities associations and national securities exchanges are required to enforce their members’ compliance with the Exchange Act, the rules and regulations thereunder, and the SRO’s own rules.

[628] See section II.F.1.c. of this release (discussing in more detail the existing requirements of Regulation SCI, Regulation S–P, Regulation ATS, and Regulation S–ID to have policies and procedures to address certain cybersecurity risks).
[629] See section II.F.1.d. of this release (discussing in more detail the existing immediate notification and subsequent reporting requirements of Regulation SCI).
[630] See section II.F.1.e. of this release (discussing in more detail the existing disclosure requirements of Regulation SCI).
[631] See 17 CFR 240.15c3–1.
[632] See 17 CFR 240.15c3–3.
[633] See 17 CFR 240.15c3–4(a).
[634] See 17 CFR 240.15c3–4(c).
The vast majority of brokers and dealers join FINRA. Broker-dealers that are members of FINRA are subject to FINRA Rules 3110, 3120, and 4530(b) (among other FINRA rules).[640] FINRA Rule 3110 requires broker-dealer members to have in place a system to supervise their activities so that they are in compliance with applicable rules and regulations. FINRA Rule 3120 requires broker-dealer members to test and verify that the supervisory procedures are reasonably designed with respect to the activities of the member and its associated persons, as well as to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules. In addition, broker-dealer members must create additional or amended supervisory procedures where a need is identified by such testing and verification. The designated individual(s) must submit to the broker-dealer member’s senior management no less than annually a report detailing each member’s system of supervisory controls, the summary of the test results and significant identified exceptions, and any additional or amended supervisory procedures created in response to the test results.

[635] Id.
[636] See 17 CFR 240.17a–3; 17 CFR 240.17a–4.
[637] See 17 CFR 240.17a–11.
[638] See 31 CFR 1023.320; section IV.A. of this release (discussing the requirements to file SARs in more detail).
[639] See 15 U.S.C. 78o(a)(1) and 15 U.S.C. 78o(b)(8).
[640] Broker-dealers that are members of national securities exchanges are also subject to the rules of the national securities exchanges regarding membership, registration, operation, and business conduct, among other exchange regulations.
FINRA Rule 4530(b) states that each broker-dealer member shall promptly report to FINRA, but not later than 30 calendar days after the member has concluded or reasonably should have concluded, that an associated person of the member or the member itself has violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations, or standards of conduct of any domestic regulatory body, foreign regulatory body, or SRO. Furthermore, Commission staff has issued statements 641 and FINRA has issued guidance 642 in the area of cybersecurity.643 The statements and FINRA guidance with respect to these rules identify common elements of reasonably designed cybersecurity policies and procedures, including risk assessment, user security and access, information protection, incident response,644 and training.645 Consistent with these rules, nearly all broker-dealers that participated in two Commission exam sweeps in 2015 and 2017 reported 646 maintaining some cybersecurity policies and procedures; conducting some periodic risk assessments to identify threats and vulnerabilities;647 conducting firm-wide systems inventorying or cataloguing; ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities; and performing some penetration testing.648 A separate staff statement observed that at least some firms implemented capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic, and implemented capabilities that are able to detect threats on endpoints.649 In the two Commission exam sweeps, many firms indicated that policies and procedures were vetted and approved by senior management and that firms provided annual cybersecurity reports to the board, while some also provided ad hoc reports in the event of major cybersecurity events.650 Broadly, many broker-dealers reported relying on industry standards with respect to cybersecurity,651 typically by adhering to a specific industry standard or combination of industry standards or by using industry standards as guidance in designing policies and procedures.

641 See, e.g., EXAMS, Risk Alert, Safeguarding Client Accounts; EXAMS, Risk Alert, Select COVID–19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf; EXAMS, Risk Alert, Ransomware; EXAMS, Report on OCIE Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf (‘‘EXAMS Cybersecurity and Resiliency Observations’’); EXAMS, Safeguarding Customer Records and Information in Network Storage—Use of Third Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; EXAMS, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S–P—Privacy Notices and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; EXAMS, Observations from Cybersecurity Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf (‘‘EXAMS Observations from Cybersecurity Examinations’’); EXAMS, Cybersecurity: Ransomware Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf; EXAMS, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), available at https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf; EXAMS, Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf (‘‘Cybersecurity Examination Sweep Summary’’); EXAMS, OCIE’s 2014 Cybersecurity Initiative (Apr. 15, 2014), available at https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert-Appendix-4.15.14.pdf.
642 See FINRA, Core Cybersecurity Threats and Effective Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/files/2022-05/Core_Cybersecurity_Threats_and_Effective_Controls-Small_Firms.pdf; FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021), available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf; FINRA, 2021 Report on FINRA’s Examination and Risk Monitoring Program (Feb. 1, 2021), available at https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf (‘‘FINRA 2021 Report on Examination and Risk Monitoring Program’’); FINRA, 2019 Report on FINRA Examination Findings and Observations (Oct. 16, 2019), available at https://www.finra.org/sites/default/files/2019-10/2019-exam-findings-and-observations.pdf; FINRA Common Cybersecurity Threats; FINRA, Report on Selected Cybersecurity Practices—2018 (Dec. 1, 2018), available at https://www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf (‘‘FINRA Report on Selected Cybersecurity Practices’’); FINRA, Report on FINRA Examination Findings (Dec. 6, 2017), available at https://www.finra.org/sites/default/files/2017-Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity Checklist (May 23, 2016), available at https://www.finra.org/compliance-tools/small-firm-cybersecurity-checklist.
643 Cybersecurity has also been a regular theme of FINRA’s Regulatory and Examination Priorities Letter since 2008, often with reference to Regulation S–P. Similarly, while risks related to data compromises were highlighted in the Commission staff’s exam priorities, an official focus on ‘‘cyber’’ began in 2014 after the SEC sponsored a Cybersecurity Roundtable and the Division of Examinations conducted cybersecurity initiatives I and II to assess industry practices and legal and compliance issues associated with broker-dealer and investment adviser cybersecurity preparedness. Cybersecurity initiatives I and II were each separate series of examinations of cybersecurity practices conducted by EXAMS, concluding in 2014 and 2017. The examinations covered broker-dealers, investment advisers, and funds. EXAMS released a summary report for each initiative.
644 See FINRA 2021 Report on Examination and Risk Monitoring Program (noting that FINRA recommended among effective practices with respect to incident response: (1) establishing and regularly testing—often using tabletop exercises—a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and (2) developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents).
645 These categories vary somewhat in terms of nomenclature and the specific categories themselves across different Commission and FINRA publications.
646 See Cybersecurity Examination Sweep Summary (noting that of 57 examined broker-dealers, the vast majority adopted written information security policies, conducted periodic audits to determine compliance with these information security policies and procedures, conducted risk assessments and reported considering such risk assessments in establishing their cybersecurity policies and procedures, and that with respect to vendors, the majority of the broker-dealers required cybersecurity risk assessments of vendors with access to their firms’ networks and had at least some specific policies and procedures relating to vendors). See also EXAMS Observations from Cybersecurity Examinations (noting that nearly all firms surveyed had incident response plans).
647 See FINRA Report on Selected Cybersecurity Practices. This report noted that FINRA has conducted a voluntary Risk Control Assessment (‘‘RCA’’) Survey with all active member firms for a number of years. According to the 2018 RCA, 94% of higher revenue firms and 70% of mid-level revenue firms use a risk assessment as part of their cybersecurity program.
648 Id. According to FINRA’s 2018 RCA, 100% of higher revenue firms include penetration testing as a component in their overall cybersecurity program.
649 See EXAMS Cybersecurity and Resiliency Observations.
650 See FINRA, Report on Cybersecurity Practices (Feb. 2015), available at https://www.finra.org/sites/default/files/2020-07/2015-report-on-cybersecurity-practices.pdf (‘‘FINRA Report on Cybersecurity Practices’’).
651 Id. Among the firms that were part of the sweep, nearly 90% used one or more of the NIST, International Organization for Standardization (‘‘ISO’’) or Information Systems Audit and Control Association (‘‘ISACA’’) frameworks or standards. More specifically, 65% of the respondents reported that they use the ISO 27001/27002 standard, while 25% use the Control Objectives for Information and Related Technologies (‘‘COBIT’’) framework created by ISACA. Some firms use combinations of these standards for various parts of their cybersecurity programs. While the report focused on firm utilization of cybersecurity frameworks specifically, in many cases the referenced frameworks were broader IT frameworks.
With respect to broker-dealer reporting to their boards regarding cybersecurity policies and procedures and cybersecurity incidents, the board reporting frequency ranged from quarterly to ad hoc among the firms FINRA reviewed.652 Approximately two-thirds of the broker-dealers (68%) examined in a 2015 survey had an individual explicitly assigned as the firm’s CISO, which might suggest extensive executive leadership engagement. There are no current Commission or FINRA requirements for broker-dealers to disseminate notifications of breaches to members or clients, although many firms do so 653 pursuant to various state data breach laws.654 Broker-dealers are subject to state laws known as ‘‘Blue Sky Laws,’’ which generally are regulations established as safeguards for investors against securities fraud.655 All 50 states have enacted laws in recent years requiring firms to notify individuals of data breaches. These laws differ by state, with some states imposing heightened notification requirements relative to other states.656

652 See FINRA Report on Cybersecurity Practices. At a number of firms, the board received annual cybersecurity-related reporting, while other firms report on a quarterly basis. A number of firms also provide ad hoc reporting to the board in the event of major cybersecurity events.
653 See Cybersecurity Examination Sweep Summary. Based on a small sample of firms, the vast majority of broker-dealers maintained plans for data breach incidents and most had plans for notifying customers of material events.
654 See Digital Guardian, The Definitive Guide to U.S. State Data Breach Laws (Nov. 15, 2022), available at https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf.
655 See, e.g., Office of Investor Education and Advocacy, Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/investing-basics/glossary/blue-sky-laws.
656 For example, some states may require a firm to notify individuals when a data breach includes biometric information, while others do not. Compare Cal. Civil Code § 1798.29 (stating that notice to California residents of a data breach is generally required when a resident’s personal information was or is reasonably believed to have been acquired by an unauthorized person and that ‘‘personal information’’ is defined to mean an individual’s first or last name in combination with one of a list of specified elements, which includes certain unique biometric data), with Ala. Stat. §§ 8–38–2, 8–38–4, 8–38–5 (stating that notice of a data breach to Alabama residents is generally required when sensitive personally identifying information has been acquired by an unauthorized person and is reasonably likely to cause substantial harm to the resident to whom the information relates and that ‘‘sensitive personally identifying information’’ is defined as the resident’s first or last name in combination with one of a list of specified elements, which does not include biometric information).

ii. SROs

National securities exchanges, registered clearing agencies, FINRA, and the MSRB are all SROs and are all considered to be SCI Entities, which requires them to comply with Regulation SCI.657 As discussed earlier, Regulation SCI has provisions requiring policies and procedures to address certain types of cybersecurity risks.658 Regulation SCI also requires immediate written or telephonic notice and subsequent reporting to the Commission on Form SCI of certain types of incidents.659 Finally, Regulation SCI has provisions requiring disclosures to persons affected by certain incidents.660 In addition, as described above, Rule 613 of Regulation NMS requires the Participants to jointly develop and submit to the Commission a CAT NMS Plan.661 The Participants conduct the activities of the CAT through a jointly owned limited liability company, Consolidated Audit Trail, LLC. The CAT is intended to function as a modernized audit trail system that provides regulators with more timely access to a comprehensive set of trading data, thus enabling regulators to more efficiently and effectively reconstruct market events, monitor market behavior, and investigate misconduct. The CAT System accepts data that are submitted by the Participants and broker-dealers, as well as data from certain market data feeds like the SIP and OPRA.662 FINRA CAT, LLC, a wholly-owned subsidiary of FINRA, has entered into an agreement with the Company to act as the Plan Processor and, as such, is responsible for building, operating, and maintaining the CAT. However, because the CAT System is owned and operated by FINRA CAT, LLC on behalf of the national securities exchanges and FINRA, the Participants remain ultimately responsible for the performance of the CAT and its compliance with statutes, rules, and regulations.

Under the Commission-approved CAT NMS Plan, the Plan Processor must develop various policies and procedures related to data security, including a comprehensive information security program that includes, among other things, requirements related to: (1) connectivity and data transfer, (2) data encryption, (3) data storage, (4) data access, (5) breach management, including requirements related to the development of a cyber incident response plan and documentation of all information relevant to breaches, and (6) personally identifiable information data management.663 As part of this requirement, the Plan Processor is required to create and enforce policies, procedures, and control structures to monitor and address CAT data security, including reviews of industry standards 664 and periodic penetration testing.665 Under the CAT NMS Plan, the comprehensive information security program must be updated by the Plan Processor at least annually.666 Furthermore, both the Participants and the Plan Processor must also implement various data confidentiality measures that include safeguards to secure access and use of the CAT.667 The Plan Processor must also review Participant information security policies and procedures related to the CAT to ensure that such policies and procedures are comparable to those of the CAT System.668 In addition to these policies and procedures requirements,669 the CAT NMS Plan requires several forms of periodic review of the CAT, including an annual written assessment,670 regular reports,671 and an annual audit.672

657 See 17 CFR 242.1000 through 1007.
658 See section II.F.1.c. of this release (discussing in more detail the existing requirements of Regulation SCI to have policies and procedures to address certain cybersecurity risks).
659 See section II.F.1.d. of this release (discussing in more detail the existing immediate notification and subsequent reporting requirements of Regulation SCI).
660 See section II.F.1.e. of this release (discussing in more detail the existing disclosure requirements of Regulation SCI).
661 See 17 CFR 242.613; see also section II.F.1.c. of this release (discussing the CAT NMS Plan in general and describing the roles of the Participants and Plan Processor).
662 CAT data is not public, although some information in the CAT may be available through public sources (e.g., market data feeds like the SIP or proprietary exchange feeds).
663 See CAT NMS Plan, appendix D, sections 4 and 6.12.
664 The Company is subject to certain industry standards with respect to its comprehensive information security program, including but not limited to: NIST 800–23 (Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products), NIST 800–53 (Security and Privacy Controls for Federal Information Systems and Organizations), NIST 800–115 (Technical Guide to Information Security Testing and Assessment), and, to the extent not otherwise specified, all other provisions of the NIST cyber security framework. See CAT NMS Plan, Appendix D, section 4.2.
665 Id. at section 6.2(b)(v); Appendix D, sections 4 and 6.12.
666 See CAT NMS Plan at Appendix D, section 4.1.
667 Specifically, the measures implemented by the Plan Processor must include, among other things: (1) restrictions on the acceptable uses of CAT Data; (2) role-based access controls; (3) authentication of individual users; (4) MFA and password controls; (5) implementation of information barriers to prevent unauthorized staff from accessing CAT Data; (6) separate storage of sensitive personal information and controls on transmission of data; (7) security-driven monitoring and logging; (8) escalation of non-compliance events or security monitoring; and (9) remote access controls. Id. at Appendix D, sections 4.1, 5.3, 8.1.1, and 8.2.2; section 6.2(a)(v)(J)–(L); section 6.2(b)(vii); section 6.5(c)(i); section 6.5(f).
668 CAT NMS Plan at section 6.2(b)(vii).
669 In August 2020, the Commission proposed certain amendments to the CAT NMS Plan that are designed to enhance the security of the CAT. See https://www.sec.gov/rules/proposed/2020/34-89632.pdf.
670 The Participants are required to provide the Commission with an annual written assessment of the Plan Processor’s performance, which must include, among other things, an evaluation of potential technology upgrades and an evaluation of the CAT information security program. Id. at section 6.6(b); section 6.2(a)(v)(G).
671 The Plan Processor is required to provide the operating committee with regular reports on various topics, including data security issues and the Plan Processor. Id. at section 6.1(o); section 6.2(b)(vi); section 6.2(a)(v)(E); and section 4.12(b)(i).
672 The Plan Processor is required to create and implement an annual audit plan that includes a review of all Plan Processor policies, procedures, control structures, and tools that monitor and address data security, in addition to other types of auditing practices. Id. at section 6.2(a)(v)(B)–(C); Appendix D, section 4.1.3; Appendix D, section 5.3.

iii. SBS Entities

Section 15F(j)(2) of the Exchange Act, among other things, requires each SBS Entity to establish robust and professional risk management systems adequate for managing its day-to-day business.673 Additionally, certain SBS Entities must comply with specified provisions of Rule 15c3–4 and, therefore, establish, document, and maintain a system of internal risk management controls to assist in managing the risks associated with their business activities.674 Further, SBS Entities could be subject to Regulation S–ID if they are ‘‘financial institutions’’ or ‘‘creditors.’’ 675 SBS Entities are subject to additional Commission rules to have risk management policies and procedures, to review policies and procedures, to report information about compliance to the Commission, and to disclose certain risks to their counterparties. For example, paragraph (h) of Rule 15Fh–3 requires, among other things, that an SBSD or MSBSP establish, maintain, and enforce written policies and procedures regarding the supervision of the types of security-based swap business in which it is engaged and the activities of its associated persons that are reasonably designed to prevent violations of applicable federal securities laws and the rules and regulations thereunder.676 The policies and procedures must include, among other things: (1) procedures for a periodic review, at least annually, of the security-based swap business in which the SBS Entity engages and (2) procedures reasonably designed to comply with duties set forth in section 15F(j) of the Exchange Act, such as the risk management duties set forth in section 15F(j)(2).677 Paragraph (b) of Rule 15Fk–1 requires each SBS Entity’s CCO to, among other things, report directly to the board of directors or to the senior officer of the SBS Entity and to take reasonable steps to ensure that the SBS Entity establishes, maintains, and reviews written policies and procedures reasonably designed to achieve compliance with the Exchange Act and the rules and regulations thereunder relating to its business as an SBS Entity by: (1) reviewing its compliance with respect to the requirements described in section 15F of the Act and the rules and regulations thereunder, where the review involves preparing an annual assessment of its written policies and procedures reasonably designed to achieve compliance with section 15F of the Act and the rules and regulations thereunder; (2) taking reasonable steps to ensure that the SBS Entity establishes, maintains, and reviews policies and procedures reasonably designed to remediate non-compliance issues identified by the chief compliance officer through any means; and (3) taking reasonable steps to ensure that the SBS Entity establishes and follows procedures reasonably designed for the handling, management response, remediation, retesting, and resolution of non-compliance issues.678 Paragraph (c) of Rule 15Fk–1 requires an SBS Entity to submit an annual compliance report containing, among other things, a description of: (1) its assessment of the effectiveness of its policies and procedures relating to its business as an SBS Entity; (2) any material changes to the SBS Entity’s policies and procedures since the date of the preceding compliance report; (3) any areas for improvement, and recommended potential or prospective changes or improvements to its compliance program and resources devoted to compliance; (4) any material non-compliance matters identified; and (5) the financial, managerial, operational, and staffing resources set aside for compliance with the Exchange Act and the rules and regulations thereunder relating to its business as an SBSD or MSBSP, including any material deficiencies in such resources.679 The compliance report must be submitted to the Commission within 30 days following the deadline for filing the SBS Entity’s annual financial report.680 SBS Entities’ operations also are governed, in part, by paragraph (b) of Rule 15Fh–3, in that they must, at a reasonably sufficient time prior to entering into a security-based swap, disclose to a counterparty (other than an SBSD, MSBSP, swap dealer, or major swap participant) material information concerning the security-based swap in a manner reasonably designed to allow the counterparty to assess material risks and characteristics as well as material incentives or conflicts of interest.681 Relevant risks may include market, credit, liquidity, foreign currency, legal, operational, and any other applicable risks.682 Further, SBSDs must establish, maintain, and enforce written policies and procedures reasonably designed to obtain and retain a record of the essential facts concerning each counterparty whose identity is known to the SBSD that are necessary for conducting business with such counterparty.683 Among other things, the essential facts regarding the counterparty are facts required to implement the SBSD’s operational risk management policies in connection with transactions entered into with such counterparty.684

673 15 U.S.C. 78o–10(j). The Commission also requires that specified SBS Entity trading relationship documentation include the process for determining the value of each security-based swap for purposes of complying with, among other things, the risk management requirements of section 15F(j) of the Exchange Act and paragraph (h)(2)(iii)(I) of Rule 15Fh–3, and any subsequent regulations promulgated pursuant to section 15F(j). See 17 CFR 240.15Fi–5(b)(4). The documentation must include either: (1) alternative methods for determining the value of the security-based swap in the event of the unavailability or other failure of any input required to value the security-based swap for such purposes; or (2) a valuation dispute resolution process by which the value of the security-based swap shall be determined for the purposes of complying with the rule. See 17 CFR 240.15Fi–5(b)(4)(ii). Further, SBS Entities must engage in portfolio reconciliation to resolve discrepancies, among other things. See 17 CFR 240.15Fi–3(a) and (b). Such discrepancies include those resulting from a cybersecurity incident.
674 See 17 CFR 240.15c3–1(a)(7)(iii) (applies to broker-dealers authorized to use models, including broker-dealers dually registered as an SBSD); 17 CFR 240.15c3–1(a)(10)(ii) (applies to broker-dealers not authorized to use models that are dually registered as an SBSD); 17 CFR 240.18a–1(f) (applies to SBSDs that are not registered as a broker-dealer, other than an OTC derivatives dealer, and that do not have a prudential regulator); 17 CFR 240.18a–2(c) (applies to MSBSPs); see also 17 CFR 240.15c3–4; see section IV.C.1.b.i. of this release (discussing requirements of Rule 15c3–4).
675 See 17 CFR 248.201 and 202. The scope of Regulation S–ID includes any financial institution or creditor, as defined in the Fair Credit Reporting Act (15 U.S.C. 1681), that is required to be ‘‘registered under the Securities Exchange Act of 1934.’’ See 17 CFR 248.201(a). Because SBS Entities are required to be so registered, an SBS Entity that is a ‘‘financial institution’’ or ‘‘creditor’’ as defined in the Fair Credit Reporting Act is within the scope of Regulation S–ID.
676 See 17 CFR 240.15Fh–3(h). An SBS Entity must amend its written supervisory procedures, as appropriate, when material changes occur in its business or supervisory system. Material amendments to the SBS Entity’s supervisory procedures must be communicated to all associated persons to whom such amendments are relevant based on their activities and responsibilities. See 17 CFR 240.15Fh–3(h)(4).
677 See 17 CFR 240.15Fh–3(h)(2)(iii).
678 See 17 CFR 240.15Fk–1(b)(2). The CCO also must administer each policy and procedure that is required to be established pursuant to section 15F of the Exchange Act and the rules and regulations thereunder. See 17 CFR 240.15Fk–1(b)(4).
679 See 17 CFR 240.15Fk–1(c)(2).
680 Id.
681 See 17 CFR 240.15Fh–3(b).
682 See 17 CFR 240.15Fh–3(b)(1).
683 See 17 CFR 240.15Fh–3(e).
684 See 17 CFR 240.15Fh–3(e)(2).

iv. SBSDRs

Section 13(n) of the Exchange Act specifies the requirements and core principles with which SBSDRs are required to comply. The Commission adopted rules that cover the receipt and maintenance of security-based swap data, how entities can access such information, and the maintenance of the continued privacy of confidential information. SBSDRs must have written policies and procedures reasonably designed to review any prohibition or limitation of any person with respect to access to services offered, directly or indirectly, or data maintained by the SBSDR.685 SBSDRs must enforce written policies and procedures reasonably designed to protect the privacy of security-based swap transaction information.686 As a result, they must establish and maintain safeguards, policies, and procedures reasonably designed to prevent the misappropriation or misuse, directly or indirectly, of confidential information, including, but not limited to, trade data; position data; and any nonpublic personal information about a market participant or any of its customers, material nonpublic information, and/or intellectual property, such as trading strategies or portfolio positions, by the SBSDR or any person associated with the SBSDR for personal benefit or for the benefit of others. Such safeguards, policies, and procedures must address, without limitation: (1) limiting access to such confidential information, material nonpublic information, and intellectual property; (2) standards pertaining to trading by persons associated with the SBSDR for their personal benefit or for the benefit of others; and (3) adequate oversight to ensure compliance with these safeguards. These rules cover potential unauthorized access from within or outside of the SBSDR, which could include a cybersecurity breach.687 Additionally, an SBSDR must furnish to a market participant, prior to accepting its security-based swap data, a disclosure document that contains information from which the market participant can identify and evaluate accurately the risks and costs associated with using the services of the SBSDR.688 Key points include, among other things: the criteria for providing others with access to services offered and data maintained by the SBSDR; criteria for those seeking to connect to or link with the SBSDR; policies and procedures regarding the SBSDR’s safeguarding of data and operational reliability, as described in Rule 13n–6; policies and procedures reasonably designed to protect the privacy of any and all security-based swap transaction information that the SBSDR receives from an SBSD, counterparty, or any registered entity, as described in Rule 13n–9(b)(1); policies and procedures regarding its non-commercial and/or commercial use of the security-based swap transaction information that it receives from a market participant, any registered entity, or any other person; dispute resolution procedures involving market participants, as described in Rule 13n–5(b)(6); and governance arrangements of the SBSDR.689

685 17 CFR 240.13n–4(c)(1)(iv).
686 17 CFR 240.13n–9(b)(1).
687 17 CFR 240.13n–9(b)(2).
688 See 17 CFR 240.13n–10.
689 See 17 CFR 240.13n–10(b).

v. Transfer Agents

Transfer agents registered with the Commission (but not transfer agents registered with another appropriate regulatory agency) are subject to the Regulation S–P Disposal Rule.690 Transfer agents also may be subject to Regulation S–ID if they are ‘‘financial institutions’’ or ‘‘creditors.’’ 691 As discussed earlier, the Regulation S–P Disposal Rule and Regulation S–ID have provisions requiring policies and procedures to address certain types of cybersecurity risks.692 Rule 17Ad–12 requires transfer agents to ensure that all securities are held in safekeeping and are handled, in light of all facts and circumstances, in a manner that is reasonably free from risk of theft, loss, or destruction. In addition, the transfer agent must ensure that funds are protected, in light of all facts and circumstances, against misuse. In evaluating which particular safeguards and procedures must be employed, the cost of the various safeguards and procedures as well as the nature and degree of potential financial exposure are two relevant factors.693 Transfer agents are subject indirectly to state corporation law when acting as agents of corporate issuers, and they are directly subject to state commercial law, principal-agent law, and other laws, many of which are focused on corporate governance and the rights and obligations of issuers and securityholders.694 The transfer of investment securities is primarily governed by UCC Article 8, which has been adopted by the legislatures of all 50 states,695 the District of Columbia, Puerto Rico, and the Virgin Islands. Transfer agents may also be subject to the laws of the states of incorporation for both issuers and their securityholders that apply to specific services provided by the transfer agent, such as data privacy.696

690 See 17 CFR 248.30(b)(2).
691 See 17 CFR 248.201 and 202. The scope of Regulation S–ID includes any financial institution or creditor, as defined in the Fair Credit Reporting Act (15 U.S.C. 1681), that is required to be ‘‘registered under the Securities Exchange Act of 1934.’’ See 17 CFR 248.201(a).
692 See section II.F.1.c. of this release (discussing in more detail the existing requirements of the Regulation S–P Disposal Rule and Regulation S–ID to have policies and procedures to address certain cybersecurity risks).
693 17 CFR 240.17Ad–12(a).
694 See, e.g., Del. Code Ann. tit. 8 (Delaware General Corporation Law), Del. Code Ann. tit. 6, art. 8 (Investment Securities), Restatement (Third) of Agency (2006).
695 Louisiana has enacted the provisions of Article 8 into the body of its law, among others, but has not adopted the UCC as a whole.
696 For example, California’s privacy statute, which became effective in 2003, was the first significant effort by a state to assert substantive regulation of privacy of customer data. See Cal. Civ. Code §§ 1798.80–1798.84. While state regulations vary across jurisdictions, other states have followed suit with similar regulatory initiatives. See, e.g., Minn. Stat. § 325E.61, Neb. Rev. Stat. §§ 87–801–807.

c. Market Entities Subject to CFTC Regulations

Certain types of Market Entities are dually registered with the Commission and the CFTC. For example, some clearing agencies are registered with the CFTC as derivatives clearing organizations (‘‘DCOs’’) and some SBSDRs are registered with the CFTC as swap data repositories (‘‘SDRs’’). In addition, some broker-dealers are registered with the CFTC as futures commission merchants (‘‘FCMs’’) or swap dealers. Most currently registered SBSDs are also registered with the CFTC as swap dealers. As CFTC registrants, these Market Entities are subject to requirements that pertain to cybersecurity or are otherwise relevant to the proposals in this release.

i. Requirements for DCOs

DCOs are subject to a CFTC system safeguards rule.697 This rule requires them, among other things, to establish and maintain: (1) a program of risk analysis and oversight with respect to their operations and automated systems to identify and minimize sources of operational risk; and (2) a business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources sufficient to enable the timely recovery and resumption of operations and the fulfillment of each obligation and responsibility of the DCO, including, but not limited to, the daily processing, clearing, and settlement of transactions, following any disruption of its operations.698 The safeguards rule also requires vulnerability and penetration testing (among other things).699 Further, it requires notice to the CFTC staff if the DCO experiences certain exceptional events.700

697 See 17 CFR 39.18.

ii.
Requirements for SDRs SDRs are subject to a CFTC systems safeguards rule.701 This rule requires them—among other things—to: (1) establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and the development of automated systems that are reliable, secure, and have adequate scalable capacity; (2) establish and maintain emergency procedures, backup facilities, and a business continuitydisaster recovery plan that allow for the timely recovery and resumption of operations and the fulfillment of their duties and obligations as an SDR; and (3) periodically conduct tests to verify that backup resources are sufficient to ensure continued fulfillment of all their duties under the Commodity Exchange Act and the CFTC’s regulations.702 The program of risk analysis and oversight required by the SDR safeguards rule— among other things—must address: (1) 698 See 17 CFR 39.18(b) and (c). The program of risk analysis and oversight must include—among other elements—information security, including, but not limited to, controls relating to: access to systems and data (including, least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including, network port control, boundary defenses, encryption); system and information integrity (including, malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices. See 17 CFR 39.18(b)(2)(i). 699 See 17 CFR 39.18(e). 700 See 17 CFR 39.18(g). 701 See 17 CFR 49.24. 702 See 17 CFR 49.24(a). 
PO 00000 Frm 00080 Fmt 4701 Sfmt 4702 information security; and (2) business continuity-disaster recovery planning and resources.703 The safeguards rule also requires the SDR to notify the CFTC promptly of—among other events—all cyber security incidents or targeted threats that actually or potentially jeopardize automated systems operation, reliability, security, or capacity.704 iii. Requirements for FCMs and Swap Dealers The CFTC does not have a cybersecurity regime for FCMs and swap dealers comparable to that being proposed in this release.705 However, FCMs and swap dealers are currently subject to information security requirements by virtue of their membership with the National Futures Association (NFA).706 Specifically, NFA 703 See 17 CFR 49.24(b)(2) and (3). For the purposes of the SDR safeguards rule, information security includes, but is not limited to, controls relating to: access to systems and data (including least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, encryption); system and information integrity (including malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices. See 17 CFR 49.24(b)(2). 704 See 17 CFR 49.24(g)(2). 705 Current CFTC requirements relating to information security for FCMs and swap dealers are more general in nature or limited in application. 
See, e.g., 17 CFR 23.600(c)(4)(vi) (providing that swap dealer’s risk management program policies and procedures shall take into account, among other things, secure and reliable operating and information systems with adequate, scalable capacity, and independence from the business trading unit; safeguards to detect, identify, and promptly correct deficiencies in operating and information systems; and reconciliation of all data and information in operating and information systems); 162.21, 160.30 (requiring FCMs and swap dealers to adopt written policies and procedures addressing administrative, technical, and physical safeguards with respect to the information of consumers). The current CFTC Chairman has, however, announced support for developing cybersecurity requirements for FCMs and swap dealers. See CFTC, Address of Chairman Rostin Behnam at the ABA Business Law Section Derivatives & Futures Law Committee Winter Meeting (Feb. 3, 2023), available at https:// www.cftc.gov/PressRoom/SpeechesTestimony/ opabehnam31. 706 See NFA, Interpretive Notice 9070—NFA Compliance Rules 2–9, 2–36 and 2–49: Information Systems Security Programs (Sept. 30, 2019), available at https://www.nfa.futures.org/ rulebooksql/rules.aspx?RuleID=9070&Section=9. NFA has also issued guidance relating to the oversight of third-party service providers. See NFA, Interpretive Notice 9079—NFA Compliance Rules 2–9 and 2–36: Members’ Use of Third-Party Service Providers (Sept. 30, 2021), available at https:// E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 examines swap dealers and FCMs for compliance with NFA Interpretive Notice 9070, which establishes general requirements for NFA members relating to their information systems security programs (ISSPs).707 The notice requires members to adopt and enforce a written ISSP reasonably designed to provide safeguards to protect against security threats or hazards to their technology systems. The safeguards must be appropriate to the member’s size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities. The notice further provides guidance on how to meet this requirement, including that members should document and describe the safeguards in the ISSP, identify significant internal and external threats and vulnerabilities, create an incident response plan, and monitor and regularly review their ISSPs for effectiveness, among other things. Members should also have procedures to promptly notify NFA in the form and manner required of a cybersecurity incident related to the member’s commodity interest business and that results in: (1) any loss of customer or counterparty funds; (2) any loss of a member’s own capital; or (3) in the member providing notice to customers or counterparties under state or federal law. The CFTC does require swap dealers to establish and maintain a business continuity and disaster recovery plan that outlines the procedures to be followed in the event of an emergency or other disruption of their normal business activities.708 The business www.nfa.futures.org/rulebooksql/rules. aspx?Section=9&RuleID=9079. 707 Id. 708 See 17 CFR 23.603. 
The business continuity and disaster recovery plan must include: (1) the identification of the documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the swap dealer and to fulfill its obligations; (2) the identification of the supervisory personnel responsible for implementing each aspect of the business continuity and disaster recovery plan and the emergency contacts required to be provided; (3) a plan to communicate with specific persons the in the event of an emergency or other disruption, to the extent applicable to the operations of the swap dealer; (4) procedures for, and the maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible and generally within the next business day; (5) maintenance of back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the swap dealer’s primary facilities, systems, infrastructure and personnel (which may include contractual arrangements for the use of facilities, systems and infrastructure provided by VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 continuity and disaster recovery plan must be designed to enable the swap dealer to continue or to resume any operations by the next business day with minimal disturbance to its counterparties and the market, and to recover all documentation and data required to be maintained by applicable law and regulation.709 The business continuity and disaster recovery plan must—among other requirements—be tested annually by qualified, independent internal personnel or a qualified third party service.710 The date the testing was performed must be documented, together with the nature and scope of the testing, any deficiencies found, any corrective action taken, and the date that corrective action was 
taken.711 d. Market Entities Subject to Federal Banking Regulations Broker-dealers affiliated with a banking organization 712 and some SBS Entities and transfer agents that are banking organizations are subject to the requirements of prudential regulators such as the FDIC, Federal Reserve Board, and the OCC. These prudential regulators have rules requiring banking organizations to notify them no later than 36 hours after learning of a ‘‘computer-security incident,’’ which is defined ‘‘as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.’’ The rule also requires a bank service provider to notify at least one bankdesignated point of contact at each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours. If the bank has not previously provided a designated point of contact, the notification must be made to the third parties); (6) back-up or copying, with sufficient frequency, of documents and data essential to the operations of the swap dealer or to fulfill the regulatory obligations of the swap dealer and storing the information off-site in either hardcopy or electronic format; and (7) the identification of potential business interruptions encountered by third parties that are necessary to the continued operations of the swap dealer and a plan to minimize the impact of such disruptions. See 17 CFR 23.603(b). 709 See 17 CFR 23.603(a). 710 See 17 CFR 23.603(g). 711 Id. 712 In the simplification of the Volcker Rule, effective Jan. 21, 2020, Commission staff estimated that there were 202 broker-dealers that were affiliated with banking organizations. 
PO 00000 Frm 00081 Fmt 4701 Sfmt 4702 20291 bank’s chief executive officer (‘‘CEO’’) and CIO or to two individuals of comparable responsibilities.’’ 713 Prudential regulators have also published guidance for banking organizations relating to cybersecurity.714 e. Information Sharing Information sharing is an important part of cybersecurity. Alerts that are issued by the Commission or by the securities industry make Market Entities aware of trends in cybersecurity incidents and potential threats. This advanced warning can help Market Entities to prepare for future cybersecurity attacks by testing and upgrading their cybersecurity infrastructure. The value of such information sharing has long been recognized. In 1998, Presidential Decision Directive 63 established industry-based information sharing and analysis centers (‘‘ISACs’’) to promote the disclosure and sharing of cybersecurity information among firms.715 The FS–ISAC provides financial firms with such a forum.716 However, observers have questioned the efficacy of these information-sharing partnerships.717 Although the Commission does not have data on the extent of Market Entities’ use of such forums or their efficacy, surveys of securities firms conducted by FINRA suggest that there is considerable variation in firms’ willingness to share 713 See 12 CFR 53.1 through 53.4 (OCC); 12 CFR 225.300 through 225.303 (Federal Reserve Board); 12 CFR 304.21 through 24 (FDIC). 714 See, e.g., SR 21–14: Authentication and Access to Financial Institution Services and Systems (Aug. 11, 2021), available at https:// www.federalreserve.gov/supervisionreg/srletters/ sr2114.htm; SR 15–9: FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors (July 2, 2015), available at https://www.federalreserve.gov/supervisionreg/ srletters/sr1509.htm; SR 05–23/CA 05–10: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Dec. 
1, 2005), available at https:// www.federalreserve.gov/boarddocs/srletters/2005/ SR0523.htm. 715 See President Decision Directive/NSC–63, Critical Infrastructure Protection (May 22, 1998); Presidential Decision Directive 63, Critical Infrastructure Protection: Sector Coordinators, 98 FR 41804 (Aug. 5, 1998) (notice and request for expressions of interest); see also National Council of ISACs, available at https:// www.nationalisacs.org. 716 Information about FS–ISAC is available at https://www.fsisac.com. 717 See James A. Lewis and Denise E. Zheng, Cyber Threat Information Sharing, 2015 Cre. for Strategic and Int’l Stud. 62 (Mar. 2015) (stating that the ‘‘benefits of information sharing, when done correctly, are numerous’’ but that [p]rogrammatic, technical, and legal challenges, as well as lack of buy-in from the stakeholder community, are the key impediments’’ to effective information-sharing partnerships). E:\FR\FM\05APP2.SGM 05APP2 20292 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules information about cybersecurity threats on a voluntary basis, with larger firms being more likely to do so.718 Similarly, a recent survey of financial firms found that while recognition of the value of information-sharing arrangements is widespread, the majority of firms report hesitance to participate due to regulatory restrictions or privacy concerns.719 Market surveillance and regulatory activities—such as enforcement by SROs—can result in information sharing with—and referrals to—the Commission and other federal agencies, particularly if the issues being investigated are cybersecurity related. f. 
Adequacy of Current Cybersecurity Policies and Procedures While spending on cybersecurity measures in the financial services industry is considerable, and the growing risk of cybersecurity events has led many corporate executives to significantly increase their cybersecurity budget,720 the budget levels themselves are not the most important facet of a cybersecurity program.721 In a recent survey of 20 consumer/financial (nonbanking) services firms, respondents ranked cybersecurity budget levels lower than other facets of cybersecurity maintenance.722 For example, financial companies’ boards and management teams indicated that overall cybersecurity strategy, the identification threats and cybersecurity risks, the firm’s susceptibility to breaches when other financial institutions are successfully attacked, and the results of cybersecurity testing all ranked higher than security budgets themselves.723 Surveys of financial services firms indicate that 10.5% of their information technology budgets are spent on cybersecurity, and the per-employee expenditure is approximately $2,348 annually as of 2020.724 This peremployee value can be used to estimate the cybersecurity expenditures at each of the Market Entities that would be affected by the proposed rule.725 requirements would not apply to brokerdealers that are not Covered Entities.729 Table 1 presents a breakdown of all broker-dealers registered with the Commission as of the third quarter of 2022. Based on 2022 FOCUS Part II/IIA data, there were 3,510 registered brokerdealers with average total assets of $1.5 billion and average regulatory capital of $144 million. Of those broker-dealers, 1,541 would be classified as Covered Entities with average total assets of $3.5 billion and average regulatory capital of $325 million. 
Meanwhile, the 1,969 brokers that would be classified as NonCovered Broker-Dealers were generally much smaller than broker-dealers that would be classified as Covered Entities, having an average total asset level of $4.7 million and regulatory capital of $3 million. In other words, Non-Covered Broker-Dealers accounted for only about 0.2 percent of total asset value and only 0.1 percent of total regulatory capital in the third quarter of 2022. The majority of small broker-dealers, as defined by Rule 0–10 730 were classified as Non-Covered BrokerDealers (74%) compared to a minority of small broker-dealers that were classified as Covered Entities (26%), which means that most small broker-dealers would be subject to the less stringent regulatory requirements under the proposed Rule 10 for Non-Covered Broker-Dealers. The small broker-dealers that qualified as Covered Entities and would be subject to additional requirements of proposed Rule 10 generally were broker-dealers that introduce their customer accounts to carrying broker-dealers on a fully disclosed basis. 2. Market Structure a. Broker-Dealers The operations and functions of broker-dealers are discussed earlier in this release.726 The following brokerdealers would be Covered Entities: (1) broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (i.e., carrying broker-dealers); (2) broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis (i.e., introducing brokerdealers); (3) broker-dealers with regulatory capital equal to or exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) broker-dealers that operate as market makers; and (6) broker-dealers that operate an ATS.727 Broker-dealers that do not fall into one of those six categories would not be Covered Entities (i.e., they would be NonCovered Broker-Dealers). 
As discussed above, broker-dealers that are Covered Entities would be subject to additional policies and procedures, reporting, and disclosure requirements under proposed Rule 10.728 These additional TABLE 1—BROKER-DEALERS AS COVERED ENTITIES AS OF SEPTEMBER 2022 [Average broker-dealer total assets and regulatory equity] lotter on DSK11XQN23PROD with PROPOSALS2 Carrying ................................................................................................................. Introducing ............................................................................................................. Market making ....................................................................................................... 718 See FINRA Report on Cybersecurity Practices. Survey respondents included large investment banks, clearing firms, online brokerages, highfrequency traders, and independent dealers. 719 See Julie Bernard, Mark Nicholson, and Deborah Golden, Reshaping the Cybersecurity Landscape, Deloitte (Jul. 24, 2020), available at https://www2.deloitte.com/us/en/insights/industry/ financial-services/cybersecurity-maturity-financialinstitutions-cyber-risk.html (‘‘Reshaping the Cybersecurity Landscape’’). Survey respondents consisted of CISOs (or equivalent) of 53 members of the FS–ISAC. Of the respondents, 24 reported being in the retail/corporate banking sector, 20 reported being in the consumer/financial services (non-banking) sector, and 17 reported being in the insurance sector. Other respondents included IT service providers, financial utilities, trade VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 Number of small BDs included Total number of BDs Categories of covered BDs 162 1219 19 associations, and credit unions. Some respondents reported being in multiple sectors. 
720 For example, according to one source, as of 2020, ‘‘55% of enterprise executives [were planning] to increase their cybersecurity budgets in 2021 and 51% are adding full-time cyber staff in 2021.’’ Louis Columbus, The Best Cybersecurity Predictions for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/ louiscolumbus/2020/12/15/the-best-cybersecuritypredictions-for-2021-roundup/?sh=6d6db8b65e8c. 721 See Reshaping the Cybersecurity Landscape. 722 Id. 723 Id. 724 Id. 725 The per-employee expenditure can be multiplied by the Market Entity’s employee head count on a full-time equivalent basis to estimate its spending on cybersecurity protection. PO 00000 Frm 00082 Fmt 4701 Sfmt 4702 Number of retail BDs 0 195 0 145 1106 1 726 See Average total assets (millions) $28,250.9 103.0 179.2 Average regulatory equity (millions) $2,528.7 44.3 17.4 section I.A.2.b. of this release. paragraphs (a)(1)(i)(A) through (F) of proposed Rule 10. 728 See paragraph (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of ‘‘covered entity’’). 729 See paragraph (e) of proposed Rule 10 (setting forth the requirements for Market Entities that do not meet the definition of ‘‘covered entity’’). 730 See 17 CFR 240.0–10 (‘‘Rule 0–10’’) for definition of small entities including small brokerdealers under the Exchange Act for purposes of the Regulatory Flexibility Act (‘‘RFA’’). This definition is for the economic analysis only. See also section VI of this release (setting forth the Commission’s RFA analysis). 727 See E:\FR\FM\05APP2.SGM 05APP2 20293 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules TABLE 1—BROKER-DEALERS AS COVERED ENTITIES AS OF SEPTEMBER 2022—Continued [Average broker-dealer total assets and regulatory equity] Number of small BDs included Total number of BDs Categories of covered BDs Average total assets (millions) Number of retail BDs Average regulatory equity (millions) ATS ....................................................................................................................... >$50 Million Regulatory Equity and/or >$1 billion total assets ............................ 36 105 0 0 21 44 4.1 6,891.6 3.1 351.5 Covered ................................................................................................................. 1541 195 1317 3,523.3 325.1 Non-Covered ......................................................................................................... 1969 569 1115 4.7 3.0 Total ............................................................................................................... 3510 764 2432 1,549.9 144.4 Covered Broker-Dealers provide a broad spectrum of services to their clients, including, for example: trade execution, clearing, market making, margin and securities lending, sale of investment company shares, research services, underwriting and selling, retail sales of corporate securities, private placements, and government and Series K securities sales and trading. In contrast, Non-Covered Broker-Dealers tend to offer a more focused and limited set of services. In terms of specific services offered, as presented in Table 2 below, while the majority of broker-dealers that are Covered Entities have lines of business devoted to broker and dealer services across a broad spectrum of financial instruments, Non-Covered BrokerDealers as a whole focus on private placements. 
In addition, a significant minority of Non-Covered Broker-Dealers also engages in mutual fund sales and underwriting, variable contract sales, corporate securities underwriting, and direct investment offerings. TABLE 2—LINES OF BUSINESS AT BROKER-DEALERS AS OF SEPTEMBER 2022 * [Percent of covered entity and non-covered broker-dealers engaged in each line of business] lotter on DSK11XQN23PROD with PROPOSALS2 Line of business Retailing Corporate Equity Securities Over The Counter ....................................................................................... Corporate Debt Securities ....................................................................................................................................... Mutual Funds ........................................................................................................................................................... Private Placements .................................................................................................................................................. Options ..................................................................................................................................................................... US Government Securities Broker .......................................................................................................................... Municipal Debt/Bonds—Broker ................................................................................................................................ Other Securities Business ....................................................................................................................................... Underwriter—Corporate Securities .......................................................................................................................... 
Trading Via Floor Broker ......................................................................................................................................... Variable Contracts ................................................................................................................................................... Proprietary Trading .................................................................................................................................................. Investment Advisory Services ................................................................................................................................. Municipal Debt/Bonds—Dealer ................................................................................................................................ Direct investments—Primary ................................................................................................................................... US Government Securities Dealer .......................................................................................................................... Other Non-Securities Business ............................................................................................................................... Time Deposits .......................................................................................................................................................... Commodities ............................................................................................................................................................ Market Making ......................................................................................................................................................... Mortgage or Asset Backed Securities ..................................................................................................................... 
Bank Networking/Kiosk Relationship ....................................................................................................................... Internet/Online Trading Accounts ............................................................................................................................ Exchange Non-Floor Activities ................................................................................................................................ Direct investments—Secondary .............................................................................................................................. Oil and Gas Interests ............................................................................................................................................... Underwriter—Mutual Funds ..................................................................................................................................... Exchange Floor Activities ........................................................................................................................................ Executing Broker ..................................................................................................................................................... Day Trading Accounts ............................................................................................................................................. Insurance Networking/Kiosk Relationship ............................................................................................................... Non Profit Securities ................................................................................................................................................ Real Estate Syndication .......................................................................................................................................... 
Prime Broker ............................................................................................................................................................ Issuer Affiliated Broker ............................................................................................................................................ Clearing Broker in a Prime Broker Arrangement .................................................................................................... Crowdfunding FINRA Rule 4518 (a) ....................................................................................................................... Funding Portal ......................................................................................................................................................... Crowdfunding FINRA Rule 4518 (b) ....................................................................................................................... VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00083 Fmt 4701 Sfmt 4702 E:\FR\FM\05APP2.SGM 05APP2 Percent of covered broker-dealers (percent) Percent of non-covered broker-dealers (percent) 76.4 69.6 62.2 58.1 58.1 56.2 53.1 52.0 45.0 43.4 42.4 40.4 25.8 25.4 21.2 20.7 18.1 16.5 12.5 12.3 11.9 11.0 10.8 10.6 8.2 7.9 6.4 5.9 5.5 4.8 4.7 4.2 2.8 1.6 1.2 1.2 0.7 0.2 0.1 8.1 7.9 19.5 72.1 3.7 3.9 6.4 65.1 11.5 5.7 16.3 3.8 4.6 1.5 13.2 0.9 11.2 1.2 1.1 0.6 1.3 0.4 0.5 0.9 2.0 3.1 7.8 1.2 0.6 0.3 0.6 0.4 2.8 0.0 1.1 0.0 1.1 0.3 0.3 20294 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules TABLE 2—LINES OF BUSINESS AT BROKER-DEALERS AS OF SEPTEMBER 2022 *—Continued [Percent of covered entity and non-covered broker-dealers engaged in each line of business] Line of business Capital Acquisition Broker ....................................................................................................................................... 
Percent of covered broker-dealers (percent) Percent of non-covered broker-dealers (percent) 0.1 1.2 * This information is derived from Form BD, Question 12. As of November 2022, there were 33 NMS Stock ATSs with an effective Form ATS–N on file with the Commission 731 and 68 non-NMS Stock ATSs with a Form ATS on file with the Commission.732 Most broker-dealer ATS operators operate a single ATS. lotter on DSK11XQN23PROD with PROPOSALS2 b. Clearing Agencies The operations and functions of clearing agencies are discussed earlier in this release.733 A clearing agency (whether registered with the Commission or exempt) would be considered a Covered Entity under proposed Rule 10.734 There are a total of 16 clearing agencies that would meet the definition of a Covered Entity under proposed Rule 10. There are seven registered and active clearing agencies: DTC, FICC, NSCC, ICC, ICEEU, the Options Clearing Corp., and LCH SA. Two clearing agencies are registered with the Commission but are inactive and currently do not provide clearing and settlement activities. Those clearing agencies are the BSECC and SCCP.735 In addition, there are five clearing agencies that are exempt from registering with the Commission. Those exempt clearing agencies are DTCC ITP Matching U.S. LLC, Bloomberg STP LLC, and SS&C Technologies, Inc., which provide 731 See Form ATS–N Filings and Information, available at https://www.sec.gov/divisions/ marketreg/form-ats-n-filings.htm. 732 See the current list of registered ATSs on the Commission’s website, available at https:// www.sec.gov/foia/docs/atslist. 733 See section I.A.2.c. of this release. 734 See paragraph (a)(1)(iii). of proposed Rule 10. 735 BSECC and SCCP have not provided clearing services in over a decade. See BSECC Notice (stating that BSECC ‘‘returned all clearing funds to its members by September 30, 2010, and [ ] no longer maintains clearing members or has any other clearing operations as of that date . . . . 
BSECC [ ] maintain[s] its registration as a clearing agency with the Commission for possible active operations in the future’’); SCCP Notice (noting that SCCP ‘‘returned all clearing fund deposits by September 30, 2009; [and] as of that date SCCP no longer maintains clearing members or has any other clearing operations . . . . SCCP [] maintain[s] its registration as a clearing agency for possible active operations in the future.’’). BSECC and SCCP are included in the economic baseline and must be considered in the benefits and costs analysis due to their registration with the Commission. They also are included in the PRA for purposes of the PRA estimate. See section V of this release (setting forth the Commission’s PRA analysis). VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 d. National Securities Associations matching services; and Clearstream Banking, S.A. and Euroclear Bank SA/ NV, which provide clearing agency services with respect to transactions involving U.S. government and agency securities for U.S. participants.736 Of the seven operating registered clearing agencies, six provide CCP clearing services and one provides CSD services. In addition, NSCC, FICC, and DTC are all registered clearing agencies that are subsidiaries of the Depository Trust and Clearing Corporation. Together, this subset of registered clearing agencies offer clearing and settlement services for equities, corporate, and municipal bonds, government and mortgage-backed securities, derivatives, money market instruments, syndicated loans, mutual funds, and alternative investment products in the United States. ICC and ICEEU are both registered clearing agencies for credit default swaps (‘‘CDS’’) and are both subsidiaries of ICE. LCH SA, a France-based subsidiary of LCH Group Holdings Ltd, is a registered clearing agency that also offers clearing for CDS. The seventh registered clearing agency, the Options Clearing Corp., offers clearing services for exchange-traded U.S. equity options. 
The operations and functions of national securities association are discussed earlier in this release.739 A national securities association would be considered a Covered Entity under proposed Rule 10.740 FINRA currently is the only national securities association registered with the Commission and is a not-for-profit organization with 3,700 employees that oversees broker-dealers, including their branch offices, and registered representatives through examinations, enforcement, and surveillance. FINRA, among other things, provides a forum for securities arbitration and mediation; conducts market regulation, including by contract for a majority of the national securities exchanges; regulates its broker-dealer members; administers testing and licensing of registered persons; collects and stores regulatory filings; 741 and operates industry utilities such as Trade Reporting Facilities.742 Through the collection of regulatory filings submitted by broker-dealers as well as stock options and fixed-income quote, order, and trade data, FINRA maintains certain confidential information—not only its own but of other SROs. c. The MSRB e. National Securities Exchanges The operations and functions of the MSRB are discussed earlier in this release.737 The MSRB would be considered a Covered Entity under proposed Rule 10.738 As an SRO registered with the Commission, the MSRB protects municipal securities investors, municipal entities, obligated persons, and the public interest. While the MSRB used to only regulate the activities of broker-dealers and banks that buy, sell, and underwrite municipal securities, it regulates certain activities of municipal advisors. 
The operations and functions of the national securities exchanges are discussed earlier in this release.743 A national securities exchange would be considered a Covered Entity under proposed Rule 10.744 There are 24 736 In addition to the 14 clearing agencies discussed above, the Commission’s expects that two entities may apply to register or to seek an exemption from registration as a clearing agency in the next three years. As a result, they were included in the PRA in section V. 737 See section I.A.2.d. of this release. 738 See paragraph (a)(1)(iv) of proposed Rule 10. PO 00000 Frm 00084 Fmt 4701 Sfmt 4702 739 See section I.A.2.e. of this release. paragraph (a)(1)(i)(v) of proposed Rule 10. 741 Some of the filings collected include FOCUS reports; Form OBS; Form SSOI; Form Custody; firm clearing arrangements filings; Blue Sheets; customer margin balance reporting; short interest reporting; Form PF; Form 211; public offering and private placement related filings; FINRA Rules 4311 and 4530 reporting; subordination agreements; and Regulations M, T, and NMS. 742 These include Trade Reporting and Compliance Engine (TRACE), OTC ATS and NonATS data, Over-the-Counter Reporting Facility (ORF), Trade Reporting Facility (TRF), Alternative Display Facility (ADF), and Order Audit Trail System (OATS) (phased out as of 2021). 743 See section I.A.2.f. of this release. 744 See paragraph (a)(1)(vi) of proposed Rule 10. 740 See E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules national securities exchanges 745 currently registered with the Commission that would meet the definition of a Covered Entity under proposed Rule 10(a)(1): BOX Exchange LLC; Cboe BYX Exchange, Inc.; Cboe BZX Exchange, Inc.; Cboe C2 Exchange, Inc.; Cboe EDGA Exchange, Inc.; Cboe EDGX Exchange, Inc.; Cboe Exchange, Inc.; Investors Exchange LLC; LongTerm Stock Exchange, Inc.; MEMX, LLC; Miami International Securities Exchange; MIAX Emerald, LLC; MIAX PEARL, LLC; Nasdaq BX, Inc.; Nasdaq GEMX, LLC; Nasdaq ISE, LLC; Nasdaq MRX, LLC; Nasdaq PHLX LLC; The Nasdaq Stock Market; New York Stock Exchange LLC; NYSE Arca, Inc.; NYSE Chicago, Inc.; NYSE American, LLC; and NYSE National, Inc.746 f. SBS Entities and SBSDRs lotter on DSK11XQN23PROD with PROPOSALS2 Operations and functions of SBS Entities and SBSDRs are discussed earlier in this release.747 An SBS Entity and an SBSDR would be considered a Covered Entity under proposed Rule 10.748 As of January 4, 2023, there were 50 registered SBSDs that would meet the definition of a Covered Entity under proposed Rule 10(a)(1).749 There were no MSBSPs as of January 4, 2023. There are three SBSDRs that would meet the definition of a Covered Entity under proposed Rule 10(a)(1). The Commission has two registered securitybased swap data repositories (ICE Trade Vault, LLC and DTCC Data Repository (U.S.), LLC). GTR North America provides transaction reporting services for derivatives in the United States through the legal entity DTCC Data Repository (U.S.) LLC. DTCC Data Repository (U.S.), LLC enables firms to meet their reporting obligations under the Dodd-Frank Act and accepts trade submissions directly from reporting firms as well as through third-party service providers.750 In addition to the two registered SBSDRs, the Commission expects that an additional entity may 745 Exempt securities exchanges governed by section 5 of the Act are not considered to be national securities exchanges. 
746 Two exchanges, The Island Futures Exchange, LLC, and NQLX LLC, were formerly registered with the Commission as national securities exchanges. 747 See sections I.A.2.g. and I.A.2.h. of this release. 748 See paragraphs (a)(1)(iii), (vii), and (viii) of proposed Rule 10 (defining, respectively, MSBSPs, SBSDRs, and SBSDs as ‘‘covered entities’’). 749 See List of Registered Security-Based Swap Dealers and Major Security-Based Swap Participants (Jan. 4, 2023), available at https:// www.sec.gov/tm/List-of-SBS-Dealers-and-MajorSBS-Participants. 750 See DTCC, GTR North America, available at https://www.dtcc.com/repository-and-derivativesservices/repository-services/gtr-north-america. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 apply to be a registered SBSDR in the next three years. g. Transfer Agents The operations and functions of transfer agents are discussed earlier in this release.751 Transfer agents would be Covered Entities under proposed Rule 10.752 Transfer agents generally work for issuers of securities. Among other functions, they may: (1) track, record, and maintain on behalf of issuers the official record of ownership of each issuer’s securities; (2) cancel old certificates, issue new ones, and perform other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of securities; (3) facilitate communications between issuers and registered securityholders; and (4) make dividend, principal, interest, and other distributions to securityholders.753 Transfer agents are required to be registered with the Commission, or if the transfer agent is a bank, then with a bank regulatory agency. As of December 31, 2022, there were 353 registered transfer agents.754 h. Service Providers Many Market Entities utilize service providers to perform some or all of their cybersecurity functions. 
Market Entities that are large—relative to other Market Entities—in terms of their total assets, number of clients or members, or daily transactions processed are likely to have significant information technology, their own information technology departments, and dedicated staff, such that some functions are performed in-house. Other services may be contracted out to service providers that cater to Market Entities. Smaller Market Entities that do not have large technology budgets may rely more heavily (or completely) on third parties for their cybersecurity needs. According to a voluntary survey, financial services firms spend approximately 0.3 percent of revenue or 10 percent of their information technology budgets on cybersecurity, highlighting the fact that identifying vulnerabilities and having cybersecurity policies and procedures in place are more important than the actual cybersecurity budget itself, particularly with respect to expensive hardware and software.755

In performing their contracted duties, specialized service providers may receive, maintain, or process confidential information from Market Entities, or are otherwise permitted to access Market Entities’ information systems and the information residing on those systems. Market Entities work with service providers that provide certain critical functions, such as payment processing providers, regulatory services consultants, data providers, custodians, and valuation services.

751 See section I.A.2.i. of this release.
752 See paragraph (a)(1)(ix) of proposed Rule 10.
753 See Transfer Agent Regulations, Exchange Act Release No. 76743 (Dec. 22, 2015), 80 FR 81948, 81949 (Dec. 31, 2015).
754 See Commission, Transfer Agent Data Sets (Dec. 31, 2022), available at https://www.sec.gov/dera/data/transfer-agent-data-sets.
755 See Reshaping the Cybersecurity Landscape.
However, Market Entities also employ general service providers, such as email providers, relationship management systems, cloud applications, and other technology vendors. Regardless of their size, Market Entities typically enter into contracts with service providers to perform a specific function for a given time frame at a set price. At the conclusion of a contract, it may be renewed if both parties are satisfied. Because prices typically increase over time, there may be some need to negotiate a new fee for continued service. Negotiations also occur if additional services are requested from a given third-party provider. In the instance where additional services are required mid-contract, for example, due to increased regulatory requirements, the service provider may be able to bill separately for the extra work that it must incur to provide the additional service, particularly if that party is in a highly concentrated market for that service and can wield market power. This may be the case because that condition is specified in the contract with the Market Entity. Service providers that cater to the securities industry with specialized services are likely to have economies of scale that allow them to more easily handle requests from Market Entities for additional services.756 Some service providers, however, may not have the technical expertise to provide a requested additional service or may refuse to do so for other reasons. In this case, the Market Entity would need to find another service provider.
The costs associated with service provider contracts, including those of renegotiating them or tacking on supplemental fees, are passed on to the Market Entity’s customers, counterparties, members, participants, or users to the extent that the Market Entities are able to do so.

756 See Bharath Aiyer et al., New Survey Reveals $2 Trillion Market Opportunity for Cybersecurity Technology and Service Providers (2022), available at https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers.

D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule Amendments

In this section, the Commission considers the benefits and costs of the rule, form, and amendments being proposed in this release.757 As discussed earlier, proposed Rule 10 would require all Market Entities (Covered Entities and non-Covered Entities) to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.758 All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.759 They also would be required to prepare a report (in the case of Covered Entities) or a record (in the case of non-Covered Entities) with respect to the annual review.760 Finally, all Market Entities would need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.761

Market Entities that meet the definition of “covered entity” would be subject to certain additional requirements under proposed Rule 10.762 First, their cybersecurity risk management policies and procedures would need to include the following elements:

• Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
• Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
• Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversight of service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems;
• Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and
• Measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.763

Second, Covered Entities would need to make certain records pursuant to the policies and procedures required under proposed Rule 10.

757 Throughout the following, the Commission also considers benefits and costs related to potential effects on economic efficiency, competition, and capital formation. The Commission summarizes these effects in section IV.E. of this release.
758 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of “covered entity”); paragraph (e)(1) of proposed Rule 10; see also sections II.B.1. and II.C. of this release (discussing these proposed requirements in more detail).
759 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10; see also sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail).
760 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10; see also sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail).
761 See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) of proposed Rule 10; see also sections II.B.2.a. and II.C. of this release (discussing these proposed requirements in more detail).
762 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of “covered entity”); paragraph (e) of proposed Rule 10 (setting forth the requirements for Market Entities that do not meet the definition of “covered entity”).
In particular, Covered Entities would be required to document in writing periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and information residing on those systems.764 Additionally, Covered Entities would be required to document in writing any cybersecurity incident, including the Covered Entity’s response to and recovery from the cybersecurity incident.765 Third, Covered Entities—in addition to providing the Commission with immediate written electronic notice upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring—would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission through the EDGAR system.766 The form would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. Covered Entities would be required to file updated versions of proposed Form SCIR when material information becomes available or previously reported information is deemed inaccurate. Lastly, a final proposed Form SCIR would need to be submitted after a significant cybersecurity incident is resolved. Fourth, Covered Entities would need to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR.767 The form would need to be filed with the Commission through the EDGAR system and posted on the Covered Entity’s public-facing business internet website and, in the case of Covered Entities that are carrying or introducing broker-dealers, provided to customers at account opening and annually thereafter.
Rules 17a–4, 17ad–7, and 18a–6—which apply to broker-dealers, transfer agents, and SBS Entities, respectively—would be amended to establish preservation and maintenance requirements for the written policies and procedures, annual reports, Parts I and II of proposed Form SCIR, and records required to be made pursuant to proposed Rule 10 (i.e., the Rule 10 Records).768 The proposed amendments would specify that the Rule 10 Records must be retained for three years. In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures.769 In addition, orders exempting certain clearing agencies from registering with the Commission are proposed to be amended to establish preservation and maintenance requirements for the Rule 10 Records that would apply to the exempt clearing agencies subject to those orders.770 The amendments would provide that the records need to be retained for five years (consistent with Rules 13n–7 and 17a–1).771 In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures.

763 See sections II.B.1.a. through II.B.1.e. of this release (discussing these proposed requirements in more detail). In the case of non-Covered Entities, as discussed in more detail below in Section II.C. of this release, the design of the cybersecurity risk management policies and procedures would need to take into account the size, business, and operations of the broker-dealer. See paragraph (e) of proposed Rule 10.
764 See paragraph (b)(1)(i)(B) of proposed Rule 10; see also section II.B.1.a. of this release (discussing this documentation requirement in more detail).
765 See paragraph (b)(1)(v)(B) of proposed Rule 10; see also section II.B.1.e. of this release (discussing this documentation requirement in more detail).
766 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail).
767 See sections II.B.3. and II.B.4. of this release (discussing these proposed requirements in more detail).
768 See sections II.B.5. and II.C. of this release (discussing these proposed amendments in more detail). Rule 17a–4 sets forth record preservation and maintenance requirements for broker-dealers, Rule 17ad–7 sets forth record preservation and maintenance requirements for transfer agents, and Rule 18a–6 sets forth record preservation and maintenance requirements for SBS Entities.
769 See proposed rule 17a–4(e).
770 See section II.B.5. of this release (discussing these proposed amendments in more detail).
771 As discussed in section II.B.5.a. of this release, the existing requirements of Rule 13n–7 (which applies to SBSDRs) and Rule 17a–1 (which applies to registered clearing agencies, the MSRB, national securities associations, and national securities exchanges) will require these Market Entities to retain the Rule 10 Records for five years and, in the case of the written policies and procedures, for five years after the termination of the use of the policies and procedures.

1. Benefits and Costs of the Proposal to the U.S. Securities Markets

The Commission is proposing rules to require all Market Entities, based on the reasons discussed throughout, to take steps to protect their information systems and the information residing on those systems from cybersecurity risk.772 For example, as discussed above, Market Entities may not take the steps necessary to adequately address their cybersecurity risks.773 A Market Entity that fails to do so is more vulnerable to succumbing to a significant cybersecurity incident. As discussed earlier, a significant cybersecurity incident can cause serious harm not only to the Market Entity but also to its customers, counterparties, members, registrants, or users, as well as to any other market participants (including other Market Entities) that interact with the impacted Market Entity.774 Therefore, it is vital to the U.S. securities markets and the participants in those markets that all Market Entities address cybersecurity risk, which, as discussed above, is increasingly threatening the financial sector.775

772 See section I.A.1. of this release (discussing the attractiveness of the U.S. securities market to threat actors).
773 See section IV.B. of this release (discussing broad economic considerations).
774 See section I.A.2. of this release (discussing how critical operations of Market Entities are exposed to cybersecurity risk).
775 See section I.A.1. of this release (discussing threats to the U.S. financial sector).

a. Benefits

The Commission anticipates that an important economic benefit of the proposal would be to better protect the fair, orderly, and efficient operations of the U.S. securities markets and the soundness of Market Entities by requiring all Market Entities to establish, maintain, and enforce written cybersecurity policies and procedures. As noted earlier, the average loss in the financial services industry was $18.3 million per company per cybersecurity incident. Adopting and enforcing cybersecurity policies and procedures could help Market Entities avoid incurring such losses.
Furthermore, the requirement to implement cybersecurity policies and procedures could protect against potential negative downstream effects that could be incurred by other participants in the U.S. securities markets, such as the Market Entity’s customers, counterparties, members, registrants, and users, in the event of a cybersecurity attack. By requiring each Market Entity to implement policies and procedures to address cybersecurity risk, the proposed rule would reduce the likelihood that one Market Entity’s cybersecurity incident can adversely affect other Market Entities and market participants, as well as the U.S. securities markets at large. In addition, FSOC has stated that “[m]aintaining and improving cybersecurity resilience of the financial sector requires continuous assessment of cyber vulnerabilities and close cooperation across firms and governments within the U.S. and internationally.”776 The information provided to the Commission under the proposed reporting requirements could help in assessing potential cybersecurity risks that affect the U.S. securities markets. The reporting of significant cybersecurity incidents also could be used to address future cyberattacks. For example, these reports could assist the Commission in identifying patterns and trends across Covered Entities, including widespread cybersecurity incidents affecting multiple Covered Entities at the same time. Further, the reports could be used to evaluate the effectiveness of various approaches that are used to respond to and recover from significant cybersecurity incidents. Therefore, requiring Covered Entities to report significant cybersecurity incidents to the Commission could assist the Commission in carrying out its mission of maintaining fair, orderly, and efficient operations of the U.S. securities markets. Similarly, requiring Covered Entities to publicly disclose summary descriptions of their cybersecurity risks and significant cybersecurity incidents would provide enhanced transparency about cybersecurity threats that could impact the U.S. securities markets. Participants in these markets could use this additional information to enhance the management of their own cybersecurity risks, which also could serve to strengthen the resilience of the U.S. securities markets to future cybersecurity threats.

776 FSOC, Annual Report (2022), at 70, available at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf (“FSOC 2022 Annual Report”) (“By exchanging cyber threat information within a sharing community, organizations can leverage the collective knowledge, experience, and capabilities of that sharing community to gain a more complete understanding of the threats the organization may face.”). See also NIST, Special Pub. 800–150, Guide to Cyber Threat Information Sharing iii (2016), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf. The NIST Special Publication also notes that the use of structured data can facilitate information sharing. Id. at 7 (“Structured data that is expressed using open, machine-readable, standard formats can generally be more readily accessed, searched, and analyzed by a wider range of tools. Thus, the format of the information plays a significant role in determining the ease and efficiency of information use, analysis, and exchange.”).

b. Costs

In general, the costs associated with the proposals include the costs of developing, implementing, documenting, and reviewing cybersecurity policies and procedures. For example, a Market Entity that has only the minimal cybersecurity protection needed to meet the current regulatory requirements may incur substantial costs when implementing the policies and procedures required by proposed Rule 10.
These costs could be significantly lower for a Market Entity that currently has a well-developed and documented cybersecurity program. A Market Entity that incurs costs under the proposal may attempt to pass them on to other market participants and even other Market Entities to the extent that it is able to do so. This could increase costs for the Market Entity’s customers, counterparties, members, registrants, or users that participate in the U.S. securities markets.

In general, the costs of complying with proposed Rule 10 would vary across the various types of Market Entities. As discussed above, one factor determining costs would be the extent to which a Market Entity’s existing measures to address cybersecurity risk would comply with the proposal. Other factors would be the Market Entity’s particular business model, size, and unique cybersecurity risks. While the compliance costs for smaller entities, such as Non-Covered Broker-Dealers, may be relatively smaller, those costs may not be inconsequential relative to their size. Further, Covered Entities may incur substantial compliance costs given their relatively large size.

2. Policies and Procedures and Annual Review Requirements for Covered Entities

The definition of a ‘‘covered entity’’ includes a wide range of Commission registrants. The different Covered Entities that would be subject to proposed Rule 10 vary based on the types of businesses they are involved in, their relative sizes, and the number of competitors they face. As a result, the benefits and costs associated with the requirements to establish, maintain, and enforce written cybersecurity policies and procedures and to review them at least annually likely will vary among the different types of Covered Entities.
Because the benefits and costs are heterogeneous across the different types of Covered Entities, the costs and benefits that are common to all Covered Entities are discussed first. Next, the benefits and costs associated with each type of Covered Entity are examined separately to account for the different operations and functions they perform and the differences in how existing or proposed regulations apply to them. The estimated cost of compliance for a given Covered Entity and for all Covered Entities combined is provided in the common costs discussion.

a. Common Benefits and Costs for Covered Entities

i. Benefits

As discussed above, due to the interconnected nature of the U.S. securities markets, strong policies and procedures to address cybersecurity risks are needed by Covered Entities to protect not only themselves, but also the Market Entities with whom they do business, as well as other market participants, such as the Covered Entity’s customers, counterparties, members, or users. The Commission anticipates that an important economic benefit of the cybersecurity policies and procedures and annual review requirements of proposed Rule 10 would be to reduce the cybersecurity vulnerabilities of each Market Entity and enhance the preparedness of each Market Entity against cybersecurity threats to its operations. This would reduce the likelihood that the Market Entity experiences the adverse consequences of a cybersecurity incident.
With written cybersecurity policies and procedures that are maintained and enforced, as well as periodically reviewed and assessed, Market Entities can better protect themselves against cybersecurity threats; harden the security surrounding their information systems and the data residing on those systems, which includes the prevention of unauthorized access; minimize the damage from successful cyberattacks; and recover more quickly from significant cybersecurity incidents when they do occur. For example, the Covered Entity’s risk assessment policies and procedures would need to require written documentation of these risk assessments.777 Relatedly, proposed Rule 10 would require that the incident response and recovery policies and procedures include written documentation of a cybersecurity incident, including the Covered Entity’s response to and recovery from the incident.778 These records could be used by the Covered Entity to assess the efficacy of, and adherence to, its incident response and recovery policies and procedures. The record of cybersecurity incidents further could be used as a ‘‘lessons-learned’’ document to help the Covered Entity respond more effectively the next time it experiences a cybersecurity incident. The Commission staff also could use the records to review compliance with this aspect of proposed Rule 10.

The records discussed above generally could be used by the Covered Entity when it performs its review to analyze whether its current policies and procedures need to be updated, to inform the Covered Entity of the risks specific to it, and to support responses to cybersecurity risks by identifying cybersecurity threats to information systems that, if compromised, could result in significant cybersecurity incidents.779 The documentation also could be used by Commission staff and internal auditors of the Covered Entity to examine for adherence to the risk assessment policies and procedures.
Moreover, the annual review requirement is designed to require the Covered Entity to evaluate whether its cybersecurity policies and procedures continue to work as designed and whether changes are needed to ensure their continued effectiveness, including oversight of any delegated responsibilities. As discussed earlier, the sophistication of the tactics, techniques, and procedures employed by threat actors is increasing.780

777 See paragraph (b)(1)(i)(B) of proposed Rule 10.
778 See paragraph (b)(1)(v)(B) of proposed Rule 10.
779 See paragraph (b)(2) of proposed Rule 10 (which would require a Covered Entity to review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review). See also section II.B.1.f. of this release (discussing the proposed requirements in more detail).
780 See section I.A.1. of this release (discussing, for example, how cybersecurity threats are evolving); see also Bank of England CBEST Report (stating that ‘‘[t]he threat actor community, once dominated by amateur hackers, has expanded to include a broad range of professional threat actors, all of whom are strongly motivated, organised and funded’’).

As discussed above, Covered Entities are unlikely to lack some minimum level of cybersecurity policies and procedures, given their own business decisions and certain existing regulations and oversight. However, as discussed above, current Commission regulations regarding cybersecurity policies and procedures are narrower in scope. Proposed Rule 10 aims to be comprehensive in mandating that Covered Entities have cybersecurity policies and procedures that address all cybersecurity incidents that may affect their information systems and the funds and securities, as well as the personal, confidential, and proprietary information, that may be stored on those systems.

The benefits of proposed Rule 10 would be lessened to the extent that a Covered Entity already has implemented cybersecurity policies and procedures that are generally consistent with the written policies and procedures and annual review requirements under proposed Rule 10. If a Covered Entity has to supplement its existing cybersecurity policies and procedures, amend them, or institute annual reviews and document their assessments in a report, the benefit of proposed Rule 10 for that Covered Entity would be greater. The proposal would help ensure the Covered Entity has robust procedures in place to prevent cybersecurity incidents, may enable Covered Entities to detect cybersecurity incidents earlier, and would help ensure that Covered Entities have a plan in place to remediate cybersecurity incidents quickly. Lastly, as a second-order effect, it could reduce a Covered Entity’s exposure to other Covered Entities’ cybersecurity incidents stemming, for example, from the interconnectedness of Covered Entities’ information systems.

The Commission currently does not have reliable data on the extent to which each Covered Entity’s existing policies and procedures are consistent with proposed Rule 10. Therefore, it is not possible to quantify the scale of the benefits arising from the proposed policies and procedures and annual review requirements. However, given the importance of the U.S. securities markets, the value of the funds and assets that are traded and held, and the largely electronic nature of transactions today, it seems likely that the Covered Entities that transact business digitally have a strong incentive to implement cybersecurity policies and procedures in order to protect and maintain their operations. The proposed rule would require Covered Entities to implement stronger protections that go beyond what they do based on those market incentives.

To the extent that Covered Entities engage in business activities involving crypto assets (which depend almost exclusively on the operations of information systems), developing strong cybersecurity policies and procedures would result in large benefits for them and potentially for their customers, counterparties, members, registrants, or users. For example, robust cybersecurity policies and procedures would help to ensure that Covered Entities are better shielded from the theft of crypto assets by threat actors, which may be difficult or impossible to recover given the nature of distributed ledger technology.781 In addition, Covered Entities would avoid the reputational damage associated with a successful cyberattack.

781 See section II.G. of this release (noting that there is no centralized IT infrastructure that can dynamically detect and prevent cyberattacks on wallets or prevent the transfer of illegitimately obtained crypto assets by bad actors).

ii. Costs

The costs associated with the policies and procedures and annual review requirements of proposed Rule 10 would primarily result from compliance costs borne by Covered Entities in the design, implementation, review, written assessment, and updating of the cybersecurity policies and procedures. The proposed requirement likely would change a Covered Entity’s behavior toward cybersecurity risk and necessitate a certain amount of investment in cybersecurity protection.782 In addition to the aforementioned direct compliance costs faced by Covered Entities, those Covered Entities that utilize service providers would need to take steps to oversee them under proposed Rule 10.783 The costs of this oversight, including direct compliance costs, ultimately would likely be passed on to the Covered Entities’ customers, counterparties, members, participants, or users to the extent Covered Entities are able to do so. As indicated above, the compliance costs generally may be lessened to the extent that Covered Entities’ existing policies and procedures would be consistent with the requirements of proposed Rule 10. Therefore, the marginal increase in compliance costs likely would depend on the extent to which a Covered Entity needs to modify its existing cybersecurity policies and procedures, implement annual reviews of those policies and procedures, and/or write assessment reports. The compliance costs associated with developing, implementing, documenting, and reviewing the cybersecurity policies and procedures for Covered Entities’ activities that involve crypto assets likely would be higher than those connected with the traditional services and technologies offered and used, respectively, by Covered Entities.

782 While the existing policies and procedures of Covered Entities largely could be consistent with the requirements of proposed Rule 10, without a requirement to do so, they may not conduct annual reviews and draft assessment reports. The annual review and report costs are estimated to be between $1,500 and $20,000 based on the costs of obtaining a cybersecurity audit. See How Much Does a Security Audit Cost?, Cyber Security Advisor (Jan. 29, 2019), available at https://cybersecadvisor.org/blog/how-much-does-a-security-audit-cost (‘‘Cost of Security Audit’’).
783 See paragraphs (b)(1)(i)(A)(2), (b)(1)(iii)(B), and (b)(2) of proposed Rule 10.
The cost difference primarily would be due to the technological features of distributed ledger technologies, as well as to costs increasing as a Covered Entity engages in activities with additional crypto assets and blockchains.

iii. Service Providers

As indicated above, Covered Entities may use service providers to supply them with some or all of their necessary cybersecurity protection. In general, the cost of contracted cybersecurity services depends on the size of the entity, as larger firms may offer a wider range of services and thus need more cybersecurity protection. According to a data security provider blog, ‘‘[a]mong mid-market organizations (250–999 employees), 46% spend under $250,000 on security each year and 43% spend $250,000 to $999,999. Among enterprise organizations (1,000–9,999 employees), 57% spend between $250,000 and $999,999, 23% spend less than $250,000, and 20% spend at least $1 million. Half of large enterprises (more than 10,000 employees) spend $1 million or more on security each year and 43% spend between $250,000 and $999,999.’’ 784

784 See Desdemona Bandini, New Security Report: The Security Bottom Line, How Much Security Is Enough?, (Nov. 19, 2019), available at https://duo.com/blog/new-security-report-the-security-bottom-line-how-much-security-is-enough.

Under the proposal, Covered Entities would need to identify their service providers that receive, maintain, or process information, or are otherwise permitted to access their information systems and the information residing on those systems, and then assess the cybersecurity risks associated with the use of those service providers.785 The policies and procedures for protecting information would require oversight of the service providers that receive, maintain, or process the Covered Entities’ information, or are otherwise permitted to access the Covered Entities’ information systems and the data residing on those systems, through a written contractual agreement, as specified in paragraph (b)(1)(iii)(B) of proposed Rule 10.786 Service providers would be required to implement and maintain, pursuant to a written contract with the Covered Entities, appropriate measures, including the practices described in paragraph (b) of proposed Rule 10.

The proposed requirements likely would impose additional costs, at least initially, on service providers catering to Covered Entities, as they would be asked to provide services not included in existing contracts. The Commission believes that most service providers providing business-critical services would likely face pressure to enhance their cybersecurity practices to satisfy demand from Covered Entities due to the new regulatory requirements placed on those Covered Entities.787 Service providers may be willing to bear additional costs in order to continue their business relationships with the Covered Entities, particularly if the parties are operating under an ongoing contract.788 Such situations are more likely to arise with services that are considered general information technology, such as email, relationship management, website hosting, cloud applications, and other common technologies, given that the service provider does not have market power because it has many competitors offering these services.
In contrast, providers of more specialized services, such as payment service providers, regulatory service providers, data providers, custodians, and providers of valuation services, may have significant market power and may be able to charge a Covered Entity separately for the additional services that would be required under proposed Rule 10. Whether passed on to Covered Entities immediately or reflected in subsequent contract renewals, the costs associated with the additional services, including the associated negotiation process, would likely be passed on to the Covered Entities’ customers, counterparties, members, participants, or users to the extent that the Covered Entities are able to do so. In terms of the cost of additional services received from service providers, those providers that offer a specialized service and have market power may not be willing to give any price concessions in the negotiation process. The same may be true for service providers where Covered Entities make up a small proportion of their overall business.

785 See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
786 See paragraph (b)(1)(iii)(B) of proposed Rule 10.
787 A service provider involved in any business-critical function would likely need to receive, maintain, or process information from the Covered Entities as well as the Covered Entities’ customers, counterparties, members, registrants, or users.
788 See, e.g., Cost of Security Audit.
Other service providers in a more competitive environment, such as those that offer general information technology services, may be more willing to provide a discount to keep the Covered Entity as a customer.789 Moreover, the compliance costs for service providers of common technologies may be generally larger than those realized by firms that offer specialized services because they cater to a wider variety of customers, which makes contracts with different parties more idiosyncratic.

Some Covered Entities may find that one or several of their existing service providers may not be technically able to, or may not wish to make the investment to, support the Covered Entities’ compliance with the proposed rule. Similarly, some Covered Entities may find that one or several of their existing service providers may not be able to, or may not wish to because of significant market power, enter into written contracts where the costs are not mutually agreeable. Also, some service providers may not want to amend their contracts and take on the particular obligations even if they already have the technical abilities. In those cases, the Covered Entities would need to change service providers and bear the associated switching costs, while the service providers would suffer a loss of their customer base.790

789 See Jon Brodkin, IT Shops Renegotiate Contracts to Get Savings Out of Vendors, Computer World (Nov. 6, 2008), available at https://www.computerworld.com/article/2781173/it-shops-renegotiate-contracts-to-get-savings-out-of-vendors.html.
790 For example, the Covered Entity may have insufficient market power to effect changes in the service provider’s business practices and the suite of cybersecurity technologies it currently offers to that Covered Entity.

For service providers that do business with Covered Entities, the proposed rule may impose additional costs related to revising the service provider’s cybersecurity practices to satisfy the requirements that would be imposed on the Covered Entities. Moreover, if a service provider is already providing services to a Covered Entity that are largely compliant with proposed Rule 10, then the resulting increase in compliance costs likely would be minor. Even if satisfying additional client requirements would not represent a significant expense for service providers, the processes and procedures that are necessary to implement an infrequently utilized service may prevent some service providers from continuing to work with the Covered Entity.791 That is, the provision of the service may be viewed as more burdensome than the revenue received from the Covered Entity. This consequence would serve as a disincentive to the service provider. In such cases, Covered Entities would bear costs related to finding alternative service providers, while existing service providers would suffer lost revenue once the Covered Entities switch service providers.792

To estimate the costs associated with the proposed policies and procedures requirements and annual review requirements, the Commission considered the initial and ongoing compliance costs.793 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three-year period) are estimated to be $14,631.54 per Covered Entity, and $29,102,133.06 in total (the totals correspond to 1,989 Covered Entities). These costs reflect a blended rate of $462 per hour for a compliance attorney and assistant general counsel for a total of 31.67 hours. The annual external costs for adopting and implementing the policies and procedures, as well as the annual review of the policies and procedures, are estimated to be $3,472 per Covered Entity, and $6,905,808 in total. This reflects the cost of using outside legal counsel at a rate of $496 per hour for a total of seven hours.

791 For example, the costs associated with legal review of alterations to standard contracts may not be worth bearing by the service provider if Covered Entities represent a small segment of the service provider’s business.
792 At the same time, these frictions would benefit service providers that cater to customers in regulated industries.
793 See section V of this release (discussing these costs in more detail).

b. Broker-Dealers

i. Benefits

The benefits of the policies and procedures requirements of proposed Rule 10 for Covered Broker-Dealers likely will not be consistent across these entities, as their services vary. Covered Broker-Dealers that are larger, more interconnected with other market participants, and offer more services have a higher potential for greater losses for themselves and others in the event of a cybersecurity incident. Thus, the benefits arising from robust cybersecurity practices increase with the size and number of services offered by Covered Broker-Dealers. For example, a cybersecurity incident at a large Covered Broker-Dealer that facilitates trade executions and/or provides carrying and clearing services carries greater risk due to the larger number of services it provides as well as its interconnections with other Market Entities. For instance, carrying broker-dealers may provide services to multiple introducing broker-dealers and their customers. Commission staff determined that, as of September 2022, carrying broker-dealers have an average of 44 introducing broker-dealers on behalf of which they carry funds and securities,794 with a median of five introducing broker-dealers. Furthermore, a carrying broker-dealer may intermediate the connection between one introducing broker-dealer and the final carrying broker-dealer.795 As a result, there are potentially many avenues for infiltration, from the introducing broker-dealers to the carrying broker-dealers.
Such Covered Broker-Dealers not only hold customers’ personally identifiable information and records, but also typically have control over customers’ funds and assets. This makes them attractive targets for threat actors. In addition, even a brief disruption of the services offered by a carrying broker-dealer (e.g., from a ransomware attack) could have large, negative downstream repercussions on the broker-dealer’s customers and other Covered Entities (e.g., inability to submit orders during volatile market conditions or to access funds and securities). The persons negatively impacted could include not only individuals but also institutional customers, such as introducing broker-dealers, hedge funds, and family offices. In this scenario, the Covered Broker-Dealer could incur major losses if it experienced a significant cybersecurity incident. Thus, compliance with written cybersecurity policies and procedures, along with annual reviews and a written assessment report, likely would have substantial benefits for those Covered Broker-Dealers that hold customer information, funds, and assets.

794 Based on Form Custody, Item 4, as of 2021.
795 Id.

Because Covered Broker-Dealers perform a number of functions in the U.S. securities markets and those functions are increasingly performed through the use of information systems, it is important that those information systems be secure against cyberattacks. Covered Broker-Dealers use networks to connect their information systems to those of national securities exchanges and clearing agencies, and to communicate and transact with other Covered Broker-Dealers.
Written policies and procedures would strengthen a Covered Broker-Dealer’s cybersecurity protocols so that it would be more difficult for threat actors to disrupt market-making activities in securities or otherwise compromise the liquidity of the securities markets, an occurrence that could negatively impact the ability of investors to liquidate or purchase certain securities at favorable or predictable prices or in a timely manner.

ATSs are trading systems that meet the definition of ‘‘exchange’’ under the federal securities laws but are not required to register as national securities exchanges if they comply with the conditions of the Regulation ATS exemption, which include registering as a broker-dealer. ATSs have become significant venues for orders and non-firm trading interest in securities.796 ATSs use data feeds, algorithms, and connectivity to perform their functions. ATSs rely heavily on information systems to perform these functions, including to connect to other Market Entities, such as other Covered Broker-Dealers and national securities exchanges. A significant cybersecurity incident that disrupts an ATS could negatively impact the ability of investors to liquidate or purchase certain securities at favorable or predictable prices or in a timely manner, to the extent the ATS provides liquidity to the market for those securities. Furthermore, the records stored by ATSs on their information systems consist of proprietary information about the Market Entities that use their services, including confidential business information (e.g., information about their trading activities).
A significant cybersecurity incident at an ATS could lead to the improper use of this information to harm the Market Entities (e.g., public exposure of confidential trading information) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information). Comprehensive cybersecurity policies and procedures, along with periodic assessments, would fortify broker-dealer ATS operations in their efforts to thwart cybersecurity attacks.

796 Exchange Act Rule 3a1–1(a)(2) exempts an ATS from the definition of exchange under section 3(a)(1) of the Exchange Act on the condition that the ATS complies with Regulation ATS. See generally Regulation of NMS Stock Alternative Trading Systems Release, 83 FR 38768; Amendments Regarding the Definition of ‘‘Exchange’’ and ATSs Release, 87 FR 15496.

On the other hand, a small Covered Broker-Dealer could experience a cybersecurity incident that has significant negative impacts on the entity and its customers, such as a disruption to its services or the theft of a customer’s personal information. These types of incidents would have profound negative effects for the small Covered Broker-Dealer and its customers, but the negative effects would likely be insignificant relative to the size of the entire U.S. securities markets. In this case, strong cybersecurity policies and procedures generally could provide substantial benefits to small Covered Broker-Dealers themselves and their customers, but likely not to other market participants.
As discussed in the baseline, Covered Broker-Dealers currently are subject to Regulation S–P, Regulation S–ID, FINRA rules, and SRO and Commission oversight, as well as Regulation ATS, which applies to broker-dealer operated ATSs.797 In addition, Covered Broker-Dealers that operate an ATS and trade certain stocks exceeding specific volume thresholds are subject to Regulation SCI.798 As discussed above, Regulation S–P, Regulation ATS, and Regulation S–ID have requirements to establish policies and procedures that address certain cybersecurity risks.799 Therefore, Covered Broker-Dealers subject to these other regulations have existing cybersecurity policies and procedures that address certain cybersecurity risks. However, proposed Rule 10 would require all Covered Broker-Dealers to establish, maintain, and enforce a set of cybersecurity policies and procedures that is broader and more comprehensive than is required under the existing requirements of Regulation S–P, Regulation S–ID, and Regulation ATS that pertain to cybersecurity risk. This could substantially benefit these Covered Broker-Dealers and their customers and counterparties, as well as other Market Entities that provide services to them or transact with them. In particular, the failure to protect a particular information system from cybersecurity risk can create a vulnerability that a threat actor could exploit to access other information systems of the Covered Broker-Dealer. Therefore, proposed Rule 10, because it would require all information systems to be protected by policies and procedures, would result in benefits to Covered Broker-Dealers (i.e., enhanced cybersecurity resiliency).
Covered Broker-Dealers that are registered as FCMs or swap dealers are subject to NFA requirements that relate to proposed Rule 10.800 These additional requirements may bring those dually-registered Covered Broker-Dealers more in line with the requirements of the proposed rule.801 As a result, the marginal benefit of compliance for them may be smaller than for those that are only registered with the Commission.

797 See section IV.C.1.b.i. of this release (discussing as part of the baseline the current relevant regulations applicable to broker-dealers); see also section II.F. of this release (discussing other relevant regulations applicable to Covered Broker-Dealers).
798 Id.
799 See section II.F.1.c. of this release (discussing in more detail the existing requirements of Regulation S–P, Regulation ATS, and Regulation S–ID to have policies and procedures to address certain cybersecurity risks).
800 See section IV.C.1.d.iii. of this release (discussing as part of the baseline current CFTC-related requirements applicable to FCMs and swap dealers).
801 See section I.B. of this release (discussing the proposed requirements for Covered Entities, including Covered Broker-Dealers, with respect to cybersecurity policies and procedures).

ii. Costs

The compliance costs of the policies and procedures requirements of proposed Rule 10 for Covered Broker-Dealers may generally be lower to the extent their current policies and procedures are designed to comply with Regulation SCI, Regulation S–P, Regulation ATS (if they operate an ATS), Regulation S–ID, and FINRA rules and are consistent with certain of the requirements of proposed Rule 10.802 However, the requirements of proposed Rule 10 are designed to address all of the Covered Broker-Dealer’s cybersecurity risks, whereas the requirements of these other regulations that relate to cybersecurity are more narrowly focused. Consequently, the marginal costs associated with implementing the cybersecurity policies and procedures required under proposed Rule 10 would depend on the extent to which broker-dealers’ existing cybersecurity protections address cybersecurity risks beyond those that are required to be addressed by these other regulations. Covered Broker-Dealers that are dually registered with the CFTC as FCMs or swap dealers are subject to NFA requirements, as noted above.803 These additional requirements may make compliance with the proposed rule less burdensome and thus less costly, as those NFA requirements are already in place.

802 See section II.F.1.c. of this release (discussing the requirements of proposed Rule 10 and how they relate to Regulation S–P, Regulation ATS, and Regulation S–ID).

c. Clearing Agencies and National Securities Exchanges

i. Benefits

Strong cybersecurity protocols at national securities exchanges would help maintain their critical function of matching the orders of buyers and sellers. A cybersecurity incident could prevent an exchange from executing trades, thereby preventing members and their customers from buying or selling securities at the exchange. Interruptions in order flow and execution timing could lead to inefficiencies in order matching, possibly resulting in a less desirable execution price.
Moreover, customer information could be stolen and trading strategies could be revealed. Lastly, a cybersecurity breach could be problematic for market surveillance staff that monitors the market for illegal trading activity. Thus, the policies and procedures requirements of proposed Rule 10 could offer significant benefits to national securities exchanges and market participants that depend on their processing of order flow and the ability of regulators to surveil the market. Clearing agencies serve an important role in the securities markets by ensuring that executed trades are cleared and that the funds and securities are transferred to and from the appropriate accounts. A cybersecurity incident at a clearing agency could result in delays in clearing as well as in the movement of funds and assets. Such an incident also could lead to the loss or misappropriation of customer information, funds, and assets. Threat actors could also gain access to and misappropriate the clearing agency’s default fund by, for example, obtaining access to the clearing agency’s account in which the fund is held. Strong cybersecurity policies and procedures would assist clearing agencies in protecting the funds and securities in their control. This would benefit the clearing agency, its members, and market participants that rely on the services of its members. As discussed in the baseline, national securities exchanges, registered clearing agencies, and certain exempt clearing agencies are subject to Regulation 803 See section IV.C.1.d.iii. of this release (discussing as part of the baseline current CFTCrelated requirements applicable to FCMs and swap dealers). VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 SCI.804 Regulation SCI has requirements for SCI entities to establish policies and procedures that address certain cybersecurity risks The proposed requirements of proposed Rule 10, in contrast, apply to all of the Covered Entity’s information systems. 
The benefits of the policies and procedures requirements of proposed Rule 10 would depend on the extent to which the national securities exchanges’ and clearing agencies’ current cybersecurity policies and procedures (which include those required by Regulation SCI) are consistent with those required under the proposed rule. Major changes in cybersecurity policies and procedures could yield large benefits. However, the marginal benefit of the proposed rule likely would decline the more closely a national securities exchange’s or clearing agency’s cybersecurity policies and procedures are consistent with the requirements of proposed Rule 10. Clearing agencies that are registered as DCOs are subject to additional CFTC requirements that may be related to those of proposed Rule 10.[805] As a result, the marginal benefit of proposed Rule 10 may be smaller for them than for those that are only registered with the Commission.

ii. Costs

The incremental cost of compliance with the policies and procedures requirements of proposed Rule 10 for national exchanges and clearing agencies depends on how much their current cybersecurity policies and procedures go beyond what is required by Regulation SCI. This is because the requirements of proposed Rule 10 are designed to address all of the cybersecurity risks faced by a national securities exchange or clearing agency; in contrast, the requirements of Regulation SCI that relate to cybersecurity are more narrowly focused.[806] Therefore, national securities exchanges and clearing agencies that have policies and procedures in place that only address the requirements of Regulation SCI will need to make potentially significant changes to their cybersecurity policies and procedures in order to comply with the requirements of proposed Rule 10. Alternatively, national securities exchanges and clearing agencies that currently have comprehensive cybersecurity policies and procedures may incur fewer costs to comply with proposed Rule 10. Nevertheless, assuming that they do not do so already, ensuring that those cybersecurity policies and procedures are documented and reviewed on an annual basis as required by the proposal, with an accompanying written assessment, would assist national securities exchanges and clearing agencies to withstand cybersecurity incidents and address them more effectively, thus minimizing the negative effects of such occurrences. Clearing agencies that are dually registered with the CFTC as DCOs are subject to that agency’s systems safeguards rule, as noted above.[807] Complying with the CFTC requirements may make compliance with the proposed rule less burdensome and thus less costly, to the extent that the registered DCO implements the CFTC requirements on the registered clearing agency side of its operations. Finally, national securities exchanges and clearing agencies that are registered with the Commission but currently are not active would incur substantially higher costs relative to their active peers if they needed to come into compliance with proposed Rule 10. If they resume clearing activities and operations, they may incur significant costs to develop, document, implement, maintain, and enforce policies and procedures, including cybersecurity policies and procedures, as well as establish protocols for written annual reviews with necessary modifications and updates.

d. FINRA and the MSRB

i. Benefits

FINRA is the only national securities association currently registered with the Commission. Similarly, the MSRB is the only entity (other than the Commission) established by Congress to, among other activities, propose and adopt rules with respect to transactions in municipal securities. FINRA issues cybersecurity-related statements to members that discuss best practices for achieving adequate cybersecurity protection.[808] FINRA and MSRB members are also subject to internal oversight and external audits. Nevertheless, both FINRA and the MSRB store proprietary information about their members, including confidential business information, on their respective information systems. FINRA stores information about broker-dealers and trades. Some information and systems under FINRA’s control may belong to other organizations where FINRA is simply contracted to perform data processing duties. There also may be sensitive information related to FINRA’s oversight practices that is not made public, such as regulatory assessments of various broker-dealers or internal analyses regarding its examinations and examination programs. Furthermore, FINRA may keep information on cyberattacks on itself and on broker-dealers that, if made public, could compromise existing cybersecurity systems. Therefore, FINRA and the MSRB themselves require their own cybersecurity policies and procedures.

[804] See section IV.C.1.b.ii. of this release (discussing as part of the baseline the relevant regulations applicable to national securities exchanges and clearing agencies).
[805] See section IV.C.1.d.i. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to DCOs).
[806] See section II.F.1.c. of this release (discussing the requirements of proposed Rule 10 and how they relate to the requirements of Regulation SCI).
[807] See section IV.C.1.c.i. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to DCOs).
[808] See FINRA, Cybersecurity, available at https://www.finra.org/rules-guidance/key-topics/cybersecurity#overview.
As discussed in the baseline, FINRA and the MSRB are subject to Regulation SCI.[809] Regulation SCI has requirements to establish policies and procedures that address certain cybersecurity risks.[810] Therefore, the benefits of the policies and procedures requirements of proposed Rule 10 would depend on the extent to which FINRA’s and the MSRB’s current cybersecurity policies and procedures (which include those required by Regulation SCI) are consistent with those required under the proposed rule. This means the marginal benefit of the proposed rule may be limited, depending on how closely FINRA’s and the MSRB’s cybersecurity policies and procedures are consistent with proposed Rule 10. Nevertheless, ensuring that those cybersecurity policies and procedures are documented and reviewed on an annual basis, with an accompanying written assessment, could assist the two entities in avoiding cybersecurity incidents and addressing them more effectively, thus minimizing the negative effects of such occurrences.

ii. Costs

As with national securities exchanges and clearing agencies, the Commission does not expect that FINRA and the MSRB will incur significant costs as a result of complying with the policies and procedures requirements of proposed Rule 10 because they are already subject to Regulation SCI and, due to their importance in the oversight of their members or registrants, as well as the storage of trade information and data owned by other parties, there are strong incentives for FINRA and the MSRB to invest in comprehensive cybersecurity programs.

e. SBS Entities

i. Benefits

As discussed in the baseline, SBS Entities must comply with section 15F(j)(2) of the Exchange Act and various Commission rules. SBS Entities that are dually registered with the CFTC are subject to that agency’s rules as well as the rules of the NFA.[811] The benefits that would accrue to SBS Entities depend on the level of cybersecurity protection they currently have in place. Policies and procedures that are consistent with the policies and procedures requirements of proposed Rule 10 may only need moderate updating and adjustment. As a result, the marginal benefits likely are small. There would be much greater benefits for SBS Entities that must significantly revise their current policies and procedures. Further, proposed Rule 10 would require that SBS Entities have policies and procedures to respond to and recover from cybersecurity incidents, which would assist the SBS Entities in minimizing the harm caused by the incident and enhancing their ability to recover from it. Annual reviews also would help them update their policies and procedures to address emerging threats. SBS Entities that are registered as swap dealers are subject to additional requirements of the CFTC and NFA that may be related to those of proposed Rule 10.[812] As a result, the marginal benefit of compliance for them may be smaller than for those that are only registered with the Commission.

ii. Costs

Complying with the policies and procedures requirements of proposed Rule 10 may not be costly for SBS Entities. SBS Entities must comply with section 15F(j)(2) of the Exchange Act and various Commission rules. The costs that arise from compliance with proposed Rule 10 depend on how closely their current documented policies and procedures, as well as annual reviews and summary reports, are consistent with the proposed rule. SBS Entities that have very similar cybersecurity policies and procedures to those that would be required under proposed Rule 10 would have small associated costs to come into compliance with the rule. SBS Entities that need to make more substantial changes to their cybersecurity policies and procedures to comply with the proposed rule would incur higher attendant costs. Ultimately, the ability of SBS Entities to bear those additional costs depends on the competitive landscape of the security-based swap market. SBS Entities that are dually registered with the CFTC as swap dealers are subject to that agency’s requirements, as noted above.[813] These additional requirements may make compliance with the proposed rule less burdensome and thus less costly, as the CFTC requirements are already in effect and dually registered SBS Entities must comply with those regulations.

f. SBSDRs

i. Benefits

SBSDRs collect and maintain security-based swap transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby allowing regulators to monitor for potential market abuse and risks to financial stability.[814] SBSDRs also reduce operational risk and enhance operational efficiency in the security-based swap market, such as by maintaining transaction records that help counterparties ensure that their records reconcile.[815] The Commission requires SBSDRs to have written documentation regarding how they keep such transaction information secure.[816] If the policies and procedures requirements of proposed Rule 10 require an SBSDR to do additional development, documentation, implementation, and review of its cybersecurity policies and procedures, then the benefits that accrue from doing so will be large. In this circumstance, compliance with the policies and procedures requirements of proposed Rule 10 would bolster SBSDRs’ cybersecurity resiliency. As a result, SBSDRs would be better prepared to identify cybersecurity vulnerabilities and prevent significant cybersecurity incidents, thereby safeguarding the security-based swap trade data that they receive and maintain. Further, proposed Rule 10 would require that SBSDRs have policies and procedures to respond to and recover from a significant cybersecurity incident, which would assist SBSDRs in minimizing the harm caused by the incident and enhancing their ability to recover from it. Annual reviews also would help them update their policies and procedures to address emerging threats.

[809] See section IV.C.1.b.ii. of this release (discussing as part of the baseline the current relevant regulations applicable to national securities associations and FINRA).
[810] See section II.F.1.c. of this release (discussing in more detail the requirements of Regulation SCI).
[811] See section IV.C.1.c.iii. of this release (discussing as part of the baseline current relevant regulations applicable to SBS Entities).
[812] See section IV.C.1.c.iii. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to swap dealers).
[813] See section IV.C.1.c.iii. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to swap dealers).
[814] See SBSDR Adopting Release, 80 FR at 14440 (“[SBSDRs] are required to collect and maintain accurate SBS transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting them in a better position to monitor for potential market abuse and risks to financial stability.”).
[815] See SBSDR Proposing Release at 77307 (stating that “[t]he enhanced transparency provided by an [SBSDR] is important to help regulators and others monitor the build-up and concentration of risk exposures in the [security-based swap] market . . . . In addition, [SBSDRs] have the potential to reduce operational risk and enhance operational efficiency in the [security-based swap] market”).
[816] See section IV.C.1.b.iv. of this release (discussing as part of the baseline the current relevant regulations applicable to SBSDRs).
SBSDRs that are dually registered with the CFTC as SDRs must comply with that agency’s systems safeguards rule, applicable to information systems for data under the CFTC’s jurisdiction.[817] These additional requirements may bring those dually-registered SBSDRs more in line with the requirements of the proposed rule, to the extent that the registered entity applies the CFTC’s systems safeguard requirements to the SBSDR operations. As a result, the marginal benefit of compliance for them may be smaller than for those that are only registered with the Commission.

ii. Costs

The costs that arise from compliance with the policies and procedures requirements of proposed Rule 10 depend on how closely the current documented policies and procedures of SBSDRs are consistent with the proposed rule. SBSDRs that have very similar cybersecurity policies and procedures to those that would be required under proposed Rule 10 would face small costs to amend their cybersecurity policies and procedures. SBSDRs that need to make more substantial changes to their cybersecurity policies and procedures to comply with the proposed rule would realize greater marginal benefits from attaining compliance, while incurring higher attendant costs. SBSDRs that are dually registered with the CFTC as SDRs are subject to that agency’s system safeguards rule, as noted above.[818] These additional requirements may make compliance with the proposed rule less burdensome and thus less costly, to the extent the registered entity applies the CFTC’s system safeguard requirements to its SBSDR operations.

g. Transfer Agents

i. Benefits

The benefits of the policies and procedures requirements of proposed Rule 10 likely will differ across transfer agents, as their size and the level of their services may vary. Transfer agents, among other functions, may: (1) track, record, and maintain on behalf of issuers the official record of ownership of each issuer’s securities; (2) cancel old certificates, issue new ones, and perform other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of those securities; (3) facilitate communications between issuers and registered securityholders; and (4) make dividend, principal, interest, and other distributions to securityholders.[819] A cybersecurity incident at a transfer agent would have varying negative impacts depending on the range of services offered by the transfer agent. Nonetheless, for the issuer who depends on the transfer agent to maintain the official record of ownership, or for securityholders who depend on the transfer agent for distributions, an incident at even a small transfer agent with limited services could have profound negative implications. In addition, some transfer agents may maintain records and information related to securityholders that could include names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents’ recordkeeping and transaction processing on behalf of issuers. This information may make a transfer agent particularly attractive to threat actors. Compliance with written cybersecurity policies and procedures under proposed Rule 10, along with annual reviews and a written assessment report, would likely produce a large benefit for clients and investors of transfer agents. Preventing successful cyberattacks would keep securities from being stolen by threat actors and would ensure that dividends are paid when promised. In addition, because transfer agents hold securityholders’ personal information, policies and procedures to protect that information from unauthorized access or use would benefit the transfer agent and the securityholders. Moreover, if a significant cybersecurity incident materializes, transfer agents would have a plan to resolve the issue, thus potentially reducing the timeframe and damage associated with the incident. As discussed in the baseline, transfer agents registered with the Commission (but not transfer agents registered with another appropriate regulatory agency) are subject to the Regulation S–P Disposal Rule and may be subject to Regulation S–ID.[820] The Regulation S–P Disposal Rule and Regulation S–ID require measures that implicate a certain cybersecurity risk.[821] Nonetheless, the policies and procedures requirements of proposed Rule 10 would still provide substantial benefits to transfer agents. This is because, as discussed above, proposed Rule 10 would require all transfer agents to establish, maintain, and enforce policies and procedures to address cybersecurity risks that are broader and more comprehensive than those policies and procedures required by the existing requirements of Regulation S–P or Regulation S–ID.

ii. Costs

Transfer agents likely would incur moderate costs in complying with the policies and procedures requirements of proposed Rule 10 if their current policies and procedures—including those to comply with the Regulation S–P Disposal Rule and Regulation S–ID (if either or both apply)—would need to be augmented to meet the requirements of proposed Rule 10.

[817] See section IV.C.1.d.ii. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to SDRs).
[818] See section IV.C.1.d.iii. of this release (discussing as part of the baseline the current relevant CFTC regulations applicable to swap dealers).
[819] See section I.A.2.i. of this release (discussing critical operations and functions of transfer agents).
Transfer agents also would have to do annual reviews and write assessment reports. Such costs likely would be passed on to the entities that use transfer agents’ services. Transfer agents that have made the business decision to implement robust cybersecurity policies, procedures, and practices would incur lower marginal compliance costs, to the degree those policies, procedures, and practices are consistent with the requirements of proposed Rule 10.

h. Request for Comment

The Commission requests comment on all aspects of the foregoing analysis of the benefits and costs of the policies and procedures, review and assessment, and report requirements of proposed Rule 10. Commenters are requested to provide empirical data in support of any arguments or analyses. In addition, the Commission is requesting comment on the following matters:

1. Please discuss which types of Covered Entities have some level of cybersecurity in place and which may not. If not, explain why. Please describe the level of cybersecurity policies and procedures that have been implemented by Covered Entities and compare them to the requirements of proposed Rule 10.

2. Do the benefits and costs associated with Covered Entities having written cybersecurity policies and procedures, including provisions for written annual reviews and assessments, reports, and updates (if necessary) vary by the type of Covered Entity? If so, explain how. Are there benefits and costs of the proposals not described above? If so, please describe them.

3. Are the estimated compliance costs (both initially and on an ongoing basis) for Covered Entities to adopt cybersecurity policies and procedures, along with reviewing them annually and drafting a summary report, reasonable? If not, explain why and provide estimates of the compliance costs.

4. How costly would it be for a given type of Covered Entity to become compliant with proposed Rule 10? Please explain and provide estimates of the costs.

5. Do Covered Entities typically document their cybersecurity policies and procedures? If not, how costly would it be for them to be documented?

6. Please describe practices of Covered Entities with regard to the use of service providers in connection with their information systems and the information residing on those systems. How many Market Entities contract with service providers? What functions are contracted out versus completed in house? Are the cybersecurity policies and procedures implemented by these service providers comparable to the requirements of proposed Rule 10? Please explain. Would it be costly contractually to request that a service provider provide compliant services, including documented policies and procedures? What are the costs of finding a new service provider if one or more could not provide services that are compliant with the proposed rule?

7. How costly would it be to review and update, if necessary, cybersecurity policies and procedures at least annually? Would it be preferable to conduct the reviews on either a more or less frequent basis? Explain why.

[820] See section IV.C.1.b.v. of this release (discussing as part of the baseline the current relevant regulations applicable to transfer agents). Transfer agents that are subsidiaries of bank holding companies would incur minimal cost since they are already subject to federal banking cybersecurity regulations.
[821] See section II.F.1.c. of this release (discussing in more detail the existing requirements of the Regulation S–P Disposal Rule and Regulation S–ID).
Would it be less costly to have a third party conduct the review and update of a Covered Entity’s cybersecurity policies and procedures? Please explain.

3. Regulatory Reporting of Cybersecurity Incidents by Covered Entities

Under proposed Rule 10, Covered Entities would need to provide the Commission with immediate written electronic notice of a significant cybersecurity incident affecting the Covered Entity and, thereafter, report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission through the EDGAR system.[822] The form would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. In the case of certain Covered Entities, the notice and subsequent reports would need to be provided to other regulators.

a. Benefits

The requirements of proposed Rule 10 that Covered Entities provide immediate written electronic notice and subsequent reporting about significant cybersecurity incidents to the Commission would improve the Commission’s ability to assess these incidents. These requirements also would allow the Commission to understand better the causes and impacts of significant cybersecurity incidents and how Covered Entities respond to and recover from them. Thus, the notification and reporting requirements—through the information they would provide the Commission—could be used to understand better how significant cybersecurity incidents materialize and, therefore, how Covered Entities can better protect themselves from them and, when they occur, how Covered Entities can better mitigate their impacts and recover more quickly from them. Over time, this database of information could provide useful insights into how to minimize more broadly the harm caused by significant cybersecurity incidents, which have the potential to cause broader disruptions to the U.S. securities markets and undermine financial stability.

A Covered Entity would be required to provide immediate written electronic notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the incident has occurred or is occurring.[823] This timeframe allows for quick notification to the Commission and, in some cases, other regulators about the significant cybersecurity incident, which—in turn—would allow for more timely assessment of the incidents. These incidents, if not addressed quickly, could have harmful spillover impacts to other Market Entities and participants in the U.S. securities markets. The immediate written electronic notice would need to identify the Covered Entity, state that the notice is being given to alert the Commission of a significant cybersecurity incident impacting the Covered Entity, and provide the name and contact information of an employee of the Covered Entity who can provide further details about the significant cybersecurity incident.[824] By not requiring detailed information about the significant cybersecurity incident, the Covered Entity would be able to provide the notice quickly while it continues to assess which information systems have been subject to the significant cybersecurity incident and the impact that the incident has had on those systems. This would facilitate the Covered Entity’s ability to alert the Commission and other regulators (if applicable) at a very early stage after it has a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. This, in turn, would allow the Commission and other regulators (if applicable) to begin taking steps to assess the significant cybersecurity incident at that early stage. This proposed immediate written electronic notification requirement is modelled on other notification requirements that apply to broker-dealers and SBSDs pursuant to other Exchange Act rules. Under these existing requirements, broker-dealers and certain SBSDs must provide the Commission with same-day written notification if they undergo certain adverse events, including falling below their minimum net capital requirements or failing to make and keep current required books and records.[825] The objective of these requirements is to provide the Commission staff with the opportunity to respond when a broker-dealer or SBSD is in financial or operational difficulty.[826] Similarly, the immediate written electronic notification requirement of proposed Rule 10 would provide the Commission staff with the opportunity to promptly begin to assess the situation when a Covered Entity is experiencing a significant cybersecurity incident. Promptly thereafter (but no later than 48 hours), a Covered Entity would be required to report separately more detailed information about the significant cybersecurity incident by filing initial, amended and final versions of Part I of proposed Form SCIR with the Commission through EDGAR.[827] The Covered Entity also would be required to file updated reports and a final report.

The reporting requirements under proposed Rule 10 would provide the Commission and its staff with information to understand better the nature and extent of a particular significant cybersecurity incident and the efficacy of the Covered Entity’s response to mitigate the disruption and harm caused by the incident.[828] It also strengthens and expands the Commission’s knowledge regarding cybersecurity incidents beyond what is already required by current Commission regulations. In addition, the reporting would provide the staff with a view into the Covered Entity’s understanding of the scope and impact of the significant cybersecurity incident. All of this information would assist the Commission and its staff in assessing the significant cybersecurity incident impacting the Covered Entity. It also could benefit other Market Entities to the extent the confidential information provided by the impacted Covered Entity could be used to assist them (without divulging the identity of the impacted Covered Entity) in avoiding a similar significant cybersecurity incident or succumbing to an attack by the same threat actor that caused the significant cybersecurity incident. The information provided to the Commission under the proposed reporting requirements also would be used to assess the potential

[822] See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail).
[823] See paragraph (c)(1) of proposed Rule 10.
[824] Id.
[825] See 17 CFR 240.17a–11 (notification rule for broker-dealers); 17 CFR 240.18a–8 (notification rule for SBS Entities).
[826] See SBS Entity Recordkeeping and Reporting Proposing Release, 79 FR at 25247.
[827] See paragraph (c)(2) of proposed Rule 10. As discussed below, Part II of proposed Form SCIR would be used by Covered Entities to make public disclosures about the cybersecurity risks they face and the significant cybersecurity incidents they experienced during the current or previous calendar year. See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements).
[828] See Line Items 2 through 14 of Part I of proposed Form SCIR (eliciting information about the significant cybersecurity incident and the Covered Entity’s response to the incident).
VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 cybersecurity risks affecting U.S. securities markets more broadly. This information could be used to address future significant cybersecurity incidents or address cybersecurity vulnerabilities that may be present at other similar Covered Entities. For example, these reports could assist the Commission in identifying patterns and trends across Covered Entities, including widespread cybersecurity incidents affecting multiple Covered Entities at the same time. Further, the reports could be used to evaluate the effectiveness of various approaches to respond to and recover from a different types of significant cybersecurity incidents. This could benefit all Market Entities, other participants in the U.S. securities markets, and ultimately promote the fair, orderly, and efficient operation of the U.S. securities markets. Requiring Covered Entities to file Part I of proposed Form SCIR in EDGAR in a custom XML would allow for more efficient processing of information about significant cybersecurity incidents. It would create a comprehensive set of data of all significant cybersecurity incidents impacting Covered Entities that is based on these entities responding to the same check boxes and questions on the form. This would facilitate analysis of the data, including analysis across different Covered Entities and significant cybersecurity incidents. Eventually, this set of data and the analysis of it by searching and sorting based on how different Covered Entities responded to the same questions on the form could be used to spot common trending risks and vulnerabilities as well as best practices employed by Covered Entities to respond to and recover from significant cybersecurity incidents. As discussed above, Covered Entities have incentives to not disclose information about significant cybersecurity incidents. 
Such incentives constrain the information available about cybersecurity threats and thereby inhibit the efficacy of collective (i.e., an industry’s or a society’s) cybersecurity measures.829 At the same time, complete transparency in this area likely runs the risk of facilitating future attacks.830 As 829 See section IV.B. of this release (discussing broad economic considerations); see, e.g., Lewis and Zheng, Cyber Threat Information Sharing (recommending that regulators encourage information sharing). 830 Although ‘‘security through obscurity’’ as a cybersecurity philosophy has long been derided, ‘‘obscurity,’’ or more generally ‘‘deception,’’ has been recognized as an important cyber resilience technique. See Ron Ross, Victoria Pillitteri, Richard Graubart, Deborah Bodeau, and Rosalie McQuaid, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, 2 Nat. Inst. of PO 00000 Frm 00096 Fmt 4701 Sfmt 4702 discussed above, the challenge of effective information sharing has long been recognized, and government efforts at encouraging such sharing on a voluntary basis have had only limited success.831 The Commission would not publicly disclose and would keep them confidential to the extent permitted by law Part I of proposed Form SCIR. This would limit the risks associated with public disclosure of vulnerabilities as a result of successful cybersecurity incidents. The Commission also may share information with relevant law enforcement or national security agencies. The aforementioned benefits arise from improved information sharing between the affected Covered Entity and the Commission. Delays in incident reporting may hinder the utility of Part I of proposed Form SCIR because the Commission would not be able to assess the situation close to the time of its occurrence or discovery. Thus, the utility of such reports, at least initially, may be more limited if they are not filed as quickly as proposed. 
Requiring Covered Entities to identify themselves on Part I of proposed Form SCIR with a UIC 832 if they already have a UIC would be beneficial because the LEI—which is a Commission-approved UIC—is a globally-recognized standard identifier 833 with reference data that is Standards and Tech. (Dec. 2021), available at https://doi.org/10.6028/NIST.SP.800-160v2r1. See also Section IV.D.2.b (discussion of costs associated with disclosure). 831 See section IV.C.1.e. of this release (discussing information sharing). 832 As mentioned in section II.B.2.b. of this release, the instructions of proposed Form SCIR would define UIC to mean an identifier that has been issued by an IRSS that has been recognized by the Commission pursuant to Rule 903(a) of Regulation SBSR (17 CFR 242.903(a)). 833 ‘‘The [LEI] is a reference code—like a bar code—used across markets and jurisdictions to uniquely identify a legally distinct entity[.]’’ Office of Financial Research, U.S. Treasury Dep’t, Legal Entity Identifier—Frequently Asked Questions, available at https://www.financialresearch.gov/ data/legal-entity-identifier-faqs/. ‘‘The financial crisis underscored the need for a global system to identify financial connections, so regulators and private sector firms could understand better the true nature of risk exposures across the financial system.’’ Id. Using the LEI as a UIC to facilitate tracking financial entity cybersecurity incidents and risks is feasible because ‘‘[t]he Global LEI System was established for a large range of potential uses.’’ The Legal Entity Identifier Regulatory Oversight Committee (‘‘LEIROC’’), LEI Uses, available at https://www.leiroc.org/lei/uses.htm. The functionality of the LEI is such that it could be used to identify and track entities for various purposes. For example, the LEI is one of three identifiers that firms can use under a December 2022 U.S. Customs & Border Protection Pilot for automation program for enhanced tracing in international supply chains. 
See U.S. Customs and Border Protection, Announcement of the National Customs Automation Program Test Concerning the Submission Through the Automated Commercial E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules lotter on DSK11XQN23PROD with PROPOSALS2 available free of charge.834 Unlike many identifiers that are specific to a particular regulatory authority or jurisdiction, the LEI is a permanent, unique global identifier that also contains ‘‘Level 2’’ parent and (direct/ indirect) child entity information. Entity parent-child relationships are particularly relevant to assessing the risks of entities operating in the securities markets, where financial entities’ interconnectedness and complex group structures could otherwise make understanding the scope of potential widespread risks challenging.835 Additionally, unlike most company registries, all LEI data elements are validated annually and subject to a ‘‘quality program [that] scans the full [data] repository daily and publishes the results monthly in quality reports[,]’’ which helps to ensure the accuracy—and usefulness—of LEI data as compared to other types of entity identifiers that lack such features.836 Environment of Certain Unique Entity Identifiers for the Global Business Identifier Evaluative Proof of Concept, 87 FR 74157 (Dec. 2, 2022), available at https://www.federalregister.gov/documents/2022/ 12/02/2022–26213/announcement-of-the-nationalcustoms-automation-program-test-concerning-thesubmission-through-the. 834 Bank for Int’l Settlements, David Leung, et al., Corporate Digital Identity: No Silver Bullet, but a Silver Lining, BIS Paper No. 126, at 20 (June 2022), available at https://www.bis.org/publ/bppdf/ bispap126.pdf. (‘‘BIS Papers 126’’) (stating that ‘‘LEI data [is] available free of charge to users in both the public and private sector’’). 
The FSOC has stated the LEI ‘‘enables unique and transparent identification of legal entities.’’ FSOC, 2021 Annual Report, at 171 (stating that ‘‘[b]roader adoption of the LEI by financial market participants continues to be a Council priority’’). The FSOC also has stated that the LEI ‘‘facilitate[s] many financial stability objectives, including improved risk management in firms [and] better assessment of microprudential and macroprudential risks[.]’’ FSOC, 2022 Annual Report 99 (2022), available at https:// home.treasury.gov/system/files/261/ FSOC2022AnnualReport.pdf. The same principles that make the LEI well-suited for allowing regulators to track entity exposures to financial market risks across jurisdictions and entities should apply in other contexts, such as cross-border payments. See FSB, FSB Options to Improve Adoption of the LEI, in Particular for Use in Crossborder Payments (July 7, 2022), available at https:// www.fsb.org/wp-content/uploads/P070722.pdf. 835 FSB Peer Review Report; see also European Systemic Risk Board, Francois Laurent, et al., The Benefits of the Legal Entity Identifier for Monitoring Systemic Risk, Occasional Paper Series No. 18, (Sept. 2021) (‘‘The fact that the LEI enables full reporting of the group structure in the LEI database is also crucial for risk analysis. Indeed, the risk usually stems from the group and not from individual entities, and conducting a relevant risk analysis implies aggregating exposures at the level of the group.’’). For a discussion of the cybersecurity implications of the interconnectedness of Market Entities’ information systems, see section I.A.1 of this release. 836 See BIS Papers 126, at 16 (noting that ‘‘[h]istorically, corporate identification has mainly come from company registries in individual jurisdictions[,]’’ with the registries connected to the filing of certain documents and the paying of VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 b. 
Costs Covered Entities would incur costs complying with the requirements of proposed Rule 10 to provide immediate written electronic notice and subsequent reporting about significant cybersecurity incidents to the Commission and, in the case of certain Covered Entities, other regulators, on Part I of proposed Form SCIR. The immediate notification requirement would impose minimal costs given the limited nature of the information that would need to be included in the written notice and the fact that it would be filed electronically. The costs of complying with the requirements to file Part I of proposed Form SCIR to report a significant cybersecurity incident would be significantly greater than the initial notice, given the amount of information that would need to be included in the filing. In addition, because Part I of proposed Form SCIR is a regulatory filing, Covered Entities likely would incur costs associated with a legal and compliance review prior to the form being filed on EDGAR. In terms of the costs of filing Part I of Form SCIR on EDGAR, several categories of Covered Entities already file forms in EDGAR. Specifically, all transfer agents, SBSDs, MSBSPs, and SBSDRs must file registration or reporting forms in EDGAR,837 and some broker-dealers choose to file certain reports on EDGAR rather than filing them in paper form. The applicable EDGAR forms for these entities are filed, at least in part, in a custom XML. Covered Entities that do not currently file registration or reporting forms on EDGAR would have to file a notarized Form ID to receive a CIK number and access codes to file on EDGAR.838 required fees necessary to create legal entities). Under company registry regimes, each company typically is identified by name and ‘‘a company registration number’’ that is not standardized across jurisdictions and is not part of a harmonized system of corporate identification. See id. 
(stating that ‘‘[w]ith greater globalization of business and finance, [the existing company registry system] has become a source of inefficiency and risks from the standpoint of financial stability, market integrity, and investor protection’’). Further, ‘‘company registries typically do not offer similar types of quality programs for the corporate data they provide’’ and that such data generally is ‘‘declarative—provided by the registrant’’ without independent verification or validation. See id. at 20. 837 SBSDRs received temporary relief from filing through EDGAR. See Cross-Border Application of Certain Security-Based Swap Requirements, Exchange Act Release No. 87780 (Dec. 18, 2019) [85 FR 6270, 6348 (Feb. 2, 2020)]. 838 See section V of this release (discussing of the number of Covered Entities who do not currently file forms in EDGAR and the costs that would be associated with an EDGAR-filing requirement in more detail). PO 00000 Frm 00097 Fmt 4701 Sfmt 4702 20307 Consequently, the requirement to file Part I of proposed Form SCIR in EDGAR using a form-specific XML may impose some compliance costs on certain Covered Entities. These Covered Entities would need to complete Form ID to obtain the EDGAR-system access codes that enable entities to file documents through the EDGAR system. They would have to pay a notary to notarize Form ID. The inclusion of a UIC on proposed Form SCIR would not impose any marginal costs because a Covered Entity would only be required to provide a UIC if they have already obtained one. 
To estimate the costs for Market Entities to research the validity of a suspected significant cybersecurity incident and to provide immediate written electronic notification to the Commission regarding the significant cybersecurity incident that are real or reasonably determined to be true, the Commission considered the initial and ongoing compliance costs.839 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three year period) are estimated to be $1,648.51 per Market Entity, and $6,524,802.58 in total. These costs include a blended rate of $353 for an assistant general counsel, compliance manager, and systems analyst for a total of 4.67 hours. The annual external costs for these requirements are estimated to be $1,488 per Market Entity, and $5,889,504 in total. This includes the cost of using outside legal counsel at a rate of $496 per hour for a total of three hours. To estimate the costs for Covered Entities to fill out an initial Part I of proposed Form SCIR, and file an amended Part I of Form SCIR, the Commission considered the initial and ongoing compliance costs.840 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three year period) are estimated to be $1,077.50 per Covered Entity, and $2,143,147.50 in total. These costs include a blended rate of $431 for an assistant general counsel and compliance manager for a total of 2.5 hours. The annual external costs for these requirements are estimated to be $992 per Covered Entity, and $1,973,088 in total. This includes the cost of using outside legal counsel at a rate of $496 per hour for a total of two hours. 839 See section V of this release (discussing these costs in more detail). 840 See section V of this release (discussing these costs in more detail). E:\FR\FM\05APP2.SGM 05APP2 20308 Federal Register / Vol. 88, No. 
c. Request for Comment

The Commission requests comment on all aspects of the foregoing analysis of the benefits and costs of the requirements to provide immediate notification and subsequent reporting of significant cybersecurity incidents. Commenters are requested to provide empirical data in support of any arguments or analyses. In addition, the Commission is requesting comment on the following matters:

8. Are the estimated compliance costs (both initially and on an ongoing basis) for Covered Entities to provide the notification and subsequent reports reasonable? If not, explain why and provide estimates of the compliance costs.
9. Are there any other benefits and costs that the confidential reporting would provide the Commission? If so, please describe them. Please provide views on the costs of reporting significant cybersecurity incidents to the Commission relative to the Commission's cost estimates.
10. What are the costs and benefits associated with requiring Covered Entities to file Part I of proposed Form SCIR using a structured data language? Should the Commission require Covered Entities to file Part I of proposed Form SCIR using a structured data language, such as a custom XML? Should the Commission require Covered Entities to file Part I of proposed Form SCIR using a different structured data language than a custom XML, such as Inline XBRL? Why or why not?
11. Are there any Covered Entities that should be exempted from the proposed structured data requirements for filing Part I of proposed Form SCIR? If so, what particular exemption threshold should the Commission use for the structured data requirements and why?
12. Should Covered Entities be required to file proposed Form SCIR with a CIK number? What are the costs and benefits associated with requiring Covered Entities to identify themselves on Part I of proposed Form SCIR with a CIK number?
13. Should Covered Entities be required to file Part I of proposed Form SCIR with a UIC (such as an LEI), particularly when some Covered Entities do not have a UIC and would have to obtain one? What are the benefits associated with requiring Covered Entities with a UIC to identify themselves with that UIC?
14. Would requiring a UIC on Part I of proposed Form SCIR allow the Commission to better evaluate cybersecurity threats to Covered Entities using data from other regulators and from law enforcement agencies? Please explain how.
15. Are there any Covered Entities for which the proposed structured data requirements for Part I of proposed Form SCIR should be exempted? If so, what particular exemption threshold or thresholds should the Commission use for the structured data requirements under the proposed rule amendments, and why?

4. Public Disclosure of Cybersecurity Risks and Significant Cybersecurity Incidents

Under proposed Rule 10, Covered Entities would need to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR.[841] The form would need to be filed with the Commission through the EDGAR system and posted on the Covered Entity's business internet website and, in the case of Covered Entities that are carrying or introducing broker-dealers, provided to customers at account opening and at least annually thereafter.

[841] See sections II.B.3. and II.B.4. of this release (discussing these proposed requirements in more detail).

a. Benefits

As discussed above, there exists an information asymmetry between Covered Entities and their customers, counterparties, members, registrants, or users.[842] This information asymmetry, together with limitations on private contracting, inhibits the ability of customers, counterparties, members, registrants, and users to screen and discipline the Covered Entities with whom they do business or from whom they obtain services based on the effectiveness of the Covered Entity's cybersecurity policies. The public disclosure requirements of proposed Rule 10 would help alleviate this information asymmetry, and in so doing would enable customers, counterparties, members, registrants, or users to better assess the effectiveness of Covered Entities' cybersecurity preparations and the cybersecurity risks of doing business with any one of them. For example, customers, counterparties, members, registrants, or users could use the frequency or nature of significant cybersecurity incidents—as disclosed under the proposed public disclosure requirement—to infer a Covered Entity's effort toward preventing cybersecurity incidents. Likewise, customers, counterparties, members, registrants, or users could use the descriptions of cybersecurity risks to avoid certain Covered Entities with less well-developed cybersecurity procedures. Public disclosures mitigate the information asymmetry. Customers, counterparties, members, registrants, or users can use the information to better understand the risks of doing business with certain Covered Entities.

[842] See section IV.B. of this release (discussing broad economic considerations).

A Covered Entity disclosing that it addresses cybersecurity risks in a robust manner and that it has not experienced a significant cybersecurity incident, or has experienced few such incidents, could signal to customers, counterparties, members, registrants, or users that customer information, funds, and assets are safeguarded properly. In contrast, disclosures of sub-par cybersecurity practices or a history of significant cybersecurity incidents may convince customers, counterparties, members, registrants, or users not to do business with that Covered Entity. In addition to mitigating information asymmetries with stakeholders in general, public disclosure would also mitigate a source of principal-agent problems in the customer-Covered Entity relationship. As discussed above, Covered Entities may have different incentives than customers in the area of cybersecurity prevention.[843] Insofar as principals (customers) prefer a higher level of cybersecurity focus by agents (Covered Entities), public disclosure would act as an incentive for Covered Entities to increase their focus in this area and signal their commitment to protecting customers' funds and data. The proposed requirement for Covered Entities to post the required disclosures on their websites would help inform, for example, retail customers about Covered Broker-Dealers because such customers are likely to look for information about their broker-dealers on the firms' websites. In addition, requiring the submission of Part II of proposed Form SCIR in a custom XML data language would likely facilitate more effective and thorough review, analysis, and comparison of cybersecurity risks and significant cybersecurity incidents by the Commission and by Covered Entities' existing and prospective customers, counterparties, members, registrants, or users.[844]

[843] See section IV.B. of this release (discussing broad economic considerations).
[844] While the Commission would separately receive information about significant cybersecurity incidents impacting Covered Entities through the filings of Part I of proposed Form SCIR, those filings would not include the Covered Entity's summary description of the cybersecurity risks that could materially affect the Covered Entity's business and operations and how it assesses, prioritizes, and addresses those cybersecurity risks, which would be disclosed on Part II of proposed Form SCIR.

The public disclosure requirement of proposed Rule 10 expands Market Entities', other market participants', the public's, the Commission's, and other regulatory bodies' knowledge about the cybersecurity risks faced by Covered Entities, as well as their past experiences regarding significant cybersecurity incidents, beyond what is provided by current Commission regulations. Requiring Covered Entities to file Part II of proposed Form SCIR through the EDGAR system would allow the Commission—as well as customers, counterparties, members, and users of Covered Entity services—to download the Part II disclosures directly from a central location, thus facilitating efficient access, organization, and evaluation of the reported disclosures about significant cybersecurity incidents. Likewise, because Part II of proposed Form SCIR would be structured in SCIR-specific XML, the public disclosures would be machine-readable and, therefore, more readily accessible to the public and the Commission for comparisons across Covered Entities and time periods. With centralized filing in EDGAR in a custom XML, Commission staff as well as Covered Entities' customers, counterparties, members, registrants, or users (and the Covered Entities themselves) would be better able to assemble, analyze, review, and compare a large collection of data about reported cybersecurity risks and significant cybersecurity incidents, which could facilitate the efficient identification of trends in cybersecurity risks and significant cybersecurity incidents in the U.S. securities markets.

Centralized filing of the summary descriptions of the Covered Entity's cybersecurity risks and significant cybersecurity incidents on Part II of proposed Form SCIR in a structured format on EDGAR would enable investors and others—such as other government agencies, standard-setting groups, analysts, market data aggregators, and financial firms—to more easily and efficiently compare one Covered Entity with others in terms of cybersecurity risks and incidents. For example, banks assessing potential security-based swap counterparties could efficiently aggregate and compare the disclosures of multiple security-based swap dealers. Similarly, public companies deciding which transfer agent to use could efficiently aggregate and compare the disclosures of many transfer agents. These market participants would also be able to discern broad trends in cybersecurity risks and incidents more efficiently due to the central filing location and machine-readability of the disclosures. The more efficient dissemination of information about trends regarding cybersecurity risks and significant cybersecurity incidents could, for example, enable Covered Entities to better and more efficiently determine if they need to modify, change, or upgrade their cybersecurity defense measures in light of those trends. Likewise, more efficient assimilation of information about trends in significant cybersecurity incidents could enable Covered Entities' customers, counterparties, members, or users of their services to more efficiently understand and manage their cybersecurity risks.
Accordingly, centralized EDGAR filing of public cybersecurity disclosures in a machine-readable data language could help reduce the number of Covered Entities or their customers, counterparties, members, or users that suffer harm from cybersecurity breaches, or reduce the extent of such harm in the market, thus helping prevent or mitigate cybersecurity-related disruptions to the orderly operations of the U.S. securities markets.

Lastly, Covered Entities rely on electronic information, communication, and computer systems to perform their functions.[845] Because many Covered Entities play critical roles in the global financial system, a cyberattack against Covered Entities without strong cybersecurity protocols could lead to more widespread breaches. Therefore, the centralized, public, structured filing of cybersecurity disclosures with Part II of proposed Form SCIR, which would be updated promptly upon the occurrence of a new significant cybersecurity incident, would increase the efficiency with which new cybersecurity information would be assimilated into the market, thereby also likely increasing the speed with which Covered Entities could react to potential contagion. This increased agility on the part of Covered Entities could reduce potential contagion in the U.S. securities markets. Additionally, Covered Entities would know that the centralized, public filing of information about significant cybersecurity incidents would make comparison with their competitors easier, and this could motivate Covered Entities to take cybersecurity preparedness and risk management more seriously than they might otherwise, either by devoting more resources to cybersecurity or by addressing cybersecurity risks in a more effective manner. Such an effect could help reduce the number and extent of cybersecurity incidents, particularly those that negatively impact the U.S. securities markets.

[845] See section I.A.2. of this release (discussing how Covered Entities use information systems).

As with Part I of proposed Form SCIR, the Commission also is proposing to require Covered Entities to identify themselves on Part II of proposed Form SCIR with a UIC, such as an LEI, if they have obtained one, to help facilitate efficient collection and analysis of cybersecurity incidents in the financial markets. The addition of UICs could facilitate coordinated intergovernmental responses to cybersecurity incidents that affect U.S. firms.[846] Existing identifiers that are not UICs are more limited in scope, such as CIK numbers, which are Commission-specific identifiers for companies and individuals that have filed reports with the Commission. This limits their utility in analyzing and comparing significant cybersecurity incidents among Covered Entities and non-Commission-regulated financial institutions.

[846] The Commission has recognized the benefits of LEIs in other contexts. See Joint Industry Plan; Order Approving the National Market System Plan Governing the Consolidated Audit Trail, Release No. 34–79318; File No. 4–698 (Nov. 15, 2016), 81 FR 84696, 84745 (Nov. 23, 2016) ("The Commission believes use of the LEI enhances the quality of identifying information for Customers by incorporating a global standard identifier increasingly used throughout the financial markets."); Investment Company Reporting Modernization, Release Nos. 33–10231; 34–79095; IC–32314; File No. S7–08–15 (Oct. 13, 2016), 81 FR 81870, 81877 (Nov. 18, 2016) ("Uniform reporting of LEIs by funds [] will help provide a consistent means of identification that will facilitate the linkage of data reported on Form N–PORT with data from other filings and sources that is or will be reported elsewhere as LEIs become more widely used by regulators and the financial industry.").

The markets for different Covered Entities present customers, counterparties, members, registrants, or users with a complex, multidimensional choice problem. In choosing a Covered Entity to work with, customers, counterparties, members, registrants, or users may consider cybersecurity risk exposure (i.e., financial, operational, legal, etc.), past significant cybersecurity incidents, reputation, etc. While the Commission is not aware of any studies that examine the role perceptions of cybersecurity play in this choice problem, the extant academic literature suggests that investors focus on salient, headline-grabbing information, such as large losses of customer information, when making such choices.[847] Details regarding significant cybersecurity incidents may allow customers, counterparties, members, registrants, or users to assess the severity of one incident compared to that of another. However, the public disclosures will be generalized (i.e., summary descriptions) to a degree such that threat actors cannot take advantage of known vulnerabilities. Therefore, to the extent that cybersecurity disclosures from Covered Entities are "boilerplate," they may be less informative.[848] Thus, it may be difficult to choose among Covered Entities that have experienced similar significant cybersecurity incidents. Significant cybersecurity incidents—especially those that involve loss of data or assets of customers, counterparties, members, registrants, or users—are likely to garner attention. Thus, the Commission expects that the proposed requirement to disclose significant cybersecurity incidents would have a direct effect on the choices of customers, counterparties, members, registrants, or users.

In addition, third parties such as industry analysts—who may be more capable of extracting useful information across Covered Entities' disclosures—may incorporate it in assessment reports that are ultimately provided to customers, counterparties, members, registrants, or users. Whether directly or indirectly, Covered Entities with subpar cybersecurity policies and procedures—as revealed by a relatively large number of significant cybersecurity incidents—could face pressure to improve their policies and procedures to reduce such incidents.[849] The disclosures of significant cybersecurity incidents also should benefit a Covered Entity's current customers, counterparties, members, registrants, or users if the Covered Entity experiences a significant cybersecurity incident by providing notice that, for example, personal information, transaction data, securities, or funds may have been compromised. While the customers, counterparties, members, registrants, or users that are directly impacted may be individually notified of significant cybersecurity incidents based on individual state laws and Commission rules, thus initiating timely remedial actions, other parties may benefit from the disclosures. Specifically, customers, counterparties, members, registrants, or users that are not affected by a significant cybersecurity incident may take the time to change and strengthen passwords, monitor account activity on a more consistent basis, and audit their financial statements for discrepancies.

[847] See, e.g., Brad M. Barber, Terrance Odean, and Lu Zheng, Out of Sight, Out of Mind: The Effects of Expenses on Mutual Fund Flows, 78 J. Bus. 2095 (2005) ("Out of Sight, Out of Mind").
[848] However, as discussed above, the process of adopting "boilerplate" language by Covered Entities may itself effect improvements in policies and procedures.
[849] This assumes that customers, counterparties, members, registrants, or users evaluating the Covered Entities would favor those Covered Entities that include language citing strong cybersecurity procedures in their disclosures. Further, the Commission assumes that customers, counterparties, members, registrants, and users would prefer to do business with Covered Entities that have "superior" cybersecurity procedures.

b. Costs

The requirements to have reasonably designed policies and procedures to address cybersecurity risk and to report significant cybersecurity incidents to the Commission by filing Part I of proposed Form SCIR on EDGAR would—in practice—require the collection of the information that also would be used in the proposed public disclosures required to be made on Part II of proposed Form SCIR. Therefore, the disclosure requirement itself would not impose significant compliance costs beyond those already discussed with respect to the requirements to have reasonably designed policies and procedures to address cybersecurity risk and to report significant cybersecurity incidents to the Commission by filing Part I of proposed Form SCIR on EDGAR.[850] Generally, it is expected that a compliance analysis would be needed to summarize the cybersecurity risks faced by the Covered Entity and to prepare a summary of previous significant cybersecurity incidents. In addition, there may be internal legal review of the public disclosure, and administrative costs would be incurred in posting the disclosure on the Covered Entity's website.

[850] See sections IV.D.2. and IV.D.3. of this release (discussing the costs of those requirements).

However, if the action of disclosing summary descriptions of a Covered Entity's cybersecurity risks and significant cybersecurity incidents encourages the Covered Entity and/or other Covered Entities to review their policies and procedures and potentially direct more resources to cybersecurity protection, that would be an additional cost. Moreover, the disclosures may impose costs due to market reactions and exploitable information they may reveal to adverse parties. Depending on the Covered Entity, reporting many significant cybersecurity incidents and, to a lesser extent, reporting greater cybersecurity risks and exposure to financial, operational, legal, reputational, or other consequences that could materially affect its business and operations as a result of a cybersecurity incident adversely impacting its information systems may give rise to costs arising from reactions in the marketplace. That is, a Covered Entity may lose business or suffer harm to its reputation and brand value.[851] These costs would be borne by the affected Covered Entity even if it made reasonable efforts to prevent them. If customers, counterparties, members, registrants, or users "overreact"[852] to disclosures of significant cybersecurity incidents, Covered Entities may pursue a strategy of overinvesting in cybersecurity precautions (to avoid such overreactions), resulting in reduced efficiency.
The extent of such costs likely depends on a number of factors, including the size of a Covered Entity relative to others in the same category (e.g., Covered Broker-Dealers, national securities exchanges, and clearing agencies), the severity and scope of the cybersecurity incident, and the availability of substitutes for a given Covered Entity.853 The national securities exchanges and clearing agencies that are currently registered with the Commission but are not active would not incur any costs related to the proposed public disclosure requirement if they remain inactive. However, if their operations restart, they likely would incur 851 Customers, counterparties, members, registrants, and users would be more likely to act in response to realized significant cybersecurity incidents than in response to Covered Entities’ descriptions of their cybersecurity risks and how they address those risks. 852 Such overreactions can be the result of overconfidence about the precision of the signal. See, e.g., Kent Daniel, David Hirshleifer and Avanidhar Subrahmanyam, Investor Psychology and Security Market Under- and Overreactions, 53 J. Fin. 1839 (1998); see also Out of Sight, Out of Mind. 853 One can differentiate between the smallest and largest Covered Broker-Dealer. A large broker-dealer may be more able to absorb more costs associated with a cybersecurity incident and continue to stay in business than a small broker-dealer. In addition, a large broker-dealer could have a more prestigious reputation that may persuade customers to continue using it despite the cybersecurity event. Or a large broker-dealer could have more news about it in the public domain that dilutes bad news about cybersecurity incidents, whereas a smaller firm’s name may become inextricably associated with one significant cybersecurity incident. 
In addition, significant cybersecurity incidents that are crippling and affect all of a Covered Entity’s customers, counterparties, members, registrants, and users would be more costly its reputation than ones that are more localized. Lastly, the cost of lost business for a Covered Entity may be muted if there are fewer competitors to choose from. For example, there is only one national securities association (i.e., FINRA) relative to 353 transfer agents. It therefore could be costly in terms of lost business for a transfer agent as its customers can transfer their business to one of the many others that perform the same services. E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules moderate costs associated with the disclosure because they may need to restart their websites and provide summary descriptions of their cybersecurity risks. No significant cybersecurity incidents would need to be disclosed initially since they have been dormant for so long. In addition, many transfer agents do not have websites. Therefore, those transfer agents that do not have websites would incur the cost of obtaining a domain name as well as establishing and maintaining a website (either by themselves or using a third party) before being able to post their public disclosures. Small, independent brokerdealers also may not have websites. In a 2015 survey of 13 broker-dealers, 80% of respondents stated that they have a web policy or program; however, 7.6% do not have a web policy or program and 13.3% of the respondents were not sure. Furthermore, 47% of respondents reported that less than half of their firm’s advisors (i.e., registered representatives) currently have a website. 
Interestingly, the survey participants noted the value of having a website to establish credibility (80%), generate leads (53%), get referrals (40%), qualify and engage prospects (40%), and maintain existing client relationships (47%).854 The remaining Market Entities likely have websites. Website costs can be broken into several categories: (1) obtaining a domain name ($12 to $15 per year); (2) web hosting ($100 per month for premium service); (3) website theme or template (one-time fee of $20 to $200 or more); and (4) SSL certificate ($10 to $200 per year).855 Ongoing website costs could be as high as $1,215 per year to maintain.

854 See Broker Dealers and Web Marketing: What You Should Know (Dec. 9, 2015), available at https://www.advisorwebsites.com/blog/blog/general/broker-dealers-and-web-marketing-what-you-should-know#:~:text=While%2080%25%20of%20Broker-Dealers%20reps%20we%20polled%20say,to%20build%20and%20maintain%20a%20strong%20web%20presence.

855 See Jennifer Simonson, Website Hosting Cost Guide 2023, Forbes, available at https://www.forbes.com/advisor/business/website-hosting-cost/.

Mandating the disclosure of significant cybersecurity incidents entails a tradeoff. While disclosure can inform customers, counterparties, members, registrants, and users, disclosure can also inform cyber attackers that they have been detected. Also, disclosing too much (e.g., the types of systems that were affected and how they were compromised) could be used by threat actors to better attack their targets, imposing subsequent potential losses on Covered Entities. For example, announcing a significant cybersecurity incident naming a specific piece of malware and the degree of compromise can provide details about the structure of the target’s computer systems, the security measures employed (or not employed), and potentially suggest promising attack vectors for future targets by other would-be attackers.

Under proposed Rule 10, to mitigate these costs and to promote compliance with the disclosure requirements, each Covered Entity would be required to disclose summary descriptions of its cybersecurity risks and significant cybersecurity incidents on Part II of proposed Form SCIR.856 In the summary description of the significant cybersecurity incident, the Covered Entity would need to identify: (1) the person or persons affected; (2) the date the incident was discovered and whether it is still ongoing; (3) whether any data were stolen, altered, or accessed or used for any other unauthorized purpose; (4) the effect of the incident on the Covered Entity’s operations; and (5) whether the Covered Entity, or service provider, has remediated or is currently remediating the incident.857 Thus, Covered Entities generally would not be required to disclose technical details about significant cybersecurity incidents that could compromise their cybersecurity protections going forward. As before, the costs associated with conveying this information to attackers are impracticable to estimate.858

856 See paragraph (d)(1) of proposed Rule 10.

857 See paragraph (d)(1)(ii) of proposed Rule 10.

858 As noted in section IV.B. of this release, firms are generally hesitant to provide information about cyberattacks. Similarly, cybercriminals are not generally forthcoming with data on attacks, their success, or factors that made the attacks possible. Consequently, data from which plausible estimates could be made are not available.

While registering with the EDGAR system is free, the requirement to centrally file Part II of proposed Form SCIR in EDGAR would impose incremental costs on Covered Entities that have not previously filed documents in EDGAR. More specifically, Covered Entities that have never made a filing with the Commission via EDGAR would need to file a notarized Form ID, which is used to request the assignment of access codes to file on EDGAR. Thus, first-time EDGAR filers would incur modest costs associated with filing Form ID.859 That said, Covered Entities that already file documents in EDGAR would not incur the cost of having to register with EDGAR. As discussed earlier, the extent to which different categories of Covered Entities are already required to file documents in EDGAR varies. For example, SBSDs, MSBSPs, SBSDRs, and transfer agents are already required to file some forms in EDGAR. Likewise, as mentioned earlier, the Commission approved a UIC—namely, the LEI—in a previous rulemaking. The Commission could approve another standard identifier as a UIC in the future, but currently the LEI is the only approved UIC. Covered Entities that already have an LEI would not bear any cost to include it on proposed Form SCIR, as they would have already paid to obtain and maintain an LEI for some other purpose.

859 Any Covered Entity that has made at least one filing with the Commission via EDGAR since 2002 has been entered into the EDGAR system by the Commission and will not need to file Form ID to file electronically on EDGAR.
Covered Entities that do not already have an LEI are not required to obtain an LEI in order to file proposed Form SCIR; thus, there is no additional cost to those Covered Entities that do not have an LEI.

In addition, a Covered Broker-Dealer would be required to provide the written disclosure form to a customer as part of the account opening process. Thereafter, the Covered Broker-Dealer would need to provide the customer with the written disclosure form annually and when it is updated, using the same means that the customer elects to receive account statements (e.g., by email or through some type of postal service). The Commission anticipates that the cost of initial and annual reporting will be negligible because the report text can be incorporated into other initial disclosures and periodic statements. The cost of furnishing updated reports in response to significant cybersecurity incidents depends on the degree to which such incidents occur and are detected, which cannot reliably be predicted. The Commission assumes that the delivery costs are the same regardless of the delivery method.

To estimate the costs associated with a Covered Entity filing Part II of proposed Form SCIR with the Commission through EDGAR, as well as posting a copy of the form on its website, the Commission considered the initial and ongoing compliance costs.860 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three-year period) are estimated to be $1,377.46 per Covered Entity, and $2,739,767.94 in total. These costs include a blended rate of $375.33 for an assistant general counsel, senior compliance examiner, and compliance manager for a total of 3.67 hours.

860 See section V of this release (discussing these costs in more detail).
The annual external costs for these requirements are estimated to be $1,488 per Covered Entity, and $2,959,632 in total. This includes the cost of using outside legal counsel at a rate of $496 per hour for a total of three hours. To estimate the costs associated with a Covered Broker-Dealer delivering its disclosures to new customers, as well as delivering disclosures to existing customers on an annual basis, the Commission considered the initial and ongoing compliance costs.861 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three-year period) are estimated to be $3,536.94 per Covered Broker-Dealer, and $5,450,424.54 in total. These costs include a rate of $69 per hour for a general clerk for a total of 51.26 hours. It is estimated that there will be $0 annual external cost for this additional disclosure requirement for Covered Broker-Dealers. With respect to the additional disclosure fees for broker-dealers, the cost covers the clerks employed by the broker-dealers for stuffing envelopes and mailing them out. The legal fees associated with drafting the disclosure are already tied to the burden of filing the disclosure on Part II of proposed Form SCIR in EDGAR and putting the disclosure on the broker-dealer’s website.

861 See section V of this release (discussing these costs in more detail).

c. Request for Comment

The Commission requests comment on all aspects of the foregoing analysis of the benefits and costs of the requirements to provide immediate notification and subsequent reporting of significant cybersecurity incidents. Commenters are requested to provide empirical data in support of any arguments or analyses. In addition, the Commission is requesting comment on the following matters:

16. Please provide views on the benefits and costs associated with posting the public disclosures on Covered Entities’ websites and submitting them to the Commission through EDGAR. Will the general nature of the public disclosure be useful to Market Entities as well as customers, counterparties, members, participants, and users? Should the Commission require Covered Entities to both post cybersecurity risk and incident histories on Covered Entity websites and file that information on Part II of proposed Form SCIR in EDGAR? Should the Commission exempt some subset(s) of Covered Entities from the requirement to file Part II of proposed Form SCIR in EDGAR? If so, please explain. Should the Commission exempt some subset(s) of Covered Entities from the requirement to post cybersecurity risk and incident history information on their websites? Explain.

17. Are the cost estimates associated with posting the public disclosure on the Covered Entities’ websites, submitting Part II of proposed Form SCIR to the Commission through EDGAR, and providing disclosures to new and existing customers reasonable? If not, explain why. Are there any other benefits and costs of these proposed requirements? If so, please describe them.

18. Are there any other costs and benefits associated with requiring Covered Entities to file Part II of proposed Form SCIR using a structured data language? If so, please describe them. Should the Commission require Covered Entities to file Part II of proposed Form SCIR using a structured data language, such as a custom XML? Should the Commission require Covered Entities to file Part II of proposed Form SCIR using a different structured data language than a custom XML, such as Inline XBRL? Why or why not?

19. Are there any Covered Entities for whom the proposed structured data requirements of Part II of proposed Form SCIR should be exempted? If so, what particular exemption threshold or thresholds should the Commission use for the structured data requirements under the proposed rule amendments, and why?

20. Please provide views on the benefits and costs associated with requiring Covered Entities to identify themselves on Part II of proposed Form SCIR with both a CIK number and a UIC (such as an LEI). What would be the benefits and costs of requiring Covered Entities without a UIC to obtain one in order to file Part II of proposed Form SCIR? What, if any, standard identifiers should the Commission require Covered Entities to use to identify themselves on Part II of proposed Form SCIR?

21. What would be the benefits and costs of requiring Covered Entities to place the required cybersecurity risk and incident history disclosures on individual Covered Entity websites and in EDGAR with Part II of proposed Form SCIR relative to the alternatives discussed below in section IV.F. of this release? Should the Commission instead adopt one of the alternatives for the requirements around where Covered Entities must place the public cybersecurity disclosures? Specifically, the Commission is proposing to require Covered Entities to publish the disclosures on their individual firm websites and to file the information in EDGAR using Part II of proposed Form SCIR. Should the Commission eliminate one, or both, of those requirements?

22. Are there any Covered Entities for whom the proposed structured data requirements for Part II of proposed Form SCIR should be exempted? If so, what particular exemption threshold or thresholds should the Commission use for the structured data requirements under the proposed rule amendments, and why?

5. Record Preservation and Maintenance by Covered Entities

As discussed above, proposed Rule 10 would require a Covered Entity to: (1) establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks; (2) create written documentation of risk assessments; (3) create written documentation of any cybersecurity incident, including its response to and recovery from the incident; (4) prepare a written report each year describing its annual review of its policies and procedures to address cybersecurity risks; (5) provide immediate written notice of a significant cybersecurity incident; (6) report a significant cybersecurity incident on Part I of proposed Form SCIR; and (7) provide a written disclosure containing a summary description of its cybersecurity risk and significant cybersecurity incidents on Part II of proposed Form SCIR. Consequently, proposed Rule 10 would require a Covered Entity to create several different types of records, but it would not include its own record preservation and maintenance provisions. Instead, these requirements would be imposed through amendments, as necessary, to the existing record preservation and maintenance rules applicable to the Covered Entities. In particular, the Commission is proposing to amend the record preservation and maintenance rules for: (1) broker-dealers (i.e., Rule 17a–4); (2) SBS Entities (i.e., Rule 18a–6); and (3) transfer agents (i.e., Rule 17ad–7). The proposed amendments would specify that the Rule 10 Records must be retained for three years. In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures.

The existing record maintenance and preservation rule applicable to registered clearing agencies, the MSRB, national securities associations, and national securities exchanges (i.e., Rule 17a–1) requires these categories of Covered Entities to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by the Covered Entity in the course of its business as such and in the conduct of its self-regulatory activity. Under the existing provisions of Rule 17a–1, registered clearing agencies, the MSRB, national securities associations, and national securities exchanges would be required to preserve at least one copy of the Rule 10 Records for at least five years, with the first two years in an easily accessible place. Similarly, the existing record maintenance and preservation rule applicable to SBSDRs (i.e., Rule 13n–7) requires these Market Entities to preserve records. And with respect to exempt clearing agencies, the Commission is proposing to amend the clearing agency exemption orders to add a condition that each exempt clearing agency must retain the Rule 10 Records for a period of at least five years after the record is made or, in the case of the written policies and procedures to address cybersecurity risks, for at least five years after the termination of the use of the policies and procedures.

a. Benefits

There would be a number of benefits for Covered Entities to preserving and maintaining the Rule 10 Records. With respect to cybersecurity policies and procedures and the written documentation concerning risk assessments and any cybersecurity incidents, the Covered Entity’s records could be reviewed for compliance purposes as well as used as a reference in future self-conducted audits of the Covered Entity’s cybersecurity system.
In addition, the written report each year describing the Covered Entity’s annual review of its policies and procedures could be used to determine if the Covered Entity’s cybersecurity risk management program is working as expected and to see if any changes should be made. Lastly, maintaining records of compliance would assist the Commission in its oversight role, particularly when conducting examinations of Covered Entities. With respect to the immediate written notice of a significant cybersecurity incident, as well as any submitted Part I of proposed Form SCIR, the records would facilitate examination of Covered Entities for compliance with proposed Rule 10. Finally, with respect to the public disclosures that Covered Entities would make on Part II of proposed Form SCIR, keeping records of these forms and submissions would be beneficial to Covered Entities for compliance purposes as well as for use as a reference when updating the public disclosure. For example, a Covered Entity would need to file an updated Part II of proposed Form SCIR if the information in the summary description of a significant cybersecurity incident included on the form is no longer within the look-back period (i.e., the current or previous calendar year). However, the retention period for the records (e.g., three years in the case of broker-dealers, SBS Entities, and transfer agents, or five years in the case of registered clearing agencies, the MSRB, national securities associations, national securities exchanges, SBSDRs, and certain exempt clearing agencies) would require the Covered Entity to maintain a record of that particular public disclosure for a longer period of time. Benefits also arise due to the Commission’s regulation and oversight of Covered Entities with respect to their books and records.862

862 The Commission also would retain copies of Parts I and II of proposed Form SCIR filed through EDGAR.

b. Costs

The costs associated with preserving the Covered Entity’s cybersecurity policies and procedures and annual review are likely to be small. The cost would result from the requirement to preserve the Rule 10 Records for either three or five years. Given that the incremental volume of records that each Covered Entity would be required to retain would be relatively small, the costs should be minimal. Moreover, Covered Entities subject to other record retention requirements likely already have a system in place to maintain those records. Therefore, adding the records associated with proposed Rule 10 likely would be a small burden. To estimate the costs associated with a Covered Entity complying with its recordkeeping maintenance and preservation requirement, the Commission considered the initial and ongoing compliance costs.863 The internal annual cost for this requirement is estimated to be $441 per Covered Entity, and $877,149 in total. These costs include a blended rate of $73.50 for a general clerk and compliance clerk for a total of 6 hours. It is estimated that there will be $0 annual external cost for the recordkeeping maintenance and preservation requirement.

863 See section V of this release (discussing these costs in more detail).

c. Request for Comment

The Commission requests comment on all aspects of the foregoing analysis of the benefits and costs of the proposed record preservation and maintenance requirements. Commenters are requested to provide empirical data in support of any arguments or analyses. In addition, the Commission is requesting comment on the following matter:

23. Are there any other benefits and costs associated with the requirements to preserve the Rule 10 Records? If so, please describe them.

6. Policies and Procedures, Annual Review, Immediate Notification of Significant Cybersecurity Incidents, and Record Preservation Requirements for Non-Covered Broker-Dealers

As discussed earlier, proposed Rule 10 would require Non-Covered Broker-Dealers to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks, taking into account the size, business, and operations of the firm.864 The proposed rule also would require Non-Covered Broker-Dealers to review the design and effectiveness of their cybersecurity policies and procedures annually, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. Furthermore, Non-Covered Broker-Dealers would be required to provide the Commission and their examining authority with immediate written electronic notice of the occurrence of a significant cybersecurity incident.865 The Commission also is proposing to amend the record preservation and maintenance rule for broker-dealers (Rule 17a–4) to specifically require Non-Covered Broker-Dealers to preserve certain records in connection with Rule 10.

864 See section II.C.1. of this release (discussing in more detail the proposed policies and procedures, annual review, and record preservation requirements for Non-Covered Broker-Dealers).

865 The Commission is not proposing that Non-Covered Broker-Dealers be subject to the requirements to file Parts I and II of proposed Form SCIR and post copies of the most recently filed Part II of proposed Form SCIR on their websites and provide copies of that filing to their customers.

a. Benefits

The requirement under proposed Rule 10 for Non-Covered Broker-Dealers to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks would generally improve the cybersecurity preparedness of Non-Covered Broker-Dealers—and hence reduce their clients’ exposure to cybersecurity incidents. This is because, in establishing and maintaining a set of cybersecurity policies and procedures in a written format, a Non-Covered Broker-Dealer can evaluate whether its cybersecurity policies and procedures continue to work as designed and whether changes are needed to assure their continued effectiveness. In addition, by permitting Non-Covered Broker-Dealers to take into account the size, business, and operations of the firm when designing their written policies and procedures, Non-Covered Broker-Dealers can more efficiently utilize their resources. Moreover, by requiring Non-Covered Broker-Dealers to establish reasonably designed cybersecurity policies and procedures, the Commission would be better able to understand the protections that these broker-dealers put in place to address cybersecurity risk. During an examination, the Commission can assess the adequacy and completeness of a Non-Covered Broker-Dealer’s cybersecurity policies and procedures. Documenting a Non-Covered Broker-Dealer’s cybersecurity policies and procedures in a written format also would aid the Commission in its review and oversight. Due to the varying sizes and operations of Non-Covered Broker-Dealers, the benefits that accrue from the cybersecurity policies and procedures requirement likely differ across entities. Because Non-Covered Broker-Dealers are generally smaller and have fewer assets and interconnections with other Market Entities than Covered Broker-Dealers, there is less of a risk that a significant cybersecurity incident at a Non-Covered Broker-Dealer could provide the threat actor with access to other Market Entities. However, even though a Non-Covered Broker-Dealer may not pose a significant overall risk to the U.S. securities markets, a significant cybersecurity event at a Non-Covered Broker-Dealer could have profound negative effects if a threat actor is able to misappropriate customers’ confidential financial information. Consequently, greater cybersecurity investment by a Non-Covered Broker-Dealer likely would lead to significant benefits for itself and its customers.

Non-Covered Broker-Dealers may already have implemented cybersecurity policies and procedures. The marginal benefits of the proposed rule would be mitigated to the extent that these existing policies and procedures are consistent with the proposed rule’s requirements. However, existing policies and procedures that are already consistent with the proposed rule would facilitate Non-Covered Broker-Dealers in conducting annual reviews, assessing the design and effectiveness of their cybersecurity policies and procedures, and making necessary adjustments. The primary benefit of reviewing a Non-Covered Broker-Dealer’s cybersecurity policies and procedures on an annual basis would be to help ensure that they are working as designed, that they accurately reflect the firm’s cybersecurity practices, and that they reflect changes and developments in the firm’s cybersecurity risk over the time period covered by the review. The documented policies and procedures would serve as a benchmark when conducting the annual review. The Non-Covered Broker-Dealer would be required, for compliance purposes and future reference, to make a written record that documents the steps taken in performing the annual review and the conclusions of the annual review. Cybersecurity threats constantly evolve, and threat actors consistently identify new ways to infiltrate information systems.
An annual review requirement would ensure that NonCovered Broker-Dealers conduct a regular assessment and undertake updates to prevent policies and procedures from becoming stale or ineffective, in light of the dynamism of cybersecurity threats. The primary benefit of requiring NonCovered Broker-Dealers to retain their written cybersecurity policies and procedures as well as a record of the annual reviews, is to assist the Commission in its oversight function. In reviewing their records, Non-Covered Broker-Dealers may see trends in their own cybersecurity risks, which may serve as an impetus to make adjustments to their cybersecurity policies and procedures. Furthermore, Proposed Rule 10 would expand beyond current Commission regulations NonCovered Broker-Dealers’ cybersecurity policies and procedures that address all cybersecurity risks that may affect their information systems and the funds and securities as well as personal, confidential, and proprietary information that may be stored on those systems. As noted above, Non-Covered BrokerDealers would be required to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring. Compared to the suite of proposed requirements for PO 00000 Frm 00104 Fmt 4701 Sfmt 4702 Covered Entities, including filing Parts I and II of proposed Form SCIR and publicly disclosing Part II (which would contain summary descriptions of the Covered Entity’s cybersecurity risks and significant cybersecurity incidents that occurred in current and previous calendar years), the proposed requirement to provide immediate written electronic notice of significant cybersecurity incidents is relatively small but can yield significant benefits. 
Most notably, such immediate notifications would make Commission staff aware of significant cybersecurity incidents across all broker-dealers and not just at Covered Broker-Dealers, thus significantly increasing its oversight powers in the broker-dealer space with respect to cybersecurity incidents. Trends that impact Non-Covered Broker-Dealers, such as through malware or a particular type of software, may be detected by staff, which can then inform other Market Entities of emerging risks. This is particularly important due to the interconnected nature of the U.S. securities industry. Breaches that occur at Non-Covered Broker-Dealers may spread to larger firms, such as Covered Entities, that could cause more widespread financial disruptions. Furthermore, we anticipate that the burden on Non-Covered broker dealers of furnishing immediate written notification of a significant cybersecurity incident will be minimal.866 b. Costs The costs associated with proposed Rule 10 for Non-Covered Broker-Dealers with respect to the written cybersecurity policies and procedures requirements would primarily result from establishing written cybersecurity policies and procedures that are reasonably designed. Such costs may be passed on to the Non-Covered Broker-Dealers’ customers, either in part or in full. Many Non-Covered Broker-Dealers currently have cybersecurity policies and procedures in place; to the extent a Non-Covered Broker-Dealer’s existing policies and procedures are consistent with the requirements of the proposed rule, those Non-Covered Broker-Dealers would have limited need to update those policies and procedures, thus mitigating the costs of the proposal. Non-Covered Broker-Dealers may be subject to Regulation S–P, Regulation S– ID, and state regulations. In those particular instances, they may have already implemented policies and procedures that are consistent with the requirements of the proposed Rule 10, 866 See E:\FR\FM\05APP2.SGM section IV.D.6.b. 
of this release. 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules which would mitigate some of the compliance costs associated with the proposed policies and procedures requirements. The cost of complying with the proposed annual review requirement along with the accompanying written review and conclusion would depend on the size, business, and operations of the Non-Covered Broker-Dealer. A NonCovered Broker-Dealer with simpler operations likely would incur lower annual review and modification costs than firms with larger operations. Furthermore, a Non-Covered BrokerDealer may choose to hire a third-party for assistance or consultation regarding the completion of a written annual review and conclusion. This cost, in those situations, would depend on the services requested and the fees that are charged by the third-parties and consultants. Such costs could be passed along to the Non-Covered BrokerDealer’s customers depending on the competitive nature of the Non-Covered Broker-Dealer’s market and its business model. In either case, Non-Covered BrokerDealers could tailor the policies and procedures to its cybersecurity risks taking into account its size, business, and operations. This offers Non-Covered Broker-Dealers the flexibility to implement cybersecurity policies and procedures based on the sophistication and complexity of their information systems. Of course, the cost of cybersecurity systems and modifications to cybersecurity policies and procedures may be higher as the size, business, and operation of a Non-Covered BrokerDealer increases and becomes more complex. The costs associated with giving the Commission immediate written electronic notice of a significant cybersecurity incident are likely to be relatively similar to, or possibly somewhat larger, than those incurred by Covered Broker-Dealers. 
As noted previously, the cost of immediate notification consists of notifying the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude it has occurred or is occurring, as well as researching the details of the incident in question. Non-Covered Broker-Dealers may be able to make the same determination and notify the Commission in the same amount of time as their Covered Broker-Dealer counterparts. However, smaller broker-dealers may not have the staffing or information technology expertise to make a reasonable decision about a suspected significant cybersecurity event as quickly as a Covered Broker-Dealer that may have in-house staff dedicated to this function, thus increasing the overall immediate notification cost. On the other hand, smaller broker-dealers could instead contract with third parties for cybersecurity functions that could identify plausible significant cybersecurity attacks in the same amount of time as Covered Broker-Dealers.

Unlike Covered Broker-Dealers, Non-Covered Broker-Dealers do not have to provide more detail beyond the immediate written notification requirement. Additional information regarding significant cybersecurity incidents does not have to be provided to the Commission on a confidential basis through the filing of Part I of proposed Form SCIR. Moreover, a summary of past incidents does not have to be publicly disclosed on their websites and with the Commission.

To estimate the costs associated with the proposed policies and procedures requirements and annual review requirements, the Commission considered the initial and ongoing compliance costs.867 The internal annual costs for these requirements (which include an initial burden estimate annualized over a three-year period) are estimated to be $9,702 per Non-Covered Broker-Dealer, and $19,103,238 in total. These costs include a blended rate of $462 for a compliance attorney and assistant general counsel for a total of 21 hours. The annual external costs for adopting and implementing the policies and procedures, as well as the annual review of the policies and procedures, are estimated to be $2,480 per Non-Covered Broker-Dealer, and $4,883,120 in total. This includes the cost of using outside legal counsel at a rate of $496 per hour for a total of five hours.

The costs associated with a Non-Covered Broker-Dealer researching a suspected cybersecurity incident and providing immediate written notification to the Commission were combined earlier with those costs for Covered Entities.868 Broken out solely for Non-Covered Broker-Dealers, the Commission considered the initial and ongoing compliance costs. The internal annual costs for these requirements (which include an initial burden estimate annualized over a three-year period) are estimated to be $1,648.51 per Non-Covered Broker-Dealer, and $3,245,916 in total. These costs include a blended rate of $353 for an assistant general counsel, compliance manager, and systems analyst for a total of 4.67 hours. The annual external costs for these requirements are estimated to be $1,488 per Non-Covered Broker-Dealer, and $2,959,872 in total. This includes the cost of using outside legal counsel at a rate of $496 per hour for a total of three hours.

867 See section V of this release (discussing these costs in more detail).
868 See section IV.D.3.b. of this release (discussing the cost of immediate notification).

Pursuant to proposed Rule 10, a Non-Covered Broker-Dealer would be required to: (1) establish, maintain, and enforce written policies and procedures that are reasonably designed to address the cybersecurity risks of the firm; (2) make a written record that documents its annual review; and (3) provide immediate electronic written notice to the Commission of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring. The additional cost of the proposed amendments to Rule 17a–4 of preserving and maintaining these documents for three years, whether in paper or digital form, is likely minimal. To estimate the costs for a Non-Covered Broker-Dealer to comply with its recordkeeping maintenance and preservation requirement, the Commission considered the initial and ongoing compliance costs.869 The internal annual cost for this requirement is estimated to be $220.50 per Non-Covered Broker-Dealer, and $434,164.50 in total. These costs include a blended rate of $73.50 for a general clerk and compliance clerk for a total of 2 hours. It is estimated that there will be $0 annual external cost for the recordkeeping maintenance and preservation requirement.

869 See section V of this release (discussing these costs in more detail).

c. Request for Comment

The Commission requests comment on all aspects of the foregoing analysis of the benefits and costs of the proposed requirements for Non-Covered Broker-Dealers. Commenters are requested to provide empirical data in support of any arguments or analyses. In addition, the Commission is requesting comment on the following matters:

24. What level of cybersecurity policies and procedures have Non-Covered Broker-Dealers implemented? For example, would they meet the cybersecurity policies and procedures requirements of the proposed rule, thus making the compliance cost relatively low? Are those policies and procedures documented?

25. Are there any other benefits and costs for a Non-Covered Broker-Dealer in establishing, maintaining, and enforcing written policies and procedures under proposed Rule 10? If so, please describe them.

26. Are the estimated costs of compliance for Non-Covered Broker-Dealers to establish, maintain, and enforce written cybersecurity policies and procedures that comply with the proposed rule reasonable? If not, why not?

27. Would Non-Covered Broker-Dealers consult with a third party or hire a consultant with cybersecurity expertise in order to establish the cybersecurity policies and procedures under proposed Rule 10?

28. Are there quantifiable benefits to complying with the cybersecurity policies and procedures requirements of the proposed rule? If so, please describe them. Are there quantifiable costs for Non-Covered Broker-Dealers to review their cybersecurity policies annually that are different than those discussed above? If so, describe them.

29. Are there any other benefits in reviewing and updating Non-Covered Broker-Dealers’ cybersecurity policies and procedures on an annual basis? If so, please describe them.

30. Is the estimated cost to review Non-Covered Broker-Dealers’ cybersecurity policies and procedures reasonable? If not, explain why.

31. Would it be more or less costly to outsource the responsibility of an annual review of cybersecurity policies and procedures to a third party?

7. Substituted Compliance for Non-U.S. SBS Entities

Commission Rule 3a71–6 states that the Commission may, conditionally or unconditionally, by order, make a determination with respect to a foreign financial regulatory system that compliance with specified requirements under such foreign financial regulatory system by a registered SBS Entity, or class thereof, may satisfy certain requirements that would otherwise apply to such an SBS Entity (or class thereof). The Commission may make such substituted compliance determinations to permit SBS Entities that are not U.S. persons (as defined in 17 CFR 240.3a71–3(a)(4)), but not SBS Entities that are U.S. persons, to satisfy the eligible requirements by complying with comparable foreign requirements.870 The Commission is proposing to amend Rule 3a71–6 to permit eligible applicants871 to seek a Commission determination with respect to the cybersecurity requirements of proposed Rule 10 and Form SCIR as applicable to SBS Entities that are not U.S. persons.872 Additionally, Rule 3a71–6 currently permits eligible applicants to seek a substituted compliance determination from the Commission with regard to the requirements of Rule 18a–6, including the proposed amendments to Rule 18a–6 if adopted.873

870 See 17 CFR 240.3a71–6(d).
871 See 17 CFR 240.3a71–6(c).
872 See section II.D.3.
873 See paragraph (d)(6) of Rule 3a71–6.

a. Benefits

The Commission is proposing amendments to Rule 3a71–6 to make substituted compliance available to eligible SBS Entities that are not U.S. persons, if the Commission determines that compliance with specified requirements under a foreign financial regulatory system by a registered SBS Entity, or class thereof, satisfies the corresponding requirements of proposed Rule 10 and Form SCIR. Other regulatory regimes may achieve regulatory outcomes that are comparable to the Commission’s proposed cybersecurity risk management requirements. Allowing for the possibility of substituted compliance may avoid regulatory duplication and conflict that may increase entities’ compliance burdens without an analogous increase in benefits. The availability of substituted compliance could decrease the compliance burden for non-U.S. SBS Entities, in particular as it pertains to the establishment, maintenance, and enforcement of cybersecurity policies and procedures, notification and reporting to regulators, disclosure of cybersecurity risks and incidents, and record preservation. Allowing for the possibility of substituted compliance may help achieve the benefits of proposed Rule 10, Form SCIR, and the proposed amendments to Rule 18a–6 in a manner that avoids the costs that SBS Entities that are not U.S. persons would have to bear due to regulatory duplication or conflict.

Further, substituted compliance may have broader market implications, namely greater foreign SBSDs’ activity in the U.S. market, expanded access by both U.S. and foreign SBS Entities to global liquidity, and a reduced possibility of liquidity fragmentation along jurisdictional lines. The availability of substituted compliance for non-U.S. SBS Entities also could promote market efficiency, while enhancing competition in U.S. markets. Greater participation and access to liquidity is likely to improve efficiencies related to hedging and risk sharing while simultaneously increasing competition between domestic and foreign SBS Entities.

b. Costs

The Commission believes that the availability of substituted compliance for proposed Rule 10, Form SCIR, and the proposed amendments to Rule 18a–6 will not substantially alter the benefits intended by those requirements. In particular, it is expected that the availability of substituted compliance will not detract from the risk management benefits that stem from implementing proposed Rule 10, Form SCIR, and the proposed amendments to Rule 18a–6. To the extent that substituted compliance reduces duplicative compliance costs, non-U.S. SBS Entities may incur lower overall costs associated with cybersecurity preparedness than they would otherwise incur without the option of substituted compliance, either because a non-U.S. SBS Entity may have already implemented foreign regulatory requirements which have been deemed comparable by the Commission, or because security-based swap counterparties eligible for substituted compliance do not need to duplicate compliance with two sets of comparable requirements. A substituted compliance request can be made either by a foreign regulatory jurisdiction on behalf of its market participants, or by the registered market participant itself.874 The decision to request substituted compliance is voluntary, and therefore, to the extent that requests are made by individual market participants, such participants would request substituted compliance only if compliance with foreign regulatory requirements was less costly, in their own assessment, than compliance with both the foreign regulatory regime and the relevant Title VII requirements, including the requirements of proposed Rule 10, Form SCIR, and the proposed amendments to Rule 18a–6. Even after a substituted compliance determination is made, market participants would only choose substituted compliance if the benefits that they expect to receive exceed the costs that they expect to bear for doing so.

874 See 17 CFR 240.3a71–6(c).

E. Effects on Efficiency, Competition, and Capital Formation

As discussed in the foregoing sections, market imperfections could lead to underinvestment in cybersecurity by Market Entities, and information asymmetry could contribute to a market-wide inefficient provision of cybersecurity defenses. The proposed rule aims to mitigate the inefficiencies resulting from these imperfections by: (1) imposing mandates for cybersecurity policies and procedures that could reduce cybersecurity underinvestment; (2) creating a reporting framework that could improve information sharing and improve cybersecurity defense investment and protection; and (3) providing public disclosure to inform Covered Entities’ customers, counterparties, members, registrants, or users about the Covered Entities’ cybersecurity efforts and experiences, thus potentially reducing information asymmetry.875 While the proposed rule has the potential to mitigate inefficiencies resulting from market imperfections, the scale of the overall effect would depend on numerous factors, including the state of existing cybersecurity preparations,876 the degree to which the proposed provisions induce increases to these preparations, the effectiveness of additional preparations at reducing cybersecurity risks,877 the degree to which customers, counterparties, members, registrants, and users value additional cybersecurity preparations,878 the degree of information asymmetry and bargaining power between customers, counterparties, members, registrants, and users vis-à-vis Market Entities,879 the bargaining power of Market Entities vis-à-vis service providers,880 service providers’ willingness to provide bespoke contractual provisions to affected Market Entities,881 the informational utility of the proposed disclosures, the scale of the negative externalities on the broader financial system,882 the effectiveness of existing information sharing arrangements, and the informational utility of the required regulatory reports (as well as the Commission’s ability to make use of them).883

875 See sections IV.B. and IV.D. of this release (discussing the broad economic considerations and benefits and costs of the proposals, respectively).
876 See section IV.C.1. of this release. Here, the Commission is concerned about the degree to which Market Entities’ state of cybersecurity preparations diverges from socially optimal levels.
877 Formally, the marginal product of the proposed policies and procedures in the production of cybersecurity defenses.
878 Formally, customers’, counterparties’, members’, registrants’, and users’ utility functions—specifically the marginal utilities of Covered Entities’ and Non-Covered Broker-Dealers’ cybersecurity policies and procedures.
879 In other words, the degree to which customers, counterparties, members, registrants, or users can affect the policies of Market Entities. Generally, the Commission expects that customers, counterparties, members, registrants, or users may be smaller than the affected Market Entity with which they conduct business and thus be subject to asymmetry and have limited ability to affect the policies of the Market Entity. However, that may not always be the case. For example, for customers of broker-dealers, the situation is likely to involve more heterogeneity, with some parties (e.g., small retail clients) wielding very little power over the broker-dealer’s policies while others (e.g., large institutional investors) wield considerable power.
880 In certain cases, a Covered Entity may determine that a competing service provider can be used as a bargaining chip in the renegotiation of existing service agreements, potentially imposing substantial contracting costs on the parties, which would eventually be passed on to the Covered Entities’ customers, counterparties, members, participants, or users.
881 Id.
882 See sections IV.D.2.a. and IV.D.2.b. of this release.
883 See section IV.D.3. of this release.

However, since the proposed cybersecurity policies and procedures and related annual assessment are intended to prevent cybersecurity incidents at Market Entities that would otherwise cause financial loss and operational failure, compliance with the proposed rule likely would result in a safer environment in which to engage in securities transactions, one that protects the efficiency with which markets operate. Specifically, the proposed requirements are intended to protect the efficiency of securities markets through the prevention of cybersecurity incidents that can adversely impact Market Entities and that, in turn, can interrupt the normal operations of U.S. securities markets and disrupt the efficient flow of information and capital. The additional requirements applicable to Covered Entities (namely, the specific elements of the cybersecurity policies and procedures, the reporting to the Commission of any significant cybersecurity incident through Part I of proposed Form SCIR, and the disclosure of cybersecurity risks and significant cybersecurity incidents) would also allow for greater information sharing and would reduce the risk of underinvestment in cybersecurity across the securities industry. For example, confidential reporting to the Commission through Part I of proposed Form SCIR would provide regulators with the opportunity to promptly begin to assess the situation when a Covered Entity is experiencing a significant cybersecurity incident and begin to evaluate potential impacts on the market. In addition, public disclosures by Covered Entities through Part II of proposed Form SCIR and website postings would allow their customers, counterparties, members, registrants, and users to manage risk and choose with whom to do business, potentially allocating their resources to Covered Entities with greater cybersecurity preparedness. In addition, the sharing of information through public disclosures could assist in the development and implementation of cybersecurity policies and procedures, particularly by smaller and less sophisticated Market Entities, which likely have fewer resources to develop robust cybersecurity protocols. Such information may be useful to them in choosing one option over another, potentially allowing those smaller and less sophisticated Market Entities to develop their cybersecurity protection in the most cost-effective way possible.

Because the proposed rule would likely have differential effects on Market Entities along a number of dimensions, its overall effect on competition among Market Entities may be difficult to predict in certain instances.
For example, smaller Market Entities, such as Non-Covered Broker-Dealers and certain transfer agents are likely to face disproportionately higher costs relative to revenues resulting from the proposed rule.884 With respect to broker-dealers, the Commission has endeavored to provide Non-Covered Broker-Dealers with a more limited and flexible set of requirements that better suits their business models and would therefore be less onerous. Still, a number of small broker-dealers would be subject to the proposed rule as Covered Entities, which could tilt the competitive playing field in favor of their larger Covered Broker-Dealer counterparts.885 In addition, all transfer agents would be Covered Entities under the proposed rule, regardless of their size, so the same concern is present. On the other hand, if customers, counterparties, members, registrants, or users believe that the proposed rule effectively induces the appropriate level of cybersecurity effort among Market Entities, smaller Market Entities would likely benefit the most from these improved perceptions, as they would be thought to have sufficient cybersecurity policies and procedures in place compared to not having enough cybersecurity protections. Similar differential effects can occur within a particular group of Market Entities and service providers that are more (or less) focused on their cybersecurity. With respect to competition among Covered Entities’ service providers, the overall effect of the proposed rule and amendments is similarly ambiguous. It is likely that requiring affected Covered 884 See section IV.B. of this release. section VI.C. of this release (noting that certain small broker-dealers would meet the definition of ‘‘covered entity’’ for purposes of the proposed rule). 885 See E:\FR\FM\05APP2.SGM 05APP2 20318 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules Entities to request oversight of service providers’ cybersecurity practices pursuant to a written contract would lead some service providers to cease offering services to affected Covered Entities.886 The additional regulation could serve as a barrier to entry to new service providers and could disproportionally affect would-be Market Entities. In terms of capital formation, the proposed rule would have second-order effects, namely through a safer financial marketplace. As noted above, FSOC states that a destabilizing cybersecurity incident could potentially threaten the stability of the U.S. financial system by causing, among other things, a loss of confidence among a broad set of market participants, which could cause participants to question the safety or liquidity of their assets or transactions, and lead to significant withdrawal of assets or activity.887 The Market Entities covered by this rule play important roles in capital formation through the various services they provide.888 Due to their interconnected systems, a significant cybersecurity incident affecting Market Entities could have a cascading effect across the U.S. financial system with a significant impact on investor confidence, resulting in withdrawal of assets and impairment of capital formation. The proposed rule provides the backbone for having sufficient cybersecurity measures in place to protect customer information, funds, and securities. Moreover, proposed provisions likely would lead to increased efficiency in the market, thus resulting in improved capital formation.889 With a more predictable investment environment due to improved cybersecurity implementation by Market Entities and service providers, capital formation through the demand for securities offerings will be less prone to interruptions. 
As part of the analysis on competition, efficiency, and capital formation, the Commission requests comment from all parties, particularly the Market Entities that are affected by these proposed rule: a. Do firms within the Covered Entity and Non-Covered Broker-Dealer groups 886 See section I.A.1. of this release. FSOC 2021 Annual Report. 888 See sections I.A.1. and II.A.1. of this release. 889 The proposed provisions do not implicate channels typically associated with capital formation (e.g., taxation policy, financial innovation, capital controls, intellectual property, rule-of-law, and diversification). Thus, the proposed rule are likely to have only indirect, second order effects on capital formation arising from any improvements to economic efficiency. Qualitatively, these effects are expected to be small. lotter on DSK11XQN23PROD with PROPOSALS2 887 See VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 compare their cybersecurity safety measures among themselves or among firms of a particular type within a group (e.g., national securities exchanges only or transfer agents only)? Does one entity’s level of cybersecurity protection incentivize competing entities to improve their cybersecurity policies and procedures? Is it possible that an entity with subpar cybersecurity protocols may be forced to exit the market, either because of business migrating to its competitors or because of the sheer number of cybersecurity incidents at that entity? b. Would better cybersecurity policies and procedures, especially those that are reviewed and updated, provide more stability in the securities markets that encourages additional investment? c. Would public disclosures of cybersecurity risks and significant cybersecurity incidents during the current or previous calendar year encourage investment in cybersecurity protections that later provide more stability in the market, thus encouraging capital formation? d. 
Does the Commission’s knowledge of cybersecurity incidents as well as of the policy and procedures at Market Entities lead to a calming effect on the market though oversight and compliance with the proposed rule, which would then foster greater capital formation? F. Reasonable Alternatives 1. Alternatives to the Policies and Procedures Requirements of Proposed Rule 10 a. Require Only Disclosure of Cybersecurity Policies and Procedures Without Prescribing Specific Elements Rather than requiring Covered Entities to adopt cybersecurity policies and procedures with specific enumerated elements, the Commission considered requiring Covered Entities to only provide explanations or summaries of their cybersecurity practices to their customers, counterparties, members, registrants, or users. In this alternative scenario, each Covered Entity would provide a disclosure containing a general overview of its existing cybersecurity policies and procedures, rather than be required to establish cybersecurity policies and procedures pursuant to the requirements of paragraph (b) of proposed Rule 10. Under this alternative, the general disclosure about the Covered Entity’s cybersecurity policies and procedures would be publicly available to its customers, counterparties, members, registrants, and users, but it would not reveal specific details of the Covered PO 00000 Frm 00108 Fmt 4701 Sfmt 4702 Entity’s policies and procedures. Further, under this alternative, detailed and comprehensive information about the Covered Entity’s cybersecurity risks and protocols—including the policies and procedures themselves—would remain internal to the Covered Entity. The only other organizations that would be able to review or examine this more detailed information would be the Commission, FINRA, the MSRB (to the extent applicable), and other regulators with authority to examine this information in the course of their oversight activities. 
This alternative approach would create weaker incentives for Covered Entities to address potential underspending on cybersecurity measures, as it would rely, in part, on customers’, counterparties’, members’, registrants’, or users’ (or third parties’ providing analyses to those customers, counterparties, members, registrants, or users) 890 ability to assess the effectiveness of Covered Entities’ cybersecurity practices from the Covered Entities’ public disclosures. Further, any benefits to be gained by requiring public disclosure of a Covered Entity’s cybersecurity policies and procedures can also be realized through the proposed rule’s public disclosure requirement. In particular, proposed Rule 10 would require each Covered Entity to provide a summary description of the cybersecurity risks that could materially affect its business and operations and how the Covered Entity assesses, prioritizes, and addresses those cybersecurity risks. In addition, each Covered Entity would need to disclose a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable. This disclosure would serve as another way for market participants to evaluate the Covered Entity’s cybersecurity risks and vulnerabilities apart from the general disclosure of its cybersecurity risks. As mentioned above, this information could be useful to the Covered Entity’s customers, counterparties, members, registrants, or users to manage their own cybersecurity risks and, to the extent they have a choice, select a Covered Entity with whom to transact or otherwise conduct business.891 Given the cybersecurity risks of disclosing detailed explanations of cybersecurity practices (which would necessarily be disclosed if the Covered Entity were required to disclose its existing cybersecurity policies and procedures),892 it is likely that requiring such disclosure would result in the Covered Entity including only general language in its disclosure and providing few, if any, specific details that could be used by threat actors to take advantage of weak links in a Covered Entity’s cybersecurity preparedness. Consequently, this alternative “disclosure-only” regime for cybersecurity policies and procedures would be unlikely to provide enough information and detail to differentiate one Covered Entity’s cybersecurity policies and procedures from another’s, thus maintaining information asymmetry between the Covered Entity and other market participants. If information asymmetry were maintained, it is unlikely that meaningful change could be effected in the Covered Entities’ cybersecurity practices through market pressure or Commission oversight over the Covered Entity’s policies and procedures.893 Furthermore, not requiring specific enumerated elements in cybersecurity policies and procedures would likely result in less uniform cybersecurity preparedness across Covered Entities, leaving market participants with inconsistent information about the robustness of Covered Entities’ cybersecurity practices. However, if Market Entities believed that providing more detailed information would give them a competitive advantage, they would do so.

890 See section IV.D.1.a. of this release.
891 Furthermore, third-party financial service firms could conduct studies on cybersecurity preparedness at Market Entities, such as certain entities not being in line with industry practices or standards, which also could inform the choices of customers, counterparties, members, registrants, or users.
On the other hand, the costs associated with this alternative likely would be minimal relative to those associated with the proposed requirements regarding written policies and procedures, as Covered Entities would be unlikely to face pressure to adjust their existing cybersecurity policies and procedures as long as they do not experience any significant cybersecurity incidents. However, if a Covered Entity does experience a significant cybersecurity incident, it may force the Covered Entity to revise its existing cybersecurity policies and procedures and consequently revise its disclosures to other market participants concerning its cybersecurity policies and procedures. It is also conceivable that being required to make public disclosures regarding its cybersecurity policies and procedures, or undergoing third-party market analyses that aggregate these types of disclosures (and may focus on, for example, the Covered Entity’s lack of conformity with industry practices and standards), may provide the impetus for a Covered Entity to make its cybersecurity policies and procedures more robust.

892 See section IV.D.2.b. of this release (discussing tradeoffs of cybersecurity disclosure).
893 Here, changes in cybersecurity practices would depend entirely on market discipline exerted by relatively uninformed market participants.

b. Limiting the Scope of the Proposed Cybersecurity Policies and Procedures With Respect to Third-Party Service Providers

The Commission also considered limiting the scope of the proposed requirement that the Covered Entity’s policies and procedures require oversight of service providers that receive, maintain, or process the Covered Entity’s information, or are otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems, pursuant to a written contract between the Covered Entity and the service provider.894 Specifically, the Commission considered narrowing the scope of service providers in the enumerated categories discussed above 895 and requiring a periodic review and assessment of the pared-down list of service providers’ cybersecurity policies and procedures, rather than applying the Service Provider Oversight Requirement to each service provider that receives, maintains, or processes the Covered Entity’s information, or is otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems. The types of service providers that would still be covered by the written contract requirement would be those that provide cybersecurity-related services as well as business-critical services that are necessary for a Covered Entity to operate its core functions. The Commission further considered requiring service providers that receive, maintain, or process the Covered Entity’s information, or are otherwise permitted to access the Covered Entity’s information systems and the information residing on those systems, to provide security certifications in lieu of the written contract requirement.
Narrowing the scope of the types of service providers affected by the proposal could lower costs for Covered Entities, especially smaller Covered Entities that rely on generic contracts with service providers (because they have less negotiating power with their service providers) and would have difficulty effecting changes in contractual terms with such service providers.896 However, in the current technological context in which businesses increasingly rely on third-party “cloud services” that effectively place business data out of the business’ immediate control, the cybersecurity risk exposure of Covered Entities is unlikely to be limited to (or even concentrated in) certain named service providers. Narrowing the scope of service providers likely would lead to lower costs only insofar as it reduces the effectiveness of the regulation. A related basis to reject this alternative is the signaling effect that it would send to threat actors. By excluding certain categories of service providers, the Commission could be providing information to threat actors about which service providers would be easiest to attack, as that universe of excluded vendors may have relatively inferior policies and procedures compared with vendors that are covered by the proposed rule.

894 See paragraph (b)(1)(iii)(B) of proposed Rule 10 (setting forth the Service Provider Oversight Requirement).
895 See section IV.C.2.h. of this release.
Alternatively, maintaining the proposed scope but only requiring a standard, recognized certification in lieu of a written contract could also lead to cost savings for Covered Entities, particularly if the certification is completed in-house or if a particular entity has many service contracts with different third parties that specify they are in compliance with the certification.897 However, the Commission preliminarily believes that it would be difficult to prescribe a set of characteristics for such a “standard” certification that would sufficiently address the varied types of Covered Entities and their respective service providers.898 Another difficulty may be that if a single third-party entity is used for the certification, that entity would have to be well-versed in all contracted services in order to accurately assess them for compliance. In contrast, individualized contracts with each service provider likely would ensure better compliance with the intent of the proposed rule, as those third-party providers specialize in the services that they offer.

896 See section IV.D.1.b. of this release (discussing service providers).
897 Service providers may currently be providing certifications as part of a registrant’s policies and procedures. See also section II.B.1.g. of this release (seeking comment on alternative approaches to the Service Provider Oversight Requirement, including whether this cybersecurity risk could be addressed through policies and procedures to obtain written assurances or certifications from service providers that the service provider manages cybersecurity risk in a manner that would be consistent with how the Covered Entity would need to manage this risk under paragraph (b) of proposed Rule 10).
898 See section IV.C.3. of this release (discussing the variety of affected registrants); see also section IV.F.1. of this release (discussing the limitations of uniform prescriptive requirements).

c. Require Specific Standardized Elements for Addressing Cybersecurity Risks of Covered Entities

The Commission considered including more standardized elements that would need to be included in a Covered Entity’s cybersecurity policies and procedures. For example, Covered Entities could be required to implement particular controls (e.g., specific encryption protocols, network architecture, or authentication procedures) that are designed to address each general element of the required cybersecurity policies and procedures. Given the considerable diversity in the size, focus, and technical sophistication of affected Covered Entities,899 any specific requirements likely would result in some Covered Entities needing to substantially alter their cybersecurity policies and procedures. The potential benefit of such an approach would be to provide assurance that Covered Entities have implemented certain specific cybersecurity practices. But this approach would also entail considerably higher costs, as many Covered Entities would need to adjust their existing practices to something else that is more costly than potential alternatives that could provide the same level of protection. In addition, considering the variety of Covered Entities registered with the Commission, it would be exceedingly difficult for the Commission to devise specific requirements that are appropriately suited for all Covered Entities: a uniform set of requirements would certainly be both over- and under-inclusive, while providing varied requirements based on the circumstances of each Covered Entity would be complex and impractical.
For example, standardized requirements that ensure reasonably designed cybersecurity policies and procedures for the largest, most sophisticated and active Covered Entities would likely be overly burdensome for smaller and less sophisticated Covered Entities with more limited cybersecurity risk exposures. Conversely, if these standardized requirements were tailored to smaller Covered Entities with more limited operations or cybersecurity risks, such requirements likely would be inadequate in addressing larger Covered Entities’ cybersecurity risks. As a result, instituting blanket requirements likely would not provide the most efficient and cost-effective way of instituting appropriate cybersecurity policies and procedures. An important cost associated with this approach is the burden and complexity of prescribing detailed technical requirements tailored to the broad variety of Covered Entities that would be subject to proposed Rule 10. More broadly, imposing standardized requirements would effectively place the Commission in the role of dictating details related to the information technology practices of Covered Entities without the benefit of the Covered Entities’ knowledge of their own particular circumstances. Moreover, given the complex and constantly evolving cybersecurity landscape, detailed regulatory requirements for cybersecurity practices would likely limit Covered Entities’ ability to adapt quickly to changes in the cybersecurity landscape.900

899 See section IV.C.3. of this release.

d. Require Audits of Internal Controls Regarding Cybersecurity

Instead of requiring all Market Entities to establish, maintain, and enforce cybersecurity policies and procedures, the Commission considered requiring these entities to obtain audits of the effectiveness of their existing cybersecurity controls—for example, obtaining third-party audits with respect to their cybersecurity practices.
This approach would not require Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks as proposed, but instead would require Market Entities to engage an independent, qualified third party to assess their cybersecurity controls and prepare a report describing its assessment and any potential deficiencies. Under this alternative, an independent third party (e.g., an auditing firm) would certify to the effectiveness of the Market Entities’ cybersecurity practices. If the firms providing such certifications have sufficient reputational motives to issue credible assessments,901 and if the scope of such certifications is not overly circumscribed,902 it is likely that Market Entities’ cybersecurity practices would end up being more robust under this alternative than under the current proposal. By providing certification of a Market Entity’s cybersecurity practices, a firm would—in effect—be lending its reputation to the Market Entity.

900 If, as in the previous example, the Commission were to require Covered Entities to adopt a specific encryption algorithm, future discovery of vulnerabilities in that algorithm would prevent registrants from fully mitigating the vulnerability (i.e., switching to improved algorithms) in the absence of Commission action.
901 This would be the case if there were sufficient market pressure or regulatory requirements to obtain certification from “reputable” third parties with business models premised on operating as a going concern and maintaining a reputation for honesty.
Because “lenders” are naturally most sensitive to downside risks (here, loss of reputation, lawsuits, damages, and regulatory enforcement actions), one would expect them to avoid “lending” to Market Entities with cybersecurity practices whose effectiveness is questionable.903 While certification by industry-approved third parties could lead to more robust cybersecurity practices, the costs of such an approach would likely be considerably higher. Because of the aforementioned sensitivity to downside risk, firms would likely be hesitant to provide cybersecurity certifications without a thorough understanding of a Market Entity’s systems and practices. In many cases, developing such an understanding would involve considerable effort, particularly for certain larger and more sophisticated Covered Entities.904 In addition, there may be a need for a consensus as to what protocols constitute industry standards in which certifying third parties would need to stay proficient. Finally, while such a scenario is somewhat similar to the Service Provider Oversight Requirement, this alternative does not allow for immediate repercussions or remediation if the third party finds deficiencies in the Covered Entity’s cybersecurity policies and procedures. The Commission would need to have a copy of the report and audit the Market Entity to ensure that the Market Entity subsequently resolved the problem(s). This leads to an inefficient method of implementing reasonably designed cybersecurity policies and procedures.

902 In this alternative, it is assumed that certification would not be limited to only evaluating whether a Market Entity’s stated policies and procedures are reasonably designed, but rather also would include an assessment of whether the policies and procedures are actually implemented in an effective manner.
903 Under the proposal it is the Market Entity itself that effectively “certifies” its own cybersecurity policies and procedures. Like the third-party auditor, the Market Entity faces downside risks from “certifying” inadequate cybersecurity practices (i.e., Commission enforcement actions). However, unlike the auditor, the Market Entity also realizes the potential upside: cost savings through reduced cybersecurity expenditures.
904 It would be difficult for an auditor to provide a credible assessment of the effectiveness of the Market Entity’s cybersecurity practices without first understanding the myriad of systems involved and how those practices are implemented. Presumably, a Market Entity would not bear these costs as it is likely to possess such an understanding.

e. Bifurcate Non-Broker-Dealer Market Entities Into Covered Entities and Non-Covered Entities

The Commission considered bifurcating other categories of Market Entities into Covered Entities and Non-Covered Entities (in addition to broker-dealers) based on certain characteristics of the firm such that the Non-Covered Entities would not be required to include certain elements in their cybersecurity risk management policies and procedures. For example, the Commission considered defining as Non-Covered Entities those Market Entities with assets below a certain threshold or with only a limited number of customers, counterparties, members, registrants, or users. This approach also could be scaled based on a Covered Entity’s size, business, or another criterion, similar to the proposed distinction between Covered Broker-Dealers and Non-Covered Broker-Dealers. However, as discussed above, cybersecurity risks are likely to be unique to each Covered Entity primarily because Covered Entities vary drastically based on their size, business, and the services they provide.
It would be difficult to come up with one characteristic that is common to all Covered Entities such that each category could be broken out into separate groups. For example, it would be difficult to differentiate between transfer agents the same way one could distinguish between large and small clearing agencies, and harder still for national securities associations. The only effective way to differentiate firms within a given Covered Entity category is to choose a characteristic that is sensible for that type of Covered Entity.905 Finally, as discussed earlier, in determining which Market Entities should be Covered Entities and which should be Non-Covered Entities, the Commission considered: (1) how the category of Market Entity supports the fair, orderly, and efficient operation of the U.S. securities markets and the consequences if that type of Market Entity’s critical functions were disrupted or degraded by a significant cybersecurity incident; (2) the harm that could befall investors, including retail investors, if that category of Market Entity’s functions were disrupted or degraded by a significant cybersecurity incident; (3) the extent to which the category of Market Entity poses cybersecurity risk to other Market Entities through information system connections, including the number of connections; (4) the extent to which the category of Market Entity would be an attractive target for threat actors; and (5) the personal, confidential, and proprietary business information about the category of Market Entity and other persons (e.g., investors) stored on the Market Entity’s information systems and the harm that could be caused if that information were accessed or used by threat actors through a cybersecurity breach.906 However, the Commission seeks comment on this topic, particularly on whether certain proposed Covered Entities should be Non-Covered Entities with attendant reduced requirements.907

905 For additional detail on the importance of each proposed Covered Entity’s role in the U.S. securities markets, see section I.A.2. of this release (discussing critical operations of each Market Entity). See also section II.A.1. of this release (discussing why it would not be appropriate to exclude small transfer agents and certain small broker-dealers from the definition of Covered Entity).

f. Administration and Oversight of Cybersecurity Policies and Procedures of Covered Entities

The Commission considered various alternative requirements with respect to administration and oversight of Covered Entities’ cybersecurity policies and procedures, such as requiring them to designate a CISO (or another individual that serves in a similar capacity) or requiring the boards of directors (to the extent applicable) to oversee directly a Covered Entity’s cybersecurity policies and procedures. There is a broad spectrum of potential approaches to this alternative, ranging from the largely nominal (e.g., requiring Covered Entities simply to designate someone to be a CISO) to the stringent (e.g., requiring a highly qualified CISO to attest to the effectiveness of the Covered Entities’ policies). Stringent requirements, such as requiring an attestation from a highly qualified CISO as to the effectiveness of a Covered Entity’s cybersecurity practices in specific enumerated areas, could be quite effective.
Expert practitioners in cybersecurity are in high demand and command high salaries.908 Thus, such an approach would impose substantial ongoing costs on Covered Entities that do not already have appropriately qualified individuals on staff. This burden would be disproportionately borne by smaller Covered Entities, such as small Covered Broker-Dealers or small transfer agents, for whom keeping a dedicated CISO on staff would be cost prohibitive. Allowing Covered Entities to employ part-time CISOs would mitigate this cost burden, but such requirements would likely create a de facto audit regime. Such an audit regime would certainly be more effective if explicitly designed to function as such.909

906 See section II.A.1. of this release.
907 See section II.A.10. of this release.
908 A recent survey reports CISO median total compensation of $668,903 for CISOs at companies with revenues of $5 billion or less. See Matt Aiello and Scott Thompson, 2020 North American Chief Information Security Officer (CISO) Compensation Survey (2020), available at https://www.heidrick.com/-/media/heidrickcom/publications-and-reports/2020-north-american-chief-information-security-officer-ciso-compensation-survey.pdf.
909 In designing an effective audit regime, aligning the incentives of auditors to provide credible assessments is a central concern. In the context of audit regimes, barriers to entry and the reputation motives of auditing firms help align incentives. It would be considerably more difficult to obtain similar incentive alignment with itinerant part-time CISOs. See section IV.F.1.e. of this release (describing the audit regime alternative).

2. Alternatives to the Requirements of Proposed Form SCIR and Related Notification and Disclosure Requirements of Proposed Rule 10

a. Public Disclosure of Part I of Proposed Form SCIR

The Commission considered requiring the public disclosure of Part I of proposed Form SCIR. Making Part I of proposed Form SCIR filings public would increase the knowledge of a Covered Entity’s customers, counterparties, members, registrants, or users about significant cybersecurity incidents impacting the Covered Entity and thus improve their ability to draw inferences about a Covered Entity’s level of cybersecurity preparations. At the same time, doing so could assist would-be threat actors, who may gain additional insight into the vulnerabilities of a Covered Entity’s systems. As discussed above, releasing too much detail about a significant cybersecurity incident could further compromise the cybersecurity of the victim, especially in the short term.910 Given these risks, requiring public disclosure of Part I of proposed Form SCIR filings would likely have the effect of incentivizing Covered Entities to significantly reduce the detail provided in these filings. As a result, the information set of customers, counterparties, members, registrants, users, and would-be attackers would remain largely unchanged (vis-à-vis the proposal), while the ability of the Commission to facilitate information sharing and to coordinate responses aimed at reducing overall risks to the financial system would be diminished.

910 See section IV.B. of this release.

b. Modify the Standard Identifier Requirements for Proposed Form SCIR

In addition to proposing to require Covered Entities to identify themselves on Parts I and II of proposed Form SCIR with CIK numbers, the proposed rule requests that Covered Entities with a UIC—such as an LEI—include that identifier, if available, on both parts of proposed Form SCIR. Those Covered Entities that do not have a UIC may file either part of proposed Form SCIR without a UIC; they are not required to obtain a UIC prior to filing proposed Form SCIR.
The Commission considered modifying the requirement that Covered Entities identify themselves on proposed Form SCIR with CIK numbers and UICs (if they have UICs). For example, the Commission could eliminate the requirement that Covered Entities identify themselves on the forms with a standard identifier, or the Commission could allow Covered Entities to select a different standard identifier (or identifiers) other than CIK numbers or UICs (if available). Alternatively, the Commission could require the use of only one proposed standard identifier—either CIK numbers, UICs (which would require Covered Entities to obtain a UIC—such as an LEI—if they do not have one),911 or some other standard identifier. CIK numbers are necessary to file in EDGAR and, as discussed earlier, the Commission anticipates that significant benefits would flow from requiring Parts I and II of proposed Form SCIR to be filed centrally in EDGAR using a structured data language. Accordingly, the Commission’s proposal would require Covered Entities to identify themselves on the forms with CIK numbers. One limitation of CIK numbers, however, is that they are a Commission-specific identifier, which limits their utility for aggregating, analyzing, and comparing financial market data involving market participants that are not Commission registrants and EDGAR filers. While the proposed rule does not require the inclusion of UICs on proposed Form SCIR for those Covered Entities that do not have a UIC, the Commission notes that the use of UICs would be beneficial because the LEI, as a Commission-approved UIC, is a low-cost, globally utilized financial institution identifier that is available even to firms that are not EDGAR filers or Commission registrants. For that reason, the Commission considered proposing to require that every Covered Entity that would need to file Part I or II of proposed Form SCIR identify itself with a UIC. There is benefit to including a UIC on proposed Form SCIR. Among the alternative entity identifier policy choices considered, requiring Covered Entities to identify themselves on Parts I and II of proposed Form SCIR with a UIC is superior to other alternatives, such as not requiring an entity identifier on proposed Form SCIR or requiring only CIK numbers. Specifically, the mandatory inclusion of a UIC on (Parts I and II of) proposed Form SCIR could allow for greater inter-governmental and international coordination of responses to cybersecurity incidents affecting financial institutions globally because the LEI is a globally utilized digital identifier that is not specific to the Commission. Other regulatory entities and bodies, including the CFTC, Alberta Securities Commission (Canada), European Markets and Securities Authority, and Monetary Authority of Singapore, require the use of an LEI.912 Another benefit of the LEI is that the legal entity’s identity is verified by a third party upon issuance of the LEI and upon annual renewal of the LEI.

911 Further, the Commission recognizes that some Covered Entities may not have LEIs, which means that those Covered Entities would have to register with a Local Operating Unit (“LOU”) of the Global LEI System and pay fees initially and annually to obtain and renew the LEI. See LEIROC, How To Obtain an LEI, available at https://www.leiroc.org/lei/how.htm. A list of LOUs accredited by GLEIF can be found at https://www.gleif.org/en/about-lei/get-an-lei-find-lei-issuing-organizations. Currently, U.S. entities may obtain an LEI for a one-time fee of $65 and an annual renewal fee of $50. See Bloomberg Finance L.P., Fees, Payments & Taxes (2022), available at https://lei.bloomberg.com/docs/faq#what-fees-are-involved.
Additionally, LEIs contain “Level 2” information about the linkages between the entities being identified and their various parents and subsidiaries, which is particularly beneficial considering that some financial firms and Commission registrants have complex, interlocking relationships with affiliates and subsidiaries that can be different types of Commission-regulated firms. A UIC requirement for Parts I and II of proposed Form SCIR would not impose additional costs on those Covered Entities that already have an LEI. Those Covered Entities that do not have an LEI would need to obtain one before filing either part of proposed Form SCIR. An LEI can be obtained for a $65 initial cost and a $50 per year renewal cost.913 There also are administrative costs associated with filling out the paperwork to obtain the LEI as well as to process payments for the initial issuance of an LEI and its maintenance. The Commission expects that this cost would be small relative to the benefit that could be reaped if a significant cybersecurity incident were to occur that impacted financial institutions across multiple domestic and international jurisdictions.

912 In addition, the FSB has stated that “[t]he use of the LEI in regulatory reporting can significantly improve the ability of the public sector to understand and identify the build-up of risk across multiple jurisdictions and across complex global financial processes.” FSB Peer Review Report.
After considering the benefits and costs of requiring the LEI as an identifier for all Covered Entities via a UIC requirement, the Commission is proposing to require Covered Entities to identify themselves with a UIC on proposed Form SCIR only if they already have a UIC so as to minimize the burden on Covered Entities and because multiple other Commission disclosure forms also only require registrants to identify themselves with UICs if they already have UICs.914 In conclusion, requiring Covered Entities to identify themselves on both parts of proposed Form SCIR with a CIK and with a UIC (i.e., the LEI) if they already have a UIC is consistent with the existing regulatory framework. Although CIK numbers and UICs (such as in the form of LEIs) are the primary two entity standard identifiers used in Commission regulations, the Commission could instead propose to require Covered Entities to identify themselves with an alternative entity identifier other than CIK numbers and UICs for the proposed rule. For the reasons stated above, there are benefits from the use of CIK numbers (i.e., CIK numbers enable EDGAR filing, which facilitates aggregation and analysis of the information) and LEIs (i.e., the LEI is an affordable, international standard identifier that facilitates information sharing). Accordingly, the Commission decided against proposing to require the use of another standard entity identifier for the purposes of this proposal. c. Require Only One Location for the Public Disclosures Rather than requiring Covered Entities to publicly disclose their cybersecurity risks and significant cybersecurity incidents during the current or previous calendar year both on their websites and also file that information centrally on Part II of proposed Form SCIR in EDGAR, the Commission considered requiring that Covered Entities provide the public disclosures on their websites only. 
Requiring Covered Entities to place the cybersecurity disclosures only on their websites could provide modest, 914 Covered Entities that do not have an LEI may obtain one if they so choose. E:\FR\FM\05APP2.SGM 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules incremental reductions in the burdens associated with providing those disclosures both on Covered Entity websites and through filing Part II of proposed Form SCIR with the Commission. Additionally, the websites of Covered Entities might be the natural place for their customers, counterparties, members, registrants, or users to look for information about the Covered Entity. Alternatively, requiring Covered Entities to place their cybersecurity disclosures (Part II of Form SCIR) only in EDGAR in a structured data language also could provide modest, incremental reductions in the burdens associated with placing those disclosures on their websites. Accordingly, the Commission is proposing to require Covered Entities to provide the information both on their websites and in EDGAR on Part II of proposed Form SCIR.915 Publication on Covered Entity websites is advantageous because that is where many Covered Entities’ customers, counterparties, members, registrants, or users will look for information about their financial intermediaries. Centralized filing of structured public disclosures of cybersecurity risks and significant cybersecurity incidents during the current or previous calendar year in EDGAR by Covered Entities would enable customers, counterparties, members, registrants, and users, as well as financial analysts—and even the Covered Entities themselves—to more efficiently discern broad trends in cybersecurity risks and incidents, which would enable Covered Entities and other market participants to more efficiently determine if they need to modify, change, or upgrade their cybersecurity defense measures in light of those trends. 
Accordingly, the Commission is proposing to require Covered Entities to publish the required cybersecurity disclosures on their websites and provide the information in Part II of proposed Form SCIR, which would be filed in EDGAR using a custom XML. Entities and transfer agents are required to file EDGAR forms. SBSDs and MSBSPs must file in EDGAR registration applications on Form SBSE, SBSE–A, or SBSE–BD, amendments to those Forms if the information in them is or has become inaccurate, and certifications on Form SBSE–C.916 As discussed above, Commission regulations require SBSDRs to file Form SDR in EDGAR but the Commission temporarily relieved SBSDRs of the EDGAR-filing requirement. Transfer agents file Forms TA–1, TA–2, and TA– W in EDGAR in a custom XML.917 The Commission considered permitting those types of Covered Entities that are not currently subject to an EDGAR-filing requirement to file the cybersecurity disclosures only on their individual firm websites (without needing to also file the disclosures in EDGAR). Therefore, rather than requiring all Covered Entities to file the cybersecurity disclosures using Part II of proposed Form SCIR, the Commission could require Covered Entities that are SBS Entities or transfer agents to provide the same information as structured attachments to Form SBSE (for SBS Entities) and Form TA–1 (for transfer agents). Likewise, the Commission could require SBSDRs to file the cybersecurity disclosures as attachments to Form SDR once the Commission temporary relief from the EDGAR-filing requirement expires. 
Requiring all Covered Entities to provide the disclosures on a single, uniform form would likely be simpler (because the information would be in one location)—and thereby more efficient—for the Commission, Covered Entities, and others who might seek the information in the cybersecurity disclosures (including Covered Entities’ users, members, customers, or counterparties) than putting the cybersecurity disclosures in attachments on disparate forms and (for those firms not subject to EDGAR-filing requirements) on individual Covered Entity websites. d. Modify the Location of the EDGARFiled Public Cybersecurity Disclosures for Some Covered Entities Rather than requiring Covered Entities to provide the public cybersecurity disclosures in EDGAR using Part II of proposed Form SCIR, the Commission considered requiring Covered Entities that currently are required to file forms in EDGAR to provide the disclosures in structured attachments to existing EDGAR-filed forms. Currently, only SBS e. Modify the Structured Data Requirement for the Public Cybersecurity Disclosures Rather than requiring Covered Entities to file Part II of proposed Form SCIR in EDGAR using a custom XML, the Commission could either eliminate the structured data language requirement for some or all Covered Entities or 915 The Commission is seeking comment on this topic. See section II.B.3.c. of this release. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 916 See Instruction A.2 to Form SBSE, Instruction A.2 to Form SBSE–A, Instruction A.3 to Form SBSE–BD, and Instruction A.2 to Form SBSE–C. 917 See Commission, Electronic Filing of Transfer Agent Forms (Nov. 14, 2007), available at https:// www.sec.gov/info/edgar/ednews/ta-filing.htm. 
PO 00000 Frm 00113 Fmt 4701 Sfmt 4702 20323 require the use of a different structured data language, such as Inline XBRL.918 For example, the Commission could eliminate the requirement that Covered Entities file Part II of proposed Form SCIR in a custom XML or in any structured data language. By eliminating the structured data requirement, the Commission would allow Covered Entities to submit the new cybersecurity disclosures in unstructured HTML or ASCII, thereby avoiding the need to put the information for Part II of proposed Form SCIR into a fillable web form that EDGAR would use to generate the custom XML filing, or instead file Part II of proposed Form SCIR directly in custom XML using the XML schema for proposed Form SCIR, as published on the Commission’s website. Another option is that the Commission could remove the structured data filing requirement for some subset of Covered Entities. For example, the Commission could instead require only certain types of Covered Entities, such as national securities exchanges or SBS Entities, to file Part II of proposed Form SCIR in a custom XML. Alternatively, the Commission could require the use of a structured data language only for those Covered Entities that exceeded some threshold, be it assets or trading volumes, depending on the type of Covered Entity in question. Eliminating the requirement that Part II of proposed Form SCIR be filed in a structured data language, however, would reduce the benefits of the proposed rule because the use of a structured data language would make the information contained in Part II of proposed Form SCIR easier and more efficient for Commission staff—as well as the Covered Entity’s customers, counterparties, members, registrants, or users—to assemble, review, and analyze. Financial analysts at third-party information providers also could use the public disclosures to produce analyses and reports that market participants may find useful. 
The Commission could require Covered Entities to file Part II of proposed Form SCIR in Inline XBRL rather than in custom XML on the grounds that Inline XBRL is an internationally-recognized freely available industry standard for reporting business-related information and a data 918 XBRL is a structured data language that is specifically designed to handle business-related information, including financial information, entity descriptions, corporate actions, ledgers and subledgers, and other summary and ledger-level information. By comparison, Inline XBRL is a structured data language that embeds XBRL data directly into an HTML document, enabling a single document to provide both human-readable and structured machine-readable data. E:\FR\FM\05APP2.SGM 05APP2 20324 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules language that allows EDGAR filers to prepare single documents that are both human-readable and machine-readable, particularly in connection with forms containing publicly-available registrant financial statements. The Commission believes that the use of a form-specific XML would be appropriate here given the relative simplicity of Part II of proposed Form SCIR disclosures and the ability for EDGAR to provide fillable web forms for entities to comply with their custom XML requirements, leading to a lower burden of compliance for Covered Entities without Inline XBRL experience. 3. General Request for Comment The Commission requests comment on the benefits and costs associated the alternatives outlined above. lotter on DSK11XQN23PROD with PROPOSALS2 V. 
Paperwork Reduction Act Analysis Certain provisions of the proposed rule, form, and rule amendments in this release would contain a new ‘‘collection of information’’ within the meaning of the Paperwork Reduction Act of 1995 (‘‘PRA’’).919 The Commission is submitting the proposed rule amendments and proposed new rules to the Office of Management and Budget (‘‘OMB’’) for review and approval in accordance with the PRA and its implementing regulations.920 An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number.921 The titles for the collections of information are: (1) Rule 10; (2) Form SCIR; (3) Rule 17a–4—Records to be preserved by certain exchange members, brokers and dealers (OMB control number 3235–0279); (4) Rule 17ad–7—Record retention (OMB control number 3235–0291); (5) Rule 18a–6—Records to be preserved by certain security-based swap dealers and major security-based swap participants (OMB control number 3235–0751); and (6) Rule 3a71–6—Substituted Compliance for Foreign Security-Based Swap Entities (OMB control number 3235–0715). The burden estimates contained in this section do not include any other possible costs or economic effects beyond the burdens required to be calculated for PRA purposes. 919 See 44 U.S.C. 3501 et seq. 44 U.S.C. 3507; 5 CFR 1320.11. 921 See 5 CFR 1320.11(l). 920 See VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 A. Summary of Collections of Information 1. 
Proposed Rule 10 Proposed Rule 10 would require all Market Entities (Covered Entities and non-Covered Entities) to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.922 All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.923 They also would be required to prepare a report (in the case of Covered Entities) and a record (in the case of non-Covered Entities) with respect to the annual review.924 Finally, all Market Entities would need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.925 Market Entities that meet the definition of ‘‘covered entity’’ would be subject to certain additional requirements under proposed Rule 10.926 First, their cybersecurity risk management policies and procedures would need to include the following elements: • Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments; • Controls designed to minimize userrelated risks and prevent unauthorized access to the Covered Entity’s information systems; • Measures designed to monitor the Covered Entity’s information systems 922 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of ‘‘covered entity’’); paragraph (e)(1) of proposed Rule 10. See also Sections II.B.1 and II.C. of this release (discussing these proposed requirements in more detail). 923 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. See also Sections II.B.1.f. 
and II.C. of this release (discussing these proposed requirements in more detail). 924 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. See also Sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail). 925 See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of this release (discussing these proposed requirements in more detail). 926 See paragraph (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of ‘‘covered entity’’); paragraph (e) of proposed Rule 10 (setting forth the requirements for Market Entities that do not meet the definition of ‘‘covered entity’’). PO 00000 Frm 00114 Fmt 4701 Sfmt 4702 and protect the Covered Entity’s information from unauthorized access or use, and oversight of service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems; • Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and • Measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.927 Second, Covered Entities—in addition to providing the Commission with immediate written electronic notice of a significant cybersecurity incident— would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission through the EDGAR system.928 The form would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. 
Third, Covered Entities would need to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR.929 The form would need to be filed with the Commission through the EDGAR system and posted on the Covered Entity’s business internet website and, in the case of Covered Entities that are carrying or introducing broker-dealers, provided to customers at account opening and annually thereafter. Covered Entities and Non-Covered Entities would need to preserve certain records relating to the requirements of proposed Rule 10 in accordance with amended or existing recordkeeping requirements applicable to them or, in the case of exempt clearing agencies, 927 See sections II.B.1.a. through II.B.1.e. of this release (discussing these proposed requirements in more detail). In the case of non-Covered Entities, as discussed in more detail below in Section II.C. of this release, the design of the cybersecurity risk management policies and procedures would need to take into account the size, business, and operations of the broker-dealer. See paragraph (e) of proposed Rule 10. 928 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail). 929 See sections II.B.3. and II.B.4.of this release (discussing these proposed requirements in more detail). E:\FR\FM\05APP2.SGM 05APP2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules pursuant to conditions in relevant exemption orders.930 2. 
Form SCIR Proposed Rule 10 would require Covered Entities to: (1) report and update information about a significant cybersecurity incident; 931 and (2) publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year.932 Parts I and II of proposed Form SCIR would be used by Covered Entities, respectively, to report and update information about a significant cybersecurity incident and publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year. lotter on DSK11XQN23PROD with PROPOSALS2 3. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders Rules 17a–4, 17ad–7, and 18a–6— which apply to broker-dealers, transfer agents, and SBS Entities, respectively— would be amended to establish preservation and maintenance requirements for the written policies and procedures, annual reports, Parts I and II of proposed Form SCIR, and records required to be made pursuant to proposed Rule 10 (i.e., the Rule 10 Records).933 The proposed amendments would specify that the Rule 10 Records must be retained for three years. In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures. In addition, orders exempting certain clearing agencies from registering with the Commission would be amended to establish preservation and maintenance requirements for the Rule 10 Records that would apply to the exempt clearing agencies subject to those orders.934 The amendments to the orders would 930 See sections II.B.5. and II.C. of this release (discussing these proposed requirements in more detail). 931 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail). 932 See sections II.B.3. 
and II.B.4.of this release (discussing these proposed requirements in more detail). 933 See sections II.B.5. and II.C. of this release (discussing these proposed amendments in more detail). Rule 17a-4 sets forth record preservation and maintenance requirements for broker-dealers, Rule 17ad–7 sets forth record preservation and maintenance requirements for transfer agents, and Rule 18a–6 sets forth record preservation and maintenance requirements for SBS Entities. 934 See section II.B.5. of this release (discussing these proposed amendments in more detail). VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 provide that the records need to be retained for five years (consistent with Rules 13n–7 and 17a–1).935 In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until five years after the termination of the use of the policies and procedures. 4. Substituted Compliance (Rule 3a71– 6) Paragraph (d)(1) of Rule 3a71–6 would be amended to add proposed Rule 10 and Form SCIR to the list of Commission requirements eligible for a substituted compliance determination.936 If adopted, this amendment together with existing paragraph (d)(6) of Rule 3a71–6 would permit eligible SBS Entities to file an application requesting that the Commission make a determination that compliance with specified requirements under a foreign regulatory system may satisfy the requirements of proposed Rule 10, Form SCIR, and the related record preservation requirements. 
As provided by Exchange Act Rule 0–13,937 which the Commission adopted in 2014,938 applications for substituted compliance determinations must be accompanied by supporting documentation necessary for the Commission to make the determination, including information regarding applicable requirements established by the foreign financial regulatory authority or authorities, as well as the methods used by the foreign financial regulatory authority or authorities to monitor and enforce compliance; applications should cite to and discuss applicable precedent.939 935 For the reasons discussed in section II.B.5.a. of this release, the proposal would not amend Rules 13n–7 or 17a–1. As explained in that section of the release, the existing requirements of Rule 13n–7 (which applies to SBSDRs) and Rule 17a–1 (which applies to registered clearing agencies, the MSRB, national securities associations, and national securities exchanges) will require these Market Entities to retain the Rule 10 Records for five years and, in the case of the written policies and procedures, for five years after the termination of the use of the policies and procedures. 936 See section II.D. of this release (discussing these proposed amendments in more detail). 937 17 CFR 240.0–13. 938 See SBS Entity Definitions Adopting Release, 79 FR at 47357–59. 939 See 17 CFR 240.0–13(e). In adopting Rule 0– 13, the Commission noted that because Rule 0–13 was a procedural rule that did not provide any substituted compliance rights, ‘‘collections of information arising from substituted compliance requests, including associated control numbers, [would] be addressed in connection with any applicable substantive rulemakings that provide for substituted compliance.’’ See SBS Entity Definitions Adopting Release, 79 FR at 47366 n.778. PO 00000 Frm 00115 Fmt 4701 Sfmt 4702 20325 B. 
Proposed Use of Information The proposed requirements to have written policies and procedures to address cybersecurity risks, to document risk assessments and significant cybersecurity incidents, to create a report or record of the annual review of the policies and procedures, to provide immediate notification and subsequent reporting of significant cybersecurity incidents, to publicly disclose summary descriptions of cybersecurity risks and significant cybersecurity incidents, and to preserve the written policies and procedures, reports, and records would constitute collection of information requirements under the PRA. Collectively, these collections of information are designed to address cybersecurity risk and the threat it poses to Market Entities and the U.S. securities markets. Market Entities would use the written policies and procedures, the records required to be made pursuant to those policies and procedures, and the report or record of the annual review of the policies and procedures to address the specific cybersecurity risks to which they are exposed. The Commission could use the written policies and procedures, reports, and records to review Market Entities’ compliance with proposed Rule 10. Market Entities would use the immediate written electronic notifications to notify the Commission (and, in some cases, other regulators) about significant cybersecurity incidents they experience pursuant to proposed Rule 10. The Commission could use the immediate written electronic notification to promptly begin to assess the situation by, for example, when warranted, assessing the Market Entity’s operating status and engaging in discussions with the Market Entity to understand better what steps it is taking to protect its customers, counterparties, members, registrants, or users. 
Covered Entities would use Part I of proposed Form SCIR to report to the Commission (and, in some cases, other regulators) significant cybersecurity incidents they experienced pursuant to proposed Rule 10. The Commission could use the reports of significant cybersecurity incidents filed using Part I of proposed Form SCIR to understand better the nature and extent of a particular significant cybersecurity incident and the efficacy of the Covered Entity’s response to mitigate the disruption and harm caused by the incident. The Commission staff could use the reports to focus on the Covered Entity’s operating status and to facilitate their outreach to, and discussions with, E:\FR\FM\05APP2.SGM 05APP2 20326 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules personnel at the Covered Entity who are addressing the significant cybersecurity incident. In addition, the reporting would provide the staff with a view into the Covered Entity’s understanding of the scope and impact of the significant cybersecurity incident. All of this information would be used by the Commission and its staff in assessing the significant cybersecurity incident impacting the Covered Entity. Further, the Commission would be use the database of reports to assess the potential cybersecurity risks affecting U.S. securities markets more broadly. This information could be used to address future significant cybersecurity incidents. For example, these reports could assist the Commission in identifying patterns and trends across Covered Entities, including widespread cybersecurity incidents affecting multiple Covered Entities at the same time. Further, the reports could be used to evaluate the effectiveness of various approaches to respond to and recover from a significant cybersecurity incident. 
Covered Entities would use Part II of proposed Form SCIR to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year pursuant to proposed Rule 10. These disclosures would be used to provide greater transparency to customers, counterparties, registrants, or members of the Covered Entity, or to users of its services, about the Covered Entity’s cybersecurity risk profile. This information could be used by these persons to manage their own cybersecurity risk and, to the extent they have choice, select a Covered Entity with whom to transact or otherwise conduct business. In addition, because the reports would be filed through EDGAR, Covered Entities’ customers, counterparties, members, registrants, or users would be able to run search queries to compare the disclosures of multiple Covered Entities. This would make it easier for Commission staff and others to assess the cybersecurity risk profiles of different types of Covered Entities and could facilitate trend analysis by members of the public of significant cybersecurity incidents. Under the proposed amendment to Rule 3a71–6, the Commission would use the information collected to evaluate requests for substituted compliance with respect to proposed Rule 10, Form SCIR, and the related record preservation requirements applicable to SBS Entities. Consistent with Exchange Act Rule 0–13(h),940 the Commission would publish in the Federal Register a notice that a complete application had been submitted, and provide the public the opportunity to submit to the Commission any information that relates to the Commission action requested in the application, subject to appropriate requests for confidential treatment being submitted pursuant to any applicable provisions governing confidentiality under the Exchange Act.941 C. 
Respondents The following table summarizes the estimated number of respondents that would be subject to the proposed Rule 10, Form SCIR, and recordkeeping burdens. Type of registrant Covered Broker-Dealers ...................................................................................................................................................................... Non-Covered Broker-Dealers .............................................................................................................................................................. Clearing agencies and exempt clearing agencies .............................................................................................................................. MSRB ................................................................................................................................................................................................... National securities exchanges ............................................................................................................................................................. National securities associations .......................................................................................................................................................... SBS Entities ......................................................................................................................................................................................... SBSDRs ............................................................................................................................................................................................... Transfer agents .................................................................................................................................................................................... 
Number (respondents by category): broker-dealer Covered Entities, 1,541; Non-Covered Broker-Dealers, 1,969; clearing agencies, 16; the MSRB, 1; national securities exchanges, 24; national securities associations, 1; SBS Entities, 50; SBSDRs, 3; transfer agents, 353.
Total Covered Entities: 1,989
Total Non-Covered Broker-Dealers: 1,969
Total Respondents: 3,958

[940] 17 CFR 240.0–13(h).
[941] See section V.F of this release.

The respondents subject to these collection of information requirements include the following:

1. Broker-Dealers

Each broker-dealer registered with the Commission would be subject to proposed Rule 10 as either a Covered Entity or a Non-Covered Broker-Dealer. As of September 30, 2022, there were 3,510 broker-dealers registered with the Commission.[942] The Commission estimates that 1,541 of these broker-dealers would be Covered Entities under the proposed rule because they fit within one or more of the following categories: carrying broker-dealer; broker-dealer that introduces customer accounts to a carrying broker-dealer on a fully disclosed basis; broker-dealer with regulatory capital equal to or exceeding $50 million; broker-dealer with total assets equal to or exceeding $1 billion; broker-dealer that operates as a market maker under the securities laws; or a broker-dealer that operates as an ATS.[943] The Commission estimates that 1,969 broker-dealers (i.e., the remaining broker-dealers registered with the Commission) would be Non-Covered Broker-Dealers for purposes of the rules.

[942] This estimate is derived from broker-dealer FOCUS filings and ATS Form ATS–R quarterly reports as of September 30, 2022.
[943] Id.

2. Clearing Agencies

With regard to clearing agencies, respondents under these rules are: (1) nine registered clearing agencies;[944] and (2) five exempt clearing agencies.[945] The Commission estimates for purposes of the PRA that two additional entities may seek to register as a clearing agency in the next three years, and so for purposes of this proposal the Commission has assumed sixteen total clearing agency and exempt clearing agency respondents.

[944] The registered and active clearing agencies are: (1) DTC; (2) FICC; (3) NSCC; (4) ICC; (5) ICEEU; (6) the Options Clearing Corp.; and (7) LCH SA. The clearing agencies that are registered with the Commission but conduct no clearance or settlement operations are: (1) BSECC; and (2) SCCP.
[945] The exempt clearing agencies that provide matching services are: (1) DTCC ITP Matching U.S. LLC; (2) Bloomberg STP LLC; (3) SS&C Technologies, Inc.; (4) Euroclear Bank SA/NV; and (5) Clearstream Banking, S.A.

3. The MSRB

The sole respondent to the proposed collection of information for the MSRB is the MSRB itself.

4. National Securities Exchanges and National Securities Associations

The respondents to the proposed collections of information for national securities exchanges and national securities associations would be the 24 national securities exchanges currently registered with the Commission under section 6 of the Exchange Act,[946] and the one national securities association currently registered with the Commission under section 15A of the Exchange Act.[947]

[946] See 15 U.S.C. 78f. The national securities exchanges registered with the Commission are: (1) BOX Options Exchange LLC; (2) Cboe BZX Exchange, Inc.; (3) Cboe BYX Exchange, Inc.; (4) Cboe C2 Exchange, Inc.; (5) Cboe EDGA Exchange, Inc.; (6) Cboe EDGX, Inc.; (7) Cboe Exchange, Inc.; (8) Investors Exchange Inc.; (9) Long-Term Stock Exchange, Inc.; (10) MEMX, LLC; (11) Miami International Securities Exchange LLC; (12) MIAX PEARL, LLC; (13) MIAX Emerald, LLC; (14) NASDAQ BX, Inc.; (15) NASDAQ GEMX, LLC; (16) NASDAQ ISE, LLC; (17) NASDAQ MRX, LLC; (18) NASDAQ PHLX LLC; (19) The NASDAQ Stock Market LLC; (20) New York Stock Exchange LLC; (21) NYSE MKT LLC; (22) NYSE Arca, Inc.; (23) NYSE Chicago Stock Exchange, Inc.; and (24) NYSE National, Inc.
[947] See 15 U.S.C. 78o-3. The one national securities association registered with the Commission is FINRA.

5. SBS Entities

As of January 4, 2023, 50 SBSDs have registered with the Commission, while no MSBSPs have registered with the Commission.[948] Of the 50 SBSDs that have registered with the Commission, 7 entities are also broker-dealers.[949] Requests for a substituted compliance determination under Rule 3a71–6 with respect to the proposed Rule 10, Form SCIR, and the related record preservation requirements may be filed by foreign financial authorities, or by non-U.S. SBSDs or MSBSPs. The Commission had previously estimated that there may be approximately 22 non-U.S. entities that may potentially register as SBSDs, out of approximately 50 total entities that may register as SBSDs.[950] Potentially all non-U.S. SBSDs, or some subset thereof, may seek to rely on a substituted compliance determination in connection with the proposed cybersecurity risk management requirements.[951] However, the Commission had expected that the great majority of substituted compliance applications would be submitted by foreign authorities[952] given their expertise in connection with the relevant substantive requirements, and in connection with their supervisory and enforcement oversight with regard to SBSDs and their activities.[953] The Commission expected that very few substituted compliance requests would come from SBS Entities.[954] For purposes of PRA assessments, the Commission estimated that three SBS Entities would submit such applications.[955] Although, as of January 4, 2023, 30 entities had identified themselves as a nonresident SBSD in their application for registration with the Commission,[956] the Commission has issued only one order in response to a request for substituted compliance from potential registrants.[957] The Commission continues to believe that its estimate that three such entities will submit applications remains appropriate for purposes of this PRA assessment because applicants may file additional requests.

[948] See List of Registered Security-Based Swap Dealers and Major Security-Based Swap Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.
[949] A Covered Entity that is both a broker-dealer and an SBS Entity (which includes all seven of these broker-dealers) will have burdens with respect to the proposed rule, Form SCIR, and recordkeeping amendments as they apply to both its broker-dealer business and its security-based swap business. Therefore, such "dual-hatted" entities will be counted as both Covered Entities that are broker-dealers and as SBS Entities for purposes of the PRA.
[950] See Proposed Rule Amendments and Guidance Addressing Cross-Border Application of Certain Security-Based Swap Requirements, Exchange Act Release No. 85823 (May 10, 2019), 84 FR 24206, 24253 (May 24, 2019). See also Security-Based Swap Transactions Connected With a Non-U.S. Person’s Dealing Activity That Are Arranged, Negotiated, or Executed by Personnel Located in a U.S. Branch or Office or in a U.S. Branch or Office of an Agent; Security-Based Swap Dealer De Minimis Exception, Exchange Act Release No. 77104 (Feb. 10, 2016), 81 FR 8597, 8605 (Feb. 19, 2016) ("SBS Entity U.S. Activity Adopting Release"); Business Conduct Standards Adopting Release, 81 FR at 30090, 30105; SBS Entity Recordkeeping and Reporting Release, 84 FR at 68607–09; and Capital, Margin, and Segregation Requirements Adopting Release, 84 FR at 43960–61.
[951] Consistent with prior estimates, the Commission further believes that there may be up to five MSBSPs. See Registration Process for Security-Based Swap Dealers and Major Security-Based Swap Participants, Exchange Act Release No. 75611 (Aug. 5, 2015), 80 FR 48963, 48990 (Aug. 14, 2015) ("SBS Entity Registration Adopting Release"); see also SBS Entity Business Conduct Standards Adopting Release, 81 FR at 30089, 30099. It is possible that some subset of those entities will be non-U.S. MSBSPs that will seek to rely on substituted compliance in connection with proposed Rule 10, Form SCIR, and the related record preservation requirements.
[952] See SBS Entity Risk Mitigation Adopting Release, 85 FR at 6389. See also SBS Entity Business Conduct Standards Adopting Release, 81 FR at 30097; SBS Entity Trade Acknowledgement and Verification Adopting Release, 81 FR at 39832.
[953] See SBS Entity Risk Mitigation Adopting Release, 85 FR at 6384. See also SBS Entity Business Conduct Standards Adopting Release, 81 FR at 30090; SBS Entity Trade Acknowledgement and Verification Adopting Release, 81 FR at 39832.
[954] See SBS Entity Risk Mitigation Adopting Release, 85 FR at 6389. See also SBS Entity Business Conduct Standards Adopting Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity Trade Acknowledgement and Verification Adopting Release, 81 FR at 39832.
[955] Id. See also SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68609; Capital, Margin, and Segregation Requirements Adopting Release, 84 FR at 43967.
[956] No entity has registered as an MSBSP. See List of Registered Security-Based Swap Dealers and Major Security-Based Swap Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants (providing the list of registered SBSDs and MSBSPs that was updated as of January 4, 2023).
[957] See Order Granting Conditional Substituted Compliance in Connection With Certain Requirements Applicable to Non-U.S. Security-Based Swap Dealers Subject to Regulation in the Swiss Confederation, Exchange Act Release No. 93284 (Oct. 8, 2021), 86 FR 57455 (Oct. 15, 2021) (File No. S7–07–21). The Commission’s other substituted compliance orders have been in response to requests from foreign authorities; see https://www.sec.gov/tm/Jurisdiction-Specific-AppsOrders-and-MOU.

6. SBSDRs

Two SBSDRs are currently registered with the Commission.[958] The Commission estimates for purposes of the PRA that one additional entity may seek to register as an SBSDR in the next three years, and so for purposes of this proposal the Commission has assumed three SBSDR respondents.

[958] The Commission approved the registration of two SBSDRs in 2021. The two registered SBSDRs are: (1) DTCC Data Repository (U.S.), LLC; and (2) ICE Trade Vault, LLC.

7. Transfer Agents

The proposed rule would apply to every transfer agent as defined in section 3(a)(25) of the Exchange Act that is registered or required to be registered with an appropriate regulatory agency as defined in section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there were 353 transfer agents that were either registered with the Commission through Form TA–1 or registered with other appropriate regulatory agencies.

D. Total Initial and Annual Reporting Burdens

As stated above, each requirement to disclose information, offer to provide information, or adopt policies and procedures constitutes a collection of information requirement under the PRA. The Commission discusses below the collection of information burdens associated with the proposed rule and rule amendment.

1. Proposed Rule 10

The Commission has made certain estimates of the burdens associated with the policies and procedures and review and report of the review requirements of proposed Rule 10 applicable to Covered Entities solely for the purpose of this PRA analysis.[959] Table 1 below summarizes the initial and ongoing annual burden and cost estimates associated with the policies and procedures and review and report of the review requirements.

[959] These requirements are discussed in section II.B.1. of this release.

TABLE 1—RULE 10 PRA ESTIMATES—CYBERSECURITY POLICIES AND PROCEDURES AND REVIEW AND REPORT OF THE REVIEW REQUIREMENTS FOR COVERED ENTITIES

Columns: internal initial burden hours; internal annual burden hours (1); wage rate (2); internal time costs; annual external cost burden.

PROPOSED RULE 10 ESTIMATES
Adopting and implementing policies and procedures (3): 50 initial hours; 21.67 annual hours (4); $462 (blended rate for compliance attorney and assistant general counsel); $10,011.54; $1,488 (5).
Annual review of policies and procedures and report of review: 0 initial hours; 10 annual hours (6); $462 (blended rate for compliance attorney and assistant general counsel); $4,620; $1,984 (7).
Total new annual burden per Covered Entity: 31.67 annual hours; $14,631.54; $3,472.
Number of Covered Entities: × 1,989 (applied to annual hours, internal time costs, and external cost).
Total new annual aggregate burden: 62,991.63 annual hours; $29,102,133.06; $6,905,808.

Notes:
(1) Includes initial burden estimates annualized over a 3-year period.
(2) The Commission’s estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry and Financial Markets Association’s Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 ("SIFMA Wage Report"). The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
(3) These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating existing policies and procedures with respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
(4) Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 21.67 hours is based on the following calculation: ((50 initial hours/3) + 5 additional ongoing burden hours) = 21.67 hours.
(5) This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services. The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
(6) The Commission estimates 10 additional ongoing burden hours.
(7) This estimated burden is based on the estimated wage rate of $496/hour, for 4 hours, for outside legal services. See note 5 (regarding wage rates with respect to external cost estimates).

The Commission has made certain estimates of the burdens associated with the policies and procedures and review and record of the review requirements of proposed Rule 10 applicable to Non-Covered Broker-Dealers solely for the purpose of this PRA analysis.[960] Table 2 below summarizes the initial and ongoing annual burden and cost estimates associated with the proposed rule’s policies and procedures and review and record of the review requirements for Non-Covered Broker-Dealers.

[960] These requirements are discussed in section II.C. of this release.

TABLE 2—RULE 10 PRA ESTIMATES—CYBERSECURITY POLICIES AND PROCEDURES AND REVIEW AND RECORD OF THE REVIEW REQUIREMENTS FOR NON-COVERED BROKER-DEALERS

Columns: internal initial burden hours; internal annual burden hours (1); wage rate (2); internal time costs; annual external cost burden.

PROPOSED RULE 10 ESTIMATES
Adopting and implementing policies and procedures (3): 30 initial hours; 15 annual hours (4); $462 (blended rate for compliance attorney and assistant general counsel); $6,930; $1,488 (5).
Annual review of policies and procedures and report of review: 0 initial hours; 6 annual hours (6); $462 (blended rate for compliance attorney and assistant general counsel); $2,772; $992 (7).
Total new annual burden per Non-Covered Broker-Dealer: 21 annual hours; $9,702; $2,480.
Number of Non-Covered Broker-Dealers: × 1,969 (applied to annual hours, internal time costs, and external cost).
Total new annual aggregate burden: 41,349 annual hours; $19,103,238; $4,883,120.

Notes:
(1) Includes initial burden estimates annualized over a 3-year period.
(2) The Commission’s estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry and Financial Markets Association’s Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 ("SIFMA Wage Report"). The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
(3) These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating existing policies and procedures with respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
(4) Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 15 hours is based on the following calculation: ((30 initial hours/3) + 5 additional ongoing burden hours) = 15 hours.
(5) This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services. The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
(6) The Commission estimates 6 additional ongoing burden hours.
(7) This estimated burden is based on the estimated wage rate of $496/hour, for 2 hours, for outside legal services. See note 5 (regarding wage rates with respect to external cost estimates).

The Commission has made certain estimates of the burdens associated with the notification requirement of proposed Rule 10 applicable to Market Entities solely for the purpose of this PRA analysis.[961] Table 3 below summarizes the initial and ongoing annual burden and cost estimates associated with the proposed rule’s notification requirements for Market Entities.

[961] This requirement is discussed in section II.B.2.a. of this release.

TABLE 3—RULE 10 PRA ESTIMATES—NOTIFICATION REQUIREMENTS FOR MARKET ENTITIES

Columns: internal initial burden hours; internal annual burden hours; wage rate; internal time costs; annual external cost burden.

PROPOSED RULE 10 ESTIMATES
Making a determination of significant cybersecurity incident and immediate notice to the Commission: 5 initial hours; 4.67 annual hours (1); $353 (blended rate for assistant general counsel, compliance manager and systems analyst); $1,648.51; $1,488 (2).
Total new annual burden per Market Entity: 4.67 annual hours; $1,648.51; $1,488.
Number of Market Entities: × 3,958 (applied to annual hours, internal time costs, and external cost).
Total new aggregate annual burden: 18,483.86 annual hours; $6,524,802.58; $5,889,504.

Notes:
(1) Includes initial burden estimates annualized over a three-year period, plus 3 ongoing annual burden hours. The estimate of 4.67 hours is based on the following calculation: ((5 initial hours/3) + 3 additional ongoing burden hours) = 4.67 hours.
(2) This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services. The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a variety of sources including general information websites, and adjustments for inflation.

The Commission has made certain estimates of the burdens associated with the requirement of proposed Rule 10 that Covered Broker-Dealers provide the disclosures that would need to be made on Part II of proposed Form SCIR to their customers, solely for the purpose of this PRA analysis.[962] Table 4 below summarizes the initial and ongoing annual burden and cost estimates associated with that requirement.

[962] These requirements are discussed in section II.B.3.b. of this release.

TABLE 4—RULE 10 PRA ESTIMATES—ADDITIONAL DISCLOSURE REQUIREMENTS FOR BROKER-DEALERS THAT ARE COVERED ENTITIES

Columns: internal initial burden hours; internal annual burden hours; wage rate; internal time costs; annual external cost burden.

PROPOSED RULE 10 ESTIMATES
Delivery of disclosures to new customers: 6.68 initial hours (1); 6.68 annual hours; $69 (general clerk); $460.92; $0.
Annual delivery of disclosures to existing customers: 44.48 initial hours (2); 44.48 annual hours; $69 (general clerk); $3,076.02; $0.
Total new annual burden per broker-dealer Covered Entity: 51.26 annual hours; $3,536.94.
Number of broker-dealer Covered Entities: × 1,541 (applied to annual hours and internal time costs).
Total new aggregate annual burden: 78,991.66 annual hours; $5,450,424.54.

Notes:
(1) The Commission estimates that a broker-dealer that is a Covered Entity will require no more than 0.02 hours to send the broker-dealer’s required disclosures to each new customer, or an annual burden of 6.68 hours per broker-dealer. (0.02 hours per customer × 334 median number of new customers per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 6.68 hours per broker-dealer.) The Commission notes that the burden for preparing disclosures to customers is already incorporated into a separate burden estimate under other broker-dealer rules promulgated by the Commission (e.g., 17 CFR 240.17a–3) and FINRA rules. The Commission expects that broker-dealers subject to this new disclosure requirement will make their delivery of disclosures to new customers as part of an email or mailing they already send to new customers; therefore, the Commission estimates that the additional burden will be adding a few pages to the email attachment or mailing.
(2) The Commission estimates that, with a bulk mailing or email, a broker-dealer that is a Covered Entity will require no more than 0.02 hours to send the broker-dealer’s required disclosures to each existing customer, or an annual burden of 44.58 hours per broker-dealer. (0.02 hours per customer × 2,229 median number of customers per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 44.58 hours per broker-dealer.) The Commission notes that the burden for preparing disclosures to customers is already incorporated into a separate burden estimate under other broker-dealer rules promulgated by the Commission (e.g., 17 CFR 240.17a–3) and FINRA rules. The Commission expects that broker-dealers subject to this new disclosure requirement will make their annual delivery to existing customers as part of an email or mailing of an account statement they already send to customers; therefore, the Commission estimates that the additional burden will be adding a few pages to the email attachment or mailing.

2. Form SCIR

The Commission has made certain estimates of the burdens associated with filing the initial and amended Part I of Form SCIR under proposed Rule 10 applicable to Covered Entities solely for the purpose of this PRA analysis.[963] Table 5 below summarizes the initial and ongoing annual burden and cost estimates associated with filing proposed Form SCIR.

[963] These requirements are discussed in sections II.B.2. and II.B.4. of this release.

TABLE 5—PART I OF FORM SCIR PRA ESTIMATES

Columns: internal initial burden hours; internal annual burden hours; wage rate; internal time costs; annual external cost burden.

PROPOSED PART I OF FORM SCIR ESTIMATES
Filling out initial Part I of Form SCIR: 3 initial hours; 1.5 annual hours (1); $431 (blended rate for assistant general counsel, compliance manager); $646.50; $496 (2).
Filing an amended Part I of SCIR: 1 initial hour; 1 annual hour; $431 (blended rate for assistant general counsel, compliance manager); $431; $496 (3).
Total new annual burden per Covered Entity: 2.5 annual hours; $1,077.50; $992.
Number of Covered Entities: × 1,989 (applied to annual hours, internal time costs, and external cost).
Total new aggregate annual burden: 4,972.5 annual hours; $2,143,147.5; $1,973,088.

Notes:
(1) Includes initial burden estimates annualized over a three-year period, plus 0.5 ongoing annual burden hours. The estimate of 1.5 hours is based on the following calculation: ((3 initial hours/3) + 0.5 additional ongoing burden hours) = 1.5 hours.
(2) This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services. The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
(3) This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.

The Commission has made certain estimates of the burdens associated with filing the Part II of Form SCIR under proposed Rule 10 applicable to Covered Entities solely for the purpose of this PRA analysis.[964] Table 6 below summarizes the initial and ongoing annual burden and cost estimates associated with the proposed rule’s disclosure requirements for Covered Entities.

[964] These requirements are discussed in sections II.B.3. and II.B.4. of this release.

TABLE 6—PART II OF FORM SCIR PRA ESTIMATES

Columns: internal initial burden hours; internal annual burden hours; wage rate; internal time costs; annual external cost burden.

PROPOSED PART II OF FORM SCIR ESTIMATES
Disclosure of significant cybersecurity incidents and cybersecurity risks on Part II of Form SCIR and posting form on website: 5 initial hours; 3.67 annual hours (1); $375.33 per hour (blended rate for assistant general counsel, senior compliance examiner and compliance manager) (3); $1,377.46; $1,488 (2).
Total new annual burden per Covered Entity: 3.67 annual hours; $1,377.46; $1,488.
Number of Covered Entities: × 1,989 (applied to annual hours, internal time costs, and external cost).
Total new aggregate annual burden: 7,299.63 annual hours; $2,739,767.94; $2,959,632.

Notes:
(1) Includes initial burden estimates annualized over a three-year period, plus 2 ongoing annual burden hours. The estimate of 3.67 hours is based on the following calculation: ((5 initial hours/3) + 2 additional ongoing burden hours) = 3.67 hours.
(2) This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services. The Commission’s estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
(3) The $375.33 wage rate reflects current estimates from the SIFMA Wage Report of the blended hourly rate for an assistant general counsel ($518), senior compliance examiner ($264) and a compliance manager ($344). ($518 + $264 + $344)/3 = $375.33.

In addition, the requirement to file Form SCIR in EDGAR using a form-specific XML may impose some compliance costs. Covered Entities that are not otherwise required to file in EDGAR (for example, clearing agencies, the MSRB, national securities associations, and national securities exchanges, as well as any broker-dealer Covered Entities that choose not to file Form X–17A–5 Part III or Form 17–H through the EDGAR system) would need to complete Form ID to obtain the EDGAR-system access codes that enable entities to file documents through the EDGAR system.[965] The Commission estimates that each filer that currently does not have access to EDGAR would incur an initial, one-time burden of 0.30 hours to complete and submit a Form ID.[966] Therefore, the Commission believes the one-time industry-wide reporting burden associated with the proposed requirements to file on EDGAR is 4.8 hours for clearing agencies,[967] 0.30 hours for the MSRB,[968] 7.5 hours for national securities exchanges and associations,[969] 0.9 hours for SBSDRs,[970] and 242.4 hours for Covered Broker-Dealers not already filing their annual audits on EDGAR.[971] In addition, for the requirement to file Form SCIR using custom XML (with which a Covered Entity would be able to comply by inputting its disclosures into a fillable web form), the Commission estimates each Covered Entity would incur an internal burden of 0.5 hours per filing.[972] Accordingly, the Commission estimates that Covered Entities will collectively have an ongoing burden of 994.5 hours[973] with respect to filing Form SCIR in custom XML.

[965] Form ID (OMB control number 3235–0328) must be completed and filed with the Commission by all individuals, companies, and other organizations who seek access to file electronically on EDGAR. Accordingly, a filer that does not already have access to EDGAR must submit a Form ID, along with the notarized signature of an authorized individual, to obtain an EDGAR identification number and access codes to file on EDGAR. The Commission currently estimates that Form ID would take 0.30 hours to prepare, resulting in an annual industry-wide burden of 17,199 hours. See Supporting Statement for the Paperwork Reduction Act Information Collection Submission for Form ID (Dec. 20, 2021), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202112-3235-003.
[966] The Commission does not estimate a burden for SBS Entities since these firms have already filed Form ID so they can file Form SBSE on EDGAR. Similarly, the Commission does not estimate a burden for transfer agents since these firms already file their annual report on Form TA–2 on EDGAR.

3. Rules 17a–4, 17ad–7, 18a–6, and Clearing Agency Exemption Orders (and Existing Rules 13n–7 and 17a–1)

The Commission has made certain estimates of the burdens associated with the proposed record preservation requirements solely for the purpose of this PRA analysis.[974] Table 7 below summarizes the initial and ongoing annual burden and cost estimates associated with the additional recordkeeping requirements.
TABLE 7—PRA ESTIMATES—PROPOSED AMENDMENTS TO RULES 17a–4, 18a–6, AND 17ad–7 AND CLEARING AGENCY EXEMPTION ORDERS (AND EXISTING RULES 17a–1 AND 13n–7) [975]

Columns: internal annual hour burden; wage rate; internal time costs; annual external cost burden.

PROPOSED ESTIMATES FOR RECORDKEEPING BURDENS
Retention of cybersecurity policies and procedures:
  Total burden per Covered Entity or Non-Covered Broker-Dealer: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected entities: × 3,918; × 3,918; 0.
  Sub-total burden: 3,918 hours; $287,973; $0.
Retention of written report documenting annual review:
  Total annual burden per Covered Entity or Non-Covered Broker-Dealer: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected entities: × 3,918; × 3,918; 0.
  Sub-total burden: 3,918 hours; $287,973; $0.
Retention of copy of any Form SCIR or immediate notice to the Commission:
  Total annual burden per Covered Entity or Non-Covered Broker-Dealer: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected entities: × 3,918; × 3,918; 0.
  Sub-total burden: 3,918 hours; $287,973; $0.
Retention of records documenting a cybersecurity incident:
  Total annual burden per Covered Entity: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected Covered Entities: × 1,949; × 1,949; 0.
  Sub-total burden: 1,949 hours; $143,251.50; $0.
Retention of records documenting a Covered Entity’s cybersecurity risk assessment:
  Total annual burden per Covered Entity: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected Covered Entities: × 1,949; × 1,949; 0.
  Sub-total burden: 1,949 hours; $143,251.50; $0.
Retention of copy of any public disclosures:
  Total annual burden per Covered Entity: 1 hour; $73.5 (blended rate for general clerk and compliance clerk); $73.5; $0.
  Total number of affected Covered Entities: × 1,949; × 1,949; 0.
  Sub-total burden: 1,949 hours; $143,251.50; $0.
Total annual aggregate burden of recordkeeping obligations: 17,601 hours.

[967] 0.30 hours × 16 clearing agencies = 4.8 hours.
[968] 0.30 hours × 1 MSRB = 0.30 hours.
[969] 0.30 hours × (24 national securities exchanges and 1 national securities association) = 7.5 hours.
[970] 0.30 hours × 3 SBSDRs = 0.9 hours.
[971] 0.30 hours × 808 Covered Broker-Dealers not already filing on EDGAR = 242.4 hours.
[972] This estimate would mirror the Commission’s internal burden hour estimate for a proposed custom XML requirement for Schedules 13D and 13G. See Modernization of Beneficial Ownership Reporting Release.
[973] 1,989 Covered Entities × .5 hours = 994.5 hours.
[974] These requirements are discussed in sections II.B.5.a. and II.C. of this release.
[975] Given the general nature of the recordkeeping requirements for national securities exchanges, national securities associations, registered clearing agencies, and the MSRB under Rule 17a–1 (OMB control number 3235–0208, Recordkeeping Rule for National Securities Exchanges, National Securities Associations, Registered Clearing Agencies, and the Municipal Securities Rulemaking Board) and for SBSDRs under Rule 13n–7 (OMB control number 3235–0719, Security-Based Swap Data Repository Registration, Duties, and Core Principles and Form SDR), it is anticipated that the new recordkeeping requirements proposed in this release would result in a one-time nominal increase in burden per entity that would effectively be encompassed by the existing burden estimates associated with these existing rules as described in those collections of information.

Below, the Commission solicits comment regarding all of the PRA estimates discussed in this release.

4. Substituted Compliance—Rule 3a71–6

Rule 3a71–6 would require submission of certain information to the Commission to the extent SBS Entities elect to request a substituted compliance determination with respect to proposed Rule 10, Form SCIR, and the related record preservation requirements. Consistent with Exchange Act Rule 0–13, such applications must be accompanied by supporting documentation necessary for the Commission to make the determination, including information regarding applicable foreign requirements, and the methods used by foreign authorities to monitor and enforce compliance. If Rule 3a71–6 is amended as proposed, the Commission expects that the majority of such requests will be made during the first year following the effective date. The Commission expects that the great majority of substituted compliance applications will be submitted by foreign authorities, and that very few substituted compliance requests will come from SBS Entities. For purposes of this assessment, the Commission estimates that three such SBS Entities will submit such an application.[976] The Commission has previously estimated that the paperwork burden associated with filing a request for a substituted compliance determination related to existing business conduct, supervision, chief compliance officer, and trade acknowledgement and verification requirements described in Rule 3a71–6(d)(1)–(3) was approximately 80 hours of in-house counsel time, plus $84,000[977] for the services of outside professionals, and

[976] See SBS Entity Risk Mitigation Adopting Release, 85 FR at 6389.
See also SBS Entity Business Conduct Standards Adopting Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity Trade Acknowledgement and Verification Adopting Release, 81 FR at 39832; SBS Entity Recordkeeping and Reporting Adopting Release, 84 FR at 68609; Capital, Margin, and Segregation Requirements Adopting Release, 84 FR at 43967. 977 Based on 200 hours of outside time × $420 per hour. This estimated burden also includes the burden associated with making a request for a substituted compliance determination related to the portfolio reconciliation, portfolio compression, and trading relationship documentation requirements described in Rule 3a71–6(d)(7); see SBS Entity Risk Mitigation Adopting Release, 85 FR at 6389. VerDate Sep<11>2014 18:14 Apr 04, 2023 Internal time costs Wage rate Jkt 259001 1,293,673.5 the paperwork burden estimate associated with making a request for a substituted compliance determination related to the existing recordkeeping and reporting requirements described in Rule 3a71–6(d)(6) was approximately 80 hours of in-house counsel time, plus $84,000 978 for the services of outside professionals.979 To the extent that an SBS Entity files a request for a substituted compliance determination in connection with Rule 10, Form SCIR, the related record preservation requirements, and requirements currently identified in Rule 3a71–6(d) as eligible for substituted compliance determinations, the Commission believes that the paperwork burden associated with the request would be greater than that associated with a narrower request due to the need for more information regarding the comparability of the relevant rules and the adequacy of the associated supervision and enforcement practices. 
However, the Commission believes that its prior paperwork burden estimate is sufficient to cover a combined substituted compliance request that also seeks a determination in connection with Rule 10, Form SCIR, and the related record preservation requirements.980 Nevertheless, the Commission is revising its estimate of the hourly rate for outside professionals to $496, consistent with the other paperwork burden estimates in this release.

978 Based on 200 hours of outside time × $420 per hour.
979 See Supporting Statement for the Paperwork Reduction Act Information Collection Submission for Exchange Act Rule 3a71–6 (June 10, 2021), available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202106-3235-008.
980 Although applicants may file requests for substituted compliance determinations related to multiple eligible requirements, applicants may instead file requests for substituted compliance determinations related to individual eligible requirements. As such, the Commission’s estimates reflect the total paperwork burden of requests filed by (i) applicants that would be seeking a substituted compliance determination related to Rule 10, Form SCIR, and the related record preservation requirements combined with a request for a substituted compliance determination related to other eligible requirements, and (ii) applicants that previously filed requests for substituted compliance determinations related to other eligible requirements and would be seeking an additional substituted compliance determination in connection with Rule 10, Form SCIR, and the related record preservation requirements.
Therefore, the Commission estimates that the total paperwork burden incurred by entities associated with preparing and submitting a request for a substituted compliance determination in connection with the proposed cybersecurity risk management requirements applicable to SBS Entities would be reflected in the estimated burden of a request for a substituted compliance determination related to the business conduct, supervision, chief compliance officer, trade acknowledgement and verification, and the portfolio reconciliation, portfolio compression, and trading relationship documentation requirements described in Rule 3a71–6(d)(1)–(3) and (7) of approximately 80 hours of in-house counsel time, plus $99,200 for the services of outside professionals,981 and the paperwork burden associated with making a request for a substituted compliance determination related to the recordkeeping and reporting requirements described in Rule 3a71–6(d)(6) of approximately 80 hours of in-house counsel time, plus $99,200 for the services of outside professionals.982 This estimate results in an aggregate total one-time paperwork burden associated with preparing and submitting requests for substituted compliance determinations relating to the requirements described in Rule 3a71–6(d)(1) through (3), (6) and (7), including the proposed cybersecurity risk management requirements, of approximately 480 internal hours,983 plus $595,200 for the services of outside professionals 984 for all three requests.

981 Based on 200 hours of outside time × $496 per hour.
982 Based on 200 hours of outside time × $496 per hour.
983 (80 hours related to Rule 3a71–6(d)(1) through (3), (7) plus 80 hours related to Rule 3a71–6(d)(6)) × 3 requests.
984 ($99,200 related to Rule 3a71–6(d)(1) through (3), (7) plus $99,200 related to Rule 3a71–6(d)(6)) × 3 requests.

E. Collection of Information is Mandatory

The collections of information pursuant to proposed Rule 10, Form SCIR, and the relevant recordkeeping rules are mandatory, as applicable, for Market Entities. With respect to Rule 3a71–6, the application for substituted compliance is mandatory for all foreign financial regulatory authorities or SBS Entities that seek a substituted compliance determination.

F. Confidentiality of Responses to Collection of Information

The Commission expects to receive confidential information in connection with the collections of information. A Market Entity can request confidential treatment of the information.985 If such a confidential treatment request is made, the Commission anticipates that it will keep the information confidential subject to applicable law.986 With regard to Rule 3a71–6, the Commission generally will make requests for a substituted compliance determination public, including supporting documentation provided by the requesting party, subject to requests for confidential treatment being submitted pursuant to any applicable provisions governing confidentiality under the Exchange Act.987 If confidential treatment is granted, the Commission would keep such information confidential, subject to the provisions of applicable law.988

985 See 17 CFR 200.83. Information regarding requests for confidential treatment of information submitted to the Commission is available on the Commission’s website at https://www.sec.gov/foia/howfo2.htm#privacy.
986 See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing the public availability of information obtained by the Commission).
987 See, e.g., 17 CFR 200.83; 17 CFR 240.24b–2; see also SBS Entity Definitions Adopting Release, 79 FR at 47359.
988 See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing the public availability of information obtained by the Commission).

G. Retention Period for Recordkeeping Requirements

Rule 17a–4, as proposed to be amended, specifies the required retention periods for records required to be made and preserved by a broker-dealer, whether electronically or otherwise.989 Rule 17ad–7, as proposed to be amended, specifies the required retention periods for records required to be made and preserved by transfer agents, whether electronically or otherwise.990 Rule 18a–6, as proposed to be amended, specifies the required retention periods for records required to be made and preserved by SBSDs or MSBSPs, whether electronically or otherwise.991 All records required of certain of the Market Entities pursuant to the proposed rule amendments must be retained for three years.992 Existing Rule 17a–1 specifies the required retention periods for records required to be made and preserved by national securities exchanges, national securities associations, registered clearing agencies, and the MSRB, whether electronically or otherwise.993 Under the existing provisions of Rule 17a–1, registered clearing agencies, the MSRB, national securities associations, and national securities exchanges would be required to preserve at least one copy of the Rule 10 Records for at least five years, the first two years in an easily accessible place. Existing Rule 13n–7, which is not proposed to be amended, specifies the required retention periods for records required to be made and preserved by SBSDRs, whether electronically or otherwise.994 Rule 13n–7 provides that the SBSDR must keep the documents for a period of not less than five years, the first two years in a place that is immediately available to representatives of the Commission for inspection and examination.995 Finally, exempt clearing agencies are generally subject to conditions that mirror certain of the recordkeeping requirements in Rule 17a–1.996 Nonetheless, the Commission is proposing to amend the clearing agency exemption orders to add a condition that each exempt clearing agency must retain the Rule 10 Records for a period of at least five years after the record is made or, in the case of the written policies and procedures to address cybersecurity risks, for at least five years after the termination of the use of the policies and procedures.

989 See Rule 17a–4, as proposed to be amended.
990 See Rule 17ad–7, as proposed to be amended.
991 See Rule 18a–6, as proposed to be amended.
992 See Rules 17a–4, 17ad–7, and 18a–6, as proposed to be amended.
993 See Rule 17a–1.
994 See Rule 13n–7.
995 See paragraph (b)(2) of Rule 13n–7.
996 See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning BSTP’s exemption by requiring BSTP to, among other things, preserve a copy or record of all trade details, allocation instructions, central trade matching results, reports and notices sent to customers, service agreements, reports regarding affirmation rates that are sent to the Commission or its designee, and any complaint received from a customer, all of which pertain to the operation of its matching service and ETC service. BSTP shall retain these records for a period of not less than five years, the first two years in an easily accessible place).

H. Request for Comment

Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comment on the proposed collections of information in order to:

• Evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information would have practical utility;
• Evaluate the accuracy of the Commission’s estimates of the burden of the proposed collections of information;
• Determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and
• Evaluate whether there are ways to minimize the burden of the collection of information on those who respond, including through the use of automated collection techniques or other forms of information technology.

Persons submitting comments on the collection of information requirements should direct them to the Office of Management and Budget, Attention: Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Washington, DC 20503, and should also send a copy of their comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090, with reference to File Number S7–06–23. Requests for materials submitted to OMB by the Commission with regard to this collection of information should be in writing, with reference to File Number S7–06–23 and be submitted to the Securities and Exchange Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC 20549–2736. As OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication.

VI. Initial Regulatory Flexibility Act Analysis

The RFA requires the Commission, in promulgating rules, to consider the impact of those rules on small entities.997 Section 603(a) of the Administrative Procedure Act,998 as amended by the RFA, generally requires the Commission to undertake a regulatory flexibility analysis of all proposed rules to determine the impact of such rulemaking on “small entities.” 999 Section 605(b) of the RFA states that this requirement shall not apply to any proposed rule which, if adopted, would not have a significant economic impact on a substantial number of small entities.1000 The Commission has prepared the following Initial Regulatory Flexibility Analysis (“IRFA”) in accordance with section 3(a) of the RFA.1001 It relates to: (1) proposed Rule 10 under the Exchange Act; (2) proposed Form SCIR; and (3) proposed amendments to Rules 17a–4, 17ad–7, and 18a–6 under the Exchange Act.1002

997 See 5 U.S.C. 601 et seq.
998 5 U.S.C. 603(a).
999 Section 601(b) of the RFA permits agencies to formulate their own definitions of “small entities.” See 5 U.S.C. 601(b). The Commission has adopted definitions for the term “small entity” for the purposes of rulemaking in accordance with the RFA. These definitions, as relevant to this proposed rulemaking, are set forth in Rule 0–10.
1000 See 5 U.S.C. 605(b).
1001 5 U.S.C. 603(a).
1002 The Commission is also certifying that the amendments to Rule 3a71–6 will not have a significant economic impact on a substantial number of small entities for purposes of the RFA. See section VI.C.5. of this release.

A. Reasons for, and Objectives of, Proposed Action

The reasons for, and objectives of, the proposed rule and rule amendments are discussed above.1003

1003 See sections I and II of this release.

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR

Proposed Rule 10 would require all Market Entities (Covered Entities and non-Covered Entities) to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.1004 All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.1005 They also would be required to prepare a report (in the case of Covered Entities) and a record (in the case of non-Covered Entities) with respect to the annual review.1006 Finally, all Market Entities would need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.1007
1004 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of “covered entity”); paragraph (e)(1) of proposed Rule 10. See also sections II.B.1 and II.C. of this release (discussing these proposed requirements in more detail).
1005 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail).
1006 See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of this release (discussing these proposed requirements in more detail).
1007 See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of this release (discussing these proposed requirements in more detail).

Market Entities that meet the definition of “covered entity” would be subject to certain additional requirements under proposed Rule 10.1008 First, their cybersecurity risk management policies and procedures would need to include the following elements:

• Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
• Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
• Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversight of service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems;
• Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and
• Measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.1009

Second, Covered Entities—in addition to providing the Commission with immediate written electronic notice of a significant cybersecurity incident—would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission through the EDGAR system.1010 The form would elicit information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to, and recover from, the incident. Third, Covered Entities would need to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR.1011 The form would need to be filed with the Commission through the EDGAR system and posted on the Covered Entity’s business internet website and, in the case of Covered Entities that are carrying or introducing broker-dealers, provided to customers at account opening and annually thereafter. Covered Entities and Non-Covered Entities would need to preserve certain records relating to the requirements of proposed Rule 10 in accordance with amended or existing recordkeeping requirements applicable to them or, in the case of exempt clearing agencies, pursuant to conditions in relevant exemption orders.1012

1008 See paragraphs (b) through (d) of proposed Rule 10 (setting forth the requirements for Market Entities that meet the definition of “covered entity”); paragraph (e) of proposed Rule 10 (setting forth the requirements for Market Entities that do not meet the definition of “covered entity”).
1009 See sections II.B.1.a. through II.B.1.e. of this release (discussing these proposed requirements in more detail). In the case of non-Covered Entities, as discussed in more detail below in section II.C. of this release, the design of the cybersecurity risk management policies and procedures would need to take into account the size, business, and operations of the broker-dealer. See paragraph (e) of proposed Rule 10.
1010 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail).

Collectively, these requirements are designed to address cybersecurity risk and the threat it poses to Market Entities and the U.S. securities markets. The written policies and procedures, the records required to be made pursuant to those policies and procedures, and the report or record of the annual review of the policies and procedures would address the specific cybersecurity risks to which Market Entities are exposed. The Commission could use these written policies and procedures, reports, and records to review Market Entities’ compliance with proposed Rule 10. The Commission could use the immediate written electronic notification of significant cybersecurity incidents to promptly begin to assess the situation by, for example, when warranted, assessing the Market Entity’s operating status and engaging in discussions with the Market Entity to understand better what steps it is taking to protect its customers, counterparties, members, registrants, or users.
The Commission could use the subsequent reports about the significant cybersecurity incident filed by Covered Entities using Part I of proposed Form SCIR to understand better the nature and extent of a particular significant cybersecurity incident and the efficacy of the Covered Entity’s response to mitigate the disruption and harm caused by the incident. The Commission staff could use the reports to focus on the Covered Entity’s operating status and to facilitate their outreach to, and discussions with, personnel at the Covered Entity who are addressing the significant cybersecurity incident. In addition, the reporting would provide the staff with a view into the Covered Entity’s understanding of the scope and impact of the significant cybersecurity incident. All of this information could be used by the Commission and its staff in assessing the significant cybersecurity incident impacting the Covered Entity. Further, the Commission could use the database of reports to assess the potential cybersecurity risks affecting U.S. securities markets more broadly. This information could be used to address future significant cybersecurity incidents. For example, these reports could assist the Commission in identifying patterns and trends across Covered Entities, including widespread cybersecurity incidents affecting multiple Covered Entities at the same time. Further, the reports could be used to evaluate the effectiveness of various approaches to respond to and recover from a significant cybersecurity incident.

1011 See sections II.B.3. and II.B.4. of this release (discussing these proposed requirements in more detail).
1012 See sections II.B.5. and II.C. of this release (discussing these proposed requirements in more detail).
The disclosures by Covered Entities on Part II of proposed Form SCIR would be used to provide greater transparency to customers, counterparties, registrants, or members of the Covered Entity, or to users of its services, about the Covered Entity’s cybersecurity risk profile. This information could be used by these persons to manage their own cybersecurity risk and, to the extent they have a choice, select a Covered Entity with whom to transact or otherwise conduct business. In addition, because the reports would be filed through EDGAR, Covered Entities’ customers, counterparties, members, registrants, or users would be able to run search queries to compare the disclosures of multiple Covered Entities. This would make it easier for Commission staff and others to assess the cybersecurity risk profiles of different types of Covered Entities and could facilitate trend analysis by members of the public of significant cybersecurity incidents.

2. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders

Rules 17a–4, 17ad–7, and 18a–6—which apply to broker-dealers, transfer agents, and SBS Entities, respectively—would be amended to establish preservation and maintenance requirements for the written policies and procedures, annual reports, Parts I and II of proposed Form SCIR, and records required to be made pursuant to proposed Rule 10 (i.e., the Rule 10 Records).1013 The proposed amendments would specify that the Rule 10 Records must be retained for three years. In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until three years after the termination of the use of the policies and procedures.1014 In addition, orders exempting certain clearing agencies from registering with the Commission would be amended to establish preservation and maintenance requirements for the Rule 10 Records that would apply to the exempt clearing agencies subject to those orders.1015 The amendments would provide that the records need to be retained for five years (consistent with Rules 13n–7 and 17a–1).1016 In the case of the written policies and procedures to address cybersecurity risks, the record would need to be maintained until five years after the termination of the use of the policies and procedures. The preservation of these records would make them available for examination by the Commission and other regulators.

1013 See sections II.B.5. and II.C. of this release (discussing these proposed amendments in more detail). Rule 17a–4 sets forth record preservation and maintenance requirements for broker-dealers, Rule 17ad–7 sets forth record preservation and maintenance requirements for transfer agents, and Rule 18a–6 sets forth record preservation and maintenance requirements for SBS Entities.
1014 See proposed amendments to Rule 17a–4.
1015 See section II.B.5. of this release (discussing these proposed amendments in more detail).
1016 For the reasons discussed in section II.B.5.a. of this release, the proposal would not amend Rules 13n–7 or 17a–1. As explained in that section of the release, the existing requirements of Rule 13n–7 (which applies to SBSDRs) and Rule 17a–1 (which applies to registered clearing agencies, the MSRB, national securities associations, and national securities exchanges) will require these Market Entities to retain the Rule 10 Records for five years and, in the case of the written policies and procedures, for five years after the termination of the use of the policies and procedures.

B. Legal Basis

The Commission is proposing Rule 10 and Form SCIR under the Exchange Act, as well as amendments to Rules 17a–4, 17ad–7, and 18a–6 under the Exchange Act, under the following authorities under the Exchange Act: (1) Sections 15, 17, and 23 for broker-dealers (15 U.S.C. 78o, 78q, and 78w); (2) Sections 17, 17A, and 23 for clearing agencies (15 U.S.C. 78q, 17q–1, and 78w(a)(1)); (3) Sections 15B, 17, and 23 for the MSRB (15 U.S.C. 78o–4, 78q(a), and 78w); (4) Sections 6(b), 11A, 15A, 17, and 23 for national securities exchanges and national securities associations (15 U.S.C. 78f, 78k–1, 78o–3, and 78w); (5) Sections 15F, 23, and 30(c) for SBS Entities (15 U.S.C. 78o–10, 78w, and 78dd(c)); (6) Sections 13 and 23 for SBSDRs (15 U.S.C. 78m and 78w); and (7) Sections 17a, 17A, and 23 for transfer agents (78q, 17q–1, and 78w).

C. Small Entities Subject to Proposed Rule, Form SCIR, and Recordkeeping Rule Amendments

As discussed above, the Commission estimates that a total of approximately 1,989 Covered Entities (consisting of 1,541 broker-dealers, 16 clearing agencies, the MSRB, 25 total national securities exchanges and national securities associations, 50 SBS Entities, 3 SBSDRs, and 353 transfer agents) and 1,969 Non-Covered Broker-Dealers would be subject to the new cybersecurity requirements and related recordkeeping requirements as a result of: (1) proposed Rule 10 under the Exchange Act; (2) proposed Form SCIR; and (3) proposed amendments to Rules 17a–4, 17ad–7, and 18a–6 under the Exchange Act. The number of these firms that may be considered “small entities” is discussed below.

1. Broker-Dealers

For purposes of Commission rulemaking, a small entity includes, when used with reference to a broker-dealer, a broker-dealer that: (1) had total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act, or, if not required to file such statements, a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the last day of the preceding fiscal year (or in the time that it has been in business, if shorter); and (2) is not affiliated with any person (other than a natural person) that is not a small business or small organization.1017 Based on FOCUS Report data, the Commission estimates that, as of September 30, 2022, approximately 764 broker-dealers in total (195 broker-dealers that are Covered Entities and 569 broker-dealers that are Non-Covered Broker-Dealers) might be deemed small entities for purposes of this analysis.

1017 See paragraph (c) of Rule 0–10.

2. Clearing Agencies

For the purposes of Commission rulemaking, a small entity includes, when used with reference to a clearing agency, a clearing agency that: (1) compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year; (2) had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or at any time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization.1018 Based on the Commission’s existing information about the clearing agencies currently registered with the Commission, the Commission preliminarily believes that such entities exceed the thresholds defining “small entities” set out above. While other clearing agencies may emerge and seek to register as clearing agencies, the Commission preliminarily does not believe that any such entities would be “small entities” as defined in Exchange Act Rule 0–10. Consequently, the Commission certifies that the proposed rule and form would not, if adopted, have a significant economic impact on a substantial number of small entities.

3. The MSRB

The Commission’s rules do not define “small business” or “small organization” for purposes of entities like the MSRB. The MSRB does not fit into one of the categories listed under the Commission rule that provides guidelines for a defined group of entities to qualify as a small entity for purposes of Commission rulemaking under the RFA.1019 The RFA, in turn, refers to the Small Business Administration (“SBA”) in providing that the term “small business” is defined as having the same meaning as the term “small business concern” under section 3 of the Small Business Act.1020 The SBA provides a comprehensive list of categories with accompanying size standards that outline how large a business concern can be and still qualify as a small business.1021 The industry categorization that appears to best fit the MSRB under the SBA table is Professional Organization. The SBA defines a Professional Organization as an entity having average annual receipts of less than $15 million.
Within the MSRB’s 2021 Annual Report the organization reported total revenue exceeding $35 million for fiscal year 2021.1022 The Report also stated that the organization’s total revenue for fiscal year 2020 exceeded $47 million.1023 The Commission is using the SBA’s definition of small business to define the MSRB for purposes of the RFA and has concluded that the MSRB is not a ‘‘small entity.’’ Consequently, the Commission certifies that the proposed rule and form would not, if adopted, have a significant economic impact on a substantial number of small entities.

4. National Securities Exchanges and National Securities Associations

For the purposes of Commission rulemaking, and with respect to the national securities exchanges, the Commission has defined a ‘‘small entity’’ as an exchange that has been exempt from the reporting requirements of Rule 601 of Regulation NMS and is not affiliated with any person (other than a natural person) that is not a small business or small organization.1024 None of the national securities exchanges registered under section 6 of the Exchange Act that would be subject to the proposed rule and form is a ‘‘small entity’’ for purposes of the RFA.

1018 See paragraph (d) of Rule 0–10.
1019 See Rule 0–10.
1020 See 5 U.S.C. 601(3).
1021 See 13 CFR 121.201. See also SBA, Table of Small Business Size Standards Matched to North American Industry Classification System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business size standards within 13 CFR 121.201).
1022 See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB2021-Annual-Report.ashx.
1023 Id.
There is only one national securities association (FINRA), and the Commission has previously stated that it is not a small entity as defined by 13 CFR 121.201.1025 Consequently, the Commission certifies that the proposed rule and form would not, if adopted, have a significant economic impact on a substantial number of small entities.

5. SBS Entities

For purposes of Commission rulemaking, a small entity includes: (1) when used with reference to an ‘‘issuer’’ or a ‘‘person,’’ other than an investment company, an ‘‘issuer’’ or ‘‘person’’ that, on the last day of its most recent fiscal year, had total assets of $5 million or less;1026 or (2) a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act,1027 or, if not required to file such statements, a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the last day of the preceding fiscal year (or in the time that it has been in business, if shorter); and is not affiliated with any person (other than a natural person) that is not a small business or small organization.1028

With respect to SBS Entities, based on feedback from market participants and our information about the security-based swap markets, and consistent with our position in prior rulemakings arising out of the Dodd-Frank Act, the Commission continues to believe that: (1) the types of entities that will engage in more than a de minimis amount of dealing activity involving security-based swaps—which generally would be large financial institutions—would not be ‘‘small entities’’ for purposes of the RFA, and (2) the types of entities that may have security-based swap positions above the level required to be MSBSPs would not be ‘‘small entities’’ for purposes of the RFA.1029 Consequently, the Commission certifies that with respect to SBS Entities the proposed rule and form (as well as the amendments to Rule 3a71–6) would not, if adopted, have a significant economic impact on a substantial number of small entities.

6. SBSDRs

For purposes of Commission rulemaking regarding SBSDRs, a small entity includes: (1) when used with reference to an ‘‘issuer’’ or a ‘‘person,’’ other than an investment company, an ‘‘issuer’’ or ‘‘person’’ that, on the last day of its most recent fiscal year, had total assets of $5 million or less;1030 or (2) a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act,1031 or, if not required to file such statements, a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the last day of the preceding fiscal year (or in the time that it has been in business, if shorter); and is not affiliated with any person (other than a natural person) that is not a small business or small organization.1032 Based on the Commission’s existing information about the SBSDRs currently registered with the Commission, and consistent with the Commission’s prior rulemakings,1033 the Commission preliminarily believes that such entities exceed the thresholds defining ‘‘small entities’’ set out above. While other SBSDRs may emerge and seek to register as SBSDRs, the Commission preliminarily does not believe that any such entities would be ‘‘small entities’’ as defined in Exchange Act Rule 0–10. Consequently, the Commission certifies that the proposed rule and form would not, if adopted, have a significant economic impact on a substantial number of small entities.

7. Transfer Agents

For purposes of Commission rulemaking, Exchange Act Rule 0–10(h) provides that the term small business or small organization shall, when used with reference to a transfer agent, mean a transfer agent that: (1) received less than 500 items for transfer and less than 500 items for processing during the preceding six months (or in the time that it has been in business, if shorter); (2) transferred items only of issuers that would be deemed ‘‘small businesses’’ or ‘‘small organizations’’ as defined in this section; (3) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (4) is not affiliated with any person (other than a natural person) that is not a small business or small organization under this section.1034 As of March 31, 2022, the Commission estimates there were 158 transfer agents that were considered small organizations. Our estimate is based on the number of transfer agents that reported a value of fewer than 1,000 for items 4(a) and 5(a) on Form TA–2 for the 2021 annual reporting period (which was required to be filed by March 31, 2022).1035

D. Reporting, Recordkeeping, and Other Compliance Requirements

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR

The proposed requirements under proposed Rule 10 and Parts I and II of proposed Form SCIR, including compliance and recordkeeping requirements, are summarized in this IRFA.1036 The burdens on respondents, including those that are small entities, are discussed above in the Commission’s economic analysis and PRA analysis.1037 They also are discussed below. As discussed above, there are approximately 764 small entity broker-dealers. Of these, 195 would be Covered Entities and 569 would be Non-Covered Broker-Dealers under proposed Rule 10. In addition, there are approximately 158 small entity transfer agents, all of which would be Covered Entities (resulting in a total of 353 small entities that would be Covered Entities). The total number of small entity broker-dealers or transfer agents that would be subject to the requirements of proposed Rule 10 as either Covered Entities or Non-Covered Broker-Dealers is 922. The requirements under proposed Rule 10 to implement and review certain policies and procedures would result in costs to these small entities.

1024 See paragraph (e) of Rule 0–10.
1025 See, e.g., Securities Exchange Act Release No. 62174 (May 26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (‘‘FINRA is not a small entity as defined by 13 CFR 121.201.’’).
1026 See paragraph (a) of Rule 0–10.
1027 17 CFR 240.17a–5(d).
1028 See paragraph (c) of Rule 0–10.
1029 See, e.g., SBS Entity Risk Mitigation Adopting Release, 85 FR at 6411; SBS Entity Registration Adopting Release, 80 FR at 49013; Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based Swap Participants, and Broker-Dealers; Capital Rule for Certain Security-Based Swap Dealers, Exchange Act Release No. 71958 (Apr. 17, 2014), 79 FR 25193, 25296–97 and n.1441 (May 2, 2014); Further Definition Release, 77 FR at 30743.
1030 See paragraph (a) of Rule 0–10.
1031 17 CFR 240.17a–5(d).
1032 See paragraph (c) of Rule 0–10.
1033 See, e.g., SBSDR Adopting Release, 80 FR at 14548–49 (stating that ‘‘[i]n the Proposing Release, the Commission stated that it did not believe that any persons that would register as SBSDRs would be considered small entities. The Commission stated that it believed that most, if not all, SBSDRs would be part of large business entities with assets in excess of $5 million and total capital in excess of $500,000. As a result, the Commission certified that the proposed rules would not have a significant impact on a substantial number of small entities and requested comments on this certification. The Commission did not receive any comments that specifically addressed whether Rules 13n–1 through 13n–12 and Form SBSDR would have a significant economic impact on small entities. Therefore, the Commission continues to believe that Rules 13n–1 through 13n–12 and Form SBSDR will not have a significant economic impact on a substantial number of small entities. Accordingly, the Commission hereby certifies that, pursuant to 5 U.S.C. 605(b), Rules 13n–1 through 13n–12, Form SBSDR will not have a significant economic impact on a substantial number of small entities’’).
1034 See paragraph (h) of Rule 0–10.
For Covered Entities, this would create a new annual burden of approximately 31.67 hours per firm, or 11,179.51 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities to be $5,164,933.62.1038 For Non-Covered Broker-Dealers, the requirements would create a new annual burden of approximately 21 hours per firm, or 11,949 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities to be $5,520,438.1039 In addition, there are approximately 922 small entities that would be subject to the notification requirements of proposed Rule 10. The requirement to make a determination regarding a significant cybersecurity incident and immediate notice to the Commission would create a new annual burden of approximately 4.67 hours per Market Entity, or 4,305.74 hours in aggregate for small entities.

1035 Item 4(a) on Form TA–2 requires each transfer agent to provide the number of items received for transfer during the reporting period. Item 5(a) on Form TA–2 requires each transfer agent to provide its total number of individual securityholder accounts, including accounts in the Direct Registration System (DRS), dividend reinvestment plans and/or direct purchase plans as of December 31.
1036 See section VI.A. of this release. See also section II of this release (discussing the requirements of proposed Rule 10 and Parts I and II of proposed Form SCIR in more detail).
1037 See sections IV and V of this release (setting forth the Commission’s economic analysis and PRA analysis, respectively).
1038 $29,102,133.06 total cost × (353 small entities/1,989 total entities) = $5,164,933.62.
The Commission therefore expects the annual monetized aggregate cost to small entities associated with the proposed notification requirement under Rule 10 to be $1,519,926.22.1040 The 353 small entities that would be Covered Entities would also be subject to the requirements to file Part I of proposed Form SCIR. This would create a new annual burden of approximately 2.5 hours per Covered Entity, or 882.5 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities associated with Part I of proposed Form SCIR to be $380,357.50.1041 In addition, the approximately 353 small entities that are Covered Entities would be subject to the disclosure requirements of proposed Rule 10. These 353 small entities would be required to make certain public disclosures on Part II of proposed Form SCIR. This would create a new annual burden of approximately 3.67 hours per Covered Entity, or 1,295.51 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities associated with Part II of proposed Form SCIR to be $486,243.38.1042 Furthermore, the requirement to file Form SCIR using a form-specific XML may impose some compliance costs for entities not already required to file in EDGAR. Because all transfer agents are already required to file in EDGAR their annual reports on Form TA–2, no small entity transfer agent will incur an additional burden for filing their public disclosures in EDGAR. Assuming all 195 small broker-dealers that are Covered Entities do not already file in EDGAR, the requirement to file the public disclosures in EDGAR would create an initial, one-time burden of approximately 0.30 hours per Covered Entity, or 58.5 hours in aggregate for small entities, to complete and submit a Form ID. In addition, the requirement to file Form SCIR using custom XML (with which a Covered Entity would be able to comply by inputting its disclosures into a fillable web form) would create an ongoing burden of 0.5 hours per filing, or 176.5 hours for all small entities collectively. As discussed above, there are approximately 195 small entity broker-dealers that would be subject to the additional disclosure requirements under proposed Rule 10 for customers of Covered Broker-Dealers. This would create a new annual burden of approximately 51.26 hours per Covered Entity, or 9,995.7 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities associated with the proposed disclosure requirements for Covered Broker-Dealers to be $689,703.30.1043

2. Rules 17a–4, 17ad–7, and 18a–6

The proposed amendments to Rules 17a–4, 17ad–7, and 18a–6 would impose certain recordkeeping requirements, which—with respect to 17a–4 and 17ad–7—include requirements for those that are small entities.1044 The proposed amendments are discussed above in detail,1045 and the requirements and the burdens on respondents, including those that are small entities, are discussed above in the economic analysis and PRA, respectively.1046 There are approximately 353 small entities that would be subject to the proposed amendments to Rules 17a–4 and 17ad–7 as Covered Entities.

1039 $19,103,238 total cost × (569 small entities/1,969 total entities) = $5,520,438.
1040 $6,524,802.58 total cost × (922 small entities/3,958 total entities) = $1,519,926.22.
1041 $2,143,147.5 total cost × (353 small entities/1,989 total entities) = $380,357.50.
1042 $2,739,767.94 total cost × (353 small entities/1,989 total entities) = $486,243.38.
As discussed above in the PRA analysis in section V, the proposed amendments to Rules 17a–4 and 17ad–7 would require Market Entities to retain certain copies of documents required under proposed Rule 10, and would create a new annual burden of approximately 6 hours per entity, or 2,118 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities associated with the proposed amendments would be $155,673.1047 As discussed above, there are approximately 569 small entity broker-dealers that would be subject to the proposed amendments to Rule 17a–4 as Non-Covered Broker-Dealers. As discussed above in the PRA analysis in section V, the proposed amendments to Rule 17a–4 would require Market Entities to retain certain copies of documents required under proposed Rule 10, which would create a new annual burden of approximately 3 hours per entity, or 1,707 hours in aggregate for small entities. The Commission therefore expects the annual monetized aggregate cost to small entities associated with the proposed amendments would be $125,464.50.1048

E. Duplicative, Overlapping, or Conflicting Federal Rules

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR

As discussed above, certain broker-dealers—including an operator of an ATS—and transfer agents would be small entities.

1043 $5,450,424.54 total cost × (195 small entities/1,541 total entities) = $689,703.30.
1044 See section VI.A.3. of this release.
1045 See sections II.B.5. and II.C. of this release.
1046 See sections IV and V of the release.
1047 $877,149 total cost × (353 small entities/1,989 total entities) = $155,673.
Proposed Rule 10 would require all Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks, and, at least annually, review and assess the design and effectiveness of these policies and procedures.1049 As discussed earlier, broker-dealers are subject to Regulation S–P and Regulation S–ID.1050 In addition, ATSs that trade certain stocks exceeding specific volume thresholds are subject to Regulation SCI. Further, an ATS is subject to Regulation ATS. Transfer agents registered with the Commission (but not transfer agents registered with another appropriate regulatory agency) are subject to the Regulation S–P Disposal Rule.1051 Transfer agents also may be subject to Regulation S–ID if they are ‘‘financial institutions’’ or ‘‘creditors.’’1052 As discussed earlier, these other regulations have provisions that require policies and procedures that address certain cybersecurity risks.1053 However, the policies and procedures requirements of proposed Rule 10 are intended to differ in scope and purpose from those other regulations, and the policies and procedures required under proposed Rule 10 are consistent with the existing and proposed requirements of those other regulations that pertain to cybersecurity.

Proposed Rule 10 would require all Market Entities to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.1054 Covered Entities—in addition to providing the Commission with immediate written electronic notice of a significant cybersecurity incident—would need to report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission.1055 Recently, the OCC, Federal Reserve Board, and FDIC adopted a new rule that would require certain banking organizations to notify the appropriate banking regulator of any cybersecurity incidents within 36 hours of discovering an incident.1056 Certain transfer agents are banking organizations and, therefore, may be required to provide notification to the Commission and other regulators under proposed Rule 10 and to their banking regulator under this new rule if they experience a significant cybersecurity incident.1057 However, the burdens of providing these notices are minor and each requirement is designed to alert separate regulators who have oversight responsibilities with respect to transfer agents about cybersecurity incidents that could adversely impact the transfer agent.

Proposed Rule 10 would require a Covered Entity to make two types of public disclosures relating to cybersecurity on Part II of proposed Form SCIR.1058 Covered Entities would be required to make the disclosures by filing Part II of proposed Form SCIR on EDGAR and posting a copy of the filing on their business internet websites.1059 In addition, a Covered Entity that is either a carrying or introducing broker-dealer would be required to provide a copy of the most recently filed Part II of Form SCIR to a customer as part of the account opening process. Thereafter, the carrying or introducing broker-dealer would need to provide the customer with the most recently filed form annually.

1048 $434,164.50 total cost × (569 small entities/1,969 total entities) = $125,464.50.
1049 See paragraphs (b)(1) and (e)(1) of proposed Rule 10 (requiring Covered Entities and Non-Covered Broker-Dealers, respectively, to have policies and procedures to address their cybersecurity risks); sections II.B.1. and II.C.1. of this release (discussing the requirements of paragraphs (b)(1) and (e)(1) of proposed Rule 10 in more detail).
1050 See section IV.C.1.b.i. of this release (discussing current relevant regulations applicable to broker-dealers).
1051 See section IV.C.1.b.v. of this release (discussing current relevant regulations applicable to transfer agents).
1052 See 17 CFR 248.201 and 202. The scope of Regulation S–ID includes any financial institution or creditor, as defined in the Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be ‘‘registered under the Securities Exchange Act of 1934.’’ See 17 CFR 248.201(a).
1053 See section II.F.1.c. of this release.
1054 See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of this release (discussing these proposed requirements in more detail).
1055 See sections II.B.2. and II.B.4. of this release (discussing these proposed requirements in more detail).
1056 See section IV.C.1.d. of this release (discussing this requirement in more detail).
1057 Similarly, to the extent that a Covered Entity is subject to NFA rules, there may be overlapping notification requirements. See NFA Interpretive Notice 9070—NFA Compliance Rules 2–9, 2–36 and 2–49: Information Systems Security Programs (effective March 1, 2016; April 1, 2019 and September 30, 2019) available at https://www.nfa.futures.org/rulebook/rules.aspx?RuleID=9070&Section=9.
Regulation SCI requires that SCI entities disseminate information to their members, participants, or customers (as applicable) regarding SCI events, including systems intrusions.1060 Consequently, a Covered Entity would, if it experiences a ‘‘significant cybersecurity incident,’’ be required to make updated disclosures under proposed Rule 10 by filing Part II of proposed Form SCIR on EDGAR, posting a copy of the form on its business internet website, and, in the case of a carrying or introducing broker-dealer, by sending the disclosure to its customers using the same means that the customer elects to receive account statements. Moreover, if a Covered Entity is an SCI entity and the significant cybersecurity incident is or would be an SCI event under the current or proposed requirements of Regulation SCI, the Covered Entity also could be required to disseminate certain information about the SCI event to certain of its members, participants, or customers (as applicable). As discussed above, proposed Rule 10 and Regulation SCI require different types of information to be disclosed. In addition, the disclosures, for the most part, would be made to different persons: (1) the public at large in the case of proposed Rule 10;1061 and (2) affected members, participants, or customers (as applicable) of the SCI entity in the case of Regulation SCI. For these reasons, the Commission proposes to apply the disclosure requirements of proposed Rule 10 to Covered Entities even if they would be subject to the disclosure requirements of Regulation SCI.

2. Rules 17a–4, 17ad–7, 18a–6 and Clearing Agency Exemption Orders

As part of proposed Rule 10, the Commission is proposing corresponding amendments to the books and records rules for Market Entities. There are no duplicative, overlapping, or conflicting Federal rules with respect to the proposed amendments to Rules 17a–4, 17ad–7, 18a–6 and clearing agency exemption orders.

F. Significant Alternatives

The RFA directs the Commission to consider significant alternatives that would accomplish our stated objectives, while minimizing any significant adverse effect on small entities.

1. Broker-Dealers

As discussed above, the proposal would apply to all registered broker-dealers. Under the proposal, the following broker-dealers would be Covered Entities: (1) broker-dealers that maintain custody of securities and cash for customers or other broker-dealers (i.e., carrying broker-dealers); (2) broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis (i.e., introducing broker-dealers); (3) broker-dealers with regulatory capital equal to or exceeding $50 million; (4) broker-dealers with total assets equal to or exceeding $1 billion; (5) broker-dealers that operate as market makers; and (6) broker-dealers that operate an ATS. Broker-dealers that do not fit into at least one of these categories would not be Covered Entities (i.e., they would be Non-Covered Broker-Dealers). As discussed earlier, Covered Entities would be subject to additional requirements under proposed Rule 10.1062 Of the 1,541 broker-dealers that would be Covered Entities, approximately 195 are considered small entities. All but one of these small entities are broker-dealers that introduce their customer accounts to a carrying broker-dealer on a fully disclosed basis. The remaining small entity broker-dealer is an operator of an ATS.

1058 See paragraph (d)(1) of proposed Rule 10.
1059 See section II.B.3.b. of this release (discussing these proposed requirements in more detail).
1060 See 17 CFR 242.1002(c).
1061 A carrying broker-dealer would be required to make the disclosures to its customers as well through the means by which they receive account statements.
The Commission considered the following alternatives for small entities that are Covered Broker-Dealers in relation to the proposal: (1) differing compliance or reporting requirements that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the proposed rule for such small entities; (3) the use of design rather than performance standards; and (4) an exemption from coverage of the proposed rule, or any part thereof, for such small entities.

Regarding the first and fourth alternatives, the Commission decided not to include differing requirements or exemptions for introducing broker-dealers, regardless of size, and therefore, they would be Covered Entities under the proposed rule. This decision was based on a number of considerations.1063 For example, introducing broker-dealers are a conduit to their customers’ accounts at the carrying broker-dealer and have access to information and trading systems of the carrying broker-dealer. Consequently, a cybersecurity incident at an introducing firm could directly harm the introducing firm’s customers to the extent it causes them to lose access to the systems allowing them to view and transact in their securities accounts at the carrying broker-dealer. Further, a significant cybersecurity incident at an introducing broker-dealer could spread to the carrying broker-dealer given the information systems that connect the two firms. These connections also may make introducing broker-dealers attractive targets for threat actors seeking to access the information systems of the carrying broker-dealer to which the introducing broker-dealer is connected.

In addition, introducing broker-dealers may store personal information about their customers on their information systems or be able to access this information on the carrying broker-dealer’s information systems. If this information is accessed or stolen by unauthorized users, it could result in harm (e.g., identity theft or conversion of financial assets) to many individuals, including retail investors. The Commission decided not to include differing requirements or exemptions for broker-dealers that operate an ATS, regardless of size, and therefore, they would be Covered Entities under the proposed rule. This decision was based on a number of considerations.1064 The Commission also decided to include all broker-dealers, regardless of size, that operate an ATS as Covered Entities in the proposed rule because ATSs have become increasingly important venues for trading securities in a fast and automated manner. ATSs perform exchange functions to bring together buyers and sellers using limit order books and order types. These developments have made ATSs significant sources of orders and trading interest for securities. ATSs use data feeds, algorithms, and connectivity to perform their functions. In this regard, ATSs rely heavily on information systems, including to connect to other Market Entities such as other broker-dealers and principal trading firms.

1062 See paragraphs (b), (c), and (d) of proposed Rule 10 (setting forth the requirements for Covered Entities); paragraph (e) of proposed Rule 10 (setting forth the requirements for Non-Covered Broker-Dealers).
1063 See section II.A.1.b. of this release (discussing why introducing broker-dealers would be Covered Entities in more detail).
1064 See section II.A.1.b. of this release (discussing why broker-dealers that operate an ATS would be Covered Entities in more detail).
A significant cybersecurity incident that disrupts a broker-dealer that operates as an ATS could negatively impact the ability of investors to liquidate or purchase certain securities at favorable or predictable prices or in a timely manner to the extent the ATS provides liquidity to the market for those securities. Further, a significant cybersecurity incident at an ATS could provide a gateway for threat actors to attack other Market Entities that connect to it through information systems and networks of interconnected information systems. This could cause a cascading effect where a significant cybersecurity incident initially impacting an ATS spreads to other Market Entities, causing major disruptions to the U.S. securities markets. In addition, ATSs are connected to a number of different Market Entities through information systems, including national securities exchanges and other broker-dealers. Therefore, they create and are exposed to cybersecurity risk through the channels of these information systems.

Regarding the second alternative, the Commission believes the current proposal is clear and that further clarification, consolidation, or simplification of the compliance requirements is not necessary for small entities that are introducing broker-dealers or broker-dealers that operate as ATSs. As discussed above, proposed Rule 10 would require Covered Entities to establish, maintain, and enforce written cybersecurity policies and procedures that are reasonably designed to address their cybersecurity risks and that specifically address: (1) risk assessment; (2) user security and access; (3) information protection; (4) cybersecurity threat and vulnerability management; and (5) cybersecurity incident response and recovery.1065 It also would require Covered Entities to conduct an annual review and assessment of these policies and procedures and produce a report documenting the review and assessment. Further, the proposed rule would require them to provide immediate notification and subsequent reporting of significant cybersecurity incidents and to publicly disclose summary descriptions of their cybersecurity risks and, if applicable, summary descriptions of their significant cybersecurity incidents.1066 The proposed rule would provide clarity in the existing regulatory framework regarding cybersecurity and serve as an explicit requirement for firms to establish, maintain, and enforce comprehensive cybersecurity programs to address their cybersecurity risks, provide information to the Commission about the significant cybersecurity incidents they experience, and publicly disclose information about their cybersecurity risks and significant cybersecurity incidents.

Regarding the third alternative, the Commission determined to use performance standards rather than design standards. Although the proposed rule requires Covered Entities to implement policies and procedures that are reasonably designed and that must include certain elements, the Commission does not place certain conditions or restrictions on how to establish, maintain, and enforce such policies and procedures. The general elements required to be included in the policies and procedures are designed to enumerate the core areas that firms would need to address when adopting, implementing, reassessing, and updating their cybersecurity policies and procedures. The policies and procedures that would be required by proposed Rule 10—because they would need to address the Covered Entity’s cybersecurity risks—generally should be tailored to the nature and scope of the Covered Entity’s business and address the Covered Entity’s specific cybersecurity risks. Thus, proposed Rule 10 is not intended to impose a one-size-fits-all approach to addressing cybersecurity risks. In addition, cybersecurity threats are constantly evolving and measures to address those threats continue to evolve. Therefore, proposed Rule 10 is designed to provide Covered Entities with the flexibility to update and modify their policies and procedures as needed so that they continue to be reasonably designed to address the Covered Entity’s cybersecurity risks over time.

The remaining 569 small entity broker-dealers registered would not be Covered Entities. These firms are not conduits to their customer accounts at a carrying broker-dealer. These firms also do not perform exchange-like functions such as offering limit order books and other order types, like an ATS would. As such, these firms are subject to differing compliance, reporting, and disclosure requirements that take into account the resources available to the entities. For example, these firms are subject to simplified requirements concerning their cybersecurity policies and procedures and annual review.1067 In addition, these firms are exempted from the cybersecurity reporting and disclosure requirements that apply to Covered Entities.

1065 See paragraph (b) of proposed Rule 10. See also section II.B.1. of this release (discussing these requirements in more detail).
1066 See paragraphs (c) and (d) of proposed Rule 10. See also sections II.B.2. through II.B.4. of this release (discussing these requirements in more detail).
1067 Non-Covered Broker-Dealers that are small entities are not, however, altogether exempted from the policies and procedures requirements because having appropriate cybersecurity policies and procedures in place would help address any cybersecurity risks and incidents that occur at the broker-dealer and help protect broker-dealers and their customers from greater risk of harm. The Commission anticipates that these benefits should apply to customers of smaller firms as well as larger firms. Non-Covered Broker-Dealers are also not exempted from the requirement to provide the Commission with immediate written electronic notice of a significant cybersecurity incident affecting the entity.

2. Clearing Agencies

For the reasons stated above, this requirement is not applicable to clearing agencies.

3. The MSRB

For the reasons stated above, this requirement is not applicable to the MSRB.

4. National Securities Exchanges and National Securities Associations

For the reasons stated above, this requirement is not applicable to national securities exchanges and national securities associations.

5. SBS Entities

For the reasons stated above, this requirement is not applicable to SBS Entities.

6. SBSDRs

For the reasons stated above, this requirement is not applicable to SBSDRs.

7. Transfer Agents

The proposed rule would apply to every transfer agent as defined in section 3(a)(25) of the Exchange Act that is registered or required to be registered with an appropriate regulatory agency as defined in section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there were 353 transfer agents that were either registered with the Commission through Form TA–1 or registered with other appropriate regulatory agencies through Form TA–2. As of March 31, 2022, the Commission estimates there were 158 transfer agents that were considered small organizations.
The Commission considered the following alternatives for small organizations that are transfer agents in relation to the proposal: (1) differing compliance or reporting requirements that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the proposed rule for such small entities; (3) the use of design rather than performance standards; and (4) an exemption from coverage of the proposed rule, or any part thereof, for such small entities.

Regarding the first and fourth alternatives, the Commission decided not to include differing requirements or exemptions for transfer agents, regardless of size, and therefore, they would be Covered Entities under the proposed rule. This decision was based on a number of considerations.1068 Transfer agents engage on behalf of an issuer of securities or on behalf of itself as an issuer of securities in (among other functions): (1) tracking, recording, and maintaining the official record of ownership of each issuer’s securities; (2) canceling old certificates, issuing new ones, and performing other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of those securities; (3) facilitating communications between issuers and registered securityholders; and (4) making dividend, principal, interest, and other distributions to securityholders. Their core recordkeeping systems provide a direct conduit to their issuer clients’ master records that document and, in many instances provide the legal underpinning for, registered securityholders’ ownership of the issuer’s securities. If these functions were disrupted, investors might not be able to transfer ownership of their securities or receive dividends and interest due on their securities positions. Transfer agents store proprietary information about securities ownership and corporate actions. A significant cybersecurity incident at a transfer agent could lead to the improper use of this information to harm securities holders (e.g., public exposure of confidential financial information) or provide the unauthorized user with an unfair advantage over other market participants (e.g., trading based on confidential business information). Transfer agents also may store personal information including names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents’ recordkeeping and transaction processing on behalf of issuers. Threat actors breaching the transfer agent’s information systems could use this information to steal identities or financial assets of the persons to whom this information pertains. They also could sell it to other threat actors.

Regarding the second alternative, the Commission is not proposing further clarification, consolidation, or simplification of the compliance requirements for small organizations that are transfer agents. As discussed above, proposed Rule 10 would require Covered Entities to establish, maintain, and enforce written cybersecurity policies and procedures that are reasonably designed to address their cybersecurity risks and that specifically address: (1) risk assessment; (2) user security and access; (3) information protection; (4) cybersecurity threat and vulnerability management; and (5) cybersecurity incident response and recovery.1069 It also would require Covered Entities to conduct an annual review and assessment of these policies and procedures and produce a report documenting the review and assessment. Further, the proposed rule would require them to provide immediate notification and subsequent reporting of significant cybersecurity incidents and to publicly disclose summary descriptions of their cybersecurity risks and, if applicable, summary descriptions of their significant cybersecurity incidents.1070 The proposed rule would provide clarity in the existing regulatory framework regarding cybersecurity and serve as an explicit requirement for firms to establish, maintain, and enforce comprehensive cybersecurity programs to address their cybersecurity risks, provide information to the Commission about the significant cybersecurity incidents they experience, and publicly disclose information about their cybersecurity risks and significant cybersecurity incidents.

Regarding the third alternative, the proposed rule requires Covered Entities to implement policies and procedures that are reasonably designed and that must include certain elements. However, the proposed rule does not place certain conditions or restrictions on how to establish, maintain, and enforce such policies and procedures. The general elements required to be included in the policies and procedures are designed to enumerate the core areas that firms would need to address when adopting, implementing, reassessing, and updating their cybersecurity policies and procedures. The policies and procedures that would be required by proposed Rule 10—because they would need to address the Covered Entity’s cybersecurity risks—generally should be tailored to the nature and scope of the Covered Entity’s business and address the Covered Entity’s specific cybersecurity risks. Thus, proposed Rule 10 is not intended to impose a one-size-fits-all approach to addressing cybersecurity risks. In addition, cybersecurity threats are constantly evolving and measures to address those threats continue to evolve. Therefore, proposed Rule 10 is designed to provide Covered Entities with the flexibility to update and modify their policies and procedures as needed so that they continue to be reasonably designed to address the Covered Entity’s cybersecurity risks over time.

1068 See section II.A.1.c. of this release (discussing why transfer agents would be Covered Entities in more detail).
1069 See paragraph (b) of proposed Rule 10. See also section II.B.1. of this release (discussing these requirements in more detail).
1070 See paragraphs (c) and (d) of proposed Rule 10. See also sections II.B.2. through II.B.4. of this release (discussing these requirements in more detail).

G. Request for Comment

The Commission encourages written comments on the matters discussed in this IRFA. The Commission solicits comment on the number of small entities subject to the proposed Rule 10, Form SCIR, and proposed amendments to Rules 3a71–6, 17a–4, 18a–6, and 17ad–7. The Commission also solicits comment on the potential effects discussed in this analysis, and whether this proposal could have an effect on small entities that have not been considered. The Commission requests that commenters describe the nature of any effect on small entities and provide empirical data to support the extent of such effect. Such comments will be placed in the same public file as comments on the proposed rule and form and associated amendments. Persons wishing to submit written comments should refer to the instructions for submitting comments located at the front of this release.

VII. Small Business Regulatory Enforcement Fairness Act

For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or “SBREFA,” the Commission must advise OMB whether a proposed regulation constitutes a “major” rule.
Under SBREFA, a rule is considered “major” where, if adopted, it results in or is likely to result in (1) an annual effect on the economy of $100 million or more; (2) a major increase in costs or prices for consumers or individual industries; or (3) significant adverse effects on competition, investment or innovation. The Commission requests comment on the potential effect of the proposed amendments on the U.S. economy on an annual basis; any potential increase in costs or prices for consumers or individual industries; and any potential effect on competition, investment or innovation. Commenters are requested to provide empirical data and other factual support for their views to the extent possible.

VIII. Statutory Authority

The Commission is proposing new Rule 10 (17 CFR 242.10) and Form SCIR (17 CFR 249.624) and amending Regulation S–T (17 CFR 232.101), Rule 3a71–6 (17 CFR 240.3a71–6), Rule 17a–4 (17 CFR 240.17a–4), Rule 17ad–7 (17 CFR 240.17ad–7), Rule 18a–6 (17 CFR 18a–6), and Rule 18a–10 (17 CFR 240.18a–10) under the Commission’s rulemaking authority set forth in the following sections of the Exchange Act: (1) sections 15, 17, and 23 for broker-dealers (15 U.S.C. 78o, 78q, and 78w); (2) sections 17, 17A, and 23 for clearing agencies (15 U.S.C. 78q, 17q–1, and 78w(a)(1)); (3) sections 15B, 17 and 23 for the MSRB (15 U.S.C. 78o–4, 78q(a), and 78w); (4) sections 6(b), 11A, 15A, 17, and 23 for national securities exchanges and national securities associations (15 U.S.C. 78f, 78k–1, 78o–3, and 78w); (5) sections 15F, 23, and 30(c) for SBS Entities (15 U.S.C. 78o–10, 78w, and 78dd(c)); (6) sections 13 and 23 for SBSDRs (15 U.S.C. 78m and 78w); and (7) sections 17a, 17A, and 23 for transfer agents (78q, 17q–1, and 78w).
List of Subjects in 17 CFR Parts 232, 240, 242 and 249

Brokers, Confidential business information, Reporting and recordkeeping requirements, Securities, Security-based swaps, Security-based swap dealers, Major security-based swap participants.

Text of Proposed Rules and Rule Amendments

For the reasons set out in the preamble, the Commission is proposing to amend title 17, chapter II of the Code of Federal Regulations as follows:

PART 232—REGULATION S–T—GENERAL RULES AND REGULATIONS FOR ELECTRONIC FILINGS

■ 1. The general authority citation for part 232 is revised to read as follows:

Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s(a), 77z–3, 77sss(a), 78c(b), 78l, 78m, 78n, 78o(d), 78o–10, 78w(a), 78ll, 80a–6(c), 80a–8, 80a–29, 80a–30, 80a–37, 80b–4, 80b–10, 80b–11, 7201 et seq.; and 18 U.S.C. 1350, unless otherwise noted.

* * * * *

■ 2. Section 232.101 is amended by revising paragraph (a)(1)(xxx) and adding paragraph (a)(1)(xxxi) to read as follows:

§ 232.101 Mandated electronic submissions and exceptions.

(a) * * *
(1) * * *
(xxx) Documents filed with the Commission pursuant to section 33 of the Investment Company Act (15 U.S.C. 80a–32); and
(xxxi) Form SCIR (§ 249.624 of this chapter).

* * * * *

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

■ 3. The authority citation for part 240 continues to read, in part, as follows:

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z–2, 77z–3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c–3, 78c–5, 78d, 78e, 78f, 78g, 78i, 78j, 78j–1, 78k, 78k–1, 78l, 78m, 78n, 78n–1, 78o, 78o–4, 78o–10, 78p, 78q, 78q–1, 78s, 78u–5, 78w, 78x, 78ll, 78mm, 80a–20, 80a–23, 80a–29, 80a–37, 80b–3, 80b–4, 80b–11, and 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; Pub. L. 111–203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112–106, sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.

* * * * *

■ 4. Section 240.3a71–6 is amended by revising paragraph (d)(1) to read as follows:

§ 240.3a71–6 Substituted compliance for security-based swap dealers and major security-based swap participants.

* * * * *
(d) * * *
(1) Business conduct, supervision, and risk management. The business conduct and supervision requirements of sections 15F(h) and (j) of the Act (15 U.S.C. 78o–10(h) and (j)) and §§ 240.15Fh–3 through 15Fh–6 (other than the antifraud provisions of section 15F(h)(4)(A) of the Act and § 240.15Fh–4(a), and other than the provisions of sections 15F(j)(3) and 15F(j)(4)(B) of the Act), and the requirements of § 242.10 of this chapter and Form SCIR (§ 249.624 of this chapter); provided, however, that prior to making such a substituted compliance determination the Commission intends to consider whether the information that is required to be provided to counterparties pursuant to the requirements of the foreign financial regulatory system, the counterparty protections under the requirements of the foreign financial regulatory system, the mandates for supervisory systems under the requirements of the foreign financial regulatory system, and the duties imposed by the foreign financial regulatory system, are comparable to those associated with the applicable provisions arising under the Act and its rules and regulations.

* * * * *

■ 5. Section 240.17a–4 is amended by adding paragraph (e)(13) to read as follows:

§ 240.17a–4 Records to be preserved by certain exchange members, brokers and dealers.
* * * * *
(e) * * *
(13)(i) The written policies and procedures required to be adopted and implemented pursuant to § 242.10(b)(1) or § 242.10(e)(1) of this chapter until three years after the termination of the use of the policies and procedures;
(ii) The written documentation of any risk assessment pursuant to § 242.10(b)(1)(i)(B) of this chapter for three years;
(iii) The written documentation of the occurrence of a cybersecurity incident pursuant to § 242.10(b)(1)(v)(B) of this chapter, including any documentation related to any response and recovery from such an incident, for three years;
(iv) The written report of the annual review required to be prepared pursuant to § 242.10(b)(2)(ii) of this chapter or the record of the annual review required pursuant to § 240.10(e)(1) for three years;
(v) A copy of any notice transmitted to the Commission pursuant to § 242.10(c)(1) or § 240.10(e)(2) of this chapter or any Part I of Form SCIR filed with the Commission pursuant to § 242.10(c)(2) of this chapter for three years; and
(vi) A copy of any Part II of Form SCIR filed with the Commission pursuant to § 242.10(d) of this chapter for three years.

* * * * *

■ 6. Redesignate § 240.17Ad–7 as § 240.17ad–7.

■ 7. Newly redesignated § 240.17ad–7 is amended by revising the section heading, and adding paragraph (j) to read as follows:

§ 240.17ad–7 Record retention. (Rule 17Ad–7)

* * * * *
(j)(1) The written policies and procedures required to be adopted and implemented pursuant to § 242.10(b)(1) of this chapter until three years after the termination of the use of the policies and procedures;
(2) The written documentation of any risk assessment pursuant to § 242.10(b)(1)(i)(B) of this chapter for three years;
(3) The written documentation of the occurrence of a cybersecurity incident pursuant to § 242.10(b)(1)(v)(B) of this chapter, including any documentation related to any response and recovery from such an incident, for three years;
(4) The written report of the annual review required to be prepared pursuant to § 242.10(b)(2)(ii) of this chapter for three years;
(5) A copy of any notice transmitted to the Commission and any ARA pursuant to § 242.10(c)(1) of this chapter or any Part I of Form SCIR filed with the Commission pursuant to § 240.2.10(c)(2) for three years; and
(6) A copy of any Part II of Form SCIR filed with the Commission pursuant to § 240.2.10(d) for three years.

■ 8. Section 240.18a–6 is amended by adding paragraph (d)(6) to read as follows:

§ 240.18a–6 Records to be preserved by certain security-based swap dealers and major security-based swap participants

* * * * *
(d) * * *
(6)(i) The written policies and procedures required to be adopted and implemented pursuant to § 242.10(b)(1) of this chapter until three years after the termination of the use of the policies and procedures;
(ii) The written documentation of any risk assessment pursuant to § 242.10(b)(1)(i)(B) of this chapter for three years;
(iii) The written documentation of the occurrence of a cybersecurity incident pursuant to § 242.10(b)(1)(v)(B) of this chapter, including any documentation related to any response and recovery from such an incident, for three years;
(iv) The written report of the annual review required to be prepared pursuant to § 242.10(b)(2)(ii) of this chapter for three years;
(v) A copy of any notice transmitted to the Commission pursuant to § 242.10(c)(1) of this chapter or any Part I of Form SCIR filed with the Commission pursuant to § 242.10(c)(2) of this chapter for three years; and
(vi) A copy of any Part II of Form SCIR filed with the Commission pursuant to § 242.10(d) of this chapter for three years.

* * * * *

■ 9. Section 240.18a–10 is amended by adding paragraph (g) to read as follows:

§ 240.18a–10 Alternative compliance mechanism for security-based swap dealers that are registered as swap dealers and have limited security-based swap activities

* * * * *
(g) The provisions of this section do not apply to the record maintenance and preservation requirements of § 240.18a–6(d)(6)(i) through (vi).

PART 242—REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES

■ 10. The general authority citation for part 242 is revised to read as follows:

Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k–1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78o–10, 78q(a), 78q(b), 78q(h), 78w(a), 78dd–1, 78mm, 80a–23, 80a–29, and 80a–37.

■ 11. Section 242.10 is added to read as follows:

§ 242.10 Cybersecurity requirements.

(a) Definitions. For purposes of this section:
(1) Covered entity means:
(i) A broker or dealer registered with the Commission that:
(A) Maintains custody of cash and securities for customers or other brokers or dealers and is not exempt from the requirements of § 240.15c3–3 of this chapter;
(B) Introduces customer accounts on a fully disclosed basis to another broker or dealer described in paragraph (a)(1)(i)(A) of this section;
(C) Has regulatory capital equal to or exceeding $50 million;
(D) Has total assets equal to or exceeding $1 billion;
(E) Is a market maker under the Securities Exchange Act of 1934 (15 U.S.C. 78a, et seq.) (“Act”) or the rules thereunder (which includes a broker or dealer that operates pursuant to § 240.15c3–1(a)(6) of this chapter) or is a market maker under the rules of a self-regulatory organization of which the broker or dealer is a member; or
(F) Operates an alternative trading system as defined in § 242.300(a) or operates an NMS Stock ATS as defined in § 242.300(k).
(ii) A clearing agency (registered or exempt) under section 3(a)(23)(A) of the Act.
(iii) A major security-based swap participant registered pursuant to section 15F(b) of the Act.
(iv) The Municipal Securities Rulemaking Board.
(v) A national securities association registered under section 15A of the Act.
(vi) A national securities exchange registered under section 6 of the Act.
(vii) A security-based swap data repository under section 3(a)(75) of the Act.
(viii) A security-based swap dealer registered pursuant to section 15F(b) of the Act.
(ix) A transfer agent as defined in section 3(a)(25) of the Act that is registered or required to be registered with an appropriate regulatory agency as defined in section 3(a)(34)(B) of the Act (hereinafter also “ARA”).
(2) Cybersecurity incident means an unauthorized occurrence on or conducted through a market entity’s information systems that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems.
(3) Cybersecurity risk means financial, operational, legal, reputational, and other adverse consequences that could result from cybersecurity incidents, cybersecurity threats, and cybersecurity vulnerabilities.
(4) Cybersecurity threat means any potential occurrence that may result in an unauthorized effort to affect adversely the confidentiality, integrity, or availability of a market entity’s information systems or any information residing on those systems.
(5) Cybersecurity vulnerability means a vulnerability in a market entity’s information systems, information system security procedures, or internal controls, including, for example, vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.
(6) Information means any records or data related to the market entity’s business residing on the market entity’s information systems, including, for example, personal information received, maintained, created, or processed by the market entity.
(7) Information systems means the information resources owned or used by the market entity, including, for example, physical or virtual infrastructure controlled by the information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the covered entity’s information to maintain or support the covered entity’s operations.
(8) Market Entity means a “covered entity” as defined in this section and a broker or dealer registered with the Commission that is not a “covered entity” as defined in this section.
(9) Personal information means any information that can be used, alone or in conjunction with any other information, to identify a person, including, but not limited to, name, date of birth, place of birth, telephone number, street address, mother’s maiden name, Social Security number, government passport number, driver’s license number, electronic mail address, account number, account password, biometric records, or other non-public authentication information.
(10) Significant cybersecurity incident means a cybersecurity incident, or a group of related cybersecurity incidents, that:
(i) Significantly disrupts or degrades the ability of the market entity to maintain critical operations; or
(ii) Leads to the unauthorized access or use of the information or information systems of the market entity, where the unauthorized access or use of such information or information systems results in or is reasonably likely to result in:
(A) Substantial harm to the market entity; or
(B) Substantial harm to a customer, counterparty, member, registrant, or user of the market entity, or to any other person that interacts with the market entity.
(b)(1) Cybersecurity policies and procedures. A covered entity must establish, maintain, and enforce written policies and procedures that are reasonably designed to address the covered entity’s cybersecurity risks, including policies and procedures that:
(i)(A) Risk assessment. Require periodic assessments of cybersecurity risks associated with the covered entity’s information systems and information residing on those systems, including requiring the covered entity to:
(1) Categorize and prioritize cybersecurity risks based on an inventory of the components of the covered entity’s information systems and information residing on those systems and the potential effect of a cybersecurity incident on the covered entity; and
(2) Identify the covered entity’s service providers that receive, maintain, or process information, or are otherwise permitted to access the covered entity’s information systems and any of the covered entity’s information residing on those systems, and assess the cybersecurity risks associated with the covered entity’s use of these service providers.
(B) Require written documentation of the risk assessments.
(ii) User security and access. Require controls designed to minimize user-related risks and prevent unauthorized access to the covered entity’s information systems and the information residing on those systems, including:
(A) Requiring standards of behavior for individuals authorized to access the covered entity’s information systems and the information residing on those systems, such as an acceptable use policy;
(B) Identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification;
(C) Establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication;
(D) Restricting access to specific information systems of the covered entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the covered entity; and
(E) Securing remote access technologies. (iii) Information protection. (A) Require measures designed to monitor the covered entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the covered entity’s information systems and the information that resides on the systems that takes into account: (1) The sensitivity level and importance of the information to the covered entity’s business operations; (2) Whether any of the information is personal information; (3) Where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) The information systems’ access controls and malware protection; and (5) The potential effect a cybersecurity incident involving the information could have on the covered entity and its customers, counterparties, members, or users, including the potential to cause a significant cybersecurity incident. (B) Require oversight of service providers that receive, maintain, or PO 00000 Frm 00134 Fmt 4701 Sfmt 4702 process the covered entity’s information, or are otherwise permitted to access the covered entity’s information systems and the information residing on those systems, pursuant to a written contract between the covered entity and the service provider, through which the service providers are required to implement and maintain appropriate measures, including the practices described in paragraphs (b)(1)(i) through (v) of this section, that are designed to protect the covered entity’s information systems and information residing on those systems. (iv) Cybersecurity threat and vulnerability management. Require measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the covered entity’s information systems and the information residing on those systems; (v) Cybersecurity incident response and recovery. 
(A) Require measures designed to detect, respond to, and recover from a cybersecurity incident, including policies and procedures that are reasonably designed to ensure: (1) The continued operations of the covered entity; (2) The protection of the covered entity’s information systems and the information residing on those systems; (3) External and internal cybersecurity incident information sharing and communications; and (4) The reporting of significant cybersecurity incidents pursuant to paragraph (c) of this section. (B) Require written documentation of any cybersecurity incident, including the covered entity’s response to and recovery from the cybersecurity incident. (2) Annual Review. A covered entity must, at least annually: (i) Review and assess the design and effectiveness of the cybersecurity policies and procedures required by paragraph (b)(1) of this section, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review; and (ii) Prepare a written report that describes the review, the assessment, and any control tests performed, explains their results, documents any cybersecurity incident that occurred since the date of the last report, and discusses any material changes to the policies and procedures since the date of the last report. (c) Notification and reporting of significant cybersecurity incidents—(1) Immediate notice. A covered entity must give the Commission immediate E:\FR\FM\05APP2.SGM 05APP2 lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring. 
The notice must identify the covered entity, state that the notice is being given to alert the Commission of a significant cybersecurity incident impacting the covered entity, and provide the name and contact information of an employee of the covered entity who can provide further details about the significant cybersecurity incident. The notice also must be given to: (i) In the case of a broker or dealer, the examining authority of the broker or dealer; and (ii) In the case of a transfer agent, the ARA of the transfer agent. (2) Report. (i) A covered entity must report a significant cybersecurity incident, promptly, but no later than 48 hours, upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring by filing Part I of Form SCIR with the Commission electronically through the Electronic Data Gathering, Analysis, and Retrieval System (‘‘EDGAR system’’) in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T (17 CFR 232.11), and Part I of Form SCIR must be filed in accordance with the requirements of Regulation S–T. (ii) A covered entity must file an amended Part I of Form SCIR with the Commission electronically through the EDGAR system in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T (17 CFR 232.11), and Part I of Form SCIR must be filed in accordance with the requirements of Regulation S–T promptly, but no later than 48 hours after each of the following circumstances: (A) Any information previously reported to the Commission on Part I of Form SCIR pertaining to a significant cybersecurity incident becoming materially inaccurate; (B) Any new material information pertaining to a significant cybersecurity incident previously reported to the Commission on Part I of Form SCIR being discovered; (C) A significant cybersecurity incident is resolved; or (D) An internal investigation pertaining to a significant cybersecurity incident is closed. 
(iii)(A) If the covered entity is a broker or dealer, it must promptly transmit a copy of each Part I of Form SCIR it files with the Commission to its examining authority; and VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 (B) If the covered entity is a transfer agent, it must promptly transmit a copy of each Part I of Form SCIR it files with the Commission to its ARA. (d) Disclosure of cybersecurity risks and incidents—(1) Content of the disclosure—(i) Cybersecurity risks. A covered entity must provide a summary description of the cybersecurity risks that could materially affect the covered entity’s business and operations and how the covered entity assesses, prioritizes, and addresses those cybersecurity risks. (ii) Significant cybersecurity incidents. A covered entity must provide a summary description of each significant cybersecurity incident that has occurred during the current or previous calendar year. The description of each significant cybersecurity incident must include the following information to the extent known: (A) The person or persons affected; (B) The date the incident was discovered and whether it is ongoing; (C) Whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; (D) The effect of the incident on the covered entity’s operations; and (E) Whether the covered entity, or service provider, has remediated or is currently remediating the incident. (2) Methods of disclosure. 
A covered entity must make the disclosures required pursuant to paragraph (d)(1) of this section by: (i) Filing Part II of Form SCIR with the Commission electronically through the EDGAR system in accordance with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S–T (17 CFR 232.11), and in accordance with the requirements of Regulation S–T; and (ii) Posting a copy of the Part II of Form SCIR most recently filed pursuant to paragraph (d)(2)(i) of this section on an easily accessible portion of its business internet website that can be viewed by the public without the need of entering a password or making any type of payment or providing any other consideration. (3) Additional methods of disclosure required for certain brokers or dealers. In addition to the method of disclosure required by paragraph (d)(2) of this section, a broker or dealer described in paragraph (a)(1)(i) or (ii) of this section must provide a copy of the Part II of Form SCIR most recently filed pursuant to paragraph (d)(2)(i) of this section to a customer as part of the account opening process and, thereafter, annually and as required by paragraph (d)(4) of this section using the same means that the customer elects to receive account statements. PO 00000 Frm 00135 Fmt 4701 Sfmt 4702 20345 (4) Disclosure updates. The covered entity must promptly provide an updated disclosure through the methods required by paragraphs (d)(2) and (3) of this section if the information required to be disclosed pursuant to paragraphs (d)(1)(i) or (ii) of this section materially changes, including, in the case of paragraph (d)(1)(ii) of this section, after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes. (e) Requirements for brokers or dealers that are not covered entities. 
(1) A broker or dealer that is not a ‘‘covered entity’’ as defined in this section must establish, maintain, and enforce written policies and procedures that are reasonably designed to address the cybersecurity risks of the broker or dealer taking into account the size, business, and operations of the broker or dealer. The broker or dealer must annually review and assess the design and effectiveness of the cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review. The broker or dealer must make a written record that documents the steps taken in performing the annual review and the conclusions of the annual review. (2) A broker or dealer that is not a ‘‘covered entity’’ as defined in this section must give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring. The notice must identify the broker or dealer, state that the notice is being given to alert the Commission of a significant cybersecurity incident impacting the broker or dealer, and provide the name and contact information of an employee of the broker or dealer who can provide further details about the significant cybersecurity incident. The notice also must be given to the examining authority of the broker or dealer. * * * * * PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934 12. The authority citation for part 249 continues to read, in part, as follows: ■ Authority: 15 U.S.C. 78a, et seq., unless otherwise noted. * * * * * 13. Section 249.624 is added to read as follows: ■ E:\FR\FM\05APP2.SGM 05APP2 20346 § 249.624 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules Form SCIR. Form SCIR shall be filed by a covered entity to report a significant cybersecurity incident pursuant to the requirements of 17 CFR 242.10. 
By the Commission. Dated: March 15, 2023. J. Matthew DeLesDernier, Deputy Secretary. VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00136 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 EP05AP23.000</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 BILLING CODE 8011–01–P VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00137 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 20347 EP05AP23.001</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules VerDate Sep<11>2014 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00138 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 EP05AP23.002</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 20348 VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00139 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 20349 EP05AP23.003</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules VerDate Sep<11>2014 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00140 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 EP05AP23.004</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 20350 VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00141 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 20351 EP05AP23.005</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules VerDate Sep<11>2014 Federal Register / Vol. 88, No. 
65 / Wednesday, April 5, 2023 / Proposed Rules 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00142 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 EP05AP23.006</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 20352 VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00143 Fmt 4701 Sfmt 4725 E:\FR\FM\05APP2.SGM 05APP2 20353 EP05AP23.007</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules 20354 Federal Register / Vol. 88, No. 65 / Wednesday, April 5, 2023 / Proposed Rules [FR Doc. 2023–05767 Filed 4–4–23; 8:45 am] VerDate Sep<11>2014 18:14 Apr 04, 2023 Jkt 259001 PO 00000 Frm 00144 Fmt 4701 Sfmt 9990 E:\FR\FM\05APP2.SGM 05APP2 EP05AP23.008</GPH> lotter on DSK11XQN23PROD with PROPOSALS2 BILLING CODE 8011–01–C

[Federal Register Volume 88, Number 65 (Wednesday, April 5, 2023)]
[Proposed Rules]
[Pages 20212-20354]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05767]




ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

    • Use the Commission's internet comment form (https://www.sec.gov/rules/submitcomments.htm); or
    • Send an email to [email protected]. Please include 
File Number S7-06-23 on the subject line.

Paper Comments

    • Send paper comments to Secretary, Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-06-23. The file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method of submission. The Commission will post all 
comments on the Commission's website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549, on official business days between the hours of 10 
a.m. and 3 p.m. Operating conditions may limit access to the 
Commission's Public Reference Room. All comments received will be 
posted without change; the Commission does not edit personal 
identifying information from submissions. You should submit only 
information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on the Commission's website. To ensure direct 
electronic receipt of such notifications, sign up through the ``Stay 
Connected'' option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Randall W. Roy, Deputy Associate 
Director and Nina Kostyukovsky, Special Counsel, Office of Broker-
Dealer Finances (with respect to the proposed cybersecurity rule and 
form and the aspects of the proposal unique to broker-dealers); Matthew 
Lee, Assistant Director and Stephanie Park, Senior Special Counsel, 
Office of Clearance and Settlement (with respect to aspects of the 
proposal unique to clearing agencies and security-based swap data 
repositories); John Guidroz, Assistant Director and Russell Mancuso, 
Special Counsel, Office of Derivatives Policy (with respect to aspects 
of the proposal unique to major security-based swap participants and 
security-based swap dealers); Michael E. Coe, Assistant Director and 
Leah Mesfin, Special Counsel, Office of Market Supervision (with 
respect to aspects of the proposal unique to national securities 
associations and national securities exchanges); Moshe Rothman, 
Assistant Director, Office of Clearance and Settlement (with respect to 
aspects of the proposal unique to transfer agents) at (202) 551-5500, 
Division of Trading and Markets; and Dave Sanchez, Director, Adam 
Wendell, Deputy Director, and Adam Allogramento, Special Counsel, 
Office of Municipal Securities (with respect to aspects of the proposal 
unique to the Municipal Securities Rulemaking Board) at (202) 551-5680, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-7010.

SUPPLEMENTARY INFORMATION: The Commission is proposing to add the 
following new rule and form under the Securities Exchange Act of 1934 
(``Exchange Act''): (1) 17 CFR 242.10 (``Rule 10''); and (2) 17 CFR 
249.624 (``Form SCIR''). The Commission also is proposing related 
amendments to the following rules: (1) 17 CFR 232.101; (2) 17 CFR 
240.3a71-6; (3) 17 CFR 240.17a-4; (4) 17 CFR 240.17Ad-7; (5) 17 CFR 
240.18a-6; and (6) 17 CFR 240.18a-10. Further, the Commission is 
proposing to amend certain orders that exempt clearing agencies from 
registration.

------------------------------------------------------------------------
           Commission reference                CFR citation (17 CFR)
------------------------------------------------------------------------
Regulation S-T............................  § 232.101
Rule 3a71-6...............................  § 240.3a71-6
Rule 17a-4................................  § 240.17a-4
Rule 17Ad-7...............................  § 240.17Ad-7
Rule 18a-6................................  § 240.18a-6
Rule 18a-10...............................  § 240.18a-10
Rule 10...................................  § 242.10
Form SCIR.................................  § 249.624
------------------------------------------------------------------------

Table of Contents

I. Introduction
    A. Cybersecurity Risk Poses a Threat to the U.S. Securities Markets
    1. In General
    2. Critical Operations of Market Entities Are Exposed to 
Cybersecurity Risk
    B. Overview of the Proposed Cybersecurity Requirements
II. Discussion of Proposed Cybersecurity Rule
    A. Definitions
    1. ``Covered Entity''
    2. ``Cybersecurity Incident''
    3. ``Significant Cybersecurity Incident''
    4. ``Cybersecurity Threat''
    5. ``Cybersecurity Vulnerability''
    6. ``Cybersecurity Risk''
    7. ``Information''
    8. ``Information Systems''
    9. ``Personal Information''
    10. Request for Comment
    B. Proposed Requirements for Covered Entities
    1. Cybersecurity Risk Management Policies and Procedures
    2. Notification and Reporting of Significant Cybersecurity 
Incidents
    3. Disclosure of Cybersecurity Risks and Incidents
    4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a 
Structured Data Language
    5. Recordkeeping
    C. Proposed Requirements for Non-Covered Broker-Dealers
    1. Cybersecurity Policies and Procedures, Annual Review, 
Notification, and Recordkeeping
    2. Request for Comment
    D. Cross-Border Application of the Proposed Cybersecurity 
Requirements to SBS Entities
    1. Background on the Cross-Border Application of Title VII 
Requirements
    2. Proposed Entity-Level Treatment
    3. Availability of Substituted Compliance
    E. Amendments to Rule 18a-10
    1. Proposal
    2. Request for Comment
    F. Market Entities Subject to Regulation SCI, Regulation S-P, 
Regulation ATS, and Regulation S-ID
    1. Discussion
    2. Request for Comment
    G. Cybersecurity Risk Related to Crypto Assets
III. General Request for Comment
IV. Economic Analysis
    A. Introduction
    B. Broad Economic Considerations
    C. Baseline
    1. Cybersecurity Risks and Current Relevant Regulations
    2. Market Structure
    D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule 
Amendments
    1. Benefits and Costs of the Proposals to the U.S. Securities 
Markets
    2. Policies and Procedures and Annual Review Requirements for 
Covered Entities
    3. Regulatory Reporting of Cybersecurity Incidents by Covered 
Entities
    4. Public Disclosure of Cybersecurity Risks and Significant 
Cybersecurity Incidents
    5. Record Preservation and Maintenance by Covered Entities
    6. Policies and Procedures, Annual Review, Immediate 
Notification of Significant Cybersecurity Incidents, and Record 
Preservation Requirements for Non-Covered Broker-Dealers
    7. Substituted Compliance for Non-U.S. SBS Entities
    E. Effects on Efficiency, Competition, and Capital Formation
    F. Reasonable Alternatives
    1. Alternatives to the Policies and Procedures Requirements of 
Proposed Rule 10
    2. Alternatives to the Requirements of Proposed Form SCIR and 
Related Notification and Disclosure Requirements of Proposed Rule 10
    3. General Request for Comment
V. Paperwork Reduction Act Analysis
    A. Summary of Collections of Information
    1. Proposed Rule 10
    2. Form SCIR
    3. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption 
Orders
    4. Substituted Compliance (Rule 3a71-6)
    B. Proposed Use of Information
    C. Respondents
    1. Broker-Dealers
    2. Clearing Agencies
    3. The MSRB
    4. National Securities Exchanges and National Securities 
Associations
    5. SBS Entities
    6. SBSDRs
    7. Transfer Agents
    D. Total Initial and Annual Reporting Burdens
    1. Proposed Rule 10
    2. Form SCIR
    3. Rules 17a-4, 17ad-7, 18a-6, and Clearing Agency Exemption 
Orders (and Existing Rules 13n-7 and 17a-1)
    4. Substituted Compliance (Rule 3a71-6)
    E. Collection of Information is Mandatory
    F. Confidentiality of Responses to Collection of Information
    G. Retention Period for Recordkeeping Requirements
    H. Request for Comment
VI. Initial Regulatory Flexibility Act Analysis
    A. Reasons for, and Objectives of, Proposed Action
    1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption 
Orders
    B. Legal Basis
    C. Small Entities Subject to Proposed Rule, Form SCIR, and 
Recordkeeping Rule Amendments
    1. Broker-Dealers
    2. Clearing Agencies
    3. The MSRB
    4. National Securities Exchanges and National Securities 
Associations
    5. SBS Entities
    6. SBSDRs
    7. Transfer Agents
    D. Reporting, Recordkeeping, and Other Compliance Requirements
    1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    2. Rules 17a-4, 17ad-7, and 18a-6
    E. Duplicative, Overlapping, or Conflicting Federal Rules
    1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption 
Orders
    F. Significant Alternatives
    1. Broker-Dealers
    2. Clearing Agencies
    3. The MSRB
    4. National Securities Exchanges and National Securities 
Associations
    5. SBS Entities
    6. SBSDRs
    7. Transfer Agents
    G. Request for Comment
VII. Small Business Regulatory Enforcement Fairness Act
VIII. Statutory Authority

I. Introduction

A. Cybersecurity Risk Poses a Threat to the U.S. Securities Markets

1. In General
    Cybersecurity risk has been described as ``an effect of uncertainty 
on or within information and technology.'' \1\ This risk can lead to 
``the loss of confidentiality, integrity, or availability of 
information, data, or information (or control) systems and [thereby to] 
potential adverse impacts to organizational operations (i.e., mission, 
functions, image, or reputation) and assets, individuals, other 
organizations, and the Nation.'' \2\ The U.S. Financial Stability 
Oversight Council (``FSOC'') in its 2021 annual report stated that a 
destabilizing cybersecurity incident could potentially threaten the 
stability of the U.S. financial system through at least three channels:
---------------------------------------------------------------------------

    \1\ See the National Institute of Standards and Technology 
(``NIST''), U.S. Department of Commerce, Computer Security Resource 
Center Glossary, available at https://csrc.nist.gov/glossary (``NIST 
Glossary'') (definition of ``cybersecurity risk''). The NIST 
Glossary consists of terms and definitions extracted verbatim from 
NIST's cybersecurity and privacy-related publications (i.e., Federal 
Information Processing Standards (FIPS), NIST Special Publications 
(SPs), and NIST Internal/Interagency Reports (IRs)) and from the 
Committee on National Security Systems (CNSS) Instruction CNSSI-
4009. The NIST Glossary may be expanded to include relevant terms in 
external or supplemental sources, such as applicable laws and 
regulations. The Cybersecurity Enhancement Act of 2014 (``CEA'') 
updated the role of NIST to include identifying and developing 
cybersecurity risk frameworks for voluntary use by critical 
infrastructure owners and operators. The CEA required NIST to 
identify ``a prioritized, flexible, repeatable, performance based, 
and cost-effective approach, including information security measures 
and controls that may be voluntarily adopted by owners and operators 
of critical infrastructure to help them identify, assess, and manage 
cyber risks.'' See 15 U.S.C. 272(e)(1)(A)(iii). In response, NIST 
has published the Framework for Improving Critical Infrastructure 
Cybersecurity (``NIST Framework''). See also NIST, Integrating 
Cybersecurity and Enterprise Risk Management (ERM) (Oct. 2020), 
available at https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf (``All types of organizations, from corporations to 
federal agencies, face a broad array of risks. For federal agencies, 
the Office of Management and Budget (OMB) Circular A-11 defines risk 
as `the effect of uncertainty on objectives'. The effect of 
uncertainty on enterprise mission and business objectives may then 
be considered an `enterprise risk' that must be similarly managed . 
. . Cybersecurity risk is an important type of risk for any 
enterprise.'') (footnotes omitted).
    \2\ See NIST Glossary (definition of ``cybersecurity risk''). 
See also The Board of the International Organization of Securities 
Commissions (``IOSCO''), Cyber Security in Securities Markets--An 
International Perspective (Apr. 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf (``IOSCO 
Cybersecurity Report'') (``In essence, cyber risk refers to the 
potential negative outcomes associated with cyber attacks. In turn, 
cyber attacks can be defined as attempts to compromise the 
confidentiality, integrity and availability of computer data or 
systems.'') (footnote omitted).
---------------------------------------------------------------------------

     • First, the incident could disrupt a key financial service 
or utility for which there is little or no substitute. This could 
include attacks on central banks; exchanges; sovereign and subsovereign 
creditors, including U.S. state and local governments; custodian banks; 
payment clearing and settlement systems; or other firms or services 
that lack substitutes or are sole service providers.
     • Second, the incident could compromise the integrity of 
critical data. Accurate and usable information is critical to the 
stable functioning of financial firms and the system; if such data is 
corrupted on a sufficiently large scale, it could disrupt the 
functioning of the system. The loss of such data also has privacy 
implications for consumers and could lead to identity theft and fraud, 
which in turn could result in a loss of confidence.
     • Third, a cybersecurity incident that causes a loss of 
confidence among a broad set of customers or market participants could 
cause customers or participants to question the safety or liquidity of 
their assets or transactions, and lead to significant withdrawal of 
assets or activity.\3\
---------------------------------------------------------------------------

    \3\ FSOC, Annual Report (2021), at 168, available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (``FSOC 
2021 Annual Report'').
---------------------------------------------------------------------------

    The U.S. securities markets are part of the Financial Services 
Sector, one of the sixteen critical infrastructure sectors ``whose 
assets, systems, and networks, whether physical or virtual, are 
considered so vital to the United States that their incapacitation or 
destruction would have a debilitating effect on security, national 
economic security, national public health or safety, or any combination 
thereof.'' \4\ These markets are over $100 trillion in total size, and 
more than a trillion dollars' worth of transactions flow through them 
each day. For example, the market capitalization of the U.S. equities 
market was valued at $49 trillion as of the first quarter of 2022,\5\ 
and as of May 2022, the average daily trading dollar volume in the U.S. 
equities market was $659 billion.\6\ The market capitalization of the 
U.S. fixed income market was valued at $52.9 trillion as of the fourth 
quarter of 2021,\7\ and as of May 2022, the average daily trading 
dollar volume in the U.S. fixed income market was $897.8 billion.\8\
---------------------------------------------------------------------------

    \4\ Cybersecurity and Infrastructure Security Agency (``CISA''), 
U.S. Department of Homeland Security, Critical Infrastructure 
Sectors, available at https://www.cisa.gov/critical-infrastructure-sectors. See also Presidential Policy Directive--Critical 
Infrastructure Security and Resilience, Presidential Policy 
Directive, PPD-21 (Feb. 12, 2013).
    \5\ See Securities Industry and Financial Markets Association 
(``SIFMA''), Research Quarterly: Equities (Apr. 27, 2022), available 
at https://www.sifma.org/resources/research/research-quarterly-equities/.
    \6\ See SIFMA, US Equity and Related Statistics (June 1, 2022), 
available at https://www.sifma.org/resources/research/us-equity-and-related-securities-statistics/.
    \7\ See SIFMA, Research Quarterly: Fixed Income--Outstanding 
(Mar. 14, 2022), available at https://www.sifma.org/resources/research/research-quarterly-fixed-income-outstanding/.
    \8\ See SIFMA, US Fixed Income Securities Statistics (June 9, 
2022), available at https://www.sifma.org/resources/research/us-fixed-income-securities-statistics/.
---------------------------------------------------------------------------

    The sizes of these markets are indicative of the central role they 
play in the U.S. economy in terms of the flow of capital, including the 
savings of individual investors who are increasingly relying on them 
to, for example, build wealth to fund their retirement, purchase a 
home, or pay for college for themselves or their family. Therefore, it 
is critically important to the U.S. economy, investors, and capital 
formation that the U.S. securities markets function in a fair, orderly, 
and efficient manner.\9\
---------------------------------------------------------------------------

    \9\ The Commission's tripartite mission is to: (1) protect 
investors; (2) maintain fair, orderly, and efficient markets; and 
(3) facilitate capital formation. See, e.g., Commission, Our Goals, 
available at https://www.sec.gov/our-goals.
---------------------------------------------------------------------------

    The fair, orderly, and efficient operation of the U.S. securities 
markets depends on different types of entities performing various 
functions to support, among other things, disseminating market 
information, underwriting securities issuances, making markets in 
securities, trading securities, providing liquidity to the securities 
markets, executing securities transactions, clearing and settling 
securities transactions, financing securities transactions, recording 
and transferring securities ownership, maintaining custody of 
securities, paying dividends and interest on securities, repaying 
principal on securities investments, supervising regulated market 
participants, and monitoring market activities. Collectively, these 
functions are performed by entities regulated by the Commission: 
broker-dealers, broker-dealers that operate an alternative trading 
system (``ATS''), clearing agencies, major security-based swap 
participants (``MSBSPs''), the Municipal Securities Rulemaking Board 
(``MSRB''), national securities associations, national securities 
exchanges, security-based swap data repositories (``SBSDRs''), 
security-based swap dealers (``SBSDs'' or collectively with MSBSPs, 
``SBS Entities''), and transfer agents (collectively, ``Market 
Entities'').\10\
---------------------------------------------------------------------------

    \10\ Currently, there are no MSBSPs registered with the 
Commission.
---------------------------------------------------------------------------

    To perform their functions, Market Entities rely on an array of 
electronic information, communication, and computer systems (or similar 
systems) (``information systems'') and networks of interconnected 
information systems. While Market Entities have long relied on 
information systems to perform their various functions, the 
acceleration of technical innovation in recent years has exponentially 
expanded the role these systems play in the U.S. securities 
markets.\11\ This expansion has been driven by the greater efficiencies 
and lower costs that can be achieved through the use of information 
systems.\12\ It also has been driven by newer entrants (financial 
technology (Fintech) firms) that have developed business models that 
rely heavily on information systems (e.g., applications on mobile 
devices) to provide services to investors and other participants in the 
securities markets and more established Market Entities adopting the 
use of similar technologies.\13\ The COVID-19 pandemic also has 
contributed to the greater reliance on information systems.\14\
---------------------------------------------------------------------------

    \11\ See, e.g., Bank for International Settlements, Erik Feyen, 
Jon Frost, Leonardo Gambacorta, Harish Natarajan, and Mathew Saal, 
Fintech and the digital transformation of financial services: 
implications for market structure and public policy, BIS Papers No. 
117 (July 2021), available at https://www.bis.org/publ/bppdf/bispap117.pdf (``BIS Papers 117'') (``Significant technology 
advances have taken place in two key areas that have contributed to 
the current wave of technology-based finance:'' Increased 
connectivity . . . [and] Low-cost computing and data storage . . .'').
    \12\ Id. (``Technology has reduced the costs of, and need for, 
much of the traditional physical infrastructure that drove fixed 
costs for the direct financial services provider . . . Financial 
intermediaries can reduce marginal costs through technology-enabled 
automation and `straight through' processing, which are accelerating 
with the expanded use of data and [artificial intelligence]-based 
processes. Digital innovation can also help to overcome spatial 
(geographical) barriers, and even to bridge differences across legal 
jurisdictions . . .''). See also United Nations, Office for Disaster 
Risk Reduction, Constantine Toregas and Joost Santos, Cybersecurity 
and its cascading effect on societal systems (2019), available at 
https://www.undrr.org/publication/cybersecurity-and-its-cascading-effect-societal-systems (``Cybersecurity and its Cascading Effect on 
Societal Systems'') (``Modern society has benefited from the 
additional efficiency achieved by improving the coordination across 
interdependent systems using information technology (IT) solutions. 
IT systems have significantly contributed to enhancing the speed of 
communication and reducing geographic barriers across consumers and 
producers, leading to a more efficient and cost-effective exchange 
of products and services across an economy.'').
    \13\ BIS Papers 117 (``Internet and mobile technology have 
rapidly increased the ability to transfer information and interact 
remotely, both between businesses and directly to the consumer. 
Through mobile and smartphones, which are near-ubiquitous, 
technology has increased access to, and the efficiency of, direct 
delivery channels and promises lower-cost, tailored financial 
services . . . Incumbents large and small are embracing digital 
transformation across the value chain to compete with fintechs and 
big techs. Competitive pressure on traditional financial 
institutions may force even those that are lagging to transform or 
risk erosion of their customer base, income, and margins.'').
    \14\ Id. (``The COVID-19 pandemic has accelerated the digital 
transformation. In particular, the need for digital connectivity to 
replace physical interactions between consumers and providers, and 
in the processes that produce financial services, will be even more 
important as economies, financial services providers, businesses and 
individuals navigate the pandemic and the eventual post-COVID-19 
world.''). See also McKinsey & Company, How Covid-19 has pushed 
companies over the technology tipping point--and transformed 
business forever (Oct. 5, 2020), available at https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever#/ (noting that due to 
the COVID-19 pandemic, ``companies have accelerated the digitization 
of their customer and supply-chain interactions and of their 
internal operations by three to four years [and] the share of 
digital or digitally enhanced products in their portfolios has 
accelerated by a shocking seven years'').

---------------------------------------------------------------------------

[[Page 20215]]

    This increased reliance on information systems by Market Entities 
has caused a corresponding increase in their cybersecurity risk.\15\ 
This risk can be caused by the actions of external threat actors, 
including organized or individual threat actors seeking financial gain, 
nation states conducting espionage operations, or individuals engaging 
in protest, acting on grudges or personal offenses, or seeking 
thrills.\16\ Internal threat actors (e.g., disgruntled employees or 
employees seeking financial gain) also can be sources of cybersecurity 
risk.\17\ Threat actors may target Market Entities because they handle 
financial assets or proprietary information about financial assets and 
transactions.\18\ In addition to threat actors, errors of employees, 
service providers, or business partners can create cybersecurity risk 
(e.g., mistakenly exposing confidential or personal information by, for 
example, sending it through an unencrypted email to unintended 
recipients).\19\
---------------------------------------------------------------------------

    \15\ See, e.g., Financial Services Information Sharing and 
Analysis Center (``FS-ISAC''), Navigating Cyber 2022 (Mar. 2022), 
available at: www.fsisac.com/navigatingcyber2022-report (detailing 
cyber threats that emerged in 2021 and predictions for 2022); Danny 
Brando, Antonis Kotidis, Anna Kovner, Michael Lee, and Stacey L. 
Schreft, Implications of Cyber Risk for Financial Stability, FEDS 
Notes, Washington: Board of Governors of the Federal Reserve System 
(May 12, 2022), available at https://doi.org/10.17016/2380-7172.3077 
(``Implications of Cyber Risk for Financial Stability'') (``Cyber 
risk in the financial system has grown over time as the system has 
become more digitized, as evidenced by the increase in cyber 
incidents. That growth has brought to light unique features of cyber 
risk and the potentially greater scope for cyber events to affect 
financial stability.''); United States Government Accountability 
Office (``GAO''), Critical Infrastructure Protection: Treasury Needs 
to Improve Tracking of Financial Sector Cybersecurity Risk 
Mitigation Efforts, GAO-20-631 (Sept. 2020), available at https://www.gao.gov/assets/gao-20-631.pdf (``GAO Cybersecurity Report'') 
(``The federal government has long identified the financial services 
sector as a critical component of the nation's infrastructure. The 
sector includes commercial banks, securities brokers and dealers, 
and providers of the key financial systems and services that support 
these functions. Altogether, the sector holds about $108 trillion in 
assets and faces a variety of cybersecurity-related risks. Key risks 
include (1) an increase in access to financial data through 
information technology service providers and supply chain partners; 
(2) a growth in sophistication of malware--software meant to do 
harm--and (3) an increase in interconnectivity via networks, the 
cloud, and mobile applications.''); Cybersecurity and its Cascading 
Effect on Societal Systems (``Nonetheless, IT dependence has also 
exposed critical infrastructure and industry systems to a myriad of 
cyber security risks, ranging from accidental causes, technological 
glitches, to malevolent willful attacks.'').
    \16\ See, e.g., Verizon, Data Breach Investigations Report 
(2022) available at https://www.verizon.com/business/resources/Tba/reports/dbir/2022-data-breach-investigations-report-dbir.pdf 
(``Verizon DBIR'') (finding that 73% of the data breaches analyzed 
in the report were caused by external actors). The Verizon DBIR is 
an annual report that analyzes cyber security incidents (defined as 
a security event that compromises the integrity, confidentiality or 
availability of an information asset) and breaches (defined as an 
incident that results in the confirmed disclosure--not just 
potential exposure--of data to an unauthorized party). To perform 
the analysis, data about the cybersecurity incidents included in the 
report are catalogued using the Vocabulary for Event Recording and 
Incident Sharing (VERIS). VERIS is a set of metrics designed to 
provide a common language for describing security incidents in a 
structured and repeatable manner. More information about VERIS is 
available at: https://veriscommunity.net/. See also 
Microsoft, Microsoft Digital Defense Report (Oct. 2021), available 
at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi 
(``Microsoft Report'') (``The last year has been marked by 
significant historic geopolitical events and unforeseen challenges 
that have changed the way organizations approach daily operations. 
During this time, nation state actors have largely maintained their 
operations at a consistent pace while creating new tactics and 
techniques to evade detection and increase the scale of their 
attacks'').
    \17\ See, e.g., Verizon DBIR (finding that 18% of the data 
breaches analyzed in the report were caused by internal actors). But 
see id. (``Internal sources accounted for the fewest number of 
incidents (18 percent), trailing those of external origin by a ratio 
of four to one. The relative infrequency of data breaches attributed 
to insiders may be surprising to some. It is widely believed and 
commonly reported that insider incidents outnumber those caused by 
other sources. While certainly true for the broad range of security 
incidents, our caseload showed otherwise for incidents resulting in 
data compromise. This finding, of course, should be considered in 
light of the fact that insiders are adept at keeping their 
activities secret.'').
    \18\ See, e.g., GAO Cybersecurity Report (``The financial 
services sector faces significant risks due to its reliance on 
sophisticated technologies and information systems, as well as the 
potential monetary gain and economic disruption that can occur by 
attacking the sector''); IOSCO Cybersecurity Report (``[T]he 
financial sector is one of the prime targets of cyber attacks. It is 
easy to understand why: the sector is `where the money is' and it 
can represent a nation or be a symbol of capitalism for some 
politically motivated activists.'').
    \19\ See Verizon DBIR (identifying error (defined as anything 
done (or left undone) incorrectly or inadvertently) as one of the 
action types leading to cybersecurity incidents and breaches).
---------------------------------------------------------------------------

    Another factor increasing the cybersecurity risk to Market Entities 
is the growing sophistication of the tactics, techniques, and 
procedures employed by threat actors.\20\ This trend is further 
exacerbated by the ability of threat actors to purchase tools to engage 
in cyber-crime.\21\ Threat actors employ a number of tactics to cause 
harmful cybersecurity incidents.\22\ One tactic is the use of malicious 
software (``malware'') that is uploaded into a computer system and used 
by threat actors to compromise the confidentiality of information 
stored or operations performed (e.g., monitoring key strokes) on the 
system or the integrity or availability of the system (e.g., command 
and control attacks where a threat actor is able to infiltrate a system 
to install malware to enable it to remotely send commands to infected 
devices).\23\ There are a number of different forms of malware, 
including adware, botnets, rootkits, spyware, Trojans, viruses, and 
worms.\24\
---------------------------------------------------------------------------

    \20\ See, e.g., Bank of England, CBEST Intelligence-Led Testing: 
Understanding Cyber Threat Intelligence Operations (Version 2.0), 
available at https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf (``Bank of England CBEST 
Report'') (``The threat actor community, once dominated by amateur 
hackers, has expanded to include a broad range of professional 
threat actors, all of whom are strongly motivated, organised and 
funded. They include: state-sponsored organisations stealing 
military, government and commercial intellectual property; organised 
criminal gangs committing theft, fraud and money laundering which 
they perceive as low risk and high return; non-profit hacktivists 
and for-profit mercenary organisations attempting to disrupt or 
destroy their own or their client's perceived enemies.''); Microsoft 
Report (``Sophisticated cybercriminals are also still working for 
governments conducting espionage and training in the new 
battlefield'').
    \21\ See, e.g., Microsoft Report (``Through our investigations 
of online organized crime networks, frontline investigations of 
customer attacks, security and attack research, nation state threat 
tracking, and security tool development, we continue to see the 
cybercrime supply chain consolidate and mature. It used to be that 
cybercriminals had to develop all the technology for their attacks. 
Today they rely on a mature supply chain, where specialists create 
cybercrime kits and services that other actors buy and incorporate 
into their campaigns. With the increased demand for these services, 
an economy of specialized services has surfaced, and threat actors 
are increasing automation to drive down their costs and increase 
scale.'').
    \22\ See, e.g., Financial Industry Regulatory Authority 
(``FINRA''), Common Cybersecurity Threats, available at: 
www.finra.org/rules-guidance/guidance/common-cybersecurity-threats 
(``FINRA Common Cybersecurity Threats'') (summarizing common 
cybersecurity threats faced by broker-dealers to include phishing, 
imposter websites, malware, ransomware, distributed denial-of-service 
attacks, and vendor breaches, among others).
    \23\ See CISA, Malware Tip Card, available at https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf (``CISA 
Malware Tip Card'') (``Malware, short for ``malicious software,'' 
includes any software (such as a virus, Trojan, or spyware) that is 
installed on your computer or mobile device. The software is then 
used, usually covertly, to compromise the integrity of your device. 
Most commonly, malware is designed to give attackers access to your 
infected computer. That access may allow others to monitor and 
control your online activity or steal your personal information or 
other sensitive data.'').
    \24\ See, e.g., CISA Malware Tip Card (``Adware [is] a type of 
software that downloads or displays unwanted ads when a user is 
online or redirects search requests to certain advertising websites. 
Botnets [are] networks of computers infected by malware and 
controlled remotely by cybercriminals, usually for financial gain or 
to launch attacks on websites or networks. Many botnets are designed 
to harvest data, such as passwords, Social Security numbers, credit 
card numbers, and other personal information . . . Rootkit [is] a 
type of malware that opens a permanent ``back door'' into a computer 
system. Once installed, a rootkit will allow additional viruses to 
infect a computer as various hackers find the vulnerable computer 
exposed and compromise it. Spyware [is] a type of malware that 
quietly gathers a user's sensitive information (including browsing 
and computing habits) and reports it to unauthorized third parties. 
Trojan [is] a type of malware that disguises itself as a normal file 
to trick a user into downloading it in order to gain unauthorized 
access to a computer. Virus [is] a program that spreads by first 
infecting files or the system areas of a computer or network 
router's hard drive and then making copies of itself. Some viruses 
are harmless, others may damage data files, and some may destroy 
files entirely. Worm [is] a type of malware that replicates itself 
over and over within a computer.'').

---------------------------------------------------------------------------

[[Page 20216]]

    A second tactic is a variation of malware known as ``ransomware.'' 
\25\ In this scheme, the threat actor encrypts the victim's data making 
it unusable and then demands payment to decrypt it.\26\ Ransomware 
schemes have become more prevalent with the widespread adoption and use 
of crypto assets.\27\ It is a common tactic used against the financial 
sector.\28\ Commission staff has observed that this tactic has 
increasingly been employed against certain Market Entities.\29\
---------------------------------------------------------------------------

    \25\ See CISA, Ransomware 101, available at https://www.cisa.gov/stopransomware/ransomware-101 (``Ransomware is an 
ever-evolving form of malware designed to encrypt files on a device, 
rendering any files and the systems that rely on them unusable. 
Malicious actors then demand ransom in exchange for decryption. 
Ransomware actors often target and threaten to sell or leak 
exfiltrated data or authentication information if the ransom is not 
paid. In recent years, ransomware incidents have become increasingly 
prevalent among the Nation's state, local, tribal, and territorial 
(SLTT) government entities and critical infrastructure 
organizations.'').
    \26\ See, e.g., Federal Bureau of Investigation (``FBI''), 
internet Crime Report (2021), available at https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (``FBI internet Crime 
Report'') (``Ransomware is a type of malicious software, or malware, 
that encrypts data on a computer, making it unusable. A malicious 
cyber criminal holds the data hostage until the ransom is paid. If 
the ransom is not paid, the victim's data remains unavailable. Cyber 
criminals may also pressure victims to pay the ransom by threatening 
to destroy the victim's data or to release it to the public.'').
    \27\ See, e.g., Institute for Security and Technology, Combating 
Ransomware: A Comprehensive Framework For Action: Key 
Recommendations from the Ransomware Task Force (Apr. 2021), 
available at https://securityandtechnology.org/ransomwaretaskforce/report (``The explosion of ransomware as a lucrative criminal 
enterprise has been closely tied to the rise of Bitcoin and other 
cryptocurrencies, which use distributed ledgers, such as blockchain, 
to track transactions.'').
    \28\ See, e.g., FBI internet Crime Report (stating that it 
received 649 complaints that indicated organizations in the sixteen 
U.S. critical infrastructure sectors were victims of a ransomware 
attack, with the financial sector being the source of the second 
largest number of complaints).
    \29\ See Office of Compliance Inspections and Examinations 
(now the Division of Examinations (``EXAMS'')), Commission, Risk 
Alert, Cybersecurity: Ransomware Alert (July 10, 2020), available at 
https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf (``EXAMS 
Ransomware Risk Alert'') (observing an apparent increase in 
sophistication of ransomware attacks on Commission registrants, 
including broker-dealers). Any staff statements represent the views 
of the staff. They are not a rule, regulation, or statement of the 
Commission. Furthermore, the Commission has neither approved nor 
disapproved their content. These staff statements, like all staff 
statements, have no legal force or effect: they do not alter or 
amend applicable law; and they create no new or additional 
obligations for any person.
---------------------------------------------------------------------------

    Another group of tactics consists of various social engineering schemes. In 
a social engineering attack, the threat actor uses social skills to 
convince an individual to provide access or information that can be 
used to access an information system.\30\ ``Phishing'' is a variation 
of a social engineering attack in which an email is used to convince an 
individual to provide information (e.g., personal or account 
information or log-in credentials) that can be used to gain 
unauthorized access to an information system.\31\ Threat actors also 
use websites to perform phishing attacks.\32\ ``Spear phishing'' is a 
variation of phishing that targets a specific individual or group.\33\ 
``Vishing'' and ``smishing'' are variations of social engineering that 
use phone communications or text messages, respectively, for this 
purpose.\34\ These social engineering tactics also are used to deceive 
the recipient of an electronic communication (e.g., an email or text 
message) into opening a link or attachment in the communication that 
uploads malware onto the recipient's information systems.\35\
---------------------------------------------------------------------------

    \30\ See, e.g., CISA, Security Tip (ST04-014)--Avoiding Social 
Engineering and Phishing Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-014 (``CISA Security Tip (ST04-014)'').
    \31\ See, e.g., CISA Security Tip (ST04-014); Microsoft Report 
(``Phishing is the most common type of malicious email observed in 
our threat signals. These emails are designed to trick an individual 
into sharing sensitive information, such as usernames and passwords, 
with an attacker. To do this, attackers will craft emails using a 
variety of themes, such as productivity tools, password resets, or 
other notifications with a sense of urgency to lure a user to click 
on a link.'').
    \32\ See, e.g., Microsoft Report (``The phishing web pages used 
in these attacks may utilize malicious domains, such as those 
purchased and operated by the attacker, or compromised domains, 
where the attacker abuses a vulnerability in a legitimate website to 
host malicious content. The phishing sites frequently copy 
well-known, legitimate login pages, such as Office 365 or Google, to 
trick users into inputting their credentials. Once the user inputs 
their credentials, they will often be redirected to a legitimate 
final site--such as the real Office 365 login page--leaving the user 
unaware that actors have obtained their credentials. Meanwhile, the 
entered credentials are stored or sent to the attacker for later 
abuse or sale.'').
    \33\ See, e.g., U.S. Office of the Director of National 
Intelligence, Spear Phishing and Common Cyber Attacks, available at 
https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf (``ODNI Spear Phishing 
Alert'') (``A spear phishing attack is an attempt to acquire 
sensitive information or access to a computer system by sending 
counterfeit messages that appear to be legitimate. `Spear phishing' 
is a type of phishing campaign that targets a specific person or 
group and often will include information known to be of interest to 
the target, such as current events or financial documents. Like 
other social engineering attacks, spear phishing takes advantage of 
our most basic human traits, such as a desire to be helpful, provide 
a positive response to those in authority, a desire to respond 
positively to someone who shares similar tastes or views, or simple 
curiosity about contemporary news and events.'').
    \34\ See, e.g., CISA Security Tip (ST04-014).
    \35\ See, e.g., ODNI Spear Phishing Alert (``The goal of spear 
phishing is to acquire sensitive information such as usernames, 
passwords, and other personal information. When a link in a phishing 
email is opened, it may open a malicious site, which could download 
unwanted information onto a user's computer. When the user opens an 
attachment, malicious software may run which could compromise the 
security posture of the host. Once a connection is established, the 
attacker is able to initiate actions that could compromise the 
integrity of your computer, the network it resides on, and data.'').
---------------------------------------------------------------------------

    In addition to malware and social engineering, threat actors may 
try to circumvent or thwart the information system's logical security 
mechanisms (i.e., to ``hack'' the system).\36\ There are many 
variations of hacking.\37\ One tactic is a ``brute force'' attack in 
which the threat actor attempts to determine an unknown value (e.g., 
log-in credentials) using an automated process that tries a large 
number of possible values.\38\ The Commission staff has observed that a 
variation of this tactic has increasingly been employed by threat 
actors against certain Market Entities to access their customers' 
accounts.\39\ The ability of

[[Page 20217]]

threat actors to hack into information systems can be facilitated by 
vulnerabilities in information systems, including for example the 
software run on the systems.\40\
---------------------------------------------------------------------------

    \36\ See Verizon DBIR (definition of ``hacking''); see also NIST 
Glossary (defining a ``hacker'' as an ``unauthorized user who 
attempts to or gains access to an information system'').
    \37\ See, e.g., Web Application Security Consortium, WASC Threat 
Classification: Version 2.00 (1/1/2010), available at https://projects.webappsec.org/f/WASC-TC-v2_0.pdf (``WASC Classification 
Report'').
    \38\ See, e.g., WASC Classification Report (``The most common 
type of a brute force attack in web applications is an attack 
against log-in credentials. Since users need to remember passwords, 
they often select easy to memorize words or phrases as passwords, 
making a brute force attack using a dictionary useful. Such an 
attack attempting to log-in to a system using a large list of words 
and phrases as potential passwords is often called a `word list 
attack' or a `dictionary attack.' '').
    \39\ See EXAMS, Commission, Risk Alert, Cybersecurity: 
Safeguarding Client Accounts against Credential Compromise (Sept. 
15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf (``EXAMS Safeguarding Client Accounts 
Risk Alert'') (``The Office of Compliance Inspections and 
Examinations (`OCIE') has observed in recent examinations an 
increase in the number of cyber-attacks against SEC-registered 
investment advisers (`advisers') and brokers and dealers 
(`broker-dealers,' and together with advisers, `registrants' or `firms') 
using credential stuffing. Credential stuffing is an automated 
attack on web-based user accounts as well as direct network login 
account credentials. Cyber attackers obtain lists of usernames, 
email addresses, and corresponding passwords from the dark web and 
then use automated scripts to try the compromised user names and 
passwords on other websites, such as a registrant's website, in an 
attempt to log in and gain unauthorized access to customer 
accounts.'').
    \40\ See, e.g., CISA, Alert (AA22-117A): 2021 Top Routinely 
Exploited Vulnerabilities, available at https://www.cisa.gov/uscert/ncas/alerts/aa22-117a (``CISA 2021 Vulnerability Report'') 
(``Globally, in 2021, malicious cyber actors targeted 
internet-facing systems, such as email servers and virtual private network 
(VPN) servers, with exploits of newly disclosed vulnerabilities. For 
most of the top exploited vulnerabilities, researchers or other 
actors released proof of concept (POC) code within two weeks of the 
vulnerability's disclosure, likely facilitating exploitation by a 
broader range of malicious actors. To a lesser extent, malicious 
cyber actors continued to exploit publicly known, dated software 
vulnerabilities--some of which were also routinely exploited in 2020 
or earlier. The exploitation of older vulnerabilities demonstrates 
the continued risk to organizations that fail to patch software in a 
timely manner or are using software that is no longer supported by a 
vendor.''). To address this risk, CISA maintains a Known Exploited 
Vulnerabilities (KEV) catalog listing vulnerabilities for which there 
is evidence of active exploitation in the wild, rather than every 
published vulnerability. 
See, e.g., CISA, Reducing The Significant Risk of Known Exploited 
Vulnerabilities, available at https://www.cisa.gov/known-exploited-vulnerabilities (``CISA strongly recommends all organizations review 
and monitor the KEV catalog and prioritize remediation of the listed 
vulnerabilities to reduce the likelihood of compromise by known 
threat actors.'').
---------------------------------------------------------------------------
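    As an added illustration (not part of this release or of the cited 
CISA materials), the following Python script shows how the KEV 
recommendation quoted above can be turned into a prioritized patching 
list: it indexes the catalog's JSON feed, matches it against a software 
inventory, and orders the hits by CISA's remediation due date, with 
internet-facing assets and CVEs linked to ransomware campaigns ahead of 
others at the same date. The catalog excerpt, vendor and product names, 
CVE identifiers and inventory below are constructed placeholders for 
the example; the feed field names are assumed from the published KEV 
JSON feed, and the inventory format is an assumption.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Field names are
# assumed from the published feed; vendor, product and CVE values are
# placeholders for this example, not real catalog entries.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN",
     "product": "Gateway", "dateAdded": "2023-01-10",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail",
     "product": "Server", "dateAdded": "2023-02-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-03-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleDB",
     "product": "Engine", "dateAdded": "2023-02-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-03-15", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed software inventory: which assets carry which unpatched CVEs
# (format is an assumption; a real inventory would come from a scanner).
INVENTORY = [
    {"asset": "vpn-gw-01", "internet_facing": True,
     "cves": ["CVE-0000-0001"]},
    {"asset": "mail-01", "internet_facing": True,
     "cves": ["CVE-0000-0002", "CVE-0000-0009"]},
    {"asset": "hr-db-01", "internet_facing": False,
     "cves": ["CVE-0000-0003"]},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE identifier."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(inventory: list, kev: dict, today: date) -> list:
    """Return one work item per (asset, CVE) pair that appears in the KEV
    catalog, most urgent first. CVEs absent from the catalog are left to
    the normal patch cycle rather than dropped from it."""
    items = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            items.append({
                "asset": asset["asset"],
                "cve": cve,
                "days_to_due": (due - today).days,  # negative: overdue
                "internet_facing": asset["internet_facing"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "action": entry["requiredAction"],
            })
    # Earliest due date first; for equal dates, internet-facing assets and
    # CVEs used in ransomware campaigns go ahead.
    items.sort(key=lambda i: (i["days_to_due"],
                              not i["internet_facing"],
                              not i["ransomware"]))
    return items


def example_items(today_iso: str = "2023-03-01") -> list:
    """Run the sample inventory against the sample feed as of a given day."""
    return prioritize(INVENTORY, load_kev(KEV_FEED_JSON),
                      date.fromisoformat(today_iso))


if __name__ == "__main__":
    for item in example_items():
        state = ("OVERDUE" if item["days_to_due"] < 0
                 else f"due in {item['days_to_due']}d")
        print(f"{item['asset']:<10} {item['cve']}  {state:<12} {item['action']}")
```

The inventory CVE that is not in the catalog is deliberately left out 
of the list rather than discarded: the KEV feed narrows the work to 
what is being exploited now, and the remaining findings still belong in 
the ordinary patch cycle.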

    Threat actors also cause harmful cybersecurity incidents through 
denial-of-service (``DoS'') attacks.\41\ This type of attack may 
involve botnets or compromised servers sending ``junk'' data or 
messages to an information system that a Market Entity uses to provide 
services to investors, market participants, or other Market Entities, 
causing the system to fail or be unable to process operations in a 
timely manner. When the flood originates from many compromised devices 
at once, the attack is commonly referred to as a distributed 
denial-of-service (``DDoS'') attack. DoS attacks are a commonly used 
tactic.\42\
---------------------------------------------------------------------------

    \41\ See CISA, Security Tip (ST04-015)--Understanding Denial-of-
Service Attacks, available at https://www.cisa.gov/uscert/ncas/tips/ST04-015 (``A denial-of-service (DoS) attack occurs when legitimate 
users are unable to access information systems, devices, or other 
network resources due to the actions of a malicious threat actor. 
Services affected may include email, websites, online accounts 
(e.g., banking), or other services that rely on the affected 
computer or network. A denial-of-service condition is accomplished 
by flooding the targeted host or network with traffic until the 
target cannot respond or simply crashes, preventing access for 
legitimate users. DoS attacks can cost an organization both time and 
money while their resources and services are inaccessible.'').
    \42\ See Verizon DBIR (finding that DoS attacks represented 46% 
of the total cybersecurity incidents analyzed).
---------------------------------------------------------------------------
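    As an added illustration (not part of this release or of the cited 
EXAMS and CISA materials), the following Python script shows the kind 
of detection logic a Market Entity could run over its web login logs to 
surface the two tactics described above: credential stuffing, which 
appears as one source trying many distinct usernames with mostly failed 
logins, and a volumetric denial-of-service, which appears as a request 
rate in a short window far above the normal baseline, from one address 
or from many. The log lines, addresses, usernames and thresholds are 
constructed sample data, and the log format is an assumption made for 
the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log format assumed for this example, one event per line:
#   <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>


def build_sample_log() -> str:
    """Constructed login events (not real traffic): ordinary users, one
    credential-stuffing source and a short flood from many addresses."""
    t0 = datetime(2023, 4, 5, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} 203.0.113.10 alice LOGIN_OK",
        f"{(t0 + timedelta(seconds=30)).isoformat()} 203.0.113.11 bob LOGIN_FAIL",
        f"{(t0 + timedelta(seconds=45)).isoformat()} 203.0.113.11 bob LOGIN_OK",
    ]
    # Credential stuffing: one source walks a stolen username/password list;
    # twelve different accounts, one of which reused its password.
    for i in range(12):
        outcome = "LOGIN_OK" if i == 7 else "LOGIN_FAIL"
        ts = t0 + timedelta(seconds=60 + i)
        lines.append(f"{ts.isoformat()} 198.51.100.9 user{i:02d} {outcome}")
    # Volumetric flood: 60 requests in ten seconds from 30 botnet addresses.
    for i in range(60):
        ts = t0 + timedelta(seconds=120 + i // 6)
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 30 + 1} guest LOGIN_FAIL")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, min_attempts=10, min_distinct_users=5,
                               max_success_rate=0.2) -> dict:
    """Flag sources that try many distinct usernames with mostly failed
    logins. Returns {ip: summary}; the accounts that did authenticate are
    the ones to lock and investigate, since their password was on the list."""
    attempts, successes = Counter(), Counter()
    users, hit_accounts = defaultdict(set), defaultdict(list)
    for _, ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip] += 1
            hit_accounts[ip].append(user)
    flagged = {}
    for ip, n in attempts.items():
        rate = successes[ip] / n
        if (n >= min_attempts and len(users[ip]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                           "success_rate": round(rate, 3),
                           "compromised_accounts": sorted(hit_accounts[ip])}
    return flagged


def detect_flood(events, window_seconds=10, threshold=40) -> list:
    """Flag fixed windows whose request count exceeds the threshold. A high
    distinct-source count points at a distributed (botnet) flood rather
    than a single misbehaving client."""
    if not events:
        return []
    start = min(ts for ts, _, _, _ in events)
    buckets = defaultdict(list)
    for ts, ip, _, _ in events:
        idx = int((ts - start).total_seconds()) // window_seconds
        buckets[idx].append(ip)
    flagged = []
    for idx, ips in sorted(buckets.items()):
        if len(ips) > threshold:
            flagged.append({
                "window_start": start + timedelta(seconds=idx * window_seconds),
                "requests": len(ips),
                "distinct_sources": len(set(ips)),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for ip, s in detect_credential_stuffing(evs).items():
        print(f"credential stuffing from {ip}: {s}")
    for w in detect_flood(evs):
        print(f"flood at {w['window_start']}: {w['requests']} requests "
              f"from {w['distinct_sources']} sources")
```

Two caveats a practitioner would add. First, the credential-stuffing 
check keys on the source address, so an attacker that spreads attempts 
across a large proxy pool will fall below the per-source thresholds; 
per-account failure counts and the share of attempts against accounts 
that do not exist are complementary signals. Second, application logs 
only record requests that reached the application, so a volumetric 
flood is usually measured and mitigated at the network edge before it 
ever appears in a login log like this one.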

    The tactics, techniques, and procedures employed by threat actors 
can impact the information systems a Market Entity operates directly 
(e.g., a web application or email system).\43\ They also can adversely 
impact the Market Entity and its information systems through its 
connection to information systems operated by third-parties such as 
service providers (e.g., cloud service providers), business partners, 
customers, counterparties, members, registrants, or users.\44\ Further, 
the tactics, techniques, and procedures employed by threat actors can 
adversely impact the Market Entity and its information systems through 
its connection to information systems operated by utilities or central 
platforms to which the Market Entity is connected (e.g., a securities 
exchange, securities trading platform, securities clearing agency, or a 
payment processor).\45\
---------------------------------------------------------------------------

    \43\ See, e.g., Verizon DBIR (finding that the top assets 
breached in cyber security incidents are servers hosting web 
applications and emails, and stating that because they are 
``internet-facing'' they ``provide a useful venue for attackers to 
slip through the organization's `perimeter' '').
    \44\ See, e.g., Ponemon Institute LLC, The Cost of Third-Party 
Cybersecurity Risk Management (Mar. 2019), available at https://info.cybergrx.com/ponemon-report (``Third-party breaches remain a 
dominant security challenge for organizations, with over 63% of 
breaches linked to a third party.'').
    \45\ See, e.g., Financial Markets Authority, New Zealand, Market 
Operator Obligations Targeted Review--NZX (January 2021), available 
at https://www.fma.govt.nz/assets/Reports/Market-Operator-Obligations-Targeted-Review-NZX.pdf (``New Zealand FMA Report'') 
(describing an August 2020 cybersecurity incident at New Zealand's 
only regulated financial product market that caused a trading halt 
of approximately four days).
---------------------------------------------------------------------------

    If cybersecurity risk materializes into a significant cybersecurity 
incident, a Market Entity may lose its ability to perform a key 
function causing harm to the Market Entity, investors, or other market 
participants. Moreover, given the interconnectedness of Market 
Entities' information systems, a significant cybersecurity incident at 
one Market Entity has the potential to spread to other Market Entities 
in a cascading process that could cause widespread disruptions 
threatening the fair, orderly, and efficient operation of the U.S. 
securities markets.\46\ Further, the disruption of a Market Entity that 
provides critical services to other Market Entities through connected 
information systems could cause cascading disruptions to those other 
Market Entities to the extent they cannot obtain those critical 
services from another source.\47\
---------------------------------------------------------------------------

    \46\ See, e.g., Implications of Cyber Risk for Financial 
Stability (``Cyber shocks can lead to losses hitting many firms at 
the same time because of correlated risk exposures (sometimes called 
the popcorn effect), such as when firms load the same malware-
infected third-party software update.''); The Bank for International 
Settlements, Committee on Payments and Market Infrastructures 
(``CPMI'') and IOSCO, Guidance on cyber resilience for financial 
market infrastructures (June 2016), available at https://www.bis.org/cpmi/publ/d146.pdf (``[T]here is a broad range of entry 
points through which a [financial market infrastructure (``FMI'')] 
could be compromised. As a result of their interconnectedness, cyber 
attacks could come through an FMI's participants, linked FMIs, 
service providers, vendors and vendor products . . . . Because an 
FMI's systems and processes are often interconnected with the 
systems and processes of other entities within its ecosystem, in the 
event of a large-scale cyber incident it is possible for an FMI to 
pose contagion risk (i.e., propagation of malware or corrupted data) 
to, or be exposed to contagion risk from, its ecosystem.'').
    \47\ See, e.g., Implications of Cyber Risk for Financial 
Stability (``And the interconnectedness of the financial system 
means that an event at one or more firms may spread to others (the 
domino effect). For example, a cyber event at a single bank can 
disrupt the bank's ability to send payments and have cascading 
effects on other banks' liquidity and operations.'').
---------------------------------------------------------------------------

    A significant cybersecurity incident also can result in 
unauthorized access to and use of personal, confidential, or 
proprietary information.\48\ In the case of personal information, this 
can cause harm to investors and others whose personal information was 
accessed or used (e.g., identity theft).\49\ This could lead to theft 
of investor assets. In the case of confidential or proprietary 
information, this can cause harm to the business of the person whose 
proprietary information was accessed or used (e.g., public exposure of 
trading positions or business strategies) or provide the unauthorized 
user with an unfair advantage over other market participants (e.g., 
trading based on confidential business information). Unauthorized 
access to proprietary information also can lead to theft of a Market 
Entity's valuable intellectual property.
---------------------------------------------------------------------------

    \48\ See, e.g., Bank of England CBEST Report (``One class of 
targeted attack is Computer Network Exploitation (CNE) where the 
goal is to steal (or exfiltrate) confidential information from the 
target. This is effectively espionage in cyberspace or, in 
information security terms, compromising confidentiality.'').
    \49\ The NIST Glossary defines ``identity fraud or theft'' as 
``all types of crime in which someone wrongfully obtains and uses 
another person's personal data in some way that involves fraud or 
deception, typically for economic gain.''
---------------------------------------------------------------------------

    Cybersecurity incidents affecting Market Entities can cause 
substantial harm to other market participants, including investors. For 
example, significant cybersecurity incidents caused by malware can 
cause the loss of the Market Entity's data, or the data of other market 
participants.\50\ These

[[Page 20218]]

incidents also can lead to business disruptions that are not just 
costly to the Market Entity but also the other market participants that 
rely on the Market Entity's services.
---------------------------------------------------------------------------

    \50\ CISA, Cyber Essentials Starter Kit--The Basics for Building 
a Culture of Cyber Readiness (Spring 2021), available at https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf (``CISA 
Cyber Essentials Starter Kit'') (``Malware is designed to spread 
quickly. A lack of defense against it can completely corrupt, 
destroy or render your data inaccessible.'').
---------------------------------------------------------------------------

    A Market Entity also may incur substantial remediation costs due to 
a significant cybersecurity incident.\51\ For example, the incident may 
result in reimbursement to other market participants for cybersecurity-
related losses and payment for their use of identity protection 
services. A Market Entity's failure to protect itself adequately 
against a significant cybersecurity incident also may increase its 
insurance premiums. In addition, a significant cybersecurity incident 
may expose a Market Entity to litigation costs (e.g., to defend 
lawsuits brought by individuals whose personal information was stolen), 
regulatory scrutiny, reputational damage, and, if a result of a 
compliance failure, penalties. Finally, a sufficiently severe 
significant cybersecurity incident could cause the failure of a Market 
Entity. Given the interconnectedness of Market Entities, a significant 
cybersecurity incident that degrades or disrupts the critical functions 
of one Market Entity could cause harm to other Market Entities (e.g., 
by cutting off their access to a critical service such as securities 
clearance or by exposing them to the same malware that degraded or 
disrupted the critical functions of the first Market Entity). This 
could lead to market-wide outages that compromise the fair, orderly, 
and efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------

    \51\ See, e.g., IBM Security, Cost of Data Breach Report 2022, 
available at https://www.ibm.com/security/data-breach (noting the 
average cost of a data breach in the financial industry is $5.97 
million); FBI Internet Crime Report (noting that cybercrime victims 
lost approximately $6.9 billion in 2021).
---------------------------------------------------------------------------

    For these reasons, the Commission is proposing new rule 
requirements that are designed to protect the U.S. securities markets 
and investors in these markets from the threat posed by cybersecurity 
risks.\52\
---------------------------------------------------------------------------

    \52\ The Commission has pending proposals to address 
cybersecurity risk with respect to investment advisers, investment 
companies, and public companies. See Cybersecurity Risk Management 
for Investment Advisers, Registered Investment Companies, and 
Business Development Companies, Release Nos. 33-11028, 34-94917, IA-
5956, IC-34497 (Feb. 9, 2022) [87 FR 13524, (Mar. 9, 2022)] 
(``Investment Management Cybersecurity Release''); Cybersecurity 
Risk Management, Strategy, Governance, and Incident Disclosure, 
Release Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022) [87 FR 
16590 (Mar. 23, 2022)]. In addition, as discussed in more detail 
below in section II.F. of this release, the Commission is proposing 
to amend Regulation SCI (17 CFR 242.1000 through 1007) and 
Regulation S-P (17 CFR 248.1 through 248.30) concurrent with this 
release. See Regulation Systems Compliance and Integrity, Release 
No. 34-97143 (Mar. 15, 2023) (File No. S7-07-23) (``Regulation SCI 
2023 Proposing Release''); Regulation S-P: Privacy of Consumer 
Financial Information and Safeguarding Customer Information, Release 
Nos. 34-97141, IA-6262, IC-34854 (Mar. 15, 2023) (File No. S7-05-23) 
(``Regulation S-P 2023 Proposing Release''). The Commission 
encourages commenters to review the proposals with respect to 
Regulation SCI and Regulation S-P to determine whether they might 
affect their comments on this proposing release. See also section 
II.F. of this release (seeking specific comment on how the proposals 
in this release would interact with Regulation SCI and Regulation S-
P as they currently exist and would be amended). Further, the 
Commission has reopened the comment period for the Investment 
Management Cybersecurity Release to allow interested persons 
additional time to analyze the issues and prepare their comments in 
light of other regulatory developments, including the proposed rules 
and amendments regarding this proposal, the Regulation SCI 2023 
Proposing Release and the Regulation S-P 2023 Proposing Release that 
the Commission should consider in connection with the Investment 
Management Cybersecurity Release. See Cybersecurity Risk Management 
for Investment Advisers, Registered Investment Companies, and 
Business Development Companies; Reopening of Comment Period, Release 
Nos. 33-11167, 34-97144, IA-6263, IC-34855 (Mar. 15, 2023), [88 FR 
16921 (Mar. 31, 2023)]. The Commission encourages commenters to 
review the Investment Management Cybersecurity Release and the 
comments on that proposal to determine whether they might affect 
their comments on this proposing release. The comments on the 
Investment Management Cybersecurity Release are available at: 
https://www.sec.gov/comments/s7-04-22/s70422.htm. Lastly, the 
Commission also proposed rules and amendments regarding an 
investment adviser's obligations with respect to outsourcing certain 
categories of ``covered functions,'' including cybersecurity. See 
Outsourcing by Investment Advisers, Release No. IA-6176 (Oct. 26, 
2022), [87 FR 68816 (Nov. 16, 2022)]. The Commission encourages 
commenters to review that proposal to determine whether it might 
affect comments on this proposing release.
---------------------------------------------------------------------------

2. Critical Operations of Market Entities Are Exposed to Cybersecurity 
Risk
    The fair, orderly, and efficient operation of the U.S. securities 
markets depends on Market Entities performing various functions without 
disruption. Market Entities rely on information systems and networks of 
interconnected information systems to perform their functions. This 
exposes them to the harms that can be caused by threat actors using the 
tactics, techniques, and procedures discussed above (among others) and 
by errors of employees or third-party service providers (among others). 
The GAO has stated that the primary cybersecurity risks identified by 
financial sector firms are: (1) internal actors; \53\ (2) malware; \54\ 
(3) social engineering; \55\ and (4) interconnectivity.\56\ As 
discussed below, a significant cybersecurity incident can cause serious 
harm to Market Entities and others who use their services or are 
connected to them through information systems and, if severe enough, 
negatively impact the fair, orderly, and efficient operations of the 
U.S. securities markets.
---------------------------------------------------------------------------

    \53\ See GAO Cybersecurity Report (``Risks due to insider 
threats involve careless, poorly trained, or disgruntled employees 
or contractors hired by an organization who may intentionally or 
inadvertently introduce vulnerabilities or malware into information 
systems. Insiders may not need a great deal of knowledge about 
computer intrusions because their knowledge of a target system often 
allows them to gain unrestricted access to cause damage to the 
system or to steal system data. Results of insider threats can 
include data destruction and account compromise.'').
    \54\ Id. (``The risk of malware exploits impacting the 
[financial] sector has increased as malware exploits have grown in 
sophistication'').
    \55\ Id. (``The financial services sector is at risk due to 
social engineering attacks, which include a broad range of malicious 
activities accomplished through human interaction that enable 
attackers to gain access to sensitive data by convincing a 
legitimate, authorized user to give them their credentials and/or 
other personal information'').
    \56\ Id. (``Interconnectivity involves interdependencies 
throughout the financial services sector and the sharing of data and 
information via networks, the cloud, and mobile applications. 
Organizations in the financial services sector utilize data 
aggregation hubs and cloud service providers, and new financial 
technologies such as algorithms based on consumers' data and risk 
preferences to provide digital services for investment and financial 
advice.'').
---------------------------------------------------------------------------

a. Common Uses of Information Systems by Market Entities
    Market Entities need accurate and accessible books and records, 
among other things, to manage and conduct their operations, manage and 
mitigate their risks, monitor the progress of their business, track 
their financial condition, prepare financial statements, prepare 
regulatory filings, and prepare tax returns. Increasingly, these 
records are made and preserved on information systems.\57\ These 
recordkeeping information systems also store personal, confidential, 
and proprietary business information about the Market Entity and its 
customers, counterparties, members, registrants, or users.
---------------------------------------------------------------------------

    \57\ Some Market Entities may store certain or all of their 
records in paper format. This discussion pertains to recordkeeping 
systems that store records electronically on information systems.
---------------------------------------------------------------------------

    The complexity and scope of these books and records systems ranges 
from ones used by large Market Entities that comprise networks of 
systems that track thousands of different types of daily transactions 
(e.g., securities trades and movements of assets) to ones used by small 
Market Entities comprising off-

[[Page 20219]]

the-shelf accounting software and computer files on a desktop computer. 
In either case, a significant cybersecurity incident that compromises 
the confidentiality, integrity, or availability of the information 
system can be devastating to the Market Entity and its customers, 
counterparties, members, registrants, or users. For example, it could 
cause the Market Entity to 
cease operations or allow threat actors to use personal information 
about the customers of the Market Entity to steal their identities.
    Market Entities also use information systems so that their 
employees can communicate with each other and with external persons. 
These include email, text messaging, and virtual meeting applications. 
The failure of these information systems as a result of a significant 
cybersecurity incident can seriously disrupt the Market Entity's 
ability to carry out its functions. Moreover, these outward-facing 
information systems are vectors that threat actors use to cause harmful 
cybersecurity incidents by, for example, tricking an employee through 
social engineering into downloading malware in an attachment to an 
email.
b. Broker-Dealers
    Broker-dealers perform a number of functions in the U.S. securities 
markets, including underwriting the issuance of securities for publicly 
and privately held companies, making markets in securities, brokering 
securities transactions, dealing securities, operating an ATS, 
executing securities transactions, clearing and settling securities 
transactions, and maintaining custody of securities for investors. Some 
broker-dealers may perform multiple functions; whereas others may 
perform a single function. Increasingly, these functions are performed 
through the use of information systems. For example, broker-dealers use 
information systems to connect to securities exchanges, ATSs, and other 
securities markets in order to transmit purchase and sell orders. 
Broker-dealers also use information systems to connect to clearing 
agencies or clearing broker-dealers to transmit securities settlement 
instructions and transfer funds. They use information systems to 
communicate and transact with other broker-dealers. In addition, they 
use information systems to provide securities services to investors, 
including information systems that investors use to access their 
securities accounts and transmit orders to purchase or sell securities.
    Depending on the functions undertaken by a broker-dealer, a 
significant cybersecurity incident could affect customers, including 
retail investors. For example, a significant cybersecurity incident 
could result in the broker-dealer experiencing a systems outage, which 
in turn could leave customers unable to purchase or sell securities 
held in their account and the broker-dealer unable to trade for itself. 
In addition, broker-dealers maintain records and information related to 
their customers that include personal information, such as names, 
addresses, phone numbers, employer information, tax identification 
information, bank information, and other detailed and individualized 
information related to broker-dealer obligations under applicable 
statutory and regulatory provisions.\58\ If personal information held 
by a broker-dealer is accessed or stolen by unauthorized users, it 
could result in harm (e.g., identity theft or conversion of financial 
assets) to many individuals, including retail investors.
---------------------------------------------------------------------------

    \58\ See, e.g., 17 CFR 240.17a-3(a)(17) (requiring broker-
dealers to make account records of the customer's or owner's name, 
tax identification number, address, telephone number, date of birth, 
employment status, annual income, net worth, and the account's 
investment objectives). Broker-dealers also must comply with 
relevant anti-money laundering (AML) laws, rules, orders, and 
guidance. See, e.g., Commission, Anti-Money Laundering (AML) Source 
Tool for Broker-Dealers, (May 16, 2022), available at https://www.sec.gov/about/offices/ocie/amlsourcetool.
---------------------------------------------------------------------------

    Further, a significant cybersecurity incident at a broker-dealer 
could provide a gateway for threat actors to attack the self-regulatory 
organizations (``SROs'')--such as national securities exchanges and 
registered clearing agencies--ATSs, and other broker-dealers to which 
the firm is connected through information systems and networks of 
interconnected information systems.\59\ This could cause a cascading 
effect where a significant cybersecurity incident initially impacting 
one broker-dealer spreads to other Market Entities. Moreover, the 
information systems that link a broker-dealer to other Market Entities, 
its customers, and other service providers are vectors that expose the 
broker-dealer to cybersecurity risk arising from threats that originate 
in information systems outside the broker-dealer's control.
---------------------------------------------------------------------------

    \59\ Section 3(a)(26) of the Exchange Act defines a self-
regulatory organization as any national securities exchange, 
registered securities association, registered clearing agency, or 
(with limitations) the MSRB. See 15 U.S.C. 78c(a)(26).
---------------------------------------------------------------------------

    In addition, some broker-dealers operate ATSs. An ATS is a trading 
system for securities that meets the definition of ``exchange'' under 
federal securities laws but is not required to register with the 
Commission as a national securities exchange if it complies with the 
conditions to an exemption provided under Regulation ATS, which 
includes registering as a broker-dealer.\60\ Registering as a broker-
dealer requires becoming a member of an SRO, such as FINRA, and 
membership in FINRA subjects an ATS to FINRA's rules and oversight. 
Since Regulation ATS was adopted in 1998, ATSs' operations have 
increasingly relied on complex automated systems to bring together 
buyers and sellers for various securities, which include--for example--
electronic limit order books and auction mechanisms. These developments 
have made ATSs significant sources of orders and trading interest for 
securities. ATSs employ information systems to accept, store, and match 
orders pursuant to pre-programmed methods and to communicate the 
execution of these orders for trade reporting purposes and for 
clearance and settlement of the transactions. ATSs, in particular ATSs 
that are ``NMS Stock ATSs,'' \61\ use information systems to connect to 
various trading centers in order to receive market data that ATSs use 
to price and execute orders that are entered on the ATS. A significant 
cybersecurity incident could disrupt the ATS's critical infrastructure 
and significantly impede the ability of the ATS to (among other 
things): (1) receive market data; (2) accept, price, and match orders; 
or (3) report transactions. This, in turn, could negatively impact the 
ability of ATS subscribers to trade and execute the orders of their 
investors or purchase certain securities at favorable or predictable 
prices or in a timely manner to the extent the ATS provides

[[Page 20220]]

liquidity to the market for those securities.
---------------------------------------------------------------------------

    \60\ 17 CFR 242.300 through 242.304. Exchange Act Rule 3a1-
1(a)(2) exempts from the definition of ``exchange'' under Section 
3(a)(1) of the Exchange Act an organization, association, or group 
of persons that complies with Regulation ATS. See 17 CFR 240.3a1-
1(a)(2). Regulation ATS requires an ATS to, among other things, 
register as a broker-dealer, file a Form ATS with the Commission to 
notice its operations, and establish written safeguards and 
procedures to protect subscribers' confidential trading information. 
See 17 CFR 242.301(b)(1), (2), and (10), respectively. The broker-
dealer operator of the ATS controls all aspects of the ATS's 
operations and is legally responsible for its operations and for 
ensuring that the ATS complies with applicable federal securities 
laws and the rules and regulations thereunder, including Regulation 
ATS. See Regulation of NMS Stock Alternative Trading Systems, 
Exchange Act Release No. 83663 (July 18, 2018) [83 FR 38768, 38819-
20 (Aug. 7, 2018)] (``Regulation of NMS Stock Alternative Trading 
Systems Release'').
    \61\ See 17 CFR 242.300(k) (defining the term ``NMS Stock 
ATS'').
---------------------------------------------------------------------------

c. Clearing Agencies
    Clearing agencies are broadly defined in the Exchange Act and 
undertake a variety of functions.\62\ An entity that meets the 
definition of a ``clearing agency'' is required to register with the 
Commission or obtain from the Commission an exemption from registration 
prior to performing the functions of a clearing agency.\63\
---------------------------------------------------------------------------

    \62\ See 15 U.S.C. 78c(a)(23)(A).
    \63\ See 15 U.S.C. 78q-1(b); 17 CFR 240.17Ab2-1.
---------------------------------------------------------------------------

    Two common functions of registered clearing agencies are operating 
as a central counterparty (``CCP'') or a central securities depository 
(``CSD''). Registered clearing agencies that provide these services are 
``covered clearing agencies'' under Commission regulations.\64\ A CCP 
acts as the buyer to every seller and the seller to every buyer, 
providing a trade guaranty with respect to transactions submitted for 
clearing by the clearing agency's participants.\65\ A CSD acts as a 
depository for handling securities, whereby all securities of a 
particular class or series of any issuer deposited within the system 
are treated as fungible. Market Entities may use a CSD to transfer, 
loan, or pledge securities by bookkeeping entry without the physical 
delivery of certificates. A CSD also may permit or facilitate the 
settlement of securities transactions more generally.\66\ Currently, 
all clearing agencies registered with the Commission that are actively 
providing clearance and settlement services are covered clearing 
agencies.\67\
---------------------------------------------------------------------------

    \64\ See 17 CFR 240.17Ad-22. See also Standards for Covered 
Clearing Agencies, Exchange Act Release No. 78961 (Sept. 28, 2016) 
[81 FR 70786, 70793 (Oct. 13, 2016)] (``CCA Standards Adopting 
Release''). As discussed below, some clearing agencies operate 
pursuant to Commission exemptions from registration.
    \65\ See 17 CFR 240.17Ad-22 (``Rule 17Ad-22''); Definition of 
``Covered Clearing Agency'', Exchange Act Release No. 88616 (Apr. 9, 
2020) [85 FR 28853, 28855-56 (May 14, 2020)] (``CCA Definition 
Adopting Release'').
    \66\ See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad-22; CCA 
Definition Adopting Release, 85 FR at 28856.
    \67\ The active covered clearing agencies are: (1) The 
Depository Trust Company (``DTC''); (2) Fixed Income Clearing 
Corporation (``FICC''); (3) National Securities Clearing Corporation 
(``NSCC''); (4) Intercontinental Exchange, Inc. (``ICE'') Clear 
Credit LLC (``ICC''); (5) ICE Clear Europe Limited (``ICEEU''); (6) 
The Options Clearing Corporation (``Options Clearing Corp.''); and 
(7) LCH SA. Certain clearing agencies are registered with the 
Commission but are not covered clearing agencies. See CCA Standards 
Adopting Release, 81 FR at 70793. In particular, although subject to 
paragraph (d) of Rule 17Ad-22, the Boston Stock Exchange Clearing 
Corporation (``BSECC'') and Stock Clearing Corporation of 
Philadelphia (``SCCP'') are currently registered with the Commission 
as clearing agencies but conduct no clearance or settlement 
operations. See Self-Regulatory Organizations; The Boston Stock 
Clearing Corporation; Notice of Filing and Immediate Effectiveness 
of Proposed Rule Change To Amend the Articles of Organization and 
By-Laws, Exchange Act Release No. 63629 (Jan. 3, 2011) [76 FR 1473, 
1474 (Jan. 10, 2011)] (``BSECC Notice''); Self-Regulatory 
Organizations; Stock Clearing Corporation of Philadelphia; Notice of 
Filing and Immediate Effectiveness of Proposed Rule Change Relating 
to the Suspension of Certain Provisions Due to Inactivity, Exchange 
Act Release No. 63268 (Nov. 8, 2010) [75 FR 69730, 69731 (Nov. 15, 
2010)] (``SCCP Notice'').
---------------------------------------------------------------------------

    Registered clearing agencies also are SROs under section 19 of the 
Exchange Act, and their proposed rules are subject to Commission review 
and published for notice and comment. While certain types of proposed 
rules are effective upon filing, others are subject to Commission 
approval before they can go into effect.
    Additionally, section 17A(b)(1) of the Exchange Act provides the 
Commission with authority to exempt a clearing agency or any class of 
clearing agencies (``exempt clearing agencies'') from any provision of 
section 17A or the rules or regulations thereunder.\68\ An exemption 
may be effected by rule or order, upon the Commission's own motion or 
upon application, and conditionally or unconditionally.\69\ The 
Commission has provided exemptions from registration as a clearing 
agency for clearing agencies that provide matching services.\70\ 
Matching services centrally match trade information between a broker-
dealer and its institutional customer. The Commission also has provided 
exemptions for non-U.S. clearing agencies to perform the functions of a 
clearing agency with respect to transactions of U.S. participants 
involving U.S. government and agency securities.\71\
---------------------------------------------------------------------------

    \68\ 15 U.S.C. 78q-1(b)(1). See also 15 U.S.C. 78mm (providing 
the Commission with general exemptive authority).
    \69\ See 15 U.S.C. 78q-1(b)(1). The Commission's exercise of 
authority to grant exemptive relief must be consistent with the 
public interest, the protection of investors, and the purposes of 
Section 17A of the Exchange Act, including the prompt and accurate 
clearance and settlement of securities transactions and the 
safeguarding of securities and funds.
    \70\ See Global Joint Venture Matching Services--US, LLC; Order 
Granting Exemption from Registration as a Clearing Agency, Exchange 
Act Release No. 44188 (Apr. 17, 2001) [66 FR 20494 (Apr. 23, 2001)] 
(granting an exemption to provide matching services to Global Joint 
Venture Matching Services US LLC, now known as DTCC ITP Matching 
U.S. LLC) (``DTCC ITP Matching Order''); Bloomberg STP LLC; SS&C 
Technologies, Inc.; Order of the Commission Approving Applications 
for an Exemption From Registration as a Clearing Agency, Exchange 
Act Release No. 76514 (Nov. 25, 2015) [80 FR 75388 (Dec. 1, 2015)] 
(granting an exemption to provide matching services to each of 
Bloomberg STP LLC and SS&C Technologies, Inc.) (``BSTP SS&C 
Order''). In addition, on July 1, 2011, the Commission published a 
conditional, temporary exemption from clearing agency registration 
for entities that perform certain post-trade processing services for 
security-based swap transactions. See Order Pursuant to Section 36 
of the Securities Exchange Act of 1934 Granting Temporary Exemptions 
From Clearing Agency Registration Requirements Under Section 17A(b) 
of the Exchange Act for Entities Providing Certain Clearing Services 
for Security-Based Swaps, Exchange Act Release No. 34-64796 (July 1, 
2011) [76 FR 39963 (July 7, 2011)]. The order facilitated the 
Commission's identification of entities that operate in that area 
and that accordingly may fall within the clearing agency definition. 
Recently, the Commission indicated that the 2011 Temporary Exemption 
may no longer be necessary. See Rules Relating to Security-Based 
Swap Execution and Registration and Regulation of Security-Based 
Swap Execution Facilities, Release No. 34-94615 (Apr. 6, 2022) [87 
FR 28872, 28934 (May 11, 2022)] (stating that the ``Commission 
preliminarily believes that, if it adopts a framework for the 
registration of [security-based swap execution facilities 
(``SBSEFs'')], the 2011 Temporary Exemption would no longer be 
necessary because entities carrying out the functions of SBSEFs 
would be able to register with the Commission as such, thereby 
falling within the exemption from the definition of `clearing 
agency' in existing Rule 17Ad-24.'').
    \71\ See Euroclear Bank SA/NV; Order of the Commission Approving 
an Application To Modify an Existing Exemption From Clearing Agency 
Registration, Exchange Act Release No. 79577 (Dec. 16, 2016) [81 FR 
93994 (Dec. 22, 2016)] (providing an exemption to Euroclear Bank SA/
NV (successor in name to Morgan Guaranty Trust Company of NY)) 
(``Euroclear Bank Order''); Self-Regulatory Organizations; Cedel 
Bank; Order Approving Application for Exemption From Registration as 
a Clearing Agency, Exchange Act Release No. 38328 (Feb. 
24, 1997) [62 FR 9225 (Feb. 28, 1997)] (providing an exemption to 
Clearstream Banking, S.A. (successor in name to Cedel Bank, societe 
anonyme, Luxembourg)) (``Clearstream Banking Order''). Furthermore, 
pursuant to the Commission's statement on CCPs in the European Union 
(``EU'') authorized under the European Markets Infrastructure 
Regulation (``EMIR''), an EU CCP may request an exemption from the 
Commission where it has determined that the application of 
Commission requirements would impose unnecessary, duplicative, or 
inconsistent requirements in light of EMIR requirements to which it 
is subject. See Statement on Central Counterparties Authorized under 
the European Markets Infrastructure Regulation Seeking to Register 
as a Clearing Agency or to Request Exemptions from Certain 
Requirements Under the Securities Exchange Act of 1934, Exchange Act 
Release No. 34-90492 (Nov. 23, 2020) [85 FR 76635, 76639 (Nov. 30, 
2020)], https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf (stating that in seeking an exemption, an EU CCP 
could provide ``a self-assessment . . . [to] explain how the EU 
CCP's compliance with EMIR corresponds to the requirements in the 
Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad-
22 and Regulation SCI.'').
---------------------------------------------------------------------------

    Registered and exempt clearing agencies rely on information systems 
to perform the functions described above. Given their central role, the 
information systems operated by clearing agencies are critical to the 
operations of the U.S. securities markets. For registered clearing 
agencies, in particular, these information systems include those that 
set and calculate margin obligations and other charges, perform netting 
and calculate payment obligations, facilitate the movement of funds and 
securities, or effectuate end-of-day settlement.
Certain exempt clearing agencies (e.g., Euroclear and Clearstream) may 
provide CSD functions like covered clearing agencies while other exempt 
clearing agencies (e.g., DTCC ITP) may not provide such functions. 
Nonetheless, any entity that falls within the definition of a clearing 
agency centralizes technology functions in a manner that increases its 
potential to become a single point of failure in the case of a 
significant cybersecurity incident.\72\
---------------------------------------------------------------------------

    \72\ See generally Board of Governors of the Federal Reserve 
System (``Federal Reserve Board''), Commission, Commodity Futures 
Trading Commission (``CFTC''), Risk Management of Designated 
Clearing Entities (July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (report to the Senate 
Committees on Banking, Housing, and Urban Affairs and Agriculture, 
Nutrition, and Forestry and the House Committees on Financial 
Services and Agriculture stating that a designated clearing entity 
(``DCE'') ``faces two types of non-financial risks--operational and 
legal--that may disrupt the functioning of the DCE. . . . DCEs face 
operational risk from both internal and external sources, including 
human error, system failures, security breaches, and natural or man-
made disasters.'').
---------------------------------------------------------------------------

    The technology behind clearing agency information systems is 
subject to growing innovation and interconnectedness, with multiple 
clearing agencies sharing links among their systems and with the 
systems of other Market Entities. This growing interconnectivity means 
that a significant cybersecurity incident at a registered clearing 
agency could, for example, prevent it from acting in a timely manner to carry out 
its functions, which, in turn, could negatively impact other Market 
Entities that utilize the clearing agency's services.\73\ Further, a 
significant cybersecurity incident at a registered or exempt clearing 
agency could provide a gateway for threat actors to attack the members 
of the clearing agency and other financial institutions that connect to 
it through information systems. Moreover, the information systems that 
link the clearing agency to its members are vectors that expose the 
clearing agency to cybersecurity risk.
---------------------------------------------------------------------------

    \73\ See also EXAMS, Commission, Staff Report on the Regulation 
of Clearing Agencies (Oct. 1, 2020), available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff 
stating that ``consolidation among providers of clearance and 
settlement services concentrates clearing activity in fewer 
providers and has increased the potential for providers to become 
single points of failure.'').
---------------------------------------------------------------------------

    The records stored by clearing agencies on their information 
systems include proprietary information about their members, including 
confidential business information (e.g., information about the 
financial condition of the members used by the clearing agency to 
manage credit risk). Each clearing agency also is required to keep all 
records made or received by it in the course of its business and in the 
conduct of its self-regulatory activity. A significant cybersecurity 
incident at a clearing agency could lead to the improper use of this 
information to harm the members (e.g., public exposure of confidential 
financial information) or provide the unauthorized user with an unfair 
advantage over other market participants (e.g., trading based on 
confidential business information). Moreover, a disruption to a 
registered clearing agency's operations as a result of a significant 
cybersecurity incident could interfere with its ability to perform its 
responsibilities as an SRO (e.g., interrupting its oversight of 
clearing member activities for compliance with its rules and the 
federal securities laws), and, therefore, materially impact the fair, 
orderly, and efficient functioning of the U.S. securities markets.
d. The Municipal Securities Rulemaking Board
    The MSRB is an SRO that serves as a regulator of the U.S. municipal 
securities market with a mandate to protect municipal securities 
investors, municipal entities, obligated persons, and the public 
interest.\74\ Pursuant to the Exchange Act, the MSRB shall propose and 
adopt rules with respect to transactions in municipal securities 
effected by broker-dealers and municipal securities dealers and with 
respect to advice provided to or on behalf of municipal entities or 
obligated persons by broker-dealers, municipal securities dealers, and 
municipal advisors with respect to municipal financial products, the 
issuance of municipal securities, and solicitations of municipal 
entities or obligated persons undertaken by broker-dealers, municipal 
securities dealers, and municipal advisors.\75\ Pursuant to the 
Exchange Act, the MSRB's rules shall be designed to prevent fraudulent 
and manipulative acts and practices, to promote just and equitable 
principles of trade, to foster cooperation and coordination with 
persons engaged in regulating, clearing, settling, processing, 
information with respect to, and facilitating transactions in municipal 
securities and municipal financial products, to remove impediments to 
and perfect the mechanism of a free and open market in municipal 
securities and municipal products, and in general, to protect 
investors, municipal entities, obligated persons, and the public 
interest.\76\ As an SRO, the MSRB's proposed rules are subject to 
Commission review and published for notice and comment. While certain 
types of proposed rules are effective upon filing, others are subject 
to Commission approval before they can go into effect.
---------------------------------------------------------------------------

    \74\ See 15 U.S.C. 78o-4. Information about the MSRB and its 
functions is available at: www.msrb.org.
    \75\ See 15 U.S.C. 78o-4(b)(2).
    \76\ See 15 U.S.C. 78o-4(b)(2)(C).
---------------------------------------------------------------------------

    The MSRB relies on information systems to carry out its mission 
regulating broker-dealers, municipal securities dealers, and municipal 
advisors. For example, the MSRB operates the Electronic Municipal 
Market Access website (``EMMA''). EMMA provides transparency to the 
U.S. municipal bond market by disclosing free information on virtually 
all municipal bond offerings, including real-time trade prices, bond 
disclosure documents, and certain market statistics.\77\ The MSRB also 
provides data to the Commission, broker-dealer examining authorities, 
and banking supervisors to assist in their examination and enforcement 
efforts involving participants in the municipal securities markets. The 
MSRB also maintains other data on the U.S. municipal securities 
markets. This data can be used by the public and others to better 
understand these markets. The MSRB is also required to keep all records 
made or received by it in the course of its business and in the conduct 
of its self-regulatory activity.
---------------------------------------------------------------------------

    \77\ Broker-dealers and municipal securities dealers that trade 
municipal securities are subject to transaction reporting 
obligations under MSRB Rule G-14. EMMA, established by the MSRB in 
2009, is currently designated by the Commission as the official 
repository of municipal securities disclosure providing the public 
with free access to relevant municipal securities data, and is the 
central database for information about municipal securities 
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time 
Transaction Reporting System (``RTRS''), with limited exceptions, 
requires broker-dealers and municipal securities dealers to submit 
transaction data to the MSRB within 15 minutes of trade execution, 
and such near real-time post-trade transaction data can be accessed 
through the MSRB's EMMA website.
---------------------------------------------------------------------------

    A significant cybersecurity incident could disrupt the operation of 
EMMA and could negatively impact the fair, orderly, and efficient 
operation of the U.S. municipal securities market. For example, the 
loss or corruption of transparent price information could cause 
investors to stop purchasing or selling municipal securities or 
negatively impact the ability of investors to liquidate or purchase 
municipal securities at favorable or predictable prices or in a timely 
manner. In addition, the unauthorized access or use of personal or 
proprietary information of the persons who are registered with the MSRB could cause 
them harm through identity theft or the disclosure of confidential 
business information.
    Further, a significant cybersecurity incident impacting the MSRB 
could provide a gateway for threat actors to attack registrants that 
connect to the MSRB through information systems and networks of 
interconnected information systems. Moreover, the information systems 
that link the MSRB to its registrants are vectors that expose the MSRB 
to cybersecurity risk.
e. National Securities Associations
    A national securities association is an SRO created to regulate 
broker-dealers and the off-exchange broker-dealer market.\78\ 
Currently, FINRA is the only national securities association registered 
under section 15A of the Exchange Act. As a national securities 
association, FINRA must have rules for its members that, among other 
things, are designed to prevent fraudulent and manipulative acts and 
practices, to promote just and equitable principles of trade, to foster 
cooperation and coordination with persons engaged in regulating, 
clearing, settling, or processing information with respect to (and 
facilitating transactions in) securities, to remove impediments to and 
perfect the mechanism of a free and open market and a national market 
system, and, in general, to protect investors and the public 
interest.\79\ FINRA's rules also must provide for discipline of its 
members for violations of any provision of the Exchange Act, Exchange 
Act rules, the rules of the MSRB, or its own rules.\80\ A national 
securities association is an SRO under section 19 of the Exchange Act, 
and its proposed rules are subject to Commission review and are 
published for notice and comment. While certain types of proposed FINRA 
rules are effective upon filing, others are subject to Commission 
approval before they can go into effect.
---------------------------------------------------------------------------

    \78\ See 15 U.S.C. 78o-3(a); Exemption for Certain Exchange 
Members, Exchange Act Release No. 95388 (July 29, 2022) [87 FR 49930 
(Aug. 12, 2022)] (proposing amendments to national securities 
association membership exemption for certain exchange members).
    \79\ See 15 U.S.C. 78o-3(b)(6).
    \80\ See 15 U.S.C. 78o-3(b)(7).
---------------------------------------------------------------------------

    FINRA also performs other functions of vital importance to the U.S. 
securities markets. It developed and operates the Trade Reporting and 
Compliance Engine (``TRACE''), which facilitates the mandatory 
reporting of over-the-counter transactions in eligible fixed-income 
securities.\81\ In addition, FINRA operates the Trade Reporting 
Facility (``TRF''). FINRA members report over-the-counter transactions 
in national market system (``NMS'') stocks to the TRF, which are then 
included in publicly disseminated consolidated equity market data 
pursuant to an NMS plan.\82\ Further, pursuant to plans declared 
effective by the Commission under Exchange Act Rule 17d-2 (``Rule 17d-
2''),\83\ FINRA frequently acts as the sole SRO with regulatory 
responsibility with respect to certain applicable laws, rules, and 
regulations for its members that are also members of other SROs (e.g., 
national securities exchanges).\84\ Some of these Rule 17d-2 plans 
facilitate the conduct of market-wide surveillance, including for 
insider trading.\85\ The disruption of these FINRA activities by a 
significant cybersecurity incident could interfere with its ability to 
carry out its regulatory responsibilities (e.g., disclosing 
confidential information pertaining to its surveillance of trading 
activity), and, therefore, materially impact the fair, orderly, and 
efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------

    \81\ FINRA members are subject to transaction reporting 
obligations under FINRA Rule 6730. This rule requires FINRA members 
to report transactions in TRACE-Eligible Securities, which the rule 
defines to include a range of fixed-income securities.
    \82\ In addition, FINRA operates the Alternative Display 
Facility (``ADF''), which allows members to display quotations and 
report trades in NMS stocks. Although there are currently no users 
of the ADF, FINRA has issued a pre-quotation notice advising that a 
new participant intends to begin using the ADF, subject to 
regulatory approval. See Self-Regulatory Organizations; Financial 
Industry Regulatory Authority, Inc.; Notice of Filing of a Proposed 
Rule Change Relating to Alternative Display Facility New Entrant, 
Exchange Act Release No. 96550 (Dec. 20, 2022) [87 FR 79401 (Dec. 
27, 2022)].
    \83\ 17 CFR 240.17d-2. Pursuant to a plan declared effective by 
the Commission under Rule 17d-2, the Commission relieves an SRO of 
those regulatory responsibilities allocated by the plan to another 
SRO.
    \84\ See, e.g., Program for Allocation of Regulatory 
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order 
Approving and Declaring Effective an Amended Plan for the Allocation 
of Regulatory Responsibilities Between the Financial Industry 
Regulatory Authority, Inc. and MEMX LLC, Exchange Act Release No. 
96101 (Oct. 18, 2022) [87 FR 64280 (Oct. 24, 2022)].
    \85\ See, e.g., Program for Allocation of Regulatory 
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order 
Approving and Declaring Effective an Amendment to the Plan for the 
Allocation of Regulatory Responsibilities Among Cboe BZX Exchange, 
Inc., Cboe BYX Exchange, Inc., NYSE Chicago, Inc., Cboe EDGA 
Exchange, Inc., Cboe EDGX Exchange, Inc., Financial Industry 
Regulatory Authority, Inc., MEMX LLC, MIAX PEARL, LLC, Nasdaq BX, 
Inc., Nasdaq PHLX LLC, The Nasdaq Stock Market LLC, NYSE National, 
Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, 
Inc., Investors' Exchange LLC, and Long-Term Stock Exchange, Inc. 
Relating to the Surveillance, Investigation, and Enforcement of 
Insider Trading Rules, Exchange Act Release No. 89972 (Sept. 23, 
2020) [85 FR 61062 (Sept. 29, 2020)].
---------------------------------------------------------------------------

    FINRA uses other information systems to perform its 
responsibilities as an SRO. For example, it operates a number of 
information systems that its members use to make regulatory 
filings.\86\ These systems include FINRA's eFOCUS system through 
which its broker-dealer members file periodic (monthly or quarterly) 
confidential financial and operational reports.\87\ FINRA Gateway is 
another information system that it uses as a compliance portal for its 
members to file and access information. A disruption of FINRA's 
business operations caused by a significant cybersecurity incident 
could disrupt its ability to carry out its responsibilities as an SRO 
(e.g., by disrupting its oversight of broker-dealer activities for 
compliance with its rules and the federal securities laws or its review 
of broker-dealers' financial condition), and could therefore materially 
impact the fair, orderly, and efficient functioning of the U.S. 
securities markets.
---------------------------------------------------------------------------

    \86\ Further information about these filing systems is available 
at: https://www.finra.org/filing-reporting/regulatory-filing-systems.
    \87\ The eFOCUS system provides firms with the capability to 
electronically submit their Financial and Operational Combined 
Uniform Single (FOCUS) Reports to FINRA. FINRA member broker-dealers 
are required to prepare and submit FOCUS reports pursuant to 
Exchange Act Rule 17a-5 (17 CFR 240.17a-5) (``Rule 17a-5'') and FINRA's 
FOCUS Report filing plan. See, e.g., Self-Regulatory Organizations; 
Notice of Filing and Order Granting Accelerated Approval of Proposed 
Rule Change by the National Association of Securities Dealers, Inc. 
Relating to the Association's FOCUS Filing Plan, Exchange Act 
Release No. 36780 (Jan. 26, 1996) [61 FR 3743 (Feb. 1, 1996)].
---------------------------------------------------------------------------

    Further, a significant cybersecurity incident at FINRA could 
provide a gateway for threat actors to attack members that connect to 
it through information systems and networks of interconnected 
information systems. Moreover, the information systems that link FINRA 
to its members are vectors that expose FINRA to cybersecurity risk.
    Additionally, the records stored by FINRA on its information 
systems include proprietary information about its members, including 
confidential business information (e.g., information about the 
operational and financial condition of its broker-dealer members) and 
confidential personal information about registered persons affiliated 
with member firms. FINRA also is required to keep all records made or 
received by it in the course of its business and in the conduct of its 
self-regulatory activity. A significant cybersecurity incident at FINRA 
could lead to the improper use of this information to harm the members 
(e.g., public exposure of confidential financial information) or their 
registered persons (e.g., public exposure of personal information). 
Further, it could provide the unauthorized user with an unfair 
advantage over other market participants (e.g., trading based on 
confidential financial information about its members).
f. National Securities Exchanges
    Under the Exchange Act, an ``exchange'' is any organization, 
association, or group of persons, whether incorporated or 
unincorporated, that constitutes, maintains, or provides a market place 
or facilities for bringing together purchasers and sellers of 
securities or for otherwise performing with respect to securities the 
functions commonly performed by a stock exchange (as that term is 
generally understood), and includes the market place and the market 
facilities maintained by that exchange.\88\ Section 5 of the Exchange 
Act \89\ requires an organization, association, or group of persons 
that meets the definition of ``exchange'' under section 3(a)(1) of the 
Exchange Act, unless otherwise exempt, to register with the Commission 
as a national securities exchange pursuant to section 6 of the Exchange 
Act. Registered national securities exchanges also are SROs, and must 
comply with regulatory requirements applicable to both national 
securities exchanges and SROs.\90\ Section 6 of the Exchange Act 
requires, among other things, that the rules of a national securities 
exchange be designed to prevent fraudulent and manipulative acts and 
practices; to promote just and equitable principles of trade; to foster 
cooperation and coordination with persons engaged in facilitating 
transactions in securities; to remove impediments to, and perfect the 
mechanism of, a free and open market and a national market system; and, 
in general, to protect investors and the public interest; and that the 
rules of a national securities exchange not be designed to permit 
unfair discrimination between customers, issuers, brokers, or 
dealers.\91\ As SROs under section 19 of the Exchange Act, the proposed 
rules of national securities exchanges are subject to Commission review 
and are published for notice and comment.\92\ While certain types of 
proposed exchange rules are effective upon filing, others are subject 
to Commission approval before they can go into effect.
---------------------------------------------------------------------------

    \88\ See 15 U.S.C. 78c(a)(1). Exchange Act Rule 3b-16 (``Rule 
3b-16'') defines terms used in the statutory definition of 
``exchange'' under section 3(a)(1) of the Exchange Act. Under 
paragraph (a) of Rule 3b-16, an organization, association, or group 
of persons is considered to constitute, maintain, or provide such a 
marketplace or facilities if they ``[b]ring[ ] together the orders 
for securities of multiple buyers and sellers'' and use 
``established non-discretionary methods (whether by providing a 
trading facility or by setting rules) under which such orders 
interact with each other, and the buyers and sellers entering such 
orders agree to the terms of a trade.'' See 17 CFR 240.3b-16(a). In 
January 2022, the Commission: (1) proposed amendments to Rule 3b-16 
to include systems that offer the use of non-firm trading interest 
and provide communication protocols to bring together buyers and 
sellers of securities; (2) re-proposed amendments to Regulation ATS 
for ATSs that trade government securities or repurchase and reverse 
repurchase agreements on government securities; (3) re-proposed 
amendments to Regulation SCI to apply to ATSs that meet certain 
volume thresholds in U.S. Treasury securities or in a debt security 
issued or guaranteed by a U.S. executive agency or government-
sponsored enterprise; and (4) proposed amendments to, among other 
things, Form ATS-N, Form ATS-R, Form ATS, and the fair access rule 
under Regulation ATS. See Amendments Regarding the Definition of 
``Exchange'' and Alternative Trading Systems (ATSs) That Trade U.S. 
Treasury and Agency Securities, National Market System (NMS) Stocks, 
and Other Securities, Exchange Act Release No. 94062 (Jan. 26, 2022) 
[87 FR 15496 (Mar. 18, 2022)] (``Amendments Regarding the Definition 
of `Exchange' and ATSs Release''). The Commission encourages 
commenters to review that proposal with respect to ATSs and the 
comments on that proposal to determine whether they might affect 
comments on this proposing release.
    \89\ 15 U.S.C. 78e.
    \90\ See, e.g., 15 U.S.C. 78f and 78s.
    \91\ See 15 U.S.C. 78f(b)(5).
    \92\ See 15 U.S.C. 78s.
---------------------------------------------------------------------------

    National securities exchanges use information systems to operate 
their marketplaces and facilities for bringing together purchasers and 
sellers of securities. In particular, national securities exchanges 
rely on automated, complex, and interconnected information systems for 
trading, routing, market data, regulatory, and surveillance purposes. 
They also use information systems to connect to members, other national 
securities exchanges, plan processors, and clearing agencies to 
facilitate order routing, trading, trade reporting, and the clearing of 
securities transactions. They also provide quotation, trade reporting, 
and regulatory information to the securities information processors to 
ensure that current market data information is available to market 
participants.\93\ A significant cybersecurity incident at a national 
securities exchange could disrupt or disable its ability to provide 
these market functions, causing broader disruptions to the securities 
markets.\94\ For example, a significant cybersecurity incident could 
severely impede the ability to trade securities, or could disrupt the 
public dissemination of consolidated market data, impacting investors 
and the maintenance of fair, orderly, and efficient markets. In 
addition, the information systems that link national securities 
exchanges to their members are vectors that expose the exchange to 
cybersecurity risk.
---------------------------------------------------------------------------

    \93\ The national securities exchanges will provide quotation, 
trade reporting, and regulatory information to competing 
consolidators and self-aggregators after the market data 
infrastructure rules have been implemented. See Market Data 
Infrastructure, Exchange Act Release No. 90610 (Dec. 9, 2020) [86 FR 
18596 (Apr. 9, 2021)] (``MDI Adopting Release''). In July 2012, the 
Commission adopted Rule 613 of Regulation NMS, which required 
national securities exchanges and national securities associations 
(the ``Participants'') to jointly develop and submit to the 
Commission a national market system plan to create, implement, and 
maintain a consolidated audit trail (the ``CAT''). See Consolidated 
Audit Trail, Exchange Act Release No. 67457 (July 18, 2012) [77 FR 
45722 (Aug. 1, 2012)]; 17 CFR 242.613. In November 2016, the 
Commission approved the national market system plan required by Rule 
613 (the ``CAT NMS Plan''). See Joint Industry Plan; Order Approving 
the National Market System Plan Governing the Consolidated Audit 
Trail, Exchange Act Release No. 78318 (Nov. 15, 2016) [81 FR 84696 
(Nov. 23, 2016)] (the ``CAT NMS Plan Approval Order''). The 
Participants conduct the activities related to the CAT in a Delaware 
limited liability company, Consolidated Audit Trail, LLC (the 
``Company''). The Participants jointly own on an equal basis the 
Company. As such, the CAT's Central Repository is a facility of each 
of the Participants. See CAT NMS Plan Approval Order, 81 FR at 
84758. It would also qualify as an ``information system'' of each 
national securities exchange and each national securities 
association under proposed Rule 10. FINRA CAT, LLC--a wholly-owned 
subsidiary of FINRA--has entered into an agreement with the Company 
to act as the plan processor for the CAT. However, because the CAT 
System is operated by FINRA CAT, LLC on behalf of the national 
securities exchanges and FINRA, the Participants remain ultimately 
responsible for the performance of the CAT and its compliance with 
any statutes, rules, and regulations. The goal of the CAT NMS Plan 
is to create a modernized audit trail system that provides 
regulators with more timely access to a more comprehensive set of 
trading data, thus enabling regulators to more efficiently and 
effectively analyze and reconstruct broad-based market events, 
conduct market analysis in support of regulatory decisions, and to 
conduct market surveillance, investigations, and other enforcement 
activities. The CAT accepts data that are submitted by the 
Participants and broker-dealers, as well as data from certain market 
data feeds like SIP and OPRA.
    \94\ See, e.g., New Zealand FMA Report (describing an August 
2020 cybersecurity incident at New Zealand's only regulated 
financial product market that caused a trading halt of approximately 
four days).
---------------------------------------------------------------------------

    Similarly, the proprietary market data systems of exchanges are 
relied upon by a wide swath of market participants for detailed 
information about quoting and trading activity on an exchange. 
A significant cybersecurity incident that disrupts the availability or 
integrity of these feeds could have a significant impact on the trading 
of securities because market participants may withdraw from trading 
without access to current quotation and trade information. This could 
interfere with the maintenance of fair, orderly, and efficient markets.
    National securities exchanges also use information systems to 
perform their

[[Page 20224]]

responsibilities as SROs. In particular, exchanges employ market-
regulation systems to assist with obligations such as enforcing their 
rules and the federal securities laws with respect to their members. A 
disruption of a national securities exchange's business operations 
caused by a significant cybersecurity incident could disrupt its 
ability to carry out its regulatory responsibilities as an SRO and, 
therefore, materially impact the fair, orderly, and efficient 
functioning of the U.S. securities markets.
    Each exchange also is required to keep all records made or received 
by it in the course of its business and in the conduct of its self-
regulatory activity. The records stored by national securities 
exchanges on their information systems include proprietary information 
about their members, including confidential business information (e.g., 
information about the financial condition of their members). The 
records also include information relating to trading, routing, market 
data, and market surveillance, among other areas.\95\ A significant 
cybersecurity incident at a national securities exchange could lead to 
the improper use of this information to harm exchange members (e.g., 
public exposure of confidential financial information) or provide the 
unauthorized user with an unfair advantage over other market 
participants (e.g., trading based on confidential business 
information).
---------------------------------------------------------------------------

    \95\ For example, as discussed above, the national securities 
exchanges and FINRA jointly operate the CAT System, which collects 
and stores information relating to market participants and their 
order and trading activities.
---------------------------------------------------------------------------

g. Security-Based Swap Data Repositories
    Title VII of the Dodd-Frank Wall Street Reform and Consumer 
Protection Act (``Title VII of the Dodd-Frank Act''), enacted in 2010, 
provided for a comprehensive, new regulatory framework for swaps and 
security-based swaps, including regulatory reporting and public 
dissemination of transactions in security-based swaps.\96\ In 2015, the 
Commission established a regulatory framework for SBSDRs to provide 
improved transparency to regulators and help facilitate price discovery 
and efficiency in the SBS market.\97\ Under this framework, SBSDRs are 
registered securities information processors and disseminators of 
market data in the security-based swap market,\98\ thereby supporting 
the Dodd-Frank Act's goal of public dissemination for all security-
based swaps to enhance price discovery to market participants.\99\ The 
collection and dissemination of security-based swap data by SBSDRs 
provide transparency in the security-based swap market for regulators 
and market participants.
---------------------------------------------------------------------------

    \96\ Public Law 111-203, 124 Stat. 1376 (2010), section 761(a) 
(adding Exchange Act section 3(a)(75) (defining SBSDR)) and section 
763(i) (adding Exchange Act section 13(n) (establishing a regulatory 
regime for SBSDRs)).
    \97\ See Security-Based Swap Data Repository Registration, 
Duties, and Core Principles, Exchange Act Release No. 74246 (Feb. 
11, 2015) [80 FR 14438 (Mar. 19, 2015)] (``SBSDR Adopting 
Release''); Regulation SBSR--Reporting and Dissemination of 
Security-Based Swap Information, Exchange Act Release No. 74244 
(Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] (``SBSR Adopting 
Release'').
    \98\ See 17 CFR 242.909 (``A registered security-based swap data 
repository shall also register with the Commission as a securities 
information processor on Form SDR''); see also Form SDR (``With 
respect to an applicant for registration as a security-based swap 
data repository, Form SDR also constitutes an application for 
registration as a securities information processor.'').
    \99\ See, e.g., SBSDR Adopting Release, 80 FR at 14604.
---------------------------------------------------------------------------

    In addition, as centralized repositories for security-based swap 
transaction data that is used by regulators, SBSDRs provide an 
important infrastructure assisting relevant authorities in performing 
their market oversight.\100\ Data maintained by SBSDRs can assist 
regulators in addressing market abuses, performing supervision, and 
resolving issues and positions if an institution fails.\101\ SBSDRs are 
required to collect and maintain accurate security-based swap 
transaction data so that relevant authorities can access and analyze 
the data from secure, central locations, thereby putting the regulators 
in a better position to monitor for potential market abuse and risks to 
financial stability.\102\ SBSDRs also have the potential to reduce 
operational risk and enhance operational efficiency, such as by 
maintaining transaction records that would help counterparties to 
ensure that their records reconcile on all of the key economic details.
---------------------------------------------------------------------------

    \100\ See Security-Based Swap Data Repository Registration, 
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov. 
19, 2010) [75 FR 77306, 77307 (Dec. 10, 2010)], corrected at 75 FR 
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR 
Proposing Release'') (``The data maintained by an [SBSDR] may also 
assist regulators in (i) preventing market manipulation, fraud, and 
other market abuses; (ii) performing market surveillance, prudential 
supervision, and macroprudential (systemic risk) supervision; and 
(iii) resolving issues and positions after an institution fails.'').
    \101\ See SBSDR Proposing Release at 77307.
    \102\ See SBSDR Adopting Release, 80 FR at 14440 (stating that 
``[SBSDRs] are required to collect and maintain accurate [security-
based swap] transaction data so that relevant authorities can access 
and analyze the data from secure, central locations, thereby putting 
them in a better position to monitor for potential market abuse and 
risks to financial stability.'').
---------------------------------------------------------------------------

    SBSDRs use information systems to perform these functions, 
including to disseminate market data and provide price transparency in 
the security-based swap market. They also use information systems to 
operate centralized repositories for security-based swap data for use 
by regulators. These information systems provide an important market 
infrastructure that assists relevant authorities in performing their 
market oversight.\103\ As discussed above, data maintained by SBSDRs 
may, for example, assist regulators in addressing market abuses, 
performing supervision, and resolving issues and positions if an 
institution fails.
---------------------------------------------------------------------------

    \103\ See Committee on Payments and Settlement Systems 
(``CPSS''), Technical Committee of IOSCO, Principles for financial 
market infrastructures (Apr. 2012), available at https://www.bis.org/cpmi/publ/d101a.pdf (``FMI Principles'') (Principles for 
financial market infrastructures (``PFMI'') at 1.14 stating that ``[b]y 
centralising the collection, storage, and dissemination of data, a 
well-designed [trade repository (``TR'')] that operates with 
effective risk controls can serve an important role in enhancing the 
transparency of transaction information to relevant authorities and 
the public, promoting financial stability, and supporting the 
detection and prevention of market abuse.''). In 2014, the CPSS 
became the Committee on Payments and Market Infrastructures 
(``CPMI'').
---------------------------------------------------------------------------

    SBSDRs are subject to certain cybersecurity risks that if realized 
could impede their ability to meet the goals set out in Title VII of 
the Dodd-Frank Act and the Commission's rules.\104\ For example, SBSDRs 
process and disseminate trade data using information systems. If these 
information systems suffer from a significant cybersecurity incident, 
public access to timely and reliable trade data for the derivatives 
markets could potentially be compromised.\105\ Also, if the data stored 
at an SBSDR is corrupted by a threat actor through a cybersecurity 
attack, the SBSDR would not be able to provide accurate data to 
relevant regulatory authorities, which could hinder the oversight of 
the derivatives markets. Moreover, SBSDRs

[[Page 20225]]

use information systems to receive and maintain personal, confidential, 
and proprietary information and data. Unauthorized access to or use of 
this information could create unfair business or trading advantages 
and, in the case of personal information, could be used to steal 
identities.
---------------------------------------------------------------------------

    \104\ See SBSDR Adopting Release, 80 FR at 14450 (``[SBSDRs] 
themselves are subject to certain operational risks that may impede 
the ability of [SBSDRs] to meet these goals, and the Title VII 
regulatory framework is intended to address these risks.'').
    \105\ See FMI Principles (PFMI 1.14, Box 1 stating that ``[t]he 
primary public policy benefits of a TR, which stem from the 
centralisation and quality of the data that a TR maintains, are 
improved market transparency and the provision of this data to 
relevant authorities and the public in line with their respective 
information needs. Timely and reliable access to data stored in a TR 
has the potential to improve significantly the ability of relevant 
authorities and the public to identify and evaluate the potential 
risks posed to the broader financial system.'').
---------------------------------------------------------------------------

    Further, a significant cybersecurity incident at an SBSDR could 
provide a gateway for threat actors to attack Market Entities and 
others that connect to it through information systems. Moreover, the 
links established between an SBSDR and other entities, including 
unaffiliated clearing agencies and other SBSDRs, are vectors that 
expose the SBSDR to cybersecurity risk arising from threats that 
originate in information systems outside the SBSDR's control.\106\
---------------------------------------------------------------------------

    \106\ See FMI Principles (PFMI at 3.20.20 stating that ``[a] TR 
should carefully assess the additional operational risks related to 
its links to ensure the scalability and reliability of IT and 
related resources. A TR can establish links with another TR or with 
another type of FMI. Such links may expose the linked [financial 
market infrastructures (``FMIs'')] to additional risks if not 
properly designed. Besides legal risks, a link to either another TR 
or to another type of FMI may involve the potential spillover of 
operational risk. The mitigation of operational risk is particularly 
important because the information maintained by a TR can support 
bilateral netting and be used to provide services directly to market 
participants, service providers (for example, portfolio compression 
service providers), and other linked FMIs.''). The CPMI and IOSCO 
issued guidance for cyber resilience for FMIs, including CSDs, 
securities settlement systems (``SSSs''), CCPs, and trade 
repositories. See CPMI-IOSCO, Guidance on cyber resilience for 
financial market infrastructures (June 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI-
IOSCO, Implementation monitoring of the PFMI: Level 3 assessment on 
Financial Market Infrastructures' Cyber Resilience (Nov. 2022), 
available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an assessment of the state 
of cyber resilience (as of February 2021) of FMIs from 29 
jurisdictions that participated in the exercise in 2020 to 2022).
---------------------------------------------------------------------------

h. SBS Entities
    The SBS Entities covered by the proposed rulemaking are SBSDs and 
MSBSPs. An SBSD generally refers to any person who: (1) holds itself 
out as a dealer in security-based swaps; (2) makes a market in 
security-based swaps; (3) regularly enters into security-based swaps 
with counterparties as an ordinary course of business for its own 
account; or (4) engages in any activity causing it to be commonly known 
in the trade as a dealer or market maker in security-based swaps.\107\ 
An SBSD does not, however, include a person that enters into security-
based swaps for such person's own account, either individually or in a 
fiduciary capacity, but not as a part of regular business.\108\
---------------------------------------------------------------------------

    \107\ See 15 U.S.C. 78c(a)(71); 17 CFR 240.3a71-1 et seq.
    \108\ See 15 U.S.C. 78c(a)(71)(C); 17 CFR 240.3a71-1(b).
---------------------------------------------------------------------------

    An MSBSP generally includes any person that is not a security-based 
swap dealer and that satisfies one of the following three alternative 
statutory tests: (1) it maintains a ``substantial position'' in 
security-based swaps, excluding positions held for hedging or 
mitigating commercial risk and positions maintained by any employee 
benefit plan (or any contract held by such a plan) for the primary 
purpose of hedging or mitigating any risk directly associated with the 
operation of the plan, for any of the major security-based swap 
categories determined by the Commission; (2) its outstanding security-
based swaps create substantial counterparty exposure that could have 
serious adverse effects on the financial stability of the U.S. banking 
system or financial markets; or (3) it is a ``financial entity'' that 
is ``highly leveraged'' relative to the amount of capital it holds (and 
that is not subject to capital requirements by an appropriate federal 
banking agency) and maintains a ``substantial position'' in outstanding 
security-based swaps in any major category as determined by the 
Commission.\109\ Currently, there are no MSBSPs registered with the 
Commission.
---------------------------------------------------------------------------

    \109\ See 15 U.S.C. 78c(a)(67); 17 CFR 240.3a67-1 et seq.
---------------------------------------------------------------------------

    SBS Entities play (or, in the case of MSBSPs, could play) a 
critical role in the U.S. security-based swap market.\110\ SBS Entities 
rely on information systems to transact in security-based swaps with 
other market participants, to receive and deliver collateral, to create 
and maintain books and records, and to obtain market information to 
update books and records, and manage risk.
---------------------------------------------------------------------------

    \110\ Currently, this role is fulfilled by SBSDs, given there 
are no MSBSPs registered with the Commission.
---------------------------------------------------------------------------

    A disruption to an SBS Entity's operations caused by a significant 
cybersecurity incident could have a large negative impact on the U.S. 
security-based swap market given the concentration of dealers in this 
market. Further, a disruption in the security-based swap market could 
negatively impact the broader securities markets by, for example, 
causing participants to liquidate positions related to, or referenced 
by, the impacted security-based swaps to mitigate losses to 
participants' positions or portfolios or due to loss of trading 
confidence. A disruption in the security-based swap market also could 
negatively impact the broader securities markets by causing 
participants to liquidate the collateral margining the security-based 
swaps for similar reasons or to cover margin calls. The consequences of 
a business disruption to an SBS Entity's functions--such as those that 
may be caused by a significant cybersecurity incident--may be amplified 
because, unlike many other securities transactions, security-based 
swap transactions give rise to an ongoing obligation between 
transaction counterparties during the life of the transaction.\111\ 
This means that each counterparty bears the risk that the other will 
be unable to perform under the terms of a security-based swap until 
the transaction is terminated. A disruption of an SBS Entity's normal 
business activities because of a significant cybersecurity incident 
could produce spillover or contagion by negatively affecting the 
willingness or the ability of market participants to extend credit to 
each other, and could substantially reduce liquidity and valuations for 
particular types of financial instruments.\112\ The security-based swap 
market is large \113\ and thus a disruption of an SBS Entity's 
operations due to a significant cybersecurity incident could negatively 
impact sectors of the U.S. economy.\114\
---------------------------------------------------------------------------

    \111\ See Further Definition of ``Swap Dealer,'' ``Security-
Based Swap Dealer,'' ``Major Swap Participant,'' ``Major Security-
Based Swap Participant'' and ``Eligible Contract Participant'', 
Exchange Act Release No. 66868 (Apr. 27, 2012) [77 FR 30596, 30616-
17 (May 23, 2012)] (``Further Definition Release'') (noting that 
``[i]n contrast to a secondary market transaction involving equity 
or debt securities, in which the completion of a purchase or sale 
transaction can be expected to terminate the mutual obligations of 
the parties to the transaction, the parties to a security-based swap 
often will have an ongoing obligation to exchange cash flows over 
the life of the agreement'').
    \112\ See Cross-Border Security-Based Swap Activities; Re-
Proposal of Regulation SBSR and Certain Rules and Forms Relating to 
the Registration of Security-Based Swap Dealers and Major Security-
Based Swap Participants, Exchange Act Release No. 69490 (May 1, 
2013) [78 FR 30967, 30980-81 (May 23, 2013)] (``Cross-Border 
Proposing Release'').
    \113\ See, e.g., Commission, Report on Security-Based Swaps 
Pursuant to Section 13(m)(2) of the Securities Exchange Act of 1934 
(July 15, 2022) available at https://www.sec.gov/files/report-on-security-based-swaps-071522.pdf.
    \114\ See Cross-Border Proposing Release, 78 FR at 30972 (``The 
Dodd-Frank Act was enacted, among other reasons, to promote the 
financial stability of the United States by improving accountability 
and transparency in the financial system. The 2008 financial crisis 
highlighted significant issues in the over-the-counter (`OTC') 
derivatives markets, which . . . are capable of affecting 
significant sectors of the U.S. economy.'') (footnotes omitted).
---------------------------------------------------------------------------

    Further, a significant cybersecurity incident at an SBS Entity 
could provide a gateway for threat actors to attack the exchanges, 
SBSDRs, clearing agencies, counterparties, and other SBS Entities to

[[Page 20226]]

which the firm is connected through information systems and networks of 
interconnected information systems. Moreover, the information systems 
that link SBS Entities to other Market Entities are vectors that expose 
the SBS Entity to cybersecurity risk arising from threats that 
originate in information systems outside the SBS Entity's control. SBS 
Entities also store proprietary and confidential information about 
their counterparties on their information systems, including financial 
information they use to perform credit analysis. A significant 
cybersecurity incident at an SBS Entity could lead to the improper use 
of this information to harm the counterparties (e.g., public exposure 
of confidential financial information) or provide the unauthorized user 
with an unfair advantage over other market participants (e.g., trading 
based on confidential business information).
i. Transfer Agents
    A transfer agent is any person who engages on behalf of an issuer 
of securities or on behalf of itself as an issuer of securities in 
(among other functions): (1) tracking, recording, and maintaining the 
official record of ownership of each issuer's securities; (2) canceling 
old certificates, issuing new ones, and performing other processing and 
recordkeeping functions that facilitate the issuance, cancellation, and 
transfer of those securities; (3) facilitating communications between 
issuers and registered securityholders; and (4) making dividend, 
principal, interest, and other distributions to securityholders.\115\ 
To perform these functions, transfer agents maintain records and 
information related to securityholders that may include names, 
addresses, phone numbers, email addresses, employers, employment 
history, bank and specific account information, credit card 
information, transaction histories, securities holdings, and other 
detailed and individualized information related to the transfer agents' 
recordkeeping and transaction processing on behalf of issuers. With 
advances in technology and the expansion of book-entry ownership of 
securities, transfer agents today increasingly rely on technology and 
automation to perform the core recordkeeping, processing, and transfer 
services described above, including the use of computer systems to 
store, access, and process the information related to securityholders 
they maintain on behalf of issuers. A significant cybersecurity 
incident that impacts these systems could cause harm to investors by, 
for example, preventing the transfer agent from transferring ownership 
of securities or preventing investors from receiving dividend, 
interest, or principal payments.
---------------------------------------------------------------------------

    \115\ See Transfer Agent Regulations, Exchange Act Release No. 
76743 (Dec. 22, 2015) [80 FR 81948, 81949 (Dec. 31, 2015)].
---------------------------------------------------------------------------

    Further, a significant cybersecurity incident at a transfer agent 
could provide a gateway for threat actors to attack other Market 
Entities that connect to it through information systems and networks of 
interconnected information systems. Moreover, the information systems 
that link transfer agents to other Market Entities expose the transfer 
agent to cybersecurity risk arising from threats that originate in 
information systems outside the transfer agent's control. The records 
stored by transfer agents on their information systems include 
proprietary information about securities ownership and corporate 
actions. A significant cybersecurity incident at a transfer agent could 
lead to the improper use of this information to harm securities holders 
(e.g., public exposure of their confidential financial information or 
the use of that information to steal their identities) or provide the 
unauthorized user with an unfair advantage over other market 
participants (e.g., trading based on confidential business 
information).

B. Overview of the Proposed Cybersecurity Requirements

    As discussed above, the U.S. securities markets are part of the 
critical infrastructure of the United States.\116\ In this regard, they 
play a central role in the U.S. economy in terms of facilitating the 
flow of capital, including the savings of individual investors. The 
fair, orderly, and efficient operation of the U.S. securities markets 
depends on Market Entities being able to perform their critical 
functions, and Market Entities are increasingly relying on information 
systems and interconnected networks of information systems to perform 
these functions. These information systems are targets of threat 
actors. Moreover, Market Entities--as financial institutions--are 
choice targets for threat actors seeking financial gain or to inflict 
economic harm. Further, threat actors are using increasingly 
sophisticated and constantly evolving tactics, techniques, and 
procedures to attack information systems. In addition to threat actors, 
cybersecurity risk also can be caused by the errors of employees, 
service providers, or business partners. The interconnectedness of 
Market Entities increases the risk that a significant cybersecurity 
incident can simultaneously impact multiple Market Entities causing 
harm to the U.S. securities markets.
---------------------------------------------------------------------------

    \116\ See section I.A. of this release (discussing cybersecurity 
risk and how critical operations of Market Entities are exposed to 
cybersecurity risk).
---------------------------------------------------------------------------

    For these reasons, it is critically important that Market Entities 
take steps to protect their information systems and the information 
residing on those systems from cybersecurity risk. A Market Entity that 
fails to do so is more likely to suffer a significant cybersecurity 
incident. As discussed above, a significant cybersecurity 
incident can cause serious harm not only to the Market Entity but also 
to its customers, counterparties, members, registrants, or users, or to 
any other market participants (including other Market Entities) that 
interact with the Market Entity. Therefore, it is vital to the U.S. 
securities markets and the participants in those markets that all 
Market Entities address cybersecurity risk, which, as discussed above, 
is increasingly threatening the financial sector.
    Consequently, the Commission is proposing new Rule 10 and new Form 
SCIR to require that Market Entities address cybersecurity risks, to 
improve the Commission's ability to obtain information about 
significant cybersecurity incidents impacting Market Entities, and to 
improve transparency about the cybersecurity risks that can cause 
adverse impacts to the U.S. securities markets.\117\ Under proposed 
Rule 10, certain broker-dealers, the MSRB, and all clearing agencies, 
national securities associations, national securities exchanges, 
SBSDRs, SBS Entities, and transfer agents would be defined as a 
``covered entity'' (collectively, ``Covered Entities'').\118\
---------------------------------------------------------------------------

    \117\ In designing the requirements of proposed Rule 10, the 
Commission considered several cybersecurity sources (which are cited 
in the relevant sections below), including the NIST Framework, the 
NIST Glossary, and CISA's Cyber Essentials Starter Kit (information 
about CISA's Cyber Essentials Starter Kit is available at: https://www.cisa.gov/publication/cisa-cyber-essentials). The Commission also 
considered definitions in relevant federal statutes including the 
Federal Information Security Modernization Act of 2014, Public Law 
113-283 (Dec. 18, 2014); 44 U.S.C. 3551 et seq. (``FISMA'') and the 
Cyber Incident Reporting for Critical Infrastructure Act of 2022, 
H.R. 2471, 117th Cong. (2021-2022); 6 U.S.C. 681 et seq. 
(``CIRCIA'').
    \118\ The following broker-dealers would be Covered Entities: 
(1) broker-dealers that maintain custody of securities and cash for 
customers or other broker-dealers (``carrying broker-dealers''); (2) 
broker-dealers that introduce their customer accounts to a carrying 
broker-dealer on a fully disclosed basis (``introducing broker-
dealers''); (3) broker-dealers with regulatory capital equal to or 
exceeding $50 million; (4) broker-dealers with total assets equal to 
or exceeding $1 billion; (5) broker-dealers that operate as market 
makers; and (6) broker-dealers that operate an ATS (sometimes 
collectively referred to as ``Covered Broker-Dealers''). Broker-
dealers that do not fall into one of these six categories (sometimes 
collectively referred to as ``Non-Covered Entities'' or ``Non-
Covered Broker-Dealers'') would not be Covered Entities for the 
purposes of proposed Rule 10. See also section II.A.1.b. of this 
release (discussing the categories of broker-dealers that would be 
``Covered Entities'' in greater detail).

---------------------------------------------------------------------------

[[Page 20227]]

    Proposed Rule 10 would require all Market Entities (Covered 
Entities and Non-Covered Entities) to establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
their cybersecurity risks.\119\ All Market Entities also, at least 
annually, would be required to review and assess the design and 
effectiveness of their cybersecurity policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review.\120\ They also would 
be required to prepare a report (in the case of Covered Entities) and a 
record (in the case of Non-Covered Entities) with respect to the annual 
review. CISA states that organizations should ``approach cyber as 
business risk.'' \121\ Like other business risks (e.g., market, credit, 
or liquidity risk), cybersecurity risk can be addressed through 
policies and procedures that are reasonably designed to manage the 
risk. Finally, all Market Entities would need to give the Commission 
immediate written electronic notice of a significant cybersecurity 
incident upon having a reasonable basis to conclude that the 
significant cybersecurity incident has occurred or is occurring.\122\
---------------------------------------------------------------------------

    \119\ See paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Market Entities that meet the 
definition of ``covered entity''); paragraph (e)(1) of proposed Rule 
10 (setting forth the requirements for Market Entities that are not 
Covered Entities (i.e., Non-Covered Broker-Dealers)). See also 
sections II.B.1. and II.C. of this release (discussing these 
proposed requirements in more detail). As discussed in sections 
II.F. and IV.C.1.b. of this release, certain categories of Market 
Entities are subject to existing requirements to address aspects of 
cybersecurity risk or that may relate to cybersecurity. These other 
requirements, however, do not address cybersecurity risk as 
directly, broadly, or comprehensively as the requirements of 
proposed Rule 10.
    \120\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10. See also sections II.B.1.f. and II.C. of this 
release (discussing these proposed requirements in more detail).
    \121\ See CISA Cyber Essentials Starter Kit (``Ask yourself what 
type of impact would be catastrophic to your operations? What 
information if compromised or breached would cause damage to 
employees, customers, or business partners? What is your level of 
risk appetite and risk tolerance? Raising the level of awareness 
helps reinforce the culture of making informed decisions and 
understanding the level of risk to the organization.'').
    \122\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) 
of proposed Rule 10. See also sections II.B.2.a. and II.C. of this 
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Market Entities that meet the definition of ``covered entity'' 
would be subject to certain additional requirements under proposed Rule 
10.\123\ First, as discussed in more detail below, the written policies 
and procedures that Covered Entities would need to establish, maintain, 
and enforce would need to include the following elements:
---------------------------------------------------------------------------

    \123\ Compare paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Covered Entities), with 
paragraph (e) of proposed Rule 10 (setting forth the requirements 
for Non-Covered Entities).
---------------------------------------------------------------------------

     Periodic assessments of cybersecurity risks associated 
with the Covered Entity's information systems and written documentation 
of the risk assessments;
     Controls designed to minimize user-related risks and 
prevent unauthorized access to the Covered Entity's information 
systems;
     Measures designed to monitor the Covered Entity's 
information systems and protect the Covered Entity's information from 
unauthorized access or use, and oversee service providers that receive, 
maintain, or process information, or are otherwise permitted to access 
the Covered Entity's information systems;
     Measures to detect, mitigate, and remediate any 
cybersecurity threats and vulnerabilities with respect to the Covered 
Entity's information systems; and
     Measures to detect, respond to, and recover from a 
cybersecurity incident and written documentation of any cybersecurity 
incident and the response to and recovery from the incident.\124\
---------------------------------------------------------------------------

    \124\ See sections II.B.1.a. through II.B.1.e. of this release 
(discussing these proposed requirements in more detail). In the case 
of Non-Covered Entities, as discussed in more detail below in 
section II.C. of this release, the design of the cybersecurity risk 
management policies and procedures would need to take into account 
the size, business, and operations of the broker-dealer. See 
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------

    Second, Covered Entities--in addition to providing the Commission 
with immediate written electronic notice of a significant cybersecurity 
incident--would need to report and update information about the 
significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission.\125\ The form would elicit information about 
the significant cybersecurity incident and the Covered Entity's efforts 
to respond to, and recover from, the incident.
---------------------------------------------------------------------------

    \125\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Third, Covered Entities would need to disclose publicly summary 
descriptions of their cybersecurity risks and the significant 
cybersecurity incidents they experienced during the current or previous 
calendar year on Part II of proposed Form SCIR.\126\ The form would 
need to be filed with the Commission and posted on the Covered Entity's 
business internet website. Covered Entities that are carrying or 
introducing broker-dealers also would need to provide the form to 
customers at account opening, when information on the form is updated, 
and annually.
---------------------------------------------------------------------------

    \126\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Covered Entities and Non-Covered Entities would need to preserve 
certain records relating to the requirements of proposed Rule 10 in 
accordance with amended or existing recordkeeping requirements 
applicable to them or, in the case of exempt clearing agencies, 
pursuant to conditions in relevant exemption orders.\127\
---------------------------------------------------------------------------

    \127\ See sections II.B.5. and II.C. of this release (discussing 
these proposed requirements in more detail).
---------------------------------------------------------------------------

    Finally, the Commission is proposing amendments to address the 
potential availability of substituted compliance to non-U.S. SBS 
Entities with respect to the proposed cybersecurity requirements.\128\
---------------------------------------------------------------------------

    \128\ See section II.D. of this release (discussing these 
proposed amendments in more detail).
---------------------------------------------------------------------------

    In developing the proposed requirements summarized above with 
regard to SBSDRs and SBS Entities, the Commission consulted and 
coordinated with the CFTC and the prudential regulators in accordance 
with section 712(a)(2) of Title VII of the Dodd-Frank Act. In 
accordance with section 752 of Title VII of the Dodd-Frank Act, the 
Commission has consulted and coordinated with foreign regulatory 
authorities through Commission staff participation in numerous 
bilateral and multilateral discussions with foreign regulatory 
authorities addressing the regulation of OTC derivatives markets.

II. Discussion of Proposed Cybersecurity Rule

A. Definitions

    Proposed Rule 10 would define a number of terms for the purposes of 
its requirements.\129\ These definitions also would be used for the 
purposes of Parts
I and II of proposed Form SCIR.\130\ The defined terms are intended to 
tailor the risk management, notification, reporting, and disclosure 
requirements of proposed Rule 10 to the distinctive aspects of 
cybersecurity risk as compared with other risks Market Entities face 
(e.g., market, credit, or liquidity risk).\131\
---------------------------------------------------------------------------

    \129\ See paragraph (a) of proposed Rule 10.
    \130\ See sections II.B.2. and II.B.3. of this release 
(discussing Parts I and II of proposed Form SCIR in more detail).
    \131\ See paragraphs (a)(2) through (9) of proposed Rule 10 
(defining, respectively, the terms ``cybersecurity incident,'' 
``cybersecurity risk,'' ``cybersecurity threat,'' ``cybersecurity 
vulnerability,'' ``information,'' ``information systems,'' 
``personal information,'' and ``significant cybersecurity 
incident'').
---------------------------------------------------------------------------

1. ``Covered Entity''
a. Market Entities That Meet the Definition of ``Covered Entity'' Would Be Subject to Additional Requirements
    Proposed Rule 10 would define the term ``covered entity'' to 
identify the types of Market Entities that would be subject to certain 
additional requirements under the rule.\132\ As discussed above, 
proposed Rule 10 would require all Market Entities to establish, 
maintain, and enforce written policies and procedures that are 
reasonably designed to address their cybersecurity risks.\133\ All 
Market Entities also, at least annually, would be required to review 
and assess the design and effectiveness of their cybersecurity risk 
management policies and procedures, including whether the policies and 
procedures reflect changes in cybersecurity risk over the time period 
covered by the review.\134\ They also would be required to prepare a 
report (in the case of Covered Entities) or a record (in the case of 
Non-Covered Entities) with respect to the annual review. Further, all 
Market Entities would need to give the Commission immediate written 
electronic notice of a significant cybersecurity incident upon having a 
reasonable basis to conclude that the significant cybersecurity 
incident has occurred or is occurring.\135\ As discussed above, Market 
Entities use information systems that expose them to cybersecurity risk 
and that risk is increasing due to the interconnectedness of the 
information systems and the sophistication of the tactics used by 
threat actors. Therefore, regardless of their function, 
interconnectedness, or size, all Market Entities would be subject to 
these requirements designed to address cybersecurity risks.
---------------------------------------------------------------------------

    \132\ See paragraphs (a)(1)(i) through (ix) of proposed Rule 10 
(defining these Market Entities as ``covered entities''). A Market 
Entity that falls within the definition of ``covered entity'' for 
purposes of proposed Rule 10 may not necessarily meet the definition 
of a ``covered entity'' for purposes of certain federal statutes, 
such as, but not limited to, CIRCIA and any regulations promulgated 
thereunder. CIRCIA, among other things, requires the Director of 
CISA to issue and implement regulations defining the term ``covered 
entity'' and requiring covered entities to report covered cyber 
incidents and ransom payments as the result of ransomware attacks to 
CISA in certain instances.
    \133\ See paragraph (b)(1) of proposed Rule 10 (setting forth 
the requirement for Market Entities that meet the definition of 
``covered entity''); paragraph (e)(1) of proposed Rule 10 (setting 
forth the requirement for Market Entities that do not meet the 
definition of ``covered entity,'' which, as discussed above, would 
be certain smaller broker-dealers).
    \134\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10.
    \135\ See paragraph (c)(1) of proposed Rule 10 (setting forth 
the requirement for Market Entities that meet the definition of 
``covered entity''); paragraph (e)(2) of proposed Rule 10 (setting 
forth the requirement for Market Entities that do not meet the 
definition of ``covered entity'').
---------------------------------------------------------------------------

    Market Entities that are Covered Entities would be subject to 
certain additional requirements under proposed Rule 10.\136\ In 
particular, they would be required to: (1) include certain elements in 
their cybersecurity risk management policies and procedures; \137\ (2) 
file Part I of proposed Form SCIR with the Commission and, for some 
Covered Entities, other regulators to report information about a 
significant cybersecurity incident; \138\ and (3) make public 
disclosures on Part II of proposed Form SCIR about their cybersecurity 
risks and the significant cybersecurity incidents they experienced 
during the current or previous calendar year.\139\
---------------------------------------------------------------------------

    \136\ See paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Covered Entities); paragraph (e) 
of proposed Rule 10 (setting forth the requirements for Non-Covered 
Entities). As discussed above, Covered Entities would need to 
prepare a report with respect to their review and assessment of the 
policies and procedures. See paragraph (b)(2) of proposed Rule 10. 
Non-Covered Entities would need to make a record with respect to 
the annual review and assessment of their policies and procedures. 
See paragraph (e) of proposed Rule 10.
    \137\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
    \138\ See paragraph (c)(2) of proposed Rule 10. See also 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity risk'').
    \139\ See paragraph (d) of proposed Rule 10.
---------------------------------------------------------------------------

    In determining which Market Entities would be Covered Entities 
subject to the additional requirements, the Commission considered: (1) 
how the type of Market Entity supports the fair, orderly, and efficient 
operation of the U.S. securities markets and the consequences if that 
type of Market Entity's critical functions were disrupted or degraded 
by a significant cybersecurity incident; (2) the harm that could befall 
investors, including retail investors, if that type of Market Entity's 
functions were disrupted or degraded by a significant cybersecurity 
incident; (3) the extent to which that type of Market Entity poses 
cybersecurity risk to other Market Entities through information system 
connections, including the number of connections; (4) the extent to 
which that type of Market Entity would be an attractive target for 
threat actors; and (5) the personal, confidential, and proprietary 
business information about the type of Market Entity and other persons 
(e.g., investors) stored on the Market Entity's information systems and 
the harm that could be caused if that information was accessed or used 
by threat actors.
b. Broker-Dealers
    The following broker-dealers registered with the Commission would 
be Covered Entities: (1) broker-dealers that maintain custody of 
securities and cash for customers or other broker-dealers (i.e., 
carrying broker-dealers); (2) broker-dealers that introduce their 
customers' accounts to a carrying broker-dealer on a fully disclosed 
basis (i.e., introducing broker-dealers); \140\ (3) broker-dealers with 
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that 
operate an ATS. Thus, under proposed Rule 10, these six categories of 
broker-dealers would be subject to the additional requirements.\141\ 
All other types of
broker-dealers would not meet the definition of Covered Entity.\142\
---------------------------------------------------------------------------

    \140\ When a broker-dealer introduces a customer to a carrying 
broker-dealer on a fully disclosed basis, the carrying broker-dealer 
knows the identity of the customer and holds cash and securities in 
an account for the customer that identifies the customer as the 
accountholder. This is distinguishable from a broker-dealer that 
introduces its customers to another carrying broker-dealer on an 
omnibus basis. In this scenario, the carrying broker-dealer does not 
know the identities of the customers and holds their cash and 
securities in an account that identifies the broker-dealer 
introducing the customers on an omnibus basis as the accountholder. 
A broker-dealer that introduces customers to another broker-dealer 
on an omnibus basis is, itself, a carrying broker-dealer for 
purposes of the Commission's financial responsibility rules, 
including the broker-dealer net capital and customer protection 
rules. See, e.g., 17 CFR 240.15c3-1 and 17 CFR 240.15c3-3. This 
category of broker-dealer would be a carrying broker-dealer for 
purposes of proposed Rule 10 and therefore subject to the rule's 
requirements for Covered Entities.
    \141\ See paragraphs (a)(1)(i)(A) through (F) of proposed Rule 
10. Certain of the definitions in proposed Rule 10 would be used for 
the purposes of the requirements in the rule for broker-dealers that 
are not Covered Entities. Specifically, paragraph (e)(1) of proposed 
Rule 10 would require broker-dealers that are not Covered Entities 
to establish, maintain, and enforce written policies and procedures 
that are reasonably designed to address the cybersecurity risks of 
the broker-dealer taking into account the size, business, and 
operations of the broker-dealer. The term ``cybersecurity risk'' is 
defined in paragraph (a)(3) of proposed Rule 10 and that definition 
incorporates the terms ``cybersecurity incident,'' ``cybersecurity 
threat,'' and ``cybersecurity vulnerability,'' which are defined, 
respectively, in paragraphs (a)(2), (a)(4), and (a)(5) of proposed 
Rule 10. In addition, paragraph (e)(2) of proposed Rule 10 would 
require broker-dealers that are not Covered Entities to provide 
immediate written electronic notice to the Commission and their 
examining authority if they experience a ``significant cybersecurity 
incident'' as that term is defined in the rule. Therefore, paragraph 
(a)(8) of proposed Rule 10 would define the term ``market entity'' 
to mean a Covered Entity and a broker-dealer registered with the 
Commission that is not a Covered Entity. Further, the definitions in 
proposed Rule 10 would refer to ``market entities'' (rather than 
``covered entities'') in order to not limit the application of these 
definitions to paragraphs (b) through (d) of proposed Rule 10, which 
set forth the requirements for Covered Entities (but not for Non-
Covered Entities).
    \142\ As discussed below in section IV.C.2. of this release, of 
the 3,510 broker-dealers registered with the Commission as of the 
third quarter of 2022, 1,541 would meet the definition of ``covered 
entity'' under proposed Rule 10, leaving 1,969 broker-dealers as 
Non-Covered Entities.
---------------------------------------------------------------------------

    The first category of broker-dealers included as Covered Entities 
would be carrying broker-dealers. Specifically, proposed Rule 10 would 
define ``covered entity'' to include any broker-dealer that maintains 
custody of cash and securities for customers or other broker-dealers 
and is not exempt from the requirements of Exchange Act Rule 15c3-3 
(i.e., a carrying broker-dealer).\143\ Some carrying broker-dealers are 
large in terms of their assets and dealing activities or the number of 
their accountholders. For example, they may engage in a variety of 
order handling, trading, and/or clearing activities, and thereby play a 
significant role in U.S. securities markets, often through multiple 
business lines and/or in multiple asset classes. Consequently, if their 
critical functions were disrupted or degraded by a significant 
cybersecurity incident it could have a potential negative impact on the 
U.S. securities markets by, for example, reducing liquidity in the 
markets or sectors of the markets due to the firm's inability to 
continue dealing and trading activities. A broker-dealer in this 
situation could lose its ability to provide liquidity to other market 
participants for an indeterminate length of time, which could lead to 
unfavorable market conditions for investors, such as higher buy prices 
and lower sell prices or even the inability to execute a trade within a 
reasonable amount of time. Further, some carrying broker-dealers hold 
millions of accounts for investors. If a significant cybersecurity 
incident prevented this investor-base from accessing the securities 
markets, it could impact liquidity as well.
---------------------------------------------------------------------------

    \143\ See paragraph (a)(1)(i)(A) of proposed Rule 10. See also 
17 CFR 240.15c3-3 (``Rule 15c3-3''). Rule 15c3-3 sets forth 
requirements for broker-dealers that maintain custody of customer 
securities and cash that are designed to protect those assets and 
ensure their prompt return to the customers.
---------------------------------------------------------------------------

    Also, the dealing activities of carrying broker-dealers may make 
them attractive targets for threat actors seeking to access proprietary 
and confidential information about the broker-dealer's trading 
positions and strategies to use for financial advantage. In addition, 
the size and financial resources of carrying broker-dealers may make 
them attractive targets for threat actors employing ransomware schemes.
    Because carrying broker-dealers hold cash and securities for 
customers and other broker-dealers, a significant cybersecurity 
incident could put these assets in peril or make them unavailable. For 
example, a significant cybersecurity incident could cause harm to the 
investors that own these assets--including retail investors--if it 
causes the investors to lose access to their securities accounts (and, 
therefore, the ability to purchase or sell securities), causes the 
failure of the carrying broker-dealer (which could tie up the assets in 
a liquidation proceeding under the Securities Investor Protection Act), 
or, in the worst case, results in the assets being stolen. The fact 
that carrying broker-dealers hold cash and securities for investors 
also may make them attractive targets for threat actors seeking to 
steal those assets through hacking the accounts or using stolen 
credentials and log-in information. In addition, carrying broker-
dealers with large numbers of customers might be attractive targets for 
threat actors because of the volume of personal information they 
maintain. Threat actors may seek to access and download this 
information in order to sell it to other threat actors. If this 
information is accessed or stolen by threat actors, it could result in 
harm (e.g., identity theft or conversion of financial assets) to many 
individuals, including retail investors. Carrying broker-dealers 
typically are connected to a number of different Market Entities 
through information systems, including national securities exchanges, 
clearing agencies, and other broker-dealers (including introducing 
broker-dealers).
    The second category of broker-dealers included as Covered Entities 
would be introducing broker-dealers.\144\ These broker-dealers 
introduce customer accounts on a fully disclosed basis to a carrying 
broker-dealer. In this arrangement, the carrying broker-dealer knows 
the identities of the fully disclosed customers and maintains custody 
of their securities and cash. The introducing broker-dealer typically 
interacts directly with the customers by, for example, making 
securities recommendations and accepting their orders to purchase or 
sell securities. An introducing broker-dealer must enter into an 
agreement with a carrying broker-dealer to which it introduces customer 
accounts on a fully disclosed basis.\145\
---------------------------------------------------------------------------

    \144\ See paragraph (a)(1)(i)(B) of proposed Rule 10.
    \145\ See FINRA Rule 4311. Pursuant to FINRA requirements, the 
carrying agreement must specify the responsibilities of the carrying 
broker-dealer and the introducing broker-dealer, including, at a 
minimum, the responsibilities for: (1) opening and approving 
accounts; (2) accepting of orders; (3) transmitting of orders for 
execution; (4) executing of orders; (5) extending credit; (6) 
receiving and delivering of funds and securities; (7) preparing and 
transmitting confirmations; (8) maintaining books and records; and 
(9) monitoring of accounts. See FINRA Rule 4311(c)(1).
---------------------------------------------------------------------------

    These broker-dealers would be included as Covered Entities because 
they are a conduit to their customers' accounts at the carrying broker-
dealer and have access to information and trading systems of the 
carrying broker-dealer. Consequently, a significant cybersecurity 
incident could harm their customers to the extent it causes the 
customers to lose access to their securities accounts at the carrying 
broker-dealer. Further, a significant cybersecurity incident at an 
introducing broker-dealer could spread to the carrying broker-dealer 
given the information systems that connect the two firms. These 
connections also may make introducing broker-dealers attractive targets 
for threat actors seeking to access the information systems of the 
carrying broker-dealer to which the introducing broker-dealer is 
connected.
    In addition, introducing broker-dealers may store personal 
information about their customers on their information systems or be 
able to access this information on the carrying broker-dealer's 
information systems. The fact that they store this information also may 
make them attractive targets for threat actors seeking to use the 
information to steal identities or assets, or to sell the personal 
information to other bad actors who will seek to use it for these 
purposes.
    The third category of broker-dealers included as Covered Entities 
would be broker-dealers that have regulatory capital equal to or 
exceeding $50 million.\146\ Regulatory capital is the total capital of 
the broker-dealer plus allowable subordinated liabilities of the 
broker-dealer and is reported on the FOCUS reports broker-dealers file
pursuant to Rule 17a-5.\147\ The fourth category would be a broker-
dealer with total assets equal to or exceeding $1 billion.\148\ The $50 
million and $1 billion thresholds are modeled on the thresholds that 
trigger enhanced recordkeeping and reporting requirements for certain 
broker-dealers pursuant to Exchange Act Rules 17h-1T and 17h-2T.\149\
---------------------------------------------------------------------------

    \146\ See paragraph (a)(1)(i)(C) of proposed Rule 10.
    \147\ See 17 CFR 240.17a-5; Form X-17A-5, Line Item 3550.
    \148\ See paragraph (a)(1)(i)(D) of proposed Rule 10.
    \149\ See 17 CFR 240.17h-1T and 17h-1T. See also Order Under 
Section 17(h)(4) of the Securities Exchange Act of 1934 Granting 
Exemption from Rule 17h-1T and Rule 17h-2T for Certain Broker-
Dealers Maintaining Capital, Including Subordinated Debt of Greater 
Than $20 Million But Less Than $50 Million, Exchange Act Release No. 
89184 (June 29, 2020) [85 FR 40356 (July 6, 2020)] (``17h Release'') 
(setting forth the $50 million and $1 billion thresholds).
---------------------------------------------------------------------------

    These thresholds are designed to include as Covered Entities 
broker-dealers that are large in terms of their assets and dealing 
activities (and that would not otherwise be Covered Broker-Dealers 
under the definitions in proposed Rule 10).\150\ For example, larger 
broker-dealers that exceed these thresholds often engage in proprietary 
trading (including high frequency trading) and are sources of liquidity 
in certain securities. Consequently, if their critical functions were 
disrupted or degraded by a significant cybersecurity incident it could 
have a potential negative impact on those securities markets if it 
reduces liquidity in the markets through the inability to continue 
dealing and trading activities. For example, a broker-dealer in this 
situation could lose its ability to provide liquidity to other market 
participants for an indeterminate length of time, which could lead to 
unfavorable market conditions for investors, such as higher buy prices 
and lower sell prices or even the inability to execute a trade within a 
reasonable amount of time.
---------------------------------------------------------------------------

    \150\ Size has been recognized as a proxy for substantial market 
activity relative to other registrants of the same type and 
therefore a firm's relative risk to the financial markets. See 17h 
Release (noting that broker-dealers that have less than $50 million 
in regulatory capital and less than $1 billion in total assets are 
``relatively small in size,'' and ``because of their relative size'' 
and to the extent they are not carrying firms, these entities 
``present less risk to the financial markets,'' while stating that 
with respect to broker-dealers with at least $50 million in 
regulatory capital or at least $1 billion in total assets ``the 
Commission believes . . . those broker-dealers . . . pose greater 
risk to the financial markets, investors, and other market 
participants'').
---------------------------------------------------------------------------

    In addition, the size and dealing activities of these broker-
dealers could make them attractive targets for threat actors seeking to 
access proprietary and confidential information about the broker-
dealer's trading positions and strategies to use for financial 
advantage. This also may make them attractive targets for threat actors 
employing ransomware schemes. Further, given their size and trading 
activities, these broker-dealers may be connected to a number of 
different Market Entities through information systems, including 
national securities exchanges, clearing agencies, other broker-dealers, 
and ATSs.
    The fifth category of broker-dealers included as Covered Entities 
would be broker-dealers that operate as market makers. Specifically, 
proposed Rule 10 would define ``covered entity'' to include a broker-
dealer that operates as a market maker under the Exchange Act or the 
rules thereunder (which includes a broker-dealer that operates pursuant 
to Exchange Act Rule 15c3-1(a)(6)) or is a market maker under the rules 
of an SRO of which the broker-dealer is a member.\151\ The proposed 
rule's definition of ``market maker'' is tied to securities laws that 
confer benefits or impose requirements on market makers and, 
consequently, covers broker-dealers that take advantage of those 
benefits or are subject to those requirements. The objective is to rely 
on these other securities laws to define a market maker rather than set 
forth a new definition of ``market maker'' in proposed Rule 10, which 
could conflict with these other laws.
---------------------------------------------------------------------------

    \151\ See paragraph (a)(1)(i)(E) of proposed Rule 10. See also 
17 CFR 240.15c3-1 (``Rule 15c3-1''). Paragraph (a)(6) of Rule 15c3-1 
permits a market maker to avoid taking capital charges for its 
proprietary positions provided, among other things, its carrying 
firm takes the capital charges instead. See also, e.g., Rule 103 of 
the New York Stock Exchange (setting forth requirements for 
Designated Market Makers and Designated Market Maker Units).
---------------------------------------------------------------------------

    Market makers would be included as Covered Entities because 
disruptions to their operations caused by a significant cybersecurity 
incident could have a material impact on the fair, orderly, and 
efficient functioning of the U.S. securities markets. For example, a 
significant cybersecurity incident could imperil a market maker's 
operations and ability to facilitate transactions in particular 
securities between buyers and sellers. In addition, market makers 
typically are connected to a number of different Market Entities 
through information systems, including national securities exchanges 
and other broker-dealers.
    The sixth category of broker-dealers included as Covered Entities 
would be broker-dealers that operate an ATS.\152\ Since Regulation ATS 
was adopted in 1998, ATSs have become increasingly important venues for 
trading securities in a fast and automated manner. ATSs perform 
exchange-like functions such as offering limit order books and other 
order types. These developments have made ATSs significant sources of 
orders and trading interest for securities. ATSs use data feeds, 
algorithms, and connectivity to perform these functions. ATSs rely 
heavily on information systems to perform these functions, including to 
connect to other Market Entities such as broker-dealers and principal 
trading firms.
---------------------------------------------------------------------------

    \152\ See paragraph (a)(1)(i)(F) of proposed Rule 10.
---------------------------------------------------------------------------

    To the extent an ATS provides liquidity to the market for certain 
securities, a significant cybersecurity incident that disrupts the ATS 
could negatively impact the ability of investors to purchase or 
liquidate those securities at favorable or predictable prices or in a 
timely manner. Further, a significant cybersecurity incident at an ATS 
could provide a gateway for threat actors to attack other Market 
Entities that connect to it through information systems and networks of 
interconnected information systems. In addition, ATSs are connected to 
a number of different Market Entities through information systems, 
including national securities exchanges and other broker-dealers. 
Finally, the records stored by ATSs on their information systems 
include proprietary information about the Market Entities that use 
their services, including confidential business information (e.g., 
information about their trading activities).
    For the foregoing reasons, the categories of broker-dealers 
discussed above would be Covered Entities under proposed Rule 10. All 
other categories of broker-dealers would be Non-Covered Entities.
    Generally, the types of broker-dealers that would be Non-Covered 
Entities under proposed Rule 10 are smaller firms whose functions do 
not play as significant a role in promoting the fair, orderly, and 
efficient operation of the U.S. securities markets, as compared to 
broker-dealers that would be Covered Entities.\153\ For example, they 
tend to offer a more focused and limited set of services such as 
facilitating private placements of securities, selling mutual funds and 
variable contracts, underwriting securities, and participating in 
direct investment

[[Page 20231]]

offerings.\154\ Further, they do not act as custodians for customer 
securities and cash or serve as a conduit (i.e., an introducing broker-
dealer) for customers to access their accounts at a carrying broker-
dealer that does maintain custody of securities and cash. Therefore, 
they do not pose the risk that a significant cybersecurity incident 
could lead to investors losing access to their securities or cash or 
having those assets stolen. In addition, Non-Covered Broker-Dealers 
likely are less connected to other Market Participants through 
information systems than Covered Broker-Dealers. For these reasons, the 
additional policies and procedures, reporting, and disclosure 
requirements would not apply to Non-Covered Broker-Dealers.
---------------------------------------------------------------------------

    \153\ For example, as discussed below in section IV.C.2. of this 
release, the 1,541 broker-dealers that would be Covered Entities had 
average total assets of $3.5 billion and average regulatory equity 
of $325 million; whereas the 1,969 that would be Non-Covered 
Entities had average total assets of $4.7 million and average 
regulatory equity of $3 million. This means that Non-Covered Broker-
Dealers under proposed Rule 10 accounted for about 0.2% of the total 
assets of all broker-dealers and 0.1% of total capital for all 
broker-dealers.
    \154\ See section IV.C.2. of this release (discussing the 
activities of broker-dealers that would not meet the definition of 
``covered entity'' in proposed Rule 10).
---------------------------------------------------------------------------

    At the same time, Non-Covered Broker-Dealers are part of the 
financial sector and exposed to cybersecurity risk. Further, certain 
Non-Covered Broker-Dealers maintain personal information about their 
customers that if accessed by threat actors or mistakenly exposed to 
unauthorized users could result in harm to the customers. For these 
reasons, Non-Covered Broker-Dealers--among other things--would be 
required under proposed Rule 10 to: (1) establish, maintain, and 
enforce written policies and procedures that are reasonably designed to 
address their cybersecurity risks taking into account their size, 
business, and operations; (2) review and assess the design and 
effectiveness of their cybersecurity policies and procedures annually, 
including whether the policies and procedures reflect changes in 
cybersecurity risk over the time period covered by the review; (3) make 
a written record that documents the steps taken in performing the 
annual review and the conclusions of the annual review; and (4) give 
the Commission and their examining authority immediate written 
electronic notice of a significant cybersecurity incident upon having a 
reasonable basis to conclude that the significant cybersecurity 
incident has occurred or is occurring.\155\ The Commission's objective 
in proposing Rule 10 is to address the cybersecurity risks faced by all 
Market Entities but apply a more limited set of requirements to Non-
Covered Broker-Dealers commensurate with the level of risk they pose to 
investors, the U.S. securities markets, and the U.S. financial sector 
more generally.
---------------------------------------------------------------------------

    \155\ See section II.C. of this release (discussing the 
requirements for these broker-dealers in more detail).
---------------------------------------------------------------------------

c. Market Entities Other Than Broker-Dealers
    The MSRB and all clearing agencies, national securities 
associations, national securities exchanges, SBSDRs, SBS Entities,\156\ 
and transfer agents would be Covered Entities and, therefore, subject 
to the additional requirements regarding the minimum elements that must 
be included in their cybersecurity risk management policies and 
procedures, reporting, and public disclosure.\157\ In particular, 
proposed Rule 10 would define Covered Entity to include: (1) a clearing 
agency (registered or exempt) under section 3(a)(23)(A) of the Exchange 
Act; \158\ (2) an MSBSP that is registered pursuant to section 15F(b) 
of the Exchange Act; \159\ (3) the Municipal Securities Rulemaking 
Board; \160\ (4) a national securities association under section 15A of 
the Exchange Act; \161\ (5) a national securities exchange under 
section 6 of the Exchange Act; \162\ (6) a security-based swap data 
repository under section 3(a)(75) of the Exchange Act; \163\ (7) a 
security-based swap dealer that is registered pursuant to section 
15F(b) of the Exchange Act; \164\ and (8) a transfer agent as defined 
in section 3(a)(25) of the Exchange Act that is registered or required 
to be registered with an appropriate regulatory agency (``ARA'') as 
defined in section 3(a)(34)(B) of the Exchange Act.\165\
---------------------------------------------------------------------------

    \156\ In addition to the requirements proposed in Rule 10 
itself, the scope of certain existing regulations applicable to SBS 
Entities would include proposed Rule 10 if adopted; see, e.g., 17 
CFR 240.15Fk-1(b)(2)(i) (which establishes the scope of specified 
chief compliance officer duties by reference to Section 15F of the 
Exchange Act (15 U.S.C. 78o-10) and the rules and regulations 
thereunder); 17 CFR 240.15Fh-3(h)(2)(iii)(I) (which establishes the 
scope of specified supervisory requirements by reference to Section 
15F(j) of the Exchange Act (15 U.S.C. 78o-10(j)).
    \157\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10 
(defining these Market Entities as ``covered entities'').
    \158\ See paragraph (a)(1)(ii) of proposed Rule 10. See also 15 
U.S.C. 78c(a)(23)(A) (defining the term ``clearing agency'').
    \159\ See paragraph (a)(1)(iii) of proposed Rule 10. See also 15 
U.S.C. 78o-10(b). Registered MSBSPs include both MSBSPs that are 
conditionally registered pursuant to paragraph (d) of Exchange Act 
Rule 15Fb2-1 (``Rule 15Fb2-1'') (17 CFR 240.15Fb2-1) and MSBSPs that 
have been granted ongoing registration pursuant to paragraph (e) of 
Rule 15Fb2-1.
    \160\ See paragraph (a)(1)(iv) of proposed Rule 10.
    \161\ See paragraph (a)(1)(v) of proposed Rule 10. See also 15 
U.S.C. 78o-3.
    \162\ See paragraph (a)(1)(vi) of proposed Rule 10. See also 15 
U.S.C. 78f.
    \163\ See paragraph (a)(1)(vii) of proposed Rule 10.
    \164\ See paragraph (a)(1)(viii) of proposed Rule 10. See also 
15 U.S.C. 78o-10(b). Registered SBSDs include both SBSDs that are 
conditionally registered pursuant to paragraph (d) of Rule 15Fb2-1 
and SBSDs that have been granted ongoing registration pursuant to 
paragraph (e) of Rule 15Fb2-1.
    \165\ See paragraph (a)(1)(ix) of proposed Rule 10. See also 15 
U.S.C. 78q-1(c)(1) (registration requirements for transfer agents); 
15 U.S.C. 78c(a)(25) (definition of transfer agent) and (a)(34)(B) 
(definition of appropriate regulatory agency).
---------------------------------------------------------------------------

    SROs play a critical role in setting and enforcing rules for their 
members or registrants that govern trading, fair access, transparency, 
operations, and business conduct, among other things. SROs and SBSDRs 
also play a critical role in ensuring fairness in the securities 
markets through the transparency they provide about securities 
transactions and pricing, and the information about securities 
transactions they can provide to regulators. National securities 
exchanges play a critical role in ensuring the orderly and efficient 
operation of the U.S. securities markets through the marketplaces they 
operate. Clearing agencies are critical to the orderly and efficient 
operation of the U.S. securities markets through the centralized 
clearing and settlement services they provide as well as their role as 
securities depositories, with exempt clearing agencies serving an 
important role as part of this process. Market liquidity is critical to 
the orderly and efficient operation of the U.S. securities markets. In 
this regard, SBS Entities play a critical role in providing liquidity 
to the security-based swap market.
    The disruption or degradation of the functions of an SRO (including 
functions that support securities marketplaces and the oversight of 
market participants) could cause harm to investors to the extent it 
negatively impacted the fair, orderly, and efficient operations of the 
U.S. securities markets. For example, it could prevent investors from 
purchasing or selling securities or doing so at fair or reasonable 
prices. Investors also would face harm if a transfer agent's functions 
were disrupted or degraded by a significant cybersecurity incident. 
Transfer agents provide services such as stockholder recordkeeping, 
processing of securities transactions and corporate actions, and paying 
agent activities. Their core recordkeeping systems provide a direct 
conduit to their issuer clients' master records that document and, in 
many instances provide the legal underpinning for, registered 
securityholders' ownership of the issuer's securities. If these 
functions were disrupted, investors might not be able to transfer 
ownership of their securities or receive dividends and

[[Page 20232]]

interest due on their securities positions.
    SROs, exempt clearing agencies, and SBSDRs connect to multiple 
members, registrants, users, or others through networks of information 
systems. The interconnectedness of these Market Entities with other 
Market Entities through information systems creates the potential that 
a significant cybersecurity incident at one Market Entity (e.g., one 
caused by malware) could spread to other Market Entities in a cascading 
process that could cause widespread disruptions threatening the fair, 
orderly, and efficient operation of the U.S. securities markets.\166\ 
Additionally, the disruption of a Market Entity that provides critical 
services to other Market Entities through information system 
connections could disrupt the activities of these other Market Entities 
if they cannot obtain the services from another source.
---------------------------------------------------------------------------

    \166\ See, e.g., Implications of Cyber Risk for Financial 
Stability (``[T]he interconnectedness of the financial system means 
that an event at one or more firms may spread to others (the domino 
effect).'').
---------------------------------------------------------------------------

    SROs, exempt clearing agencies, SBSDRs, SBS Entities, and transfer 
agents could be prime targets of threat actors because of the central 
roles they play in the securities markets. For example, threat actors 
could seek to disrupt their functions for geopolitical purposes. Threat 
actors also could seek to gain unauthorized access to their information 
systems to conduct espionage operations on their internal non-public 
activities. Moreover, because they hold financial assets (e.g., 
clearing deposits in the case of clearing agencies) and/or store 
substantial confidential and proprietary information about other Market 
Entities or financial transactions, they may be choice targets for 
threat actors seeking to steal the assets or use the financial 
information to their advantage.
    SROs, exempt clearing agencies, and SBSDRs store confidential and 
proprietary information about their members, registrants, and users, 
including confidential business information, and personal information. 
A significant cybersecurity incident at any of these types of Market 
Entities could lead to the improper use of this information to harm the 
members, registrants, and users or provide the unauthorized user with 
an unfair advantage over other market participants and, in the case of 
personal information, to steal identities. Moreover, given the volume 
of information stored by these Market Entities about different persons, 
the harm caused by a cybersecurity incident could be widespread, 
negatively impacting many victims.
    SBS Entities also store proprietary and confidential information 
about their counterparties on their information systems, including 
financial information they use to perform credit analysis. A 
significant cybersecurity incident at an SBS Entity could lead to the 
improper use of this information to harm the counterparties or provide 
the unauthorized user with an unfair advantage over other market 
participants. Transfer agents store proprietary information about 
securities ownership and corporate actions. A significant cybersecurity 
incident at a transfer agent could lead to the improper use of this 
information to harm securities holders. Transfer agents also may store 
personal information including names, addresses, phone numbers, email 
addresses, employers, employment history, bank and specific account 
information, credit card information, transaction histories, securities 
holdings, and other detailed and individualized information related to 
the transfer agents' recordkeeping and transaction processing on behalf 
of issuers. Threat actors breaching the transfer agent's information 
systems could use this information to steal identities or financial 
assets of the persons to whom this information pertains. They also 
could sell it to other threat actors.
    In light of these considerations, the MSRB and all clearing 
agencies, national securities associations, national securities 
exchanges, SBSDRs, SBS Entities, and transfer agents would be Covered 
Entities under proposed Rule 10 and, therefore, subject to the 
additional requirements regarding the minimum elements that must be 
included in their cybersecurity risk management policies and 
procedures, reporting, and public disclosure.\167\
---------------------------------------------------------------------------

    \167\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10 
(defining these Market Entities as ``covered entities'').
---------------------------------------------------------------------------

2. ``Cybersecurity Incident''
    Proposed Rule 10 would define the term ``cybersecurity incident'' 
to mean an unauthorized occurrence on or conducted through a Market 
Entity's information systems that jeopardizes the confidentiality, 
integrity, or availability of the information systems or any 
information residing on those systems.\168\ The objective is to use a 
term that is broad enough to encompass within the definition of 
``cybersecurity incident'' the various categories of unauthorized 
occurrences that can impact an information system (e.g., unauthorized 
access, use, disclosure, downloading, disruption, modification, or 
destruction). As discussed earlier, the sources of cybersecurity risk 
are myriad as are the tactics, techniques, and procedures employed by 
threat actors.\169\
---------------------------------------------------------------------------

    \168\ See paragraph (a)(2) of proposed Rule 10. See generally, 
NIST Glossary (defining ``cybersecurity risk'' as ``an effect of 
uncertainty on or within information and technology'' and defining 
``incident'' as ``an occurrence that actually or potentially 
jeopardizes the confidentiality, integrity, or availability of an 
information system or the information the system processes, stores, 
or transmits or that constitutes a violation or imminent threat of 
violation of security policies, security procedures, or acceptable 
use policies''); FISMA (defining ``incident'' as an ``occurrence'' 
that: (1) actually or imminently jeopardizes, without lawful 
authority, the integrity, confidentiality, or availability of 
information or an information system; or (2) constitutes a violation 
or imminent threat of violation of law, security policies, security 
procedures, or acceptable use policies). 44 U.S.C. 3552(b)(2).
    \169\ See section I.A.1. of this release (discussing the sources 
of the cybersecurity risk).
---------------------------------------------------------------------------

    The definition of ``cybersecurity incident'' in proposed Rule 10 is 
designed to include any unauthorized incident impacting an information 
system or the information residing on the system. An information system 
can experience an unauthorized occurrence without a threat actor itself 
directly obtaining unauthorized access to the system. For example, a 
social engineering tactic could cause an employee to unintentionally 
install ransomware that encrypts the information residing on the system or 
a DoS attack could cause the information system to shut down. In either 
case, the threat actor did not need to access the information system to 
cause harm.
    While the definition is intended to be broad, the occurrence must 
be one that jeopardizes (i.e., places at risk) the confidentiality, 
integrity, or availability of the information systems or any 
information residing on those systems. Confidentiality would be 
jeopardized if the unauthorized occurrence resulted in or could result 
in persons accessing an information system or the information residing 
on the system who are not permitted or entitled to do so or resulted in 
or could result in the disclosure of the information residing on the 
information system to the public or to any person not permitted or 
entitled to view it.\170\ Integrity would be jeopardized if the 
unauthorized occurrence resulted in or could result in: (1) an 
unpermitted or unintended modification or destruction of the

[[Page 20233]]

information system or the information residing on the system; or (2) 
otherwise resulted in or could result in a compromise of the 
authenticity of the information system (including its operations and 
output) and the information residing on the system.\171\ Availability 
would be jeopardized if the unauthorized occurrence resulted in or 
could result in the Market Entity or other authorized users being 
unable to access or use the information system or the information 
residing on the system, or being unable to do so in a timely or 
reliable manner.\172\
---------------------------------------------------------------------------

    \170\ See generally NIST Glossary (defining ``confidentiality'' 
as ``preserving authorized restrictions on information access and 
disclosure, including means for protecting personal privacy and 
proprietary information'').
    \171\ See generally NIST Glossary (defining ``integrity'' as 
``guarding against improper information modification or destruction, 
and includes ensuring information non-repudiation and 
authenticity'').
    \172\ See generally NIST Glossary (defining ``availability'' as 
``ensuring timely and reliable access to and use of information'').
---------------------------------------------------------------------------

3. ``Significant Cybersecurity Incident''
    Proposed Rule 10 would have a two-pronged definition of 
``significant cybersecurity incident.'' \173\ The first prong of the 
definition would be a cybersecurity incident, or a group of related 
cybersecurity incidents, that significantly disrupts or degrades the 
ability of the Market Entity to maintain critical operations.\174\ As 
discussed earlier, significant cybersecurity incidents can negatively 
impact information systems and the information residing on information 
systems in two fundamental ways. First, they can disrupt or degrade the 
information system or the information residing on the information 
system in a manner that prevents the Market Entity from performing 
functions that rely on the system operating as designed (e.g., an order 
routing system of a national securities exchange or a margin 
calculation and collection system of a clearing agency) or that rely on 
the Market Entity being able to process or access information on the 
system (e.g., a general ledger of a broker-dealer or SBS Entity that 
tracks and records securities transactions).\175\ This type of harm can 
be caused by, for example, a ransomware attack that encrypts the 
information stored on the system, a DoS attack that overwhelms the 
information system, or hackers taking control of the system or 
shutting it down. Generally, critical operations would be activities, 
processes, and services that if disrupted could prevent the Market 
Entity from continuing to operate or prevent it from performing a 
service that supports the fair, orderly, and efficient functioning of 
the U.S. securities markets.\176\
---------------------------------------------------------------------------

    \173\ See paragraphs (a)(10)(i) and (ii) of proposed Rule 10.
    \174\ See paragraph (a)(10)(i) of proposed Rule 10.
    \175\ See sections I.A.1. and I.A.2. of this release (discussing 
the consequences of these types of information system degradations 
and disruptions). This type of impact would compromise the integrity 
or availability of the information system. See generally NIST 
Glossary (defining ``integrity'' as ``guarding against improper 
information modification or destruction, and includes ensuring 
information non-repudiation and authenticity'' and ``availability'' 
as ``ensuring timely and reliable access to and use of 
information'').
    \176\ See, e.g., Basel Committee on Banking Supervision, 
Principles for Operational Resilience (Mar. 2021) (``The term 
critical operations is based on the Joint Forum's 2006 high-level 
principles for business continuity. It encompasses critical 
functions as defined by the FSB and is expanded to include 
activities, processes, services and their relevant supporting assets 
the disruption of which would be material to the continued operation 
of the bank or its role in the financial system.'') (footnotes 
omitted).
---------------------------------------------------------------------------

    The second fundamental way that a significant cybersecurity 
incident can negatively impact an information system or the information 
residing on the information system is when unauthorized persons are 
able to access and use the information stored on the information system 
(e.g., proprietary business information or personal information).\177\ 
Therefore, the second prong of the definition would be a cybersecurity 
incident, or a group of related cybersecurity incidents, that leads to 
the unauthorized access or use of the information or information 
systems of the Market Entity, where the unauthorized access or use of 
such information or information systems results in or is reasonably 
likely to result in: (1) substantial harm to the Market Entity; or (2) 
substantial harm to a customer, counterparty, member, registrant, or 
user of the Market Entity, or to any other person that interacts with 
the Market Entity.\178\ As discussed earlier, this kind of significant 
cybersecurity incident could lead to the improper use of this 
information to harm persons to whom it pertains (e.g., public exposure 
of their confidential financial information or the use of that 
information to steal their identities) or provide the unauthorized user 
with an unfair advantage over other market participants (e.g., trading 
based on confidential business information).\179\
---------------------------------------------------------------------------

    \177\ See sections I.A.1. and I.A.2. of this release (discussing 
the consequences of this type of compromise of an information 
system). This type of impact would compromise the confidentiality of 
the information system. See generally NIST Glossary (defining 
``confidentiality'' as ``preserving authorized restrictions on 
information access and disclosure, including means for protecting 
personal privacy and proprietary information'').
    \178\ See paragraph (a)(10)(ii) of proposed Rule 10. There could 
be instances where a significant cybersecurity incident meets both 
prongs. For example, an unauthorized user that is able to access the 
Market Entity's internal computer systems could shut down critical 
operations of the Market Entity and use information on the systems 
to steal assets of the Market Entity or assets or identities of the 
Market Entity's customers.
    \179\ See sections I.A.1. and I.A.2. of this release (discussing 
the consequences of this type of compromise of an information 
system).
---------------------------------------------------------------------------

4. ``Cybersecurity Threat''
    Proposed Rule 10 would define the term ``cybersecurity threat'' to 
mean any potential occurrence that may result in an unauthorized effort 
to affect adversely the confidentiality, integrity, or availability of 
a Market Entity's information systems or any information residing on 
those systems.\180\ As discussed earlier, threat actors use a number of 
different tactics, techniques, and procedures (e.g., malware, social 
engineering, hacking, DoS attacks) to commit cyber-related crime.\181\ 
These threat actors may be nation states, individuals (acting alone or 
as part of organized syndicates) seeking financial gain, or individuals 
seeking to cause harm for a variety of reasons. Further, the threat 
actors may be external or internal actors. Also, as discussed earlier, 
errors can pose a cybersecurity threat (e.g., accidentally providing 
access to confidential information to individuals who are not 
authorized to view or use it). The definition of ``cybersecurity 
threat'' in proposed Rule 10 is designed to include the potential 
actions of threat actors (e.g., seeking to install malware on or hack 
into an information system or engaging in social engineering tactics) 
and potential errors (e.g., an employee failing to secure confidential, 
proprietary, and personal information) that may result in an 
unauthorized effort to affect adversely the confidentiality, integrity, 
or availability of a Market Entity's information systems or any 
information residing on those systems.
---------------------------------------------------------------------------

    \180\ See paragraph (a)(4) of proposed Rule 10. See generally 
NIST Glossary (defining ``threat'' as any circumstance or event with 
the potential to adversely impact organizational operations 
(including mission, functions, image, or reputation), organizational 
assets, or individuals through an information system via 
unauthorized access, destruction, disclosure, modification of 
information, and/or denial of service and also the potential for a 
threat-source to successfully exploit a particular information 
system vulnerability).
    \181\ See section I.A.1. of this release (discussing the various 
tactics, techniques, and procedures used by threat actors).
---------------------------------------------------------------------------

5. ``Cybersecurity Vulnerability''
    Proposed Rule 10 would define the term ``cybersecurity 
vulnerability'' to mean a vulnerability in a Market Entity's 
information systems, information system security procedures, or 
internal controls, including, for example, vulnerabilities in their 
design,

[[Page 20234]]

configuration, maintenance, or implementation that, if exploited, could 
result in a cybersecurity incident.\182\ Cybersecurity vulnerabilities 
are weaknesses in the Market Entity's information systems that threat 
actors could exploit, for example, to hack into the system or install 
malware.\183\ One example would be an information system that uses 
outdated software that is no longer updated to address known flaws that 
could be exploited by threat actors to access the system. Cybersecurity 
vulnerabilities also are weaknesses in the procedures and controls the 
Market Entity uses to protect its information systems and the 
information residing on them such as procedures and controls that do 
not require outdated software to be replaced or that do not adequately 
restrict access to the system. Cybersecurity vulnerabilities can also 
include lack of training opportunities for employees to increase their 
cybersecurity awareness, such as how to properly secure sensitive data 
and recognize harmful files. The definition of ``cybersecurity 
vulnerability'' in proposed Rule 10 is designed to include weaknesses 
in the information systems themselves and weaknesses in the measures 
the Market Entity takes to protect the systems and the information 
residing on the systems.
---------------------------------------------------------------------------

    \182\ See paragraph (a)(5) of proposed Rule 10. See generally 
NIST Glossary (defining ``vulnerability'' as ``a weakness in an 
information system, system security procedures, internal controls, 
or implementation that could be exploited or triggered by a threat 
source'').
    \183\ See section I.A.1. of this release (discussing information 
system vulnerabilities). See generally CISA 2021 Vulnerability 
Report (``Globally, in 2021, malicious cyber actors targeted 
internet-facing systems, such as email servers and virtual private 
network (VPN) servers, with exploits of newly disclosed 
vulnerabilities.'').
---------------------------------------------------------------------------

6. ``Cybersecurity Risk''
    Proposed Rule 10 would define the term ``cybersecurity risk'' to 
mean financial, operational, legal, reputational, and other adverse 
consequences that could stem from cybersecurity incidents, 
cybersecurity threats, and cybersecurity vulnerabilities.\184\ As 
discussed earlier, cybersecurity incidents have the potential to cause 
harm to Market Entities and others who use their services or are 
connected to them through information systems and, if severe enough, 
negatively impact the fair, orderly, and efficient operations of the 
U.S. securities markets.\185\ The definition of ``cybersecurity risk'' 
in proposed Rule 10 is designed to encompass the types of harm and 
damage that can befall a Market Entity that experiences a cybersecurity 
incident.
---------------------------------------------------------------------------

    \184\ See paragraph (a)(3) of proposed Rule 10. See also 
paragraphs (a)(4) and (5) of proposed Rule 10 (defining, 
respectively, ``cybersecurity threat'' to mean ``any potential 
occurrence that may result in an unauthorized effort to affect 
adversely the confidentiality, integrity, or availability of a 
Market Entity's information systems or any information residing on 
those systems'' and ``cybersecurity vulnerability'' to mean ``a 
vulnerability in a Market Entity's information systems, information 
system security procedures, or internal controls, including, for 
example, vulnerabilities in their design, configuration, 
maintenance, or implementation that, if exploited, could result in a 
cybersecurity incident'').
    \185\ See sections I.A.1. and I.A.2. of this release 
(discussing, respectively, the harms that can be caused by 
significant cybersecurity incidents generally and with respect to 
each category of Market Entity).
---------------------------------------------------------------------------

7. ``Information''
    As discussed in more detail below, a Market Entity would be 
required under proposed Rule 10 to establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
the Market Entity's cybersecurity risks.\186\ Cybersecurity risks--as 
discussed above--would be financial, operational, legal, reputational, 
and other adverse consequences that could result from cybersecurity 
incidents, cybersecurity threats, and cybersecurity 
vulnerabilities.\187\ Cybersecurity incidents would be unauthorized 
occurrences on or conducted through a Market Entity's information 
systems that jeopardize the confidentiality, integrity, or availability 
of the information systems or any information residing on those 
systems.\188\ Cybersecurity threats would be any potential occurrences 
that may result in an unauthorized effort to affect adversely the 
confidentiality, integrity, or availability of a Market Entity's 
information systems or any information residing on those systems.\189\ 
Finally, cybersecurity vulnerabilities would be a vulnerability in a 
Market Entity's information systems, information system security 
procedures, or internal controls, including, for example, 
vulnerabilities in their design, configuration, maintenance, or 
implementation that, if exploited, could result in a cybersecurity 
incident.\190\ Consequently, the policies and procedures required under 
proposed Rule 10 would need to cover all of the Market Entity's 
information systems and information residing on those systems in order 
to address the Market Entity's cybersecurity risks.
---------------------------------------------------------------------------

    \186\ See paragraphs (b)(1) and (e) of proposed Rule 10 
(requiring Covered Entities and Non-Covered Entities, respectively, 
to have policies and procedures to address their cybersecurity 
risks); sections II.B.1. and II.C. of this release (discussing the 
requirements of paragraphs (b)(1) and (e) of proposed Rule 10, 
respectively, in more detail).
    \187\ See paragraph (a)(3) of proposed Rule 10 (defining 
``cybersecurity risk'').
    \188\ See paragraph (a)(2) of proposed Rule 10 (defining 
``cybersecurity incident'').
    \189\ See paragraph (a)(4) of proposed Rule 10 (defining 
``cybersecurity threat'').
    \190\ See paragraph (a)(5) of proposed Rule 10 (defining 
``cybersecurity vulnerability'').
---------------------------------------------------------------------------

    Proposed Rule 10 would define the term ``information'' to mean any 
records or data related to the Market Entity's business residing on the 
Market Entity's information systems, including, for example, personal 
information received, maintained, created, or processed by the Market 
Entity.\191\ The definition is designed to cover the full range of 
information stored by Market Entities on their information systems 
regardless of the digital format in which the information is 
stored.\192\ As discussed earlier, Market Entities create and maintain 
a wide range of information on their information systems.\193\ This 
includes information used to manage and conduct their operations, 
manage and mitigate their risks, monitor the progress of their 
business, track their financial condition, prepare financial 
statements, prepare regulatory filings, and prepare tax returns. They 
also store personal, confidential, and proprietary business information 
about their customers, counterparties, members, registrants, or users. 
This includes information maintained by clearing agencies, the MSRB, 
the national securities exchanges, and SBSDRs about market activity and 
about their members, registrants, and users.
---------------------------------------------------------------------------

    \191\ See paragraph (a)(6) of proposed Rule 10.
    \192\ See generally NIST Glossary (defining ``information'' as 
any communication or representation of knowledge such as facts, 
data, or opinions in any medium or form, including textual, 
numerical, graphic, cartographic, narrative, or audiovisual). Id. 
(defining ``data'' (among other things) as: (1) pieces of 
information from which ``understandable information'' is derived; 
(2) distinct pieces of digital information that have been formatted 
in a specific way; and (3) a subset of information in an electronic 
format that allows it to be retrieved or transmitted). Id. (defining 
``records'' (among other things) as units of related data fields 
(i.e., groups of data fields that can be accessed by a program and 
that contain the complete set of information on particular items)).
    \193\ See section I.A.2. of this release.
---------------------------------------------------------------------------

    The information maintained by Market Entities on their information 
systems is an attractive target for threat actors, particularly 
confidential, proprietary, and personal information.\194\ It also 
can be

[[Page 20235]]

critical to performing their various functions, and the inability to 
access and use their information could disrupt or degrade their ability 
to operate in support of the fair, orderly, and efficient operation of 
the U.S. securities markets.\195\ Consequently, protecting the 
confidentiality, integrity, and availability of information residing on 
a Market Entity's information systems is critical to avoiding the harms 
that can be caused by cybersecurity risk. The definition of 
``information'' in proposed Rule 10 is designed to encompass this 
information and, therefore, to extend the proposed protections of the 
rule to it.
---------------------------------------------------------------------------

    \194\ See sections I.A.1. and I.A.2. of this release (discussing 
how threat actors seek unauthorized access to and use of 
confidential, proprietary, and personal information to, among other 
reasons, conduct espionage operations, steal identities, use it for 
business advantage, hold it hostage (in effect) through a ransomware 
attack, or sell it to other threat actors).
    \195\ Id.
---------------------------------------------------------------------------

8. ``Information Systems''
    The policies and procedures required under proposed Rule 10 also 
would need to cover the Market Entity's information systems in order to 
address the Market Entity's cybersecurity risks. Proposed Rule 10 would 
define the term ``information systems'' to mean the information 
resources owned or used by the Market Entity, including, for example, 
physical or virtual infrastructure controlled by the information 
resources, or components thereof, organized for the collection, 
processing, maintenance, use, sharing, dissemination, or disposition of 
the Market Entity's information to maintain or support the Market 
Entity's operations.\196\
---------------------------------------------------------------------------

    \196\ See paragraph (a)(7) of proposed Rule 10.
---------------------------------------------------------------------------

    As discussed earlier, Market Entities use information systems to 
perform a wide range of functions.\197\ For example, they use 
information systems to maintain books and records to manage and conduct 
their operations, manage and mitigate their risks, monitor the progress 
of their business, track their financial condition, prepare financial 
statements, prepare regulatory filings, and prepare tax returns. Market 
Entities also use information systems so that their employees can 
communicate with each other and with external persons. These include 
email, text messaging, and virtual meeting applications. They also use 
internet websites to communicate information to their customers, 
counterparties, members, registrants, or users. They use information 
systems to perform the functions associated with their status and 
obligations as a broker-dealer, registered or exempt clearing agency, 
national securities association, national securities exchange, SBSDR, 
SBS Entity, SRO, or transfer agent.
---------------------------------------------------------------------------

    \197\ See section I.A.2. of this release.
---------------------------------------------------------------------------

    Information systems are targets that threat actors attack to access 
and use information maintained by Market Entities related to their 
business (particularly confidential, proprietary, and personal 
information).\198\ In addition, the interconnectedness of Market 
Entities through information systems creates channels through which 
malware, viruses, and other destructive cybersecurity threats can 
spread throughout the financial system. Moreover, the disruption or 
degradation of a Market Entity's information systems could negatively 
impact the entity's ability to operate in support of the U.S. 
securities markets.\199\ Consequently, protecting the confidentiality, 
integrity, and availability of a Market Entity's information systems is 
critical to avoiding the harms that can be caused by cybersecurity 
risk. The definition of the term ``information systems'' in proposed 
Rule 10 is designed to be broad enough to encompass all the electronic 
information resources owned or used by a Market Entity to carry out its 
various operations. Accordingly, the definition of ``information 
systems'' would require a Market Entity's policies and procedures to 
address cybersecurity risks to cover all of its information systems.
---------------------------------------------------------------------------

    \198\ See sections I.A.1. and I.A.2. of this release.
    \199\ Id.
---------------------------------------------------------------------------

9. ``Personal Information''
    Proposed Rule 10 would define the term ``personal information'' to 
mean any information that can be used, alone or in conjunction with any 
other information, to identify a person, including, but not limited to, 
name, date of birth, place of birth, telephone number, street address, 
mother's maiden name, Social Security number, government passport 
number, driver's license number, electronic mail address, account 
number, account password, biometric records, or other non-public 
authentication information.\200\ The definition of ``personal 
information'' was guided by a number of established sources and aims to 
capture a broad array of information that can reside on a Market 
Entity's information systems that may be used alone, or with other 
information, to identify an individual. The definition is designed to 
encompass information that if compromised could cause harm to the 
individuals to whom the information pertains (e.g., identity theft or 
theft of assets).
---------------------------------------------------------------------------

    \200\ See paragraph (a)(9) of proposed Rule 10. See generally 
NIST Glossary (defining ``personal information'' as information that 
can be used to distinguish or trace an individual's identity, either 
alone or when combined with other information that is linked or 
linkable to a specific individual and defining ``personally 
identifying information'' (among other things) as information that 
can be used to distinguish or trace an individual's identity--such 
as name, social security number, biometric data records--either 
alone or when combined with other personal or identifying 
information that is linked or linkable to a specific individual 
(e.g., date and place of birth, mother's maiden name, etc.)); 17 CFR 
248.201(b)(8) (defining ``identifying information'' as any name or 
number that may be used, alone or in conjunction with any other 
information, to identify a specific person, including any: (1) name, 
Social Security number, date of birth, official State or government 
issued driver's license or identification number, alien registration 
number, government passport number, employer or taxpayer 
identification number; (2) unique biometric data, such as 
fingerprint, voice print, retina or iris image, or other unique 
physical representation; (3) unique electronic identification 
number, address, or routing code; or (4) telecommunication 
identifying information or access device (as defined in 18 U.S.C. 
1029(e))).
---------------------------------------------------------------------------

    Personal information is an attractive target for threat actors 
because they can use it to steal a person's identity and then use the 
stolen identity to appropriate the person's assets through unauthorized 
transactions or to make unlawful purchases on credit or to effect other 
unlawful transactions in the name of the person.\201\ They also can 
sell personal information they obtain through unauthorized access to an 
information system to criminals who will seek to use the information 
for these purposes. Moreover, the victims of identity theft can be the 
more vulnerable members of society (e.g., individuals on fixed-incomes, 
including retirees). Consequently, proposed Rule 10 would have a 
provision that specifically addresses protecting personal 
information.\202\
---------------------------------------------------------------------------

    \201\ See sections I.A.1. and I.A.2. of this release.
    \202\ See paragraph (b)(1)(iii)(A)(2) of proposed Rule 10. See 
also proposed Form SCIR, which would elicit information about 
whether personal information was compromised in a significant 
cybersecurity incident.
---------------------------------------------------------------------------

10. Request for Comment
    The Commission requests comment on all aspects of the proposed 
definitions. In addition, the Commission is requesting comment on the 
following specific aspects of the proposals:
    1. In designing the definitions of proposed Rule 10, the Commission 
considered a number of sources cited in the sections above, including, 
in particular, the NIST Glossary and certain Federal statutes and 
regulations. Are these appropriate sources to consider? If so, explain 
why. If not, explain why not. Are there other sources the Commission 
should use? If so, identify them and explain why they should be 
considered and how they

[[Page 20236]]

could inform potential modifications to the definitions.
    2. In determining which categories of Market Entities would be 
Covered Entities subject to the additional requirements of proposed 
Rule 10, the Commission considered: (1) how the category of Market 
Entity supports the fair, orderly, and efficient operation of the U.S. 
securities markets and the consequences if that type of broker-dealer's 
critical functions were disrupted or degraded by a significant 
cybersecurity incident; (2) the harm that could befall investors, 
including retail investors, if that category of Market Entity's 
functions were disrupted or degraded by a significant cybersecurity 
incident; (3) the extent to which the category of Market Entity poses 
cybersecurity risk to other Market Entities through information system 
connections, including the number of connections; (4) the extent to 
which the category of Market Entity would be an attractive target for 
threat actors; and (5) the personal, confidential, and proprietary 
business information about the category of Market Entity and other 
persons (e.g., investors) stored on the Market Entity's information 
systems and the harm that could be caused if that information was 
accessed or used by threat actors through a cybersecurity breach. Are 
these appropriate factors to consider? If so, explain why. If not, 
explain why not. Are there other factors the Commission should take 
into account? If so, identify them and explain why they should be 
considered.
    3. Should proposed Rule 10 be modified to include other categories 
of broker-dealers as Covered Entities? If so, identify the category of 
broker-dealers and explain how to define broker-dealers within that 
category and why it would be appropriate to apply the additional 
policies and procedures, reporting, and disclosure requirements of the 
proposed rule to that category of broker-dealers. For example, should 
the $50 million regulatory capital threshold be lowered (e.g., to $25 
million or some other amount) or should the $1 billion total assets 
threshold be lowered (e.g., to $500 million or some other amount) to 
include more broker-dealers as Covered Entities? If so, identify the 
threshold and explain why it would be appropriate to apply the 
additional requirements to broker-dealers that fall within that 
threshold.
    4. Should proposed Rule 10 be modified to include as a Covered 
Entity any broker-dealer that is an SCI entity for the purposes of 
Regulation SCI? Currently, under Regulation SCI, an ATS that trades 
certain stocks exceeding specific volume thresholds is an SCI entity.\203\ 
As discussed above, a broker-dealer that operates an ATS would be 
a Covered Entity under proposed Rule 10 and, therefore, subject to the 
additional policies and procedures, reporting, and disclosure 
requirements of the proposed rule. However, the Commission is proposing 
to amend Regulation SCI to broaden the definition of ``SCI entity'' to 
include, among other Commission registrants, a broker-dealer that 
exceeds an asset-based size threshold or a volume-based trading 
threshold in NMS stocks, exchange-listed options, agency securities, or 
U.S. treasury securities.\204\ A broker-dealer that exceeds the asset-
based size threshold under the proposed amendments to Regulation SCI 
(which would be several hundred billion dollars) would be subject to 
the requirements of proposed Rule 10 applicable to Covered Entities, as 
it would exceed the $1 billion total assets threshold in the broker-
dealer definition of ``covered entity.'' \205\ Further, a broker-dealer 
that exceeds one or more of the volume-based trading thresholds under 
the proposed amendments to Regulation SCI likely would meet one of the 
broker-dealer definitions of ``covered entity'' in proposed Rule 10 
given its size and activities. For example, it may be a carrying 
broker-dealer, have regulatory capital equal to or exceeding $50 million, have 
total assets equal to or exceeding $1 billion, or operate as a market 
maker.\206\ Nonetheless, should the definition of ``covered entity'' in 
proposed Rule 10 be modified to include any broker-dealer that is an 
SCI entity under Regulation SCI? If so, explain why. If not, explain 
why not.
---------------------------------------------------------------------------

    \203\ See 17 CFR 242.1000 (defining the term ``SCI alternative 
trading system'' and including that defined term in the definition 
of ``SCI Entity'').
    \204\ Regulation SCI 2023 Proposing Release.
    \205\ See paragraph (a)(1)(i)(D) of proposed Rule 10. See also 
section II.F.1.c. of this release (discussing why this type of 
broker-dealer would be a Covered Entity).
    \206\ See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed 
Rule 10 (defining these categories of broker-dealers as ``covered 
entities''). See also section II.F.1.c. of this release (discussing 
why this type of broker-dealer likely would be a Covered Entity).
---------------------------------------------------------------------------

    5. Should proposed Rule 10 be modified to narrow the categories of 
broker-dealers that would be Covered Entities? If so, explain how the 
category should be narrowed and why it would be appropriate not to 
apply the additional requirements to broker-dealers that would no 
longer be included as Covered Entities. For example, are there certain 
types of carrying broker-dealers, introducing broker-dealers, market 
makers, or ATSs that should not be included as Covered Entities? If so, 
identify the type of broker-dealer and explain why it would be 
appropriate not to impose the additional policies and procedures, 
reporting, and disclosure requirements of the proposed rule on that 
type of broker-dealer. Similarly, should the proposed $50 million 
regulatory capital threshold be increased (e.g., to $100 million or 
some other amount) or should the $1 billion total assets threshold be 
increased (e.g., to $5 billion or some other amount) to exclude more 
broker-dealers from the definition of ``covered entity''? If so, 
identify the threshold and explain why it would be appropriate not to 
apply the additional requirements on the broker-dealers that would not 
be Covered Entities under the narrower definition.
    6. Should proposed Rule 10 be modified to divide other categories 
of Market Entities into Covered Entities and Non-Covered Entities? If 
so, identify the category of Market Entity and explain how to define 
Covered Entity and Non-Covered Entity within that category and explain 
why it would be appropriate not to impose the additional policies and 
procedures, reporting, and disclosure requirements on the Market 
Entities that would be Non-Covered Entities. For example, are there 
types of clearing agencies (registered or exempt), MSBSPs, national 
securities exchanges, SBSDRs, SBSDs, or transfer agents that pose a 
level of cybersecurity risk to the U.S. securities markets and the 
participants in those markets that is no greater than the cybersecurity 
risk posed by the categories of broker-dealers that would be Non-
Covered Entities? If so, explain why it would be appropriate not to 
apply the additional requirements of proposed Rule 10 to these types of 
Market Entities.
    7. Should proposed Rule 10 be modified so that it applies to other 
participants in the U.S. securities markets that are registered with 
the Commission? If so, identify the registrant type and explain why it 
should be subject to the requirements of proposed Rule 10. For example, 
should competing consolidators or plan processors be subject to the 
requirements of proposed Rule 10? \207\ If so, explain why. If not, 
explain why not. If competing consolidators or plan processors should 
be subject to proposed Rule 10, should they be treated as Covered 
Entities or Non-Covered Entities? If Covered Entities,

[[Page 20237]]

explain why. If Non-Covered Entities, explain why. Should certain 
competing consolidators or plan processors be treated as Covered 
Entities and others be treated as Non-Covered Entities? If so, explain 
how to define Covered Entity and Non-Covered Entity within that 
category and explain why it would be appropriate not to apply the 
additional policies and procedures, reporting, and disclosure 
requirements of the proposed rule to the competing consolidators or 
plan processors in that category that would not be Covered Entities.
---------------------------------------------------------------------------

    \207\ See 17 CFR 242.600(16) and (67) (defining the terms 
``competing consolidator'' and ``plan processor,'' respectively). 
See also 17 CFR 242.1000 (defining ``SCI competing consolidator'' 
and defining ``SCI entity'' to include SCI competing consolidator).
---------------------------------------------------------------------------

    8. Should proposed Rule 10 be modified to revise the broker-dealer 
definitions of ``covered entity''? For example, in order to include 
carrying broker-dealers as Covered Entities, paragraph (a)(1)(i)(A) of 
proposed Rule 10 would define the term ``covered entity'' to include a 
broker-dealer that maintains custody of cash and securities for 
customers or other brokers-dealers and is not exempt from the 
requirements of Rule 15c3-3. In addition, in order to include 
introducing broker-dealers as Covered Entities, paragraph (a)(1)(i)(B) 
of proposed Rule 10 would define the term ``covered entity'' to include 
a broker-dealer that introduces customer accounts on a fully disclosed 
basis to another broker-dealer that is a carrying broker-dealer under 
paragraph (a)(1)(i)(A) of the proposed rule. Would these broker-dealer 
definitions of ``covered entity'' work as designed? If not, explain why 
and suggest modifications to improve their design.
    9. In order to include market makers as Covered Entities, paragraph 
(a)(1)(i)(E) of proposed Rule 10 would define the term ``covered 
entity'' to include a broker-dealer that is a market maker under the 
Exchange Act or the rules thereunder (which includes a broker-dealer 
that operates pursuant to paragraph (a)(6) of Rule 15c3-1) or is a 
market maker under the rules of an SRO of which the broker-dealer is a 
member. Would the definition work as designed? If not, explain why and 
suggest modifications to improve its design. For example, should the 
definition be based on a list of the functions and activities of a 
market maker as distinct from the functions and activities of other 
categories of broker-dealers? If so, identify the relevant functions 
and activities and explain how they could be incorporated into a 
definition.
    10. Should paragraph (a)(2) of proposed Rule 10 be modified to 
revise the definition of ``cybersecurity incident''? For example, as 
discussed above, the definition is designed to include any unauthorized 
occurrence that impacts an information system or the information 
residing on the system. Would the definition work as designed? If not, 
explain why and suggest modifications to improve its design. Is this 
design objective appropriate? If not, explain why and suggest an 
alternative design objective for the definition. Is the definition of 
``cybersecurity incident'' overly broad in that it refers to an 
incident that jeopardizes the confidentiality, integrity, or 
availability of the information systems or any information residing on 
those systems? If so, explain why and suggest modifications to 
appropriately narrow its scope without undermining the objective of the 
rule to address cybersecurity risks facing Market Entities. Is the 
definition of ``cybersecurity incident'' too narrow? If so, how should 
it be broadened?
    11. Should paragraph (a)(3) of proposed Rule 10 be modified to 
revise the definition of ``cybersecurity risk''? For example, the NIST 
definition of ``cybersecurity risk'' focuses on how this risk can cause 
harm: it can adversely impact organizational operations (i.e., mission, 
functions, image, or reputation) and assets, individuals, other 
organizations, and the Nation. The definition of ``cybersecurity risk'' 
in proposed Rule 10 was guided by this aspect of cybersecurity risk. 
Does the definition appropriately incorporate this aspect of 
cybersecurity risk? If not, explain why and suggest modifications to 
improve its design. Is this design objective appropriate? If not, 
explain why and suggest an alternative design objective for the 
definition.
    12. Should paragraph (a)(4) of proposed Rule 10 be modified to 
revise the definition of ``cybersecurity threat''? For example, as 
discussed above, the definition is designed to include the potential 
actions of threat actors and errors that may result in an unauthorized 
effort to affect adversely the confidentiality, integrity, or 
availability of a Market Entity's information systems or any 
information residing on those systems. Would the definition work as 
designed? If not, explain why and suggest modifications to improve its 
design. Is the definition of ``cybersecurity threat'' overly broad in 
that it includes any ``potential occurrence''? If so, explain why and 
suggest modifications to appropriately narrow its scope without 
undermining the objective of the rule to address cybersecurity risks 
facing Market Entities. Is the definition of ``cybersecurity threat'' 
too narrow? If so, how should it be broadened?
    13. Should paragraph (a)(5) of proposed Rule 10 be modified to 
revise the definition of ``cybersecurity vulnerability''? For example, 
as discussed above, the definition is designed to include weaknesses in 
the information systems themselves and weaknesses in the measures the 
Covered Entity takes to protect the systems and the information 
residing on the systems. Would the definition work as designed? If not, 
explain why and suggest modifications to improve its design. Is this 
design objective appropriate? If not, explain why and suggest an 
alternative design objective for the definition. Is the definition of 
``cybersecurity vulnerability'' overly broad? If so, explain why and 
suggest modifications to appropriately narrow its scope without 
undermining the objective of the rule to address cybersecurity risks 
facing Market Entities. Is the definition of ``cybersecurity 
vulnerability'' too narrow? If so, how should it be broadened?
    14. Should paragraph (a)(6) of proposed Rule 10 be modified to 
revise the definition of ``information''? For example, as discussed 
above, the definition is designed to be broad enough to encompass the 
wide range of information that resides on the information systems of 
Market Entities. Would the definition work as designed? If not, explain 
why and suggest modifications to improve its design. Is this design 
objective appropriate? If not, explain why and suggest an alternative 
design objective for the definition. For example, should the definition 
focus on information that, if compromised, could cause harm to the 
Market Entity or others and exclude information that, if compromised, 
would not cause harm? If so, explain why and suggest rule text to 
implement this modification.
    15. Should paragraph (a)(7) of proposed Rule 10 be modified to 
revise the definition of ``information systems''? For example, as 
discussed above, the definition is designed to be broad enough to 
encompass all the electronic information resources owned or used by a 
Market Entity to carry out its various operations. Would the definition 
work as designed? If not, explain why and suggest modifications to 
improve its design. Is this design objective appropriate? If not, 
explain why and suggest an alternative design objective for the 
definition. Is the definition of ``information systems'' overly broad 
in that it includes any information resource ``used by'' the Market 
Entity, which may include information resources developed and 
maintained by a third party (other than a service provider that 
receives, maintains, or processes information, or is otherwise 
permitted to access the Market Entity's information systems and any of 
the

[[Page 20238]]

Market Entity's information residing on those systems)? If so, explain 
why and suggest modifications to improve its design. Is this design 
objective appropriate? If not, explain why and suggest an alternative 
design objective for the definition. Is the definition of ``information 
systems'' overly narrow? If so, how should it be broadened?
    16. Should paragraph (a)(9) of proposed Rule 10 be modified to 
revise the definition of ``personal information''? For example, as 
discussed above, the definition is designed to encompass information 
that if compromised could cause harm to the individuals to whom the 
information pertains (e.g., identity theft or theft of assets). Would 
the definition work as designed? If not, explain why and suggest 
modifications to improve its design. Is this design objective 
appropriate? If not, explain why and suggest an alternative design 
objective for the definition.
    17. Should paragraph (a)(10) of proposed Rule 10 be modified to 
revise the definition of ``significant cybersecurity incident''? For 
example, as discussed above, the definition would have two prongs: the 
first relating to incidents that significantly disrupt or degrade the 
ability of the Market Entity to maintain critical operations and the 
second relating to the unauthorized access or use of the information or 
information systems of the Market Entity. Are these the fundamental 
ways that significant cybersecurity incidents can negatively impact 
information systems and the information residing on information 
systems? If not, explain why and identify other fundamental ways that 
information and information systems can be negatively impacted by 
significant cybersecurity incidents that should be incorporated into 
the definition of ``significant cybersecurity incident.'' Should the 
term ``significant'' be defined separately? If so, explain why and 
suggest potential definitions for this term. Instead of 
``significant,'' should the definition use the word ``material''? If so, 
explain why and how that would change the meaning of the definition.
    18. Should paragraph (a)(10)(i) of proposed Rule 10 be modified to 
revise the first prong of the definition of ``significant cybersecurity 
incident''? For example, as explained above, the first prong is 
designed to address how a ``significant cybersecurity incident'' can 
disrupt or degrade the information system or the information residing 
on the system in a manner that prevents the Market Entity from 
performing functions that rely on the system operating as designed or 
that rely on the Market Entity being able to process or access 
information on the system. Would the first prong of the definition work 
as designed? If not, explain why and suggest modifications to improve 
its design. Is this design objective appropriate? If not, explain why 
and suggest an alternative design objective for the first prong of the 
definition. For example, should the first prong of the definition be 
limited to cybersecurity incidents that ``disrupt'' the ability of the 
Market Entity to maintain critical operations (i.e., not include 
incidents that ``degrade'' that ability)? If so, explain why and also 
explain how to distinguish between an incident that degrades the 
ability of the Market Entity to maintain critical operations and an 
incident that disrupts that ability. Also, explain why reporting to the 
Commission and other regulators (as applicable) and publicly disclosing 
incidents that degrade the ability of the Market Entity to maintain 
critical operations would not be necessary because they would no longer 
be significant cybersecurity incidents.\208\
---------------------------------------------------------------------------

    \208\ See paragraphs (c) and (d) of proposed Rule 10 (requiring, 
respectively, immediate notification and subsequent reporting of 
significant cybersecurity incidents and public disclosure of 
significant cybersecurity incidents).
---------------------------------------------------------------------------

    19. Should paragraph (a)(10)(ii) of proposed Rule 10 be modified to 
revise the second prong of the definition of ``significant 
cybersecurity incident''? For example, as explained above, the second 
prong is designed to address how a ``significant cybersecurity 
incident'' can cause harm if unauthorized persons are able to access 
and use the information system or the information residing on the 
system. Would the definition work as designed? If not, explain why and 
suggest modifications to improve its design. Is this design objective 
appropriate? If not, explain why and suggest an alternative design 
objective for the second prong of the definition. For example, should 
the second prong of the definition be limited to cybersecurity 
incidents that ``result'' in substantial harm to the Market Entity or 
substantial harm to a customer, counterparty, member, registrant, or 
user of the Market Entity, or to any other person that interacts with 
the Market Entity (i.e., not include incidents that are ``reasonably 
likely'' to result in these consequences)? If so, explain why and also 
explain why reporting to the Commission and other regulators (as 
applicable) and publicly disclosing incidents that are reasonably 
likely to result in these consequences would not be necessary because 
they would no longer be significant cybersecurity incidents.\209\ 
Alternatively, should the second prong of the definition be limited to 
an incident of unauthorized access or use that leads to ``substantial 
harm'' to a customer, counterparty, member, registrant or user of the 
Covered Entity, or should ``inconvenience'' to a customer, 
counterparty, member, registrant or user be enough? If yes, explain 
why. Should the second prong of the definition be modified so that it 
is limited to cybersecurity incidents that result in or are reasonably 
likely to result in substantial harm to more than one customer, 
counterparty, member, registrant, or user of the Market Entity, or to 
any other market participant that interacts with the Market Entity? If 
so, explain why.
---------------------------------------------------------------------------

    \209\ See paragraphs (c) and (d) of proposed Rule 10 (requiring, 
respectively, immediate notification and subsequent reporting of 
significant cybersecurity incidents and public disclosure of 
significant cybersecurity incidents).
---------------------------------------------------------------------------

    20. Should proposed Rule 10 be modified to define additional terms 
for the purposes of the rule and Parts I and II of proposed Form SCIR? 
If so, identify the term, suggest a definition, and explain why 
including the definition would be appropriate. For example, would 
including additional defined terms improve the clarity of the 
requirements of proposed Rule 10 and Parts I and II of proposed Form 
SCIR? If so, explain why. Should proposed Rule 10 be modified to define 
the terms ``confidentiality,'' ``integrity,'' and ``availability''? If 
so, explain why and suggest definitions.

B. Proposed Requirements for Covered Entities

1. Cybersecurity Risk Management Policies and Procedures
    Risk management is the ongoing process of identifying, assessing, 
and responding to risk.\210\ To manage risk generally, Market Entities 
should understand the likelihood that an event will occur and the 
potential resulting impacts.\211\ Cybersecurity risk--like other 
business risks (e.g., market, credit, or liquidity risk)--can be 
addressed through policies and procedures that are reasonably designed 
to manage the risk.\212\
---------------------------------------------------------------------------

    \210\ See generally NIST Framework.
    \211\ Id.
    \212\ See generally CISA Cyber Essentials Starter Kit (stating 
that organizations should ``approach cyber as business risk'').
---------------------------------------------------------------------------

    Accordingly, proposed Rule 10 would require Covered Entities to 
establish, maintain, and enforce written policies and procedures that 
are reasonably designed to address the Covered Entity's

[[Page 20239]]

cybersecurity risks.\213\ Further, proposed Rule 10 would set forth 
minimum elements that would need to be included in the policies and 
procedures.\214\ In particular, the policies and procedures would need 
to address: (1) risk assessment; (2) user security and access; (3) 
information protection; (4) cybersecurity threat and vulnerability 
management; and (5) cybersecurity incident response and recovery. As 
discussed in more detail below, the inclusion of these elements is 
designed to enumerate the core areas that Covered Entities would need 
to address when designing, implementing, and assessing their policies 
and procedures. Proposed Rule 10 also would require Covered Entities to 
review and assess their policies and procedures annually and prepare a 
written report describing the review and other related matters. Taken 
together, these requirements are designed to position Covered Entities 
to be better prepared to protect themselves against cybersecurity 
risks, to mitigate cybersecurity threats and vulnerabilities, and to 
recover from cybersecurity incidents. They are also designed to help 
ensure that Covered Entities focus their efforts and resources on the 
cybersecurity risks associated with their operations and business 
practices.
---------------------------------------------------------------------------

    \213\ See paragraph (b)(1) of proposed Rule 10.
    \214\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10. 
Covered Entities may wish to consult a number of resources in 
connection with these elements. See generally NIST Framework; CISA 
Cyber Essentials Starter Kit.
---------------------------------------------------------------------------

    The policies and procedures that would be required by proposed Rule 
10--because they would need to address the Covered Entity's 
cybersecurity risks--generally should be tailored to the nature and 
scope of the Covered Entity's business and address the Covered Entity's 
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to 
impose a one-size-fits-all approach to addressing cybersecurity risks. 
In addition, cybersecurity threats are constantly evolving and measures 
to address those threats continue to evolve. Therefore, proposed Rule 
10 is designed to provide Covered Entities with the flexibility to 
update and modify their policies and procedures as needed so that they 
they continue to be reasonably designed to address the Covered Entity's 
cybersecurity risks over time.
a. Risk Assessment
    Proposed Rule 10 would specify that the Covered Entity's 
cybersecurity risk management policies and procedures must include 
policies and procedures that require periodic assessments of 
cybersecurity risks associated with the Covered Entity's information 
systems and information residing on those systems.\215\ Further, with 
respect to the periodic assessments, the policies and procedures would 
need to include two components.
---------------------------------------------------------------------------

    \215\ See paragraph (b)(1)(i)(A) of proposed Rule 10. See 
generally NIST Framework (providing that the first core element of 
the framework is ``identify''--meaning develop an organizational 
understanding to manage cybersecurity risk to systems, people, 
assets, data, and capabilities); IOSCO Cybersecurity Report (``A key 
component of the risk management program is the identification of 
critical assets, information and systems, including order routing 
systems, risk management systems, execution systems, data 
dissemination systems, and surveillance systems. Practices 
supporting the identification function include the establishment and 
maintenance of an inventory of all hardware and software. This risk 
management program should also typically include third-party and 
technology providers' security assessments. Finally, accessing 
information about the evolving threat landscape is important in 
identifying the changing nature of cyber risk.'').
---------------------------------------------------------------------------

    First, the policies and procedures would need to provide that the 
Covered Entity will categorize and prioritize cybersecurity risks based 
on an inventory of the components of the Covered Entity's information 
systems and information residing on those systems and the potential 
effect of a cybersecurity incident on the Covered Entity.\216\ As 
discussed earlier, proposed Rule 10 would define the term 
``cybersecurity risk'' to mean financial, operational, legal, 
reputational, and other adverse consequences that could result from 
cybersecurity incidents, cybersecurity threats, and cybersecurity 
vulnerabilities.\217\ For example, Covered Entities may be subject to 
different cybersecurity risks as a result of, among other things: (1) 
the functions they perform and the extent to which they use information 
systems to perform those functions; (2) the criticality of the 
functions they perform that rely on information systems; (3) the 
interconnectedness of their information systems with third-party 
information systems; (4) the software that operates on their 
information systems, including whether it is proprietary or vendor-
supplied software; (5) the nature and volume of the information they 
store on information systems (e.g., personal, confidential, and/or 
proprietary information); (6) the complexity and scale of their 
information systems (i.e., the size of their IT footprint); (7) the 
location of their information systems; (8) the number of users 
authorized to access their information systems; (9) the types of 
devices permitted to access their information systems (e.g., company-
owned or personal desktop computers, laptop computers, or smart 
phones); (10) the extent to which they conduct international operations 
and allow access to their information systems from international 
locations; and (11) the extent to which employees access their 
information systems from remote locations, including international 
locations. In categorizing and prioritizing cybersecurity risks, the 
Covered Entity generally should consider consulting with, among others, 
personnel familiar with the Covered Entity's operations, its business 
partners, and third-party cybersecurity experts.\218\ In addition, a 
Covered Entity could consider an escalation protocol in its risk 
assessment plan to ensure that its senior officers, including 
appropriate legal and compliance personnel, receive necessary 
information regarding cybersecurity risks on a timely basis.\219\ Only 
after assessing, categorizing, and prioritizing its cybersecurity risks 
can a Covered Entity establish, maintain, and enforce reasonably 
designed cybersecurity policies and procedures under proposed Rule 10 
to address those risks.
---------------------------------------------------------------------------

    \216\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10. See 
generally CISA Cyber Essentials Starter Kit (``Consider how much 
your organization relies on information technology to conduct 
business and make it a part of your culture to plan for 
contingencies in the event of a cyber incident. Identify and 
prioritize your organization's critical assets and the associated 
impacts to operations if an incident were to occur. Ask the 
questions that are necessary to understanding your security 
planning, operations, and security-related goals. Develop an 
understanding of how long it would take to restore normal 
operations. Resist the ``it can't happen here'' pattern of thinking. 
Instead, focus cyber risk discussions on ``what-if'' scenarios and 
develop an incident response plan to prepare for various cyber 
events and scenarios.'').
    \217\ See paragraph (a)(3) of proposed Rule 10; see also 
paragraphs (a)(2), (a)(4), and (a)(5) of proposed Rule 10 (defining, 
respectively, the terms ``cybersecurity incident,'' ``cybersecurity 
threat,'' and ``cybersecurity vulnerability,'' which are used in the 
definition of ``cybersecurity risk'').
    \218\ See generally CISA Cyber Essentials Starter Kit (``[H]ave 
conversations with your staff, business partners, vendors, managed 
service providers, and others within your supply chain. . . . 
Maintain situational awareness of cybersecurity threats and explore 
available communities of interest. These may include sector-specific 
Information Sharing and Analysis Centers, government agencies, law 
enforcement, associations, vendors, etc.'').
    \219\ See generally id. (stating that organizational leaders 
drive cybersecurity strategy, investment, and culture, and that 
leaders should, among other things: (1) use risk assessments to 
identify and prioritize allocation of resources and cyber 
investments; (2) perform a review of all current cybersecurity and 
risk policies and identify gaps or weaknesses; and (3) develop a 
policy roadmap, prioritize policy creation and updates based on the 
risk to the organization as determined by business leaders and 
technical staff).
---------------------------------------------------------------------------

    A Covered Entity also would need to reassess and re-prioritize its 
cybersecurity risks periodically. The Covered Entity would need to 
determine the frequency of these assessments and the types of 
developments in

[[Page 20240]]

cybersecurity risk that would trigger an assessment based on its 
particular circumstances. Consequently, the Covered Entity generally 
should consider whether to reassess its cybersecurity risks to reflect 
internal changes as they arise, such as changes to its business, online 
presence, or customer website access, or external changes, such as 
changes in the evolving technology and cybersecurity threat 
landscape.\220\ The Covered Entity generally should also consider 
raising any material changes in its risk assessment plan to senior 
officers, as appropriate. In assessing ongoing and emerging 
cybersecurity threats, a Covered Entity could monitor and consider 
updates and guidance from private sector and governmental resources, 
such as the FS-ISAC and CISA.\221\
---------------------------------------------------------------------------

    \220\ See generally id. (``Maintain awareness of current events 
related to cybersecurity. Be proactive; alert staff to hazards that 
the organization may encounter. Maintain vigilance by asking 
yourself: what types of cyber attack[s] are hitting my peers or 
others in my industry? What tactics were successful in helping my 
peers limit damage? What does my staff need to know to help protect 
the organization and each other? On a national-level, are there any 
urgent cyber threats my staff need to know about?'').
    \221\ The FS-ISAC is a global private industry cyber 
intelligence sharing community solely focused on financial services. 
Additional information about FS-ISAC is available at https://www.fsisac.com. Often, private industry groups maintain 
relationships and information sharing agreements with government 
cybersecurity organizations, such as CISA. Private sector companies, 
such as information technology and cybersecurity consulting 
companies, may have insights on cybersecurity (given the access 
their contractual status gives them to customer networks) that the 
government initially does not. See, e.g., Verizon DBIR; Microsoft 
Report. For example, private-sector cybersecurity firms may often be 
in the position to spot new malicious cybersecurity trends before 
they become more widespread and common.
---------------------------------------------------------------------------

    Second, the policies and procedures would need to require the 
Covered Entity to identify its service providers that receive, 
maintain, or process information, or are otherwise permitted to access 
its information systems and the information residing on those systems, 
and assess the cybersecurity risks associated with its use of these 
service providers.\222\ Covered Entities are exposed to cybersecurity 
risks through the technology of their service providers.\223\ Having 
identified the relevant service providers, the Covered Entity would 
need to assess how they expose it to cybersecurity risks. In 
identifying these cybersecurity risks, the service provider's 
cybersecurity practices would be relevant, including: (1) how the 
service provider protects itself against cybersecurity risk; and (2) 
its ability to respond to and recover from cybersecurity incidents.
---------------------------------------------------------------------------

    \222\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10; 
paragraphs (a)(6) and (7) of proposed Rule 10 (defining, 
respectively, the terms ``information'' and ``information 
systems''). Oversight of third-party service provider or vendor risk 
is a component of many cybersecurity frameworks. See, e.g., NIST 
Framework (discussing supply chain risks associated with products 
and services an organization uses).
    \223\ See GAO Cyber Security Report (``Increased connectivity 
with third-party providers and the potential for increased cyber 
risk is a concern in the financial industry as core systems and 
critical data are moved offsite to third parties.''). For purposes 
of proposed Rule 10, the Covered Entity's assessment of service 
providers should not be limited to only certain service providers, 
such as those that provide core functions or services for the 
Covered Entity. Rather, the cybersecurity risk of any service 
provider that receives, maintains, or processes information, or is 
otherwise permitted to access the information systems of the Covered 
Entity and the information residing on those systems should be 
evaluated. Furthermore, it is possible that a service provider for a 
Covered Entity may itself be a Covered Entity under proposed Rule 
10. For example, a carrying broker-dealer may be a service provider 
for a number of introducing broker-dealers.
---------------------------------------------------------------------------

    A Covered Entity generally should take into account whether a 
cybersecurity incident at a service provider could lead to process 
failures or the unauthorized access to or use of information or 
information systems. For example, a Covered Entity may use a cloud 
service provider to maintain required books and records. If all of the 
Covered Entity's books and records were concentrated at this cloud 
service provider and a cybersecurity incident disrupts or degrades the 
cloud service provider's information systems, there could potentially 
be detrimental data loss affecting the ability of the Covered Entity to 
provide services and comply with regulatory obligations. Accordingly, 
as part of identifying the cybersecurity risks associated with using a 
cloud service provider, a Covered Entity should consider how the 
service provider will secure and maintain data and whether the service 
provider has response and recovery procedures in place such that any 
compromised or lost data in the event of a cybersecurity incident can 
be recovered and restored.
    Finally, the Covered Entity's risk assessment policies and 
procedures would need to require written documentation of these risk 
assessments.\224\ This documentation would be relevant to the reviews 
performed by the Covered Entity to analyze whether the policies and 
procedures need to be updated, to inform the Covered Entity of risks 
specific to it, and to support responses to cybersecurity risks by 
identifying cybersecurity threats to information systems that, if 
compromised, could result in significant cybersecurity incidents.\225\ 
It also could be used by Commission and SRO staff and possibly internal 
auditors of the Covered Entity to examine for adherence to the risk 
assessment policies and procedures.
---------------------------------------------------------------------------

    \224\ See paragraph (b)(1)(i)(B) of proposed Rule 10.
    \225\ See paragraph (b)(2) of proposed Rule 10 (which would 
require a Covered Entity to review and assess the design and 
effectiveness of the cybersecurity policies and procedures, 
including whether the policies and procedures reflect changes in 
cybersecurity risk over the time period covered by the review). See 
also section II.B.1.f. of this release (discussing the review 
proposal in more detail).
---------------------------------------------------------------------------

b. User Security and Access
    Proposed Rule 10 would specify that the Covered Entity's 
cybersecurity risk management policies and procedures must include 
controls designed to minimize user-related risks and prevent 
unauthorized access to the Covered Entity's information systems and the 
information residing on those systems.\226\ Further, the rule would 
require that these policies and procedures include controls addressing 
five specific aspects relating to user security and access.
---------------------------------------------------------------------------

    \226\ See paragraph (b)(1)(ii) of proposed Rule 10; paragraphs 
(a)(6) and (7) of proposed Rule 10 (defining, respectively, the 
terms ``information'' and ``information systems''). See generally 
NIST Framework (providing that the second core element of the 
framework is ``protect''--meaning develop and implement appropriate 
safeguards to ensure delivery of critical services); CISA Cyber 
Essentials Starter Kit (stating with respect to user security and 
access that (among other things): (1) the authority and access 
granted employees, managers, and customers into an organization's 
digital environment needs limits; (2) setting approved access 
privileges requires knowing who operates on an organization's 
systems and with what level of authorization and accountability; and 
(3) organizations should ensure only those who belong on their 
``digital workplace have access''); IOSCO Cybersecurity Report 
(stating that network access controls are one of the types of 
controls trading venues use as the protection function).
---------------------------------------------------------------------------

    First, there would need to be controls requiring standards of 
behavior for individuals authorized to access the Covered Entity's 
information systems and the information residing on those systems, such 
as an acceptable use policy.\227\ Second, there would need to be 
controls for identifying and authenticating individual users, including 
but not limited to implementing authentication measures that require 
users to present a combination of two or more credentials for access 
verification.\228\ Third, there would need to be controls for 
establishing procedures for the timely distribution, replacement, and 
revocation of passwords or methods of

[[Page 20241]]

authentication.\229\ Fourth, there would need to be controls for 
restricting access to specific information systems of the Covered 
Entity or components thereof and the information residing on those 
systems solely to individuals requiring access to the systems and 
information as is necessary for them to perform their responsibilities 
and functions on behalf of the Covered Entity.\230\ Fifth, there would 
need to be controls for securing remote access technologies.\231\
---------------------------------------------------------------------------

    \227\ See paragraph (b)(1)(ii)(A) of proposed Rule 10.
    \228\ See paragraph (b)(1)(ii)(B) of proposed Rule 10.
    \229\ See paragraph (b)(1)(ii)(C) of proposed Rule 10.
    \230\ See paragraph (b)(1)(ii)(D) of proposed Rule 10.
    \231\ See paragraph (b)(1)(ii)(E) of proposed Rule 10; 
paragraphs (a)(6) and (7) of proposed Rule 10 (defining, 
respectively, the terms ``information'' and ``information 
systems'').
---------------------------------------------------------------------------

    The objective of these policies, procedures, and controls would be 
to protect the Covered Entity's information systems from unauthorized 
access and improper use. There are a variety of controls that a Covered 
Entity, based on its particular circumstances, could include in these 
policies and procedures to make them reasonably designed to achieve 
this objective. For example, access to information systems could be 
controlled through the issuance of user credentials, digital rights 
management with respect to proprietary hardware and copyrighted 
software, authentication and authorization methods (e.g., multi-factor 
authentication and geolocation), and tiered access to personal, 
confidential, and proprietary information and data and network 
resources.\232\ Covered Entities may wish to consider multi-factor 
authentication methods that are not based solely on SMS-delivery (e.g., 
text message delivery) of authentication codes, because SMS-delivery 
methods may provide less security than other non-SMS based multi-factor 
authentication methods. Furthermore, Covered Entities could require 
employees to attend cybersecurity training on how to secure sensitive 
data and recognize harmful files prior to obtaining access to certain 
information systems. The training generally could address best 
practices in creating new passwords, filtering through suspicious 
emails, or browsing the internet.\233\
---------------------------------------------------------------------------

    \232\ See generally CISA Cyber Essentials Starter Kit (stating 
that organizations should (among other things): (1) learn who is on 
their networks and maintain inventories of network connections 
(e.g., user accounts, vendors, and business partners); (2) leverage 
multi-factor authentication for all users, starting with privileged, 
administrative and remote access users; (3) grant access and 
administrative permissions based on need-to-know basis; (4) leverage 
unique passwords for all user accounts; and (5) develop IT policies 
and procedures addressing changes in user status (e.g., transfers 
and terminations).
    \233\ See generally CISA Cyber Essentials Starter Kit (stating 
that organizations should (among other things) leverage basic 
cybersecurity training to improve exposure to cybersecurity 
concepts, terminology, and activities associated with implementing 
cybersecurity best practices).
---------------------------------------------------------------------------

    Further, a Covered Entity could use controls to monitor user access 
regularly in order to remove users that are no longer authorized. These 
controls generally should address the Covered Entity's employees (e.g., 
removing access for employees that leave the firm) and external users 
of the Covered Entity's information systems (e.g., customers that no 
longer use the firm's services or external service providers that no 
longer are under contract with the firm to provide it with any 
services). In addition, controls to monitor for unauthorized login 
attempts and account lockouts, and the handling of customer requests, 
including for user name and password changes, could be a part of 
reasonably designed policies and procedures. Similarly, controls to 
assess the need to authenticate or investigate any unusual customer, 
member, or user requests (e.g., wire transfer or withdrawal requests) 
could be a part of reasonably designed policies and procedures.
    A Covered Entity also generally should take into account the types 
of technology through which its users access the Covered Entity's 
information systems. For example, mobile devices (whether firm-issued 
or personal devices) that allow employees to access information systems 
and personal, confidential, or proprietary information residing on 
these systems may create additional and unique vulnerabilities, 
including when such devices are used internationally. Consequently, 
controls limiting mobile or other devices approved for remote access to 
those issued by the firm or enrolled in a mobile device management (MDM) 
system could be part of reasonably designed policies and procedures.
    In addition, a Covered Entity could consider controls with respect 
to its network perimeter such as securing remote network access used by 
teleworking and traveling employees. This could include controls to 
identify threats on a network's endpoints. For example, Covered 
Entities could consider using software that monitors and inspects all 
files on an endpoint, such as a mobile phone or remote laptop, and 
identifies and blocks incoming unauthorized communications. Covered 
Entities generally would need to consider the user-related and access 
risks of the remote access technologies used at their remote work and 
telework locations and include controls designed to secure those 
technologies. For example, a Covered Entity's personnel 
working remotely from home or a co-working space may create unique 
cybersecurity risks--such as unsecured or less secure Wi-Fi--that 
threat actors could exploit to access the Covered Entity's information 
systems and the information residing on those systems. Accordingly, a 
Covered Entity could consider whether its user security and access 
policies, procedures, and controls should have controls requiring 
approval of mobile or other devices for remote access, and whether 
training on device policies would be appropriate. The training for 
remote workers in particular could focus on phishing, social 
engineering, compromised passwords, and the consequences of weak 
network security.
c. Information Protection
    Information protection is a key aspect of managing cybersecurity 
risk.\234\ Therefore, proposed Rule 10 would specify that the Covered 
Entity's cybersecurity risk management policies and procedures would 
need to address information protection in two ways.\235\ First, the 
policies and procedures would need to include measures designed to 
protect the Covered Entity's information systems and protect the 
information residing on those systems from unauthorized access or use, 
based on a periodic assessment of the Covered

[[Page 20242]]

Entity's information systems and the information that resides on the 
systems.\236\ The periodic assessment would need to take into account: 
(1) the sensitivity level and importance of the information to the 
Covered Entity's business operations; (2) whether any of the 
information is personal information; \237\ (3) where and how the 
information is accessed, stored and transmitted, including the 
monitoring of information in transmission; (4) the information systems' 
access controls and malware protection; \238\ and (5) the potential 
effect a cybersecurity incident involving the information could have on 
the Covered Entity and its customers, counterparties, members, 
registrants, or users, including the potential to cause a significant 
cybersecurity incident.\239\
---------------------------------------------------------------------------

    \234\ See generally NIST Framework (``The Protect Function 
supports the ability to limit or contain the impact of a potential 
cybersecurity event. Examples of outcome Categories within this 
Function include: Identity Management and Access Control; Awareness 
and Training; Data Security; Information Protection Processes and 
Procedures; Maintenance; and Protective Technology.''); IOSCO 
Cybersecurity Report (``There are numerous controls and protection 
measures that regulated entities may wish to consider in enhancing 
their cyber security. Such measures can be organizational (like the 
establishment of security operations centers) or technical (like 
anti-virus and intrusion prevention systems). Risk assessments help 
determine the minimum level of controls to be implemented within a 
project, an application or a database. In addition, employee 
training and awareness initiatives are critical parts of any cyber 
security program, including induction programs for newcomers, 
general training, as well as more specific training (for instance, 
social engineering awareness). Proficiency tests could be conducted 
to demonstrate staff understanding and third party training could 
also be organized. Other initiatives which contribute to raising 
employees' awareness of cyber security threats include monthly 
security bulletins emailed to all employees, regular communications 
regarding new issues and discovered vulnerabilities, use of posters 
and screen savers, and regular reminders sent to employees. Mock 
tests can also be conducted to assess employees' preparedness. 
Employees are also often encouraged to report possible attacks.'').
    \235\ See paragraph (b)(1)(iii) of proposed Rule 10.
    \236\ See paragraph (b)(1)(iii)(A) of proposed Rule 10; 
paragraphs (a)(6) and (7) of proposed Rule 10 (defining, 
respectively, the terms ``information'' and ``information 
systems''). See generally CISA Cyber Essentials Starter Kit (``Learn 
what information resides on your network. Inventory critical or 
sensitive information. An inventory of information assets provides 
an understanding of what you are protecting, where that information 
resides, and who has access. The inventory can be tracked in a 
spreadsheet, updated quickly and frequently'').
    \237\ See paragraph (a)(9) of proposed Rule 10 (defining the 
term ``personal information'').
    \238\ See generally CISA Cyber Essentials Starter Kit 
(``Leverage malware protection capabilities. Malware is designed to 
spread quickly. A lack of defense against it can completely corrupt, 
destroy or render your data inaccessible.'').
    \239\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed 
Rule 10. See generally CISA Cyber Essentials Starter Kit (``Learn 
how your data is protected. Data should be handled based on its 
importance to maintaining critical operations in order to understand 
what your business needs to operate at a basic level. For example, 
proprietary research, financial information, or development data 
need protection from exposure in order to maintain operations. 
Understand the means by which your data is currently protected; 
focus on where the protection might be insufficient. Guidance from 
the Cyber Essentials Toolkits, including authentication, encryption, 
and data protection help identify methods and resources for how to 
best secure your business information and devices.'').
---------------------------------------------------------------------------

    By performing these assessments, a Covered Entity should be able to 
determine the measures it would need to implement to prevent the 
unauthorized access or use of information residing on its information 
systems. Measures that could be used for this purpose include 
encryption, network segmentation, and access controls to ensure that 
only authorized users have access to personal, confidential, and 
proprietary information and data or critical systems. Measures to 
identify suspicious behavior also could be used for this purpose. These 
measures could include consistent monitoring of systems and personnel, 
such as the generation and review of activity logs, identification of 
potential anomalous activity, and escalation of issues to senior 
officers, as appropriate. Further, data loss prevention measures could 
include processes to identify personal, confidential, or proprietary 
information and data (e.g., account numbers, Social Security numbers, 
trade information, and source code) and block its transmission to 
external parties. Additional measures could include testing of systems, 
including penetration tests. A Covered Entity also could consider 
measures to track the actions taken in response to findings from 
testing and monitoring, material changes to business operations or 
technology, or any other significant events. Appropriate measures for 
preventing the unauthorized use of information may differ depending on 
the circumstances of a Covered Entity, such as the systems used by the 
Covered Entity, the Covered Entity's relationship with service 
providers, or the level of access granted by the Covered Entity to 
employees or contractors. Appropriate measures generally should evolve 
with changes in technology and the increased sophistication of 
cybersecurity attacks.
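    The following is an added worked example and is not part of this 
release. It illustrates the data loss prevention measure described above: 
an outbound message is scanned for Social Security numbers and payment 
card numbers, matches are validated (Social Security numbers with area, 
group, or serial values that are never issued are discarded, and digit 
runs that fail the Luhn check are not treated as card numbers) to reduce 
false positives, and transmission to any domain other than the firm's own 
is blocked while a redacted copy is kept for review. The sample message, 
the internal domain name, and the test card number are constructed for 
illustration.

```python
"""Outbound-content data loss prevention check over a constructed message.

Added example, not part of the release. Detects U.S. Social Security
numbers and payment card numbers (Luhn-validated) in text and decides
whether a transmission to an external domain should be blocked. The
domain names and sample message are constructed.
"""
import re

INTERNAL_DOMAIN = "example-firm.test"  # assumed internal mail domain

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed outbound message: one plausible SSN, one Luhn-valid test card
# number, one 16-digit reference that fails Luhn, one SSN with an invalid area.
SAMPLE_OUTBOUND = (
    "Per your request the client's SSN is 078-05-1120 and the card on file is "
    "4111 1111 1111 1111 (exp 12/27). Order reference 1234 5678 9012 3456 and "
    "ticket 000-12-3456 are unrelated."
)


def is_plausible_ssn(area, group, serial):
    """Reject SSN-shaped strings that the Social Security Administration never issues."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts false positives on plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) pairs for validated SSNs and card numbers, in text order."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append((m.start(), "ssn", m.group(0)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), "pan", m.group(0)))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text, hits):
    """Replace each detected value with a marker so the message can be logged safely."""
    for kind, value in hits:
        text = text.replace(value, f"[{kind.upper()} REDACTED]")
    return text


def dlp_decision(text, recipient_domain, internal_domain=INTERNAL_DOMAIN):
    """Block transmissions carrying sensitive data to any domain other than the firm's own."""
    hits = find_sensitive(text)
    if hits and recipient_domain.lower() != internal_domain:
        return "block", hits
    return "allow", hits


if __name__ == "__main__":
    decision, found = dlp_decision(SAMPLE_OUTBOUND, "partner.example")
    print(decision, found)
    print(redact(SAMPLE_OUTBOUND, found))
```

Pattern matching alone would flag the 16-digit order reference and the 
000-prefixed ticket number in the sample; the validation steps are what 
keep the block list to the two values that are actually sensitive.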
    Second, the policies and procedures for protecting information 
would need to require oversight of service providers that receive, 
maintain, or process the Covered Entity's information, or are otherwise 
permitted to access the Covered Entity's information systems and the 
information residing on those systems, pursuant to a written contract 
between the Covered Entity and the service provider.\240\ Further, 
pursuant to that written contract, the service provider would be 
required to implement and maintain appropriate measures, including the 
practices described in paragraphs (b)(1)(i) through (v) of proposed 
Rule 10, that are designed to protect the Covered Entity's information 
systems and information residing on those systems. These policies and 
procedures could include measures to perform due diligence on a service 
provider's cybersecurity risk management prior to using the service 
provider and periodically thereafter during the relationship with the 
service provider. Covered Entities also could consider including 
periodic contract review processes that allow them to assess whether, 
and help to ensure that, their agreements with service providers 
contain provisions that require service providers to implement and 
maintain appropriate measures designed to protect the Covered Entity's 
information systems and information residing on those systems.
---------------------------------------------------------------------------

    \240\ See paragraph (b)(1)(iii)(B) of proposed Rule 10; 
paragraphs (a)(6) and (7) of proposed Rule 10 (defining, 
respectively, the terms ``information'' and ``information 
systems'').
---------------------------------------------------------------------------

d. Cybersecurity Threat and Vulnerability Management
    Proposed Rule 10 would specify that the Covered Entity's cybersecurity risk 
management policies and procedures must include measures designed to 
detect, mitigate, and remediate any cybersecurity threats and 
vulnerabilities with respect to the Covered Entity's information 
systems and information residing on those systems.\241\ Because Covered 
Entities depend on information systems to process, store, and transmit 
personal, confidential, and proprietary information and data and to 
conduct critical business functions, it is essential that they manage 
cybersecurity threats and vulnerabilities effectively.\242\ Moreover, 
detecting, mitigating, and remediating threats and vulnerabilities is 
essential to preventing significant cybersecurity incidents.
---------------------------------------------------------------------------

    \241\ See paragraph (b)(1)(iv) of proposed Rule 10; paragraphs 
(a)(4) through (7) of proposed Rule 10 (defining, respectively, the 
terms ``cybersecurity threat,'' ``cybersecurity vulnerability,'' 
``information,'' and ``information systems''). See generally NIST 
Framework (providing that the third core element of the framework is 
``detect''--meaning develop and implement appropriate activities to 
identify the occurrence of a cybersecurity event); CISA Cyber 
Essentials Starter Kit (stating regarding detection that 
organizations should (among other things): (1) learn what is 
happening on their networks; (2) manage network and perimeter 
components, host and device components, data at rest and in transit, 
and user behavior and activities; and (3) actively maintain 
information as it will provide a baseline for security testing, 
continuous monitoring, and making security-based decisions); IOSCO 
Cybersecurity Report (``External and internal monitoring of traffic 
and logs generally should be used to detect abnormal patterns of 
access (e.g., abnormal user activity, odd connection durations, and 
unexpected connection sources) and other anomalies. Such detection 
is crucial as attackers can use the period of presence in the 
target's systems to expand their footprint and their access gaining 
elevated privileges and control over critical systems. Many 
regulated entities have dedicated cyber threat teams and engage in 
file servers integrity and database activity monitoring to prevent 
unauthorized modification of critical servers within their 
organization's enterprise network. Different alarm categories and 
severity may be defined.'').
    \242\ See section I.A.2. of this release (discussing how Covered 
Entities use information systems).
---------------------------------------------------------------------------

    Measures to detect cybersecurity threats and vulnerabilities could 
include ongoing monitoring (e.g., comprehensive examinations and risk 
management processes), such as conducting network, system, and 
application vulnerability assessments. This could include 
scans or reviews of internal systems, externally facing systems, new 
systems, and systems used by service providers. Further, measures could 
include monitoring industry and government

[[Page 20243]]

sources for new threat and vulnerability information that may assist in 
detecting cybersecurity threats and vulnerabilities.\243\
---------------------------------------------------------------------------

    \243\ See generally CISA, National Cyber Awareness System--
Alerts, available at https://us-cert.cisa.gov/ncas/alerts (providing 
information about current security issues, vulnerabilities, and 
exploits).
---------------------------------------------------------------------------

    Measures to mitigate and remediate an identified threat or 
vulnerability are more effective if they minimize the window of 
opportunity for attackers to exploit vulnerable hardware and software. 
These measures could include, for example, implementing a patch 
management program to ensure timely patching of hardware and software 
vulnerabilities and maintaining a process to track and address reports 
of vulnerabilities.\244\ Covered Entities also generally should 
consider the vulnerabilities associated with ``end of life systems'' 
(i.e., systems in which software is no longer supported by the 
particular vendor and for which security patches are no longer issued). 
These measures also could establish accountability for handling 
vulnerability reports by, for example, establishing processes for their 
intake, assignment, escalation, remediation, and remediation testing. 
For example, a Covered Entity could use a vulnerability tracking system 
that includes severity ratings, and metrics for measuring the time it 
takes to identify, analyze, and remediate vulnerabilities.
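    The following is an added worked example and is not part of this 
release. It shows one way to implement the accountability measures 
described in this paragraph: each vulnerability passes through intake, 
assignment, remediation, and remediation testing in order (so a finding 
cannot be closed without the remediation having been tested), each 
severity carries a remediation deadline, open findings past their 
deadline are listed for escalation, and the time taken to triage, 
remediate, and verify closed findings is reported by severity. The 
lifecycle states, the number of days allowed per severity, and the sample 
findings and timestamps are assumed for illustration.

```python
"""Vulnerability tracking with severity deadlines and time-to-remediate metrics.

Added example, not part of the release. The lifecycle states, days allowed
per severity, and sample findings are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation deadlines
STATES = ("reported", "triaged", "assigned", "remediated", "verified")
NOW = datetime.fromisoformat("2023-04-05T09:00")  # assumed "as of" time for the report


@dataclass
class Vuln:
    vid: str
    severity: str
    times: dict = field(default_factory=dict)  # state -> timestamp, in lifecycle order

    def advance(self, state, when):
        """Move to the next lifecycle state. Skipping a step (e.g. closing without
        remediation testing) or moving backwards in time is rejected."""
        expected = STATES[len(self.times)] if len(self.times) < len(STATES) else None
        if state != expected:
            raise ValueError(f"{self.vid}: cannot move to {state!r}, expected {expected!r}")
        if self.times and when < list(self.times.values())[-1]:
            raise ValueError(f"{self.vid}: {state} timestamp precedes previous state")
        self.times[state] = when

    @property
    def state(self):
        return STATES[len(self.times) - 1]

    def is_closed(self):
        return "verified" in self.times

    def due(self):
        """Remediation deadline, counted from triage (when severity is assigned)."""
        return self.times["triaged"] + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, now):
        return "triaged" in self.times and "remediated" not in self.times and now > self.due()


def hours(a, b):
    return (b - a).total_seconds() / 3600


def metrics(vulns):
    """Per-severity timing metrics over closed findings."""
    out = {}
    for sev in SLA_DAYS:
        closed = [v for v in vulns if v.severity == sev and v.is_closed()]
        if not closed:
            continue
        out[sev] = {
            "count": len(closed),
            "mean_hours_to_triage": mean([hours(v.times["reported"], v.times["triaged"]) for v in closed]),
            "mean_hours_to_remediate": mean([hours(v.times["triaged"], v.times["remediated"]) for v in closed]),
            "mean_hours_to_verify": mean([hours(v.times["remediated"], v.times["verified"]) for v in closed]),
            "sla_met_pct": 100.0 * sum(v.times["remediated"] <= v.due() for v in closed) / len(closed),
        }
    return out


def escalations(vulns, now=NOW):
    """Open findings past their deadline, with days overdue, for escalation to management."""
    return sorted((v.vid, v.severity, v.state, round(hours(v.due(), now) / 24, 1))
                  for v in vulns if v.is_overdue(now))


def build_sample():
    """Constructed findings; every timestamp is assumed."""
    spec = {
        ("V-1", "critical"): ["2023-03-01T09:00", "2023-03-01T11:00", "2023-03-01T12:00",
                              "2023-03-03T11:00", "2023-03-03T15:00"],
        ("V-2", "high"):     ["2023-03-02T09:00", "2023-03-03T09:00", "2023-03-03T10:00",
                              "2023-03-20T09:00", "2023-03-21T09:00"],
        ("V-3", "critical"): ["2023-03-10T08:00", "2023-03-10T10:00", "2023-03-11T09:00"],  # still open
        ("V-4", "medium"):   ["2023-03-15T09:00", "2023-03-16T09:00", "2023-03-16T10:00",
                              "2023-03-30T09:00"],  # awaiting remediation testing
        ("V-5", "high"):     ["2023-02-01T09:00", "2023-02-01T10:00", "2023-02-01T11:00",
                              "2023-03-10T10:00", "2023-03-11T10:00"],  # missed its deadline
    }
    vulns = []
    for (vid, sev), stamps in spec.items():
        v = Vuln(vid, sev)
        for state, stamp in zip(STATES, stamps):
            v.advance(state, datetime.fromisoformat(stamp))
        vulns.append(v)
    return vulns


if __name__ == "__main__":
    sample = build_sample()
    print(metrics(sample))
    print(escalations(sample))
```

The deadline is counted from triage rather than from the original 
report so that slow intake shows up separately in the time-to-triage 
metric instead of being hidden inside the remediation figure.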
---------------------------------------------------------------------------

    \244\ See generally CISA Cyber Essentials Starter Kit (stating 
that organizations should: (1) enable automatic updates whenever 
possible; (2) replace unsupported operating systems, applications 
and hardware; and (3) test and deploy patches quickly).
---------------------------------------------------------------------------

    Covered Entities also could consider role-specific cybersecurity 
threat and vulnerability response training.\245\ For example, training 
could include secure system administration courses for IT 
professionals, vulnerability awareness and prevention training for web 
application developers, and social engineering awareness training for 
employees and executives. Covered Entities that do not proactively 
address threats and discovered vulnerabilities face an increased 
likelihood of having their information systems--including the Covered 
Entity's information residing on those systems--accessed or disrupted 
by threat actors or otherwise compromised. The requirement for Covered 
Entities to include cybersecurity threat and vulnerability measures 
in their cybersecurity policies and procedures is designed to address 
this risk and help ensure threats and vulnerabilities are adequately 
and proactively addressed by Covered Entities.
---------------------------------------------------------------------------

    \245\ See generally CISA Cyber Essentials Starter Kit 
(``Leverage basic cybersecurity training. Your staff needs a basic 
understanding of the threats they encounter online in order to 
effectively protect your organization. Regular training helps 
employees understand their role in cybersecurity, regardless of 
technical expertise, and the actions they take help keep your 
organization and customers secure. Training should focus on threats 
employees encounter, like phishing emails, suspicious events to 
watch for, and simple best practices individual employees can adopt 
to reduce risk. Each aware employee strengthens your network against 
attack, and is another `sensor' to identify an attack.'').
---------------------------------------------------------------------------

e. Cybersecurity Incident Response and Recovery
    Proposed Rule 10 would specify that the Covered Entity's 
cybersecurity risk management policies and procedures must include 
measures designed to detect, respond to, and recover from a 
cybersecurity incident.\246\ Further, the rule would require that these 
measures include policies and procedures that are reasonably designed 
to ensure: (1) the continued operations of the Covered Entity; (2) the 
protection of the Covered Entity's information systems and the 
information residing on those systems; \247\ (3) external and internal 
cybersecurity incident information sharing and communications; and (4) 
the reporting of significant cybersecurity incidents pursuant to the 
requirements of paragraph (c) of proposed Rule 10 discussed below.\248\
---------------------------------------------------------------------------

    \246\ See paragraph (b)(1)(v) of proposed Rule 10; paragraph 
(c)(2) of proposed Rule 10 (defining the term ``cybersecurity 
incident''). See generally NIST Framework (providing that the fourth 
core element of the framework is ``respond''--meaning develop and 
implement appropriate activities to take action regarding a detected 
cybersecurity incident; and providing that the fifth core element of 
the framework is ``recover''--meaning develop and implement 
appropriate activities to maintain plans for resilience and to 
restore any capabilities or services that were impaired due to a 
cybersecurity incident).
    \247\ See paragraphs (a)(6) and (7) of proposed Rule 10 
(defining, respectively, the terms ``information'' and ``information 
systems'').
    \248\ See section II.B.2. of this release (discussing the 
requirements to report significant cybersecurity incidents); 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity incident''). See generally CISA Cyber 
Essentials Starter Kit (stating regarding response and recovery that 
the objective is to limit damage and accelerate restoration of 
normal operations and, to this end, organizations (among other 
things) can: (1) leverage business impact assessments to prioritize 
resources and identify which systems must be recovered first; (2) 
``learn who to call for help (e.g., outside partners, vendors, 
government/industry responders, technical advisors and law 
enforcement);'' (3) develop an internal reporting structure to 
detect, communicate and contain attacks; and (4) develop in-house 
containment measures to limit the impact of cyber incidents when 
they occur); IOSCO Cybersecurity Report (``Regulated entities 
generally should consider developing response plans for those types 
of incidents to which the organization is most likely to be subject. 
Elements associated with response plans may include: preparing 
communication/notification plans to inform relevant stakeholders; 
conducting forensic analysis to understand the anatomy of a breach 
or an attack; maintaining a database recording cyber attacks; and 
conducting cyber drills, firm specific simulation exercises as well 
as industry-wide scenario exercises.'').
---------------------------------------------------------------------------

    Cybersecurity incidents can lead to significant business 
disruptions, including losing the ability to send internal or external 
communications, transmit information, or connect to internal or 
external systems necessary to carry out the Covered Entity's critical 
functions and provide services to customers, counterparties, members, 
registrants, or users.\249\ They also can lead to the inability to 
access accounts holding cash or other financial assets of the Covered 
Entity or its customers, counterparties, members, registrants, or 
users.\250\ Therefore, the proposed incident response and recovery 
policies and procedures are designed to place the Covered Entity in a 
position to respond to a cybersecurity incident, which should help to 
reduce business disruptions and other harms the incident may cause the 
Covered Entity or its customers, counterparties, members, registrants, 
or users. A cybersecurity program with a clear incident response plan 
designed to ensure continued operational capability, and the protection 
of, and access to, personal, confidential, or proprietary information 
and data, even if a Covered Entity loses access to its systems, would 
assist in mitigating the effects of a cybersecurity incident.\251\ A 
Covered Entity, therefore, may wish to consider maintaining physical 
copies of its incident response plan--and other cybersecurity policies 
and procedures--to help ensure they can be accessed and implemented 
during a cybersecurity incident.
---------------------------------------------------------------------------

    \249\ See sections I.A.1. and I.A.2. of this release (discussing 
these consequences).
    \250\ Id.
    \251\ See generally CISA Cyber Essentials Starter Kit (``Plan, 
prepare, and conduct drills for cyber-attacks and incidents as you 
would a fire or robbery. Make your reaction to cyber incidents or 
system outages an extension of your other business contingency 
plans. This involves having incident response plans and procedures, 
trained staff, assigned roles and responsibilities, and incident 
communications plans.'').
---------------------------------------------------------------------------

    Covered Entities generally should focus on operational capability 
in creating reasonably designed policies and procedures to ensure their 
continued operations in the event of a cybersecurity incident (e.g., 
the ability to withstand a denial-of-service (DoS) attack). The 
objective is to place 
Covered Entities in a position to be able to continue providing 
services to other Market Entities and other participants in the U.S. 
securities markets (including investors) and, thereby, continue to 
support the fair, orderly, and efficient

[[Page 20244]]

operation of the U.S. securities markets. For example, this requirement 
is designed to place Covered Entities in a position to be able to 
continue to perform market and member surveillance and oversight in the 
case of SROs, clearance and settlement in the case of clearing 
agencies, and brokerage or dealing activities in the case of broker-
dealers and SBSDs.
    The ability of Covered Entities to recover from a cybersecurity 
incident in a timeframe that minimizes disruptions to their business or 
regulatory activities is critically important to the fair, orderly, and 
efficient operations of the U.S. securities markets and, therefore, to 
the U.S. economy, investors, and capital formation. A Covered Entity 
generally should consider implementing safeguards, such as backing up 
data, which can help facilitate a prompt recovery that allows the 
Covered Entity to resume operations following a cybersecurity 
incident.\252\ A Covered Entity also generally should consider whether 
to designate personnel to perform specific roles in the case of a 
cybersecurity incident. This could entail identifying and/or hiring 
personnel or third parties who have the requisite cybersecurity and 
recovery expertise (or are able to coordinate effectively with outside 
experts) as well as identifying personnel who should be kept informed 
throughout the response and recovery process. In addition, a Covered 
Entity could consider an escalation protocol in its incident response 
plan to ensure that its senior officers, including appropriate legal 
and compliance personnel, receive necessary information regarding 
cybersecurity incidents on a timely basis.\253\
---------------------------------------------------------------------------

    \252\ See generally CISA Cyber Essentials Starter Kit 
(``Leverage protections for backups, including physical security, 
encryption and offline copies. Ensure the backed-up data is stored 
securely offsite or in the cloud and allows for at least seven days 
of incremental rollback. Backups should be stored in a secure 
location, especially if you are prone to natural disasters. 
Periodically test your ability to recover data from backups. Online 
and cloud storage backup services can help protect against data loss 
and provide encryption as an added level of security. Identify key 
files you need access to if online backups are unavailable to access 
your files when you do not have an internet connection.'').
    \253\ See generally CISA Cyber Essentials Starter Kit (stating 
that: (1) organizations should develop an internal reporting 
structure to detect, communicate, and contain attacks and that 
effective communication plans focus on issues unique to security 
breaches; (2) a standard reporting procedure will reduce confusion 
and conflicting information between leadership, the workforce, and 
stakeholders; and (3) communication should be continuous, since most 
data breaches occur over a long period of time and not instantly and 
that it should come from top leadership to show commitment to action 
and knowledge of the situation).
---------------------------------------------------------------------------

    Moreover, as discussed in further detail below, under proposed Rule 
10, a Covered Entity would need to give the Commission immediate 
written electronic notice of a significant cybersecurity incident after 
having a reasonable basis to conclude that the incident has occurred or 
is occurring.\254\ Further, the Covered Entity would need to report 
information about the significant cybersecurity incident promptly, but 
no later than 48 hours, after having a reasonable basis to conclude 
that the incident has occurred or is occurring by filing Part I of 
proposed Form SCIR with the Commission.\255\ Thereafter, the Covered 
Entity would need to file an amended Part I of proposed Form SCIR with 
the Commission under certain circumstances.\256\ Accordingly, proposed 
Rule 10 would require the Covered Entity to include in its incident 
response and recovery policies and procedures measures designed to 
ensure compliance with these notification and reporting 
requirements.\257\ The Covered Entity also may wish to implement a 
process to determine promptly whether and how to contact local and 
Federal law enforcement authorities, such as the FBI, about an 
incident.\258\
---------------------------------------------------------------------------

    \254\ See paragraph (c)(1) of proposed Rule 10. See also section 
II.B.2. of this release (discussing this proposed notification 
requirement in more detail).
    \255\ See paragraph (c)(2) of proposed Rule 10. See also section 
II.B.2. of this release (discussing this proposed reporting 
requirement in more detail).
    \256\ The circumstances under which an amended Part I of 
proposed Form SCIR would need to be filed are discussed below in 
section II.B.2. of this release.
    \257\ See paragraph (b)(1)(v)(A)(4) of proposed Rule 10.
    \258\ For example, the FBI has instructed individuals and 
organizations to contact their nearest FBI field office to report 
cybersecurity incidents or to report them online at https://www.ic3.gov/Home/FileComplaint. See FBI, What We Investigate, Cyber 
Crime, available at https://www.fbi.gov/investigate/cyber. See also 
CISA Cyber Essentials Starter Kit (``As part of your incident 
response, disaster recovery, and business continuity planning 
efforts, identify and document partners you will call on to help. 
Consider building these relationships in advance and understand what 
is required to obtain support. CISA and the Federal Bureau of 
Investigation (FBI) provide dedicated hubs for helping respond to 
cyber and critical infrastructure attacks. Both have resources and 
guidelines on when, how, and to whom an incident is to be reported 
in order to receive assistance. You should also file a report with 
local law enforcement, so they have an official record of the 
incident.'').
---------------------------------------------------------------------------

    A Covered Entity also could consider including periodic testing 
requirements in its incident response and recovery policies and 
procedures.\259\ These tests could assess the efficacy of the policies 
and procedures to determine whether any changes are necessary, for 
example, through tabletop or full-scale exercises. Relatedly, proposed 
Rule 10 would require that the incident response and recovery policies 
and procedures include written documentation of a cybersecurity 
incident, including the Covered Entity's response to and recovery from 
the incident.\260\ This record could be used by the Covered Entity to 
assess the efficacy of, and adherence to, its incident response and 
recovery policies and procedures. It further could be used as a 
``lessons-learned'' document to help the Covered Entity respond more 
effectively the next time it experiences a cybersecurity incident. The 
Commission staff and SRO staff also would use the records to review 
compliance with this aspect of proposed Rule 10.
---------------------------------------------------------------------------

    \259\ See generally CISA Cyber Essentials Starter Kit (``Lead 
development of an incident response and disaster recovery plan 
outlining roles and responsibilities. Test it often. Incident 
response plans and disaster recovery plans are crucial to 
information security, but they are separate plans. Incident response 
mainly focuses on information asset protection, while disaster 
recovery plans focus on business continuity. Once you develop a 
plan, test the plan using realistic simulations (known as ``war-
gaming''), where roles and responsibilities are assigned to the 
people who manage cyber incident responses. This ensures that your 
plan is effective and that you have the appropriate people involved 
in the plan. Disaster recovery plans minimize recovery time by 
efficiently recovering critical systems.'').
    \260\ See paragraph (b)(1)(v)(B) of proposed Rule 10.
---------------------------------------------------------------------------

f. Annual Review and Required Written Reports
    In addition to requiring a Covered Entity to establish, maintain, 
and enforce written policies and procedures to address cybersecurity 
risk, proposed Rule 10 would require the Covered Entity, at least 
annually, to: (1) review and assess the design and effectiveness of the 
cybersecurity policies and procedures, including whether the policies 
and procedures reflect changes in cybersecurity risk over the time 
period covered by the review; and (2) prepare a written report that 
describes the review, the assessment, and any control tests performed, 
explains their results, documents any cybersecurity incident that 
occurred since the date of the last report, and discusses any material 
changes to the policies and procedures since the date of the last 
report.\261\ The annual review requirement is designed to require the 
Covered Entity to evaluate whether its cybersecurity policies and 
procedures continue to work as designed. In making this assessment, 
Covered Entities generally should consider whether changes are needed 
to ensure their continued effectiveness, including oversight of any 
delegated responsibilities. As discussed earlier, the sophistication of 
the tactics,

[[Page 20245]]

techniques, and procedures employed by threat actors is 
increasing.\262\ The review requirement is designed to impose a 
discipline on Covered Entities to be vigilant in assessing whether 
their cybersecurity risk management policies and procedures continue to 
be reasonably designed to address this risk.
---------------------------------------------------------------------------

    \261\ See paragraph (b)(2) of proposed Rule 10.
    \262\ See section I.A.1. of this release (discussing, for 
example, how cybersecurity threats are evolving); see also Bank of 
England CBEST Report (stating that ``[t]he threat actor community, 
once dominated by amateur hackers, has expanded to include a broad 
range of professional threat actors, all of whom are strongly 
motivated, organised and funded'').
---------------------------------------------------------------------------

    The review would need to be conducted no less frequently than 
annually. As discussed above, one of the required elements that would 
need to be included in the policies and procedures is the requirement 
to perform periodic assessments of cybersecurity risks associated with 
the Covered Entity's information systems and information residing on 
those systems.\263\ Based on the findings of those risk assessments, a 
Covered Entity could consider whether to perform a review prior to the 
one-year anniversary of the last review. In addition, the occurrence of 
a cybersecurity incident or significant cybersecurity incident 
impacting the Covered Entity or other entities could cause the Covered 
Entity to consider performing a review before the next annual review is 
required.
---------------------------------------------------------------------------

    \263\ See paragraph (b)(1)(i) of proposed Rule 10. See also 
section II.B.1.a. of this release (discussing the assessment 
proposal in more detail).
---------------------------------------------------------------------------

    The Covered Entity would need to document the review in a written 
report.\264\ The required written report generally should be prepared 
or overseen by the persons who administer the Covered Entity's 
cybersecurity program. This report requirement is designed to assist 
the Covered Entity in evaluating the efficacy of the organization's 
cybersecurity risk management policies and procedures. Additionally, 
the requirement to review and assess the design and effectiveness of 
the cybersecurity policies and procedures includes whether they reflect 
changes in cybersecurity risk over the time period covered by the 
review. Therefore, the Covered Entity generally would need to take into 
account the periodic assessments of cybersecurity risks performed 
pursuant to the requirements of paragraphs (b)(1)(i)(A) and 
(b)(1)(iii)(A) of proposed Rule 10. This could provide Covered Entities 
with valuable insights into potential enhancements to the policies and 
procedures to keep them up-to-date (i.e., reasonably designed to 
address emerging cybersecurity threats). For example, incorporating the 
cybersecurity risk assessments into the required written report could 
provide senior officers who review the report with information on the 
specific risks identified in the assessments. This could lead them to 
ask questions and seek relevant information regarding the effectiveness 
of the Covered Entity's cybersecurity risk management policies and 
procedures and its implementation in light of those risks. This could 
include questions as to whether the Covered Entity has adequate 
resources with respect to cybersecurity matters, including access to 
cybersecurity expertise.
---------------------------------------------------------------------------

    \264\ See paragraph (b)(2)(ii) of proposed Rule 10.
---------------------------------------------------------------------------

g. Request for Comment
    The Commission requests comment on all aspects of the requirements 
that Covered Entities establish, maintain, and enforce written policies 
and procedures to address their cybersecurity risks, the elements that 
would need to be included in the cybersecurity risk management policies 
and procedures, and the required (at least) annual review of the 
cybersecurity risk management policies and procedures under paragraph 
(b) of proposed Rule 10. In addition, the Commission is requesting 
comment on the following specific aspects of the proposals:
    21. In designing the cybersecurity risk management policies and 
procedures requirements of proposed Rule 10, the Commission considered 
a number of sources cited in the sections above, including, in 
particular, the NIST Framework and the CISA Cyber Essentials Starter 
Kit. Are there other sources the Commission should use? If so, identify 
them and explain why they should be considered and how they could 
inform potential modifications to the cybersecurity risk management 
policies and procedures requirements.
    22. Should the policies and procedures requirements of paragraph 
(b)(1) of proposed Rule 10 be modified? For example, are there other 
elements that should be included in cybersecurity risk management 
policies and procedures? If so, identify them and explain why they 
should be included. Should any of the minimum required elements be 
eliminated? If so, identify them and explain why it would be 
appropriate to eliminate them from the rule.
    23. Should the policies and procedures requirements of paragraph 
(b)(1) of proposed Rule 10 be modified to provide more flexibility in 
how a Covered Entity implements them? If so, identify the requirements 
that are too prescriptive and explain why and suggest ways to make them 
more flexible without undermining the objective of having Covered 
Entities adequately address cybersecurity risks.
    24. Should the policies and procedures requirements of paragraph 
(b)(1) of proposed Rule 10 be modified to provide less flexibility in 
how a Covered Entity has to implement them? If so, identify the 
requirements that should be more prescriptive and explain why and 
suggest ways to make them more prescriptive without undermining the 
objective of having Covered Entities implement cybersecurity risk 
management policies and procedures that address their particular 
circumstances.
    25. Should the policies and procedures requirements of paragraph 
(b)(1) of proposed Rule 10 be deemed to be reasonably designed if they 
are consistent with industry standards comprised of cybersecurity risk 
management practices that are widely available to cybersecurity 
professionals in the financial sector and issued by an authoritative 
body that is a U.S. governmental entity or agency, association of U.S. 
governmental entities or agencies, or widely recognized organization? 
If so, identify the standard or standards and explain why it would be 
appropriate to deem the policies and procedures requirements of 
paragraph (b)(1) of proposed Rule 10 reasonably designed if they are 
consistent with the standard or standards.
    26. The policies and procedures requirements of paragraph (b)(1) of 
proposed Rule 10 would require Covered Entities to cover 
``information'' and ``information systems'' as defined, respectively, 
in paragraphs (a)(6) and (7) of proposed Rule 10 without limitation. 
Should the proposed policies and procedures requirements of paragraph 
(b)(1) of proposed Rule 10 be modified to address a narrower set of 
information and information systems? If so, describe how the narrower 
set of information and information systems should be defined and why it 
would be appropriate to limit the policies and procedures requirements 
to this set of information and information systems. For example, should 
the policies and procedures requirements of paragraph (b)(1) of 
proposed Rule 10 be limited to information and information systems 
that, if compromised, would result in, or would be reasonably likely to 
result in, harm to the Covered Entity or others? If so, explain why. If 
not, explain why not. Is there another way to limit the application of 
the policies and procedures requirements to certain information and 
information systems that would not undermine the objective

[[Page 20246]]

that Covered Entities implement policies and procedures that adequately 
address their cybersecurity risks? If so, explain how.
    27. Should the requirements of paragraph (b)(1)(i) of proposed Rule 
10 relating to periodic assessments of the cybersecurity risks 
associated with the Covered Entity's information systems and 
information residing on those systems be modified? If so, explain why. 
If not, explain why not.
    28. Should the requirements of paragraph (b)(1)(i)(A)(1) of 
proposed Rule 10 relating to categorizing and prioritizing 
cybersecurity risks based on an inventory of the components of the 
Covered Entity's information systems and information residing on those 
systems and the potential effect of a cybersecurity incident on the 
Covered Entity be modified? If so, explain why. If not, explain why 
not.
    29. Should the requirements of paragraph (b)(1)(i)(A)(2) of 
proposed Rule 10 relating to identifying the Covered Entity's service 
providers that receive, maintain, or process information, or are 
otherwise permitted to access the Covered Entity's information systems 
and any of the Covered Entity's information residing on those systems, 
and assess the cybersecurity risks associated with the Covered Entity's 
use of these service providers be modified? If so, explain why. If not, 
explain why not. Certain Covered Entities may use data feeds from 
third-party providers that do not receive, maintain, or process 
information for the Covered Entity but that could nonetheless cause 
significant disruption for the Covered Entity if they were the subject 
of a cybersecurity incident. For example, broker-dealers may subscribe 
to third-party data feeds to satisfy their obligations for best 
execution under the federal securities laws. If a third-party provider 
of data feeds experienced a cybersecurity breach, it could lead to 
faulty market information being shared with the broker-dealer, which 
could in turn impact the broker-dealer's ability to operate and execute 
trades for its customers. Likewise, SBS Entities might rely on data 
from counterparties. Should the Commission require the risk assessment 
to include service providers that provide data feeds to Covered 
Entities but do not otherwise have access to the Covered Entities' 
information systems? If so, should the risk assessment be limited to 
only those third parties who provide data critical to the Covered 
Entity's business operations? Are there other cybersecurity risks 
associated with utilizing a third party who provides data feeds that 
should be addressed? If so, identify the risks and explain how they 
could be addressed.
    30. Should the requirements of paragraph (b)(1)(i)(B) of proposed 
Rule 10 relating to requiring written documentation of the risk 
assessments required by paragraph (b)(1)(i)(A) of proposed Rule 10 be 
modified? If so, explain why. If not, explain why not.
    31. Should the requirements of paragraph (b)(1)(ii) of proposed 
Rule 10 relating to controls designed to minimize user-related risks 
and prevent unauthorized access to the Covered Entity's information 
systems and the information residing on those systems be modified? If 
so, explain why. If not, explain why not. Should the requirements of paragraph 
(b)(1)(ii) of proposed Rule 10 be modified to revise the requirement to 
include the following identified controls: (1) controls requiring 
standards of behavior for individuals authorized to access the Covered 
Entity's information systems and the information residing on those 
systems, such as an acceptable use policy; (2) controls identifying and 
authenticating individual users, including but not limited to 
implementing authentication measures that require users to present a 
combination of two or more credentials for access verification; (3) 
controls establishing procedures for the timely distribution, 
replacement, and revocation of passwords or methods of authentication; 
(4) controls restricting access to specific information systems of the 
Covered Entity or components thereof and the information residing on 
those systems solely to individuals requiring access to the systems and 
information as is necessary for them to perform their responsibilities 
and functions on behalf of the Covered Entity; and (5) securing remote 
access technologies? If so, explain why. If not, explain why not. For 
example, should this paragraph of the proposed rule be modified to 
include any additional type of controls? If so, identify the controls 
and explain why they should be included. Should the text of the 
proposed controls be modified? For example, should the control 
pertaining to the timely distribution, replacement, and revocation of 
passwords or methods of authentication use a word other than 
``distribution''? If so, explain why and suggest an alternative word 
that would be more appropriate. Would ``establishment'' or ``setting 
up'' be more appropriate in this context? Should this paragraph of the 
proposed rule be modified to eliminate any of the identified controls? 
If so, identify the control and explain why it should be eliminated. 
For example, could the control pertaining to implementing 
authentication measures requiring users to present a combination of two 
or more credentials for access verification potentially become 
obsolete? If so, explain why and suggest an alternative control that 
could incorporate this requirement as well as other authentication 
controls that may develop in the future.
    32. CISA has developed a catalog of cyber ``bad practices'' that 
are exceptionally risky and can increase risk to an organization's 
critical infrastructure.\265\ These bad practices include the use of 
unsupported (or end-of-life) software, use of known or default 
passwords and credentials, and the use of single-factor authentication. 
In addition, the Federal Financial Institutions Examination Council 
(``FFIEC'') has issued guidance on authentication and access to 
financial institution services and systems, and suggests that the use 
of single-factor authentication as a control mechanism has been shown to be 
inadequate against certain cyber threats and adverse impacts from 
ransomware, customer account fraud, and identity theft.\266\ Instead, 
the FFIEC guidance suggests the use of multi-factor authentication and 
other measures, such as specific authentication solutions, password 
controls, and access and transaction controls. Should paragraph 
(b)(1)(ii) of proposed Rule 10 be modified to specifically require 
controls requiring users to provide multi-factor authentication before they can 
access an information system of the Covered Entity? If so, explain why. 
If not, explain why not. Would it be appropriate to require multi-
factor authentication for all of the Covered Entity's information 
systems or for a more limited set of information systems? For example, 
should multi-factor authentication be required for public-facing 
information systems such as applications that provide users access to 
their accounts at the Covered Entity and not required for internal 
information systems used by the Covered Entity's employees? If so, 
explain why. If not, explain why not.

[[Page 20247]]

Should multi-factor authentication be required regardless of whether 
the information system is public facing if personal, confidential, or 
proprietary information resides on the information system? If so, 
explain why. If not, explain why not. Should the rule require phishing-
resistant multi-factor authentication? If so, explain why. If not, 
explain why not.
---------------------------------------------------------------------------

    \265\ See CISA, Bad Practices, available at https://www.cisa.gov/BadPractices.
    \266\ See FFIEC, Authentication and Access to Financial 
Institution Services and Systems (Aug. 2021), available at https://www.ffiec.gov/guidance/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf. See also FDIC and the Office 
of the Comptroller of the Currency (``OCC''), Joint Statement on 
Heightened Cybersecurity Risk (Jan. 16, 2020), available at https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-5a.pdf 
(noting that identity and access management controls include 
multifactor authentication to segment and safeguard access to 
critical systems and data on an organization's network).
---------------------------------------------------------------------------

    33. Should the requirements of paragraph (b)(1)(iii)(A) of proposed 
Rule 10 relating to measures designed to monitor the Covered Entity's 
information systems and protect the information residing on those 
systems from unauthorized access or use be modified? For example, 
should the requirements of paragraph (b)(1)(iii)(A) of proposed Rule 10 
specifically require encryption of certain information residing on the 
Covered Entity's information systems? If so, explain why. If not, 
explain why not.
    34. The measures discussed in paragraph (b)(1)(iii)(A) of proposed 
Rule 10 designed to monitor the Covered Entity's information systems 
and protect the information residing on those systems from unauthorized 
access or use would need to be based on a periodic assessment of the 
Covered Entity's information systems and the information that resides 
on the systems that takes into account: (1) the sensitivity level and 
importance of the information to the Covered Entity's business operations; 
(2) whether any of the information is personal information; (3) where 
and how the information is accessed, stored and transmitted, including 
the monitoring of information in transmission; (4) the information 
systems' access controls and malware protection; and (5) the potential 
effect a cybersecurity incident involving the information could have on 
the Covered Entity and its customers, counterparties, members, or 
users, including the potential to cause a significant cybersecurity 
incident. Should this paragraph of the proposed rule be modified to 
include any additional factors that would need to be taken into 
account? If so, identify the factors and explain why they should be 
taken into account. Should this paragraph of the proposed rule be 
modified to eliminate any of the identified factors that should be 
taken into account? If so, identify the factors and explain why they 
should be eliminated.
    35. Should the requirements of paragraph (b)(1)(iii)(A) of proposed 
Rule 10 relating to periodic assessments of the Covered Entity's 
information systems and information residing on the systems be modified 
to specifically require periodic (e.g., semi-annual or annual) 
penetration tests? If so, explain why. If not, explain why not. If 
proposed Rule 10 should be modified to require periodic penetration 
tests, should the rule specify the information systems and information 
to be tested? If so, explain why. If not, explain why not. For example, 
should the penetration tests be performed on all information systems 
and information of the Covered Entity? Alternatively, should the 
penetration tests be performed: (1) on a random selection of 
information systems and information; (2) on a prioritized selection of 
the information systems and information residing on them that are most 
critical to the Covered Entity's functions or that maintain information 
that if accessed by or disclosed to persons not authorized to view it 
could cause the most harm to the Covered Entity or others; and/or (3) 
on information systems for which the Covered Entity has identified 
vulnerabilities pursuant to the requirements of paragraph (b)(1)(iv) of 
proposed Rule 10? Please explain the advantages and disadvantages of 
each potential approach to requiring penetration tests.
    36. Should the requirements of paragraph (b)(1)(iii)(B) of proposed 
Rule 10 relating to the oversight of service providers that receive, 
maintain, or process the Covered Entity's information, or are otherwise 
permitted to access the Covered Entity's information systems and the 
information residing on those systems, pursuant to a written contract 
between the Covered Entity and the service provider, through which the 
service providers are required to implement and maintain appropriate 
measures, including the practices described in paragraphs (b)(1)(i) 
through (v) of proposed Rule 10, that are designed to protect the 
Covered Entity's information systems and information residing on those 
systems be modified? If so, explain why. If not, explain why not. For 
example, would there be practical difficulties with implementing the 
requirement to oversee the service providers through a written 
contract? If so, explain why. If not, explain why not. Are there 
alternative approaches to addressing the cybersecurity risk that arises 
when Covered Entities use service providers? If so, describe them and 
explain why they would be appropriate in terms of addressing this risk. 
For example, rather than addressing this risk through written contract, 
could it be addressed through policies and procedures to obtain written 
assurances or certifications from service providers that the service 
provider manages cybersecurity risk in a manner that would be 
consistent with how the Covered Entity would need to manage this risk 
under paragraph (b) of proposed Rule 10? If so, explain why and 
describe the type of assurances or certifications Covered Entities 
could reasonably obtain to ensure that their service providers are 
taking appropriate measures to manage cybersecurity risk. In 
responding, please explain how assurances or certifications would be an 
appropriate alternative to written contracts in terms of addressing the 
cybersecurity risk caused by the use of service providers.
    37. Should the requirements of paragraph (b)(1)(iv) of proposed 
Rule 10 relating to measures designed to detect, mitigate, and 
remediate any cybersecurity threats and vulnerabilities with respect to 
the Covered Entity's information systems and the information residing 
on those systems be modified? If so, explain why. If not, explain why 
not.
    38. Should the requirements of paragraph (b)(1)(v)(A) of proposed 
Rule 10 relating to measures designed to detect, respond to, and 
recover from a cybersecurity incident be modified? If so, explain why. 
If not, explain why not. For example, these measures would need to 
include policies and procedures that are reasonably designed to ensure: 
(1) the continued operations of the Covered Entity; (2) the protection 
of the Covered Entity's information systems and the information 
residing on those systems; (3) external and internal cybersecurity 
incident information sharing and communications; and (4) the reporting 
of significant cybersecurity incidents pursuant to paragraph (c) of 
proposed Rule 10. Would these four specific design objectives required 
of the policies and procedures place the Covered Entity in a position 
to effectively detect, respond to, and recover from a cybersecurity 
incident? If so, explain why. If not, explain why not. Should this 
paragraph of the proposed rule be modified to include any additional 
design objectives for these policies and procedures? If so, identify 
the design objectives and explain why they should be included. For 
example, should the rule require policies and procedures that are 
designed to recover from a cybersecurity incident within a specific 
timeframe such as 24, 48, or 72 hours or some other period? If so, 
identify the recovery period and explain why it would be appropriate. 
Should this paragraph of the proposed rule be modified to eliminate any 
of the specified design objectives? If so, identify the design 
objectives and explain why they should be eliminated.

[[Page 20248]]

    39. Should the requirements of paragraph (b)(1)(v)(B) of proposed 
Rule 10 relating to written documentation of any cybersecurity 
incidents be modified? If so, explain why. If not, explain why not. For 
example, should the written documentation requirements apply to a 
narrower set of incidents than those that would meet the definition of 
``cybersecurity incident'' under proposed Rule 10? If so, describe the 
narrower set of incidents and explain why it would be appropriate to 
limit the written documentation requirements to them.
    40. Should the requirements of paragraph (b)(2) of proposed Rule 10 
relating to the review and assessment of the policies and procedures 
and a written report of the review be modified? If so, explain why. If 
not, explain why not. For example, this paragraph would require: (1) a 
review and assessment of the design and effectiveness of the 
cybersecurity risk management policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review; and (2) the 
preparation of a written report that describes the review, the 
assessment, and any control tests performed, explains their results, 
documents any cybersecurity incident that occurred since the date of 
the last report, and discusses any material changes to the policies and 
procedures since the date of the last report. Should the review 
requirement be modified to provide greater flexibility based on the 
Covered Entity's assessment of what it believes would be most effective 
in light of its cybersecurity risks? If so, explain why. If not, 
explain why not. Should the review, assessment, and report be required 
on a more frequent basis such as quarterly? If so, explain why. If not, 
explain why not. Should the review, assessment, and report requirement 
be triggered after certain events regardless of when the previous 
review was conducted? If so, explain why. If not, explain why not. For 
example, should the requirement be triggered if the Covered Entity 
experiences a significant cybersecurity incident or undergoes a 
significant business event such as a merger, acquisition, or the 
commencement of a new business line that relies on information systems? 
If so, explain why and suggest how a ``significant business event'' 
should be defined for the purposes of the review and assessment 
requirement. If not, explain why not. Should the rule require that 
persons with a minimum level of cybersecurity expertise or experience 
must perform the review and assessment or that the review and 
assessment must be performed by a senior officer of the Covered Entity? 
If so, explain why. If not, explain why not. Should the rule require 
that the review and assessment be performed by personnel who are not 
involved in designing and implementing the cybersecurity policies and 
procedures? If so, explain why. If not, explain why not. Should the 
rule require that the annual report be subject to periodic third-party 
audits or reviews? If so, explain why. If not, explain why not. Should 
the Commission provide guidance to clarify how the review and report 
requirements of paragraph (b)(2) of proposed Rule 10 interact with the 
requirements that SBS Entities perform assessments under 17 CFR 
240.15Fk-1 or reviews under 17 CFR 250.15c3-4(c)(3)? If so, explain 
why. If not, explain why not.
2. Notification and Reporting of Significant Cybersecurity Incidents
a. Timing and Manner of Notification and Reporting
    FSOC observed that ``[s]haring timely and actionable cybersecurity 
information can reduce the risk that cybersecurity incidents occur and 
can mitigate the impacts of those that do occur.'' \267\ The Commission 
is proposing to require that Covered Entities provide immediate notice 
and subsequent reports about significant cybersecurity incidents to the 
Commission and, in the case of certain Covered Entities, other 
regulators. The objective is to improve the Commission's ability to 
monitor and evaluate the effects of a significant cybersecurity 
incident on Covered Entities and their customers, counterparties, 
members, registrants, or users, as well as assess the potential risks 
affecting financial markets more broadly.
---------------------------------------------------------------------------

    \267\ FSOC 2021 Annual Report.
---------------------------------------------------------------------------

    For these reasons, proposed Rule 10 would require a Covered Entity 
to provide immediate written electronic notice to the Commission of a 
significant cybersecurity incident upon having a reasonable basis to 
conclude that the incident has occurred or is occurring.\268\ The 
Commission would keep the notices nonpublic to the extent permitted by 
law. The notice would need to identify the Covered Entity, state that 
the notice is being given to alert the Commission of a significant 
cybersecurity incident impacting the Covered Entity, and provide the 
name and contact information of an employee of the Covered Entity who 
can provide further details about the nature and scope of the 
significant cybersecurity incident.
---------------------------------------------------------------------------

    \268\ See paragraph (c)(1) of proposed Rule 10. See also 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity incident''). As discussed below in 
section II.C. of this release, Non-Covered Broker-Dealers would be 
subject to an identical immediate written electronic notice 
requirement. See paragraph (e)(2) of proposed Rule 10. If proposed 
Rule 10 is adopted, it is anticipated that a dedicated email address 
would be set up to receive the notices from Covered Entities and 
Non-Covered Broker-Dealers. See, e.g., Staff Guidance for Filing 
Broker-Dealer Notices, Statements and Reports, available at https://www.sec.gov/divisions/marketreg/bdnotices; Staff Statement on 
Submitting Notices, Statements, Applications, and Reports for 
Security-Based Swap Dealers and Major Security-Based Swap 
Participants Pursuant to the Financial Responsibility Rules 
(Exchange Act Rules 18a-1 through 18a-10), available at https://www.sec.gov/tm/staff-statement-on-submissions.
---------------------------------------------------------------------------

    The immediate notice would need to be submitted by the Covered 
Entity electronically in written form (as opposed to permitting the 
notice to be made telephonically).\269\ The Commission is proposing a 
written notification requirement because of the number of Market 
Entities that would be subject to the requirement and because of the 
different types of Market Entities.\270\ A written notification would 
also help the Commission identify patterns and trends 
across Market Entities experiencing significant cybersecurity 
incidents.
---------------------------------------------------------------------------

    \269\ See paragraph (c)(1) of proposed Rule 10. But see 17 CFR 
242.1002(b)(1) (requiring an SCI entity to provide the Commission 
with immediate notice after having a reasonable basis to conclude 
that an SCI event has occurred without specifying that the notice be 
written); OCC, Federal Reserve Board, FDIC, Computer-Security 
Incident Notification Requirements for Banking Organizations and 
Their Bank Service Providers, 86 FR 66424 (Nov. 23, 2021) (requiring 
a banking organization to provide notice to a designated point of 
contact of a computer-security incident through telephone, email, or 
similar methods).
    \270\ Non-Covered Broker-Dealers also would be subject to an 
immediate written electronic notice requirement under paragraph 
(e)(2) of proposed Rule 10 and, therefore, the Commission 
potentially could receive notices from all types of Market Entities. 
As discussed in section V.C. of this release, it is estimated that 
1,989 Market Entities would be Covered Entities and 1,969 broker-
dealers would be Non-Covered Broker-Dealers, for a total of 3,958 
Market Entities. This is a far larger number of entities than the 47 
entities that currently are SCI entities.
---------------------------------------------------------------------------

    The notice requirement would be triggered when the Covered Entity 
has a reasonable basis to conclude that a significant cybersecurity 
incident has occurred or is occurring.\271\ This does not mean that the 
Covered Entity can wait until it definitively concludes that

[[Page 20249]]

a significant cybersecurity incident has occurred or is occurring. In 
the early stages of discovering the existence of a cybersecurity 
incident, it may not be possible for the Covered Entity to conclude 
definitively that it is a significant cybersecurity incident. For 
example, the Covered Entity may need to assess which information 
systems have been subject to the cybersecurity incident and the impact 
that the incident has had on those systems before definitively 
concluding that it is a significant cybersecurity incident.\272\ The 
objective of the notification requirement is to alert the Commission 
staff as soon as the Covered Entity detects the existence of a 
cybersecurity incident that it has a reasonable basis to conclude is a 
significant cybersecurity incident and not to wait until the Covered 
Entity definitively concludes it is a significant cybersecurity 
incident. This would provide the Commission staff with the ability to 
begin to assess the situation at an earlier stage of the cybersecurity 
incident.
---------------------------------------------------------------------------

    \271\ The notice requirement for Non-Covered Broker-Dealers also 
would be triggered when the broker-dealer has a reasonable basis to 
conclude that a significant cybersecurity incident has occurred or 
is occurring. See paragraph (e)(2) of proposed Rule 10.
    \272\ See paragraph (a)(2) of proposed Rule 10 (defining 
``cybersecurity incident'' to mean an unauthorized occurrence on or 
conducted through a Market Entity's information systems that 
jeopardizes the confidentiality, integrity, or availability of the 
information systems or any information residing on those systems).
---------------------------------------------------------------------------

    This proposed immediate written notification requirement is 
modeled on other notification requirements that apply to broker-
dealers and SBSDs pursuant to other Exchange Act rules. Under these 
existing requirements, broker-dealers and certain SBSDs must provide 
the Commission with same-day written notification if they undergo 
certain adverse events, including falling below their minimum net 
capital requirements or failing to make and keep current required books 
and records.\273\ The objective of these requirements is to provide the 
Commission staff with the opportunity to respond when a broker-dealer 
or SBSD is in financial or operational difficulty.\274\ Similarly, the 
written notification requirements of proposed Rule 10 are designed to 
provide the Commission staff with the opportunity to begin assessing 
the situation promptly when a Covered Entity is experiencing a 
significant cybersecurity incident by, for example, assessing the 
Covered Entity's operating status and engaging in discussions with the 
Covered Entity to understand better what steps it is taking to protect 
its customers, counterparties, members, registrants, or users. In 
addition, a Covered Entity that is a broker-dealer would need to 
provide the written notice to its examining authority, and a transfer 
agent would need to provide the written notice to its ARA.\275\ The 
objective is to notify other supervisory authorities to allow them the 
opportunity to respond to the significant cybersecurity incident 
impacting the Covered Entity.
---------------------------------------------------------------------------

    \273\ See 17 CFR 240.17a-11 (notification rule for broker-
dealers); 17 CFR 240.18a-8 (notification rule for SBS Entities).
    \274\ See Recordkeeping and Reporting Requirements for Security-
Based Swap Dealers, Major Security-Based Swap Participants, and 
Broker-Dealers; Capital Rule for Certain Security-Based Swap 
Dealers, Exchange Act Release No. 71958 (Apr. 17, 2014) [79 FR 
25194, 25247 (May 2, 2014)] (``SBS Entity Recordkeeping and 
Reporting Proposing Release'').
    \275\ See paragraphs (c)(1)(i) and (ii) of proposed Rule 10. 
Non-Covered Broker-Dealers also would be required to provide the 
written notice to their examining authority. See paragraph (e)(2) of 
proposed Rule 10.
---------------------------------------------------------------------------

    As discussed above, the immediate written electronic notice is 
designed to alert the Commission on a confidential basis to the 
existence of a significant cybersecurity incident impacting a Covered 
Entity so the Commission staff can begin to assess the event. It is not 
intended as a means to report written information about the significant 
cybersecurity incident. Therefore, in addition to the immediate written 
electronic notice, a Covered Entity would be required to report 
detailed information about the significant cybersecurity incident by 
filing, on a confidential basis, Part I of proposed Form SCIR with the 
Commission through the Electronic Data Gathering, Analysis, and 
Retrieval System (``EDGAR'' or ``EDGAR system'').\276\ Because of the 
sensitive nature of the information and the fact that threat actors 
could potentially use it to cause more harm, the Commission would not 
make the filings available to the public to the extent permitted by 
law.
---------------------------------------------------------------------------

    \276\ See paragraph (c)(2) of proposed Rule 10. As discussed 
below, Part II of proposed Form SCIR would be used by Covered 
Entities to make public disclosures about the cybersecurity risks 
they face and the significant cybersecurity incidents they 
experienced during the current or previous calendar year. See 
sections II.B.2. and II.B.4. of this release (discussing these 
proposed requirements). Non-Covered Broker-Dealers would not be 
subject to the requirements to file Part I and Part II of proposed 
Form SCIR.
---------------------------------------------------------------------------

    As with the notice, the requirement to file Part I of proposed Form 
SCIR would be triggered when the Covered Entity has a reasonable basis 
to conclude that a significant cybersecurity incident has occurred or 
is occurring. Therefore, the notification and reporting requirements 
would be triggered at the same time. However, in order to provide the 
Covered Entity time to gather the information that would be elicited by 
Part I of proposed Form SCIR, the Covered Entity would need to file the 
form promptly, but no later than 48 hours after having a reasonable 
basis to conclude that a significant cybersecurity incident has 
occurred or is occurring.
    Proposed Rule 10 also would require the Covered Entity to file an 
amended Part I of proposed Form SCIR with updated information about the 
significant cybersecurity incident in four circumstances.\277\ In each 
case, the amended Part I of proposed Form SCIR would need to be filed 
promptly, but no later than 48 hours, after the update requirement is 
triggered. First, the Covered Entity would need to file an amended Part 
I of proposed Form SCIR if any information previously reported to the 
Commission on the form pertaining to the significant cybersecurity 
incident becomes materially inaccurate.\278\ Second, the Covered Entity 
would need to file an amended Part I of proposed Form SCIR if any new 
material information pertaining to the significant cybersecurity 
incident previously reported to the Commission on the form is 
discovered.\279\ The Commission staff generally would use the 
information reported on Part I of proposed Form SCIR to assess the 
operating status of the Covered Entity and assess the impact that the 
significant cybersecurity incident could have on other participants in 
the U.S. securities markets. The requirement to file an amended Part I 
of proposed Form SCIR under the first and second circumstances is 
designed to ensure the Commission and Commission staff have reasonably 
accurate and complete information when undertaking these activities.
---------------------------------------------------------------------------

    \277\ See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule 
10.
    \278\ See paragraph (c)(2)(ii)(A) of proposed Rule 10.
    \279\ See paragraph (c)(2)(ii)(B) of proposed Rule 10.
---------------------------------------------------------------------------

    Third, the Covered Entity would need to file an amended Part I of 
proposed Form SCIR after the significant cybersecurity incident is 
resolved.\280\ A significant cybersecurity incident impacting a Covered 
Entity would be resolved when the situation no longer meets the 
definition of ``significant cybersecurity incident.'' \281\ The 
resolution of a significant cybersecurity incident would be a material 
development in the situation and, therefore, would be a reporting 
trigger under proposed Rule 10.
---------------------------------------------------------------------------

    \280\ See paragraph (c)(2)(ii)(C) of proposed Rule 10.
    \281\ See paragraph (a)(10) of proposed Rule 10 (defining the 
term ``significant cybersecurity incident'').
---------------------------------------------------------------------------

[[Page 20250]]

    Finally, if the Covered Entity conducted an internal investigation 
pertaining to the significant cybersecurity incident, it would need to 
file an amended Part I of proposed Form SCIR after the investigation is 
closed.\282\ This would be an investigation of the significant 
cybersecurity incident that seeks to determine the cause of the 
incident or to examine whether there was a failure to adhere to the 
Covered Entity's policies and procedures to address cybersecurity risk 
or whether those policies and procedures are effective. An internal 
investigation could be conducted by the Covered Entity's own personnel 
(e.g., internal auditors) or by external consultants hired by the 
Covered Entity. The closure of an internal investigation would be a 
reporting trigger under proposed Rule 10 because it could yield 
material new information about the incident that had not been reported 
in a previously filed Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    \282\ See paragraph (c)(2)(ii)(D) of proposed Rule 10.
---------------------------------------------------------------------------

    As with the immediate written electronic notice, a Covered Broker-
Dealer would need to promptly transmit a copy of each Part I of 
proposed Form SCIR it files with the Commission to its examining 
authority, and a transfer agent would need to promptly transmit a copy 
of each Part I of proposed Form SCIR it files with the Commission to 
its ARA.\283\ The objective is to provide these other supervisory 
authorities with the same information about the significant 
cybersecurity incident that the Commission receives.
---------------------------------------------------------------------------

    \283\ See paragraphs (c)(2)(iii)(A) and (B) of proposed Rule 10.
---------------------------------------------------------------------------

    In this regard, the reporting requirements under proposed Rule 10 
would provide the Commission and its staff with information to 
understand better the nature and extent of a particular significant 
cybersecurity incident and the efficacy of the Covered Entity's 
response to mitigate the disruption and harm caused by the incident. 
The Commission staff could use the reports to focus on the Covered 
Entity's operating status and to facilitate their outreach to, and 
discussions with, personnel at the Covered Entity who are addressing 
the significant cybersecurity incident. For example, certain 
information provided in a report may be sufficient to address any 
questions the staff has about the incident; and in other instances 
staff may want to ask follow-up questions to get a better understanding 
of the matter. In addition, the reporting would provide the staff with 
a view into the Covered Entity's understanding of the scope and impact 
of the significant cybersecurity incident. All of this information 
would be used by the Commission and its staff in assessing the impact 
of the significant cybersecurity incident on the Covered Entity.
    The information provided to the Commission under the proposed 
reporting requirements also would be used to assess the potential 
cybersecurity risks affecting U.S. securities markets more broadly. 
This information could be useful in assessing other and future 
significant cybersecurity incidents. For example, these reports could 
assist the Commission in identifying patterns and trends across Covered 
Entities, including widespread cybersecurity incidents affecting 
multiple Covered Entities at the same time. Further, the reports could 
be used to evaluate the effectiveness of various approaches to respond 
to and recover from a significant cybersecurity incident.
b. Part I of Proposed Form SCIR
    Proposed Rule 10 would require a Covered Entity to report 
information about a significant cybersecurity incident confidentially 
on Part I of proposed Form SCIR.\284\ The form would elicit certain 
information about the significant cybersecurity incident through check 
boxes, date fields, and narrative fields. Covered Entities would file 
Part I of proposed Form SCIR electronically with the Commission using 
the EDGAR system in accordance with the EDGAR Filer Manual, as defined 
in Rule 11 of Regulation S-T,\285\ and in accordance with the 
requirements of Regulation S-T.\286\
---------------------------------------------------------------------------

    \284\ See paragraph (c)(2) of proposed Rule 10.
    \285\ See 17 CFR 232.11.
    \286\ See paragraphs (c)(2)(i) and (ii) of proposed Rule 10. As 
discussed below in section II.B.4. of this release, the Covered 
Entity would need to file Part I of proposed Form SCIR using a 
structured data language.
---------------------------------------------------------------------------

    A Covered Entity would need to indicate on Part I of proposed Form 
SCIR whether the form is being filed with respect to a significant 
cybersecurity incident as an initial report, amended report, or final 
amended report by checking the appropriate box. As discussed above, 
proposed Rule 10 would require a Covered Entity to file Part I of 
proposed Form SCIR upon having a reasonable basis to conclude that a 
significant cybersecurity incident has occurred or is occurring.\287\ 
This would be the initial Part I of proposed Form SCIR with respect to 
the significant cybersecurity incident.\288\ Thereafter, a Covered 
Entity would be required to file an amended Part I of proposed Form 
SCIR with respect to the significant cybersecurity incident after: (1) 
any information previously reported to the Commission on Part I of 
proposed Form SCIR pertaining to the significant cybersecurity incident 
becomes materially inaccurate; (2) any new material information 
pertaining to the significant cybersecurity incident previously 
reported to the Commission on Part I of proposed Form SCIR is 
discovered; (3) the significant cybersecurity incident is resolved; or 
(4) an internal investigation pertaining to a significant cybersecurity 
incident is closed.\289\ If a Covered Entity checks the box indicating 
that the filing is a final Part I of proposed Form SCIR, the firm also 
would need to check the appropriate box to indicate why a final form 
was being filed: either the significant cybersecurity incident was 
resolved or an internal investigation pertaining to the incident was 
closed.
---------------------------------------------------------------------------

    \287\ See paragraph (c)(2)(i) of proposed Rule 10. See also 
section II.B.2.a. of this release (discussing the proposed filing 
requirements in more detail).
    \288\ See Instruction B.1. of proposed Form SCIR.
    \289\ See paragraphs (c)(2)(ii)(A) through (D) of proposed Rule 
10.
---------------------------------------------------------------------------
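    The filing lifecycle laid out in section II.B.2.a. and summarized in the paragraph above (immediate written notice, an initial Part I due promptly but no later than 48 hours after the reasonable-basis determination, amended Part I filings under circumstances (1) through (4), and a final filing whose stated reason is either resolution or closure of an internal investigation) can be tracked as a small deadline model. The following Python is an added example; it is not part of this release or of proposed Form SCIR. The trigger names, the `Obligation` fields, the `supervisory_copies` mapping (broker-dealer to examining authority, transfer agent to ARA) and the sample timeline are constructed assumptions for illustration; the 48-hour window and the four amendment circumstances are the ones the release describes.

```python
"""Added example (not from the release): a model of the proposed Rule 10
immediate-notice and Form SCIR Part I filing lifecycle. Names and the
sample timeline below are constructed assumptions; the 48-hour window and
the four amendment triggers follow the release's description."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# "promptly, but no later than 48 hours" after the trigger
FILING_WINDOW = timedelta(hours=48)


class Trigger(Enum):
    # reasonable basis to conclude a significant incident occurred / is occurring
    REASONABLE_BASIS = "reasonable basis"
    # amendment triggers, paragraphs (c)(2)(ii)(A) through (D) of proposed Rule 10
    MATERIALLY_INACCURATE = "prior information materially inaccurate"  # (A)
    NEW_MATERIAL_INFO = "new material information discovered"         # (B)
    RESOLVED = "incident resolved"                                    # (C)
    INVESTIGATION_CLOSED = "internal investigation closed"            # (D)


# Only these two circumstances may be given as the reason for a *final* Part I.
FINAL_REASONS = {Trigger.RESOLVED, Trigger.INVESTIGATION_CLOSED}


@dataclass(frozen=True)
class Obligation:
    kind: str                      # "immediate notice" | "Part I initial" | "Part I amended"
    trigger: Trigger
    triggered_at: datetime
    deadline: Optional[datetime]   # None: immediate, no fixed window
    copies_to: tuple               # other supervisory authorities owed a copy
    final_reason: Optional[str] = None  # set when the filing may be marked final


def supervisory_copies(entity_types):
    """Assumed mapping: broker-dealers copy their examining authority,
    transfer agents copy their ARA; other entity types owe no copy."""
    copies = []
    if "broker-dealer" in entity_types:
        copies.append("examining authority")
    if "transfer agent" in entity_types:
        copies.append("ARA")
    return tuple(copies)


def derive_obligations(events, entity_types):
    """events: iterable of (datetime, Trigger). Returns obligations in time order.

    The notice and the initial Part I share the reasonable-basis trigger;
    every later trigger produces an amended Part I due within FILING_WINDOW.
    """
    copies = supervisory_copies(entity_types)
    obligations = []
    have_initial = False
    for when, trig in sorted(events, key=lambda e: e[0]):
        if trig is Trigger.REASONABLE_BASIS:
            if have_initial:
                raise ValueError("reasonable-basis trigger recorded twice")
            have_initial = True
            obligations.append(Obligation("immediate notice", trig, when, None, copies))
            obligations.append(
                Obligation("Part I initial", trig, when, when + FILING_WINDOW, copies))
        else:
            if not have_initial:
                raise ValueError(f"{trig.name} recorded before any reasonable-basis determination")
            reason = trig.value if trig in FINAL_REASONS else None
            obligations.append(
                Obligation("Part I amended", trig, when, when + FILING_WINDOW, copies, reason))
    return obligations


def overdue(obligations, now):
    """Windowed filings whose 48-hour deadline has already lapsed at `now`."""
    return [o for o in obligations if o.deadline is not None and o.deadline < now]


# Constructed sample timeline (hypothetical dates, not from the release).
SAMPLE_T0 = datetime(2023, 4, 5, 9, 0, tzinfo=timezone.utc)


def sample_events():
    return [
        (SAMPLE_T0 + timedelta(hours=30), Trigger.NEW_MATERIAL_INFO),  # out of order on purpose
        (SAMPLE_T0, Trigger.REASONABLE_BASIS),
        (SAMPLE_T0 + timedelta(days=5), Trigger.RESOLVED),
    ]


if __name__ == "__main__":
    for o in derive_obligations(sample_events(), ("broker-dealer",)):
        due = "immediately" if o.deadline is None else o.deadline.isoformat()
        print(f"{o.kind:18} trigger={o.trigger.name:22} due={due} "
              f"copies={o.copies_to} final_reason={o.final_reason}")
```

    The model keeps the notice and the initial report on the same trigger, as the release does, and records a `final_reason` only for the two circumstances the form accepts; whether a given amended filing is actually the final one is left to the filer, since a resolved incident may still have an open internal investigation whose closure would produce a further amendment.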

    Part I of proposed Form SCIR would elicit information about the 
Covered Entity that would be used to identify the filer.\290\ In 
particular, the Covered Entity would need to provide its full legal 
name and business name (if different from its legal name), tax 
identification number, unique identification code (``UIC'') (if the 
filer has a UIC), central index key (``CIK number''),\291\ and main 
address.\292\ The instructions to proposed Form SCIR (which would be 
applicable to Parts I and II) would provide that a UIC is an 
identification number that has been issued by an internationally 
recognized standards-setting system (``IRSS'') that has been recognized 
by the Commission pursuant to Rule 903(a) of Regulation SBSR.\293\ 
Currently, the Commission has recognized only the Global Legal Entity 
Identifier Foundation (``GLEIF'')--which is responsible for overseeing 
the Global Legal Entity Identifier System (``GLEIS'')--as an IRSS.\294\ 
Part I of

[[Page 20251]]

proposed Form SCIR also would elicit the name, phone number, and email 
address of the contact employee of the Covered Entity.\295\ The contact 
employee would need to be an individual authorized by the Covered 
Entity to provide the Commission with information about the significant 
cybersecurity incident (i.e., information the individual can provide 
directly) and make information about the incident available to the 
Commission (e.g., information the individual can provide by, for 
example, making other employees of the Covered Entity available to 
answer questions of the Commission staff).\296\ The Covered Entity also 
would need to indicate the type of Market Entity it is by checking the 
appropriate box or boxes.\297\ For example, if the Covered Entity is 
dually registered as a broker-dealer and SBSD, it would need to check 
the box for each of those entity types.
---------------------------------------------------------------------------

    \290\ See Line Items 1.A. through 1.E. of Part I of proposed 
Form SCIR.
    \291\ A CIK number is used on the Commission's computer systems 
to identify persons who have filed disclosures with the Commission.
    \292\ See Line Items 1.A. through 1.C. of Part I of proposed 
Form SCIR.
    \293\ See Instruction A.5.g. of proposed Form SCIR. See also, 
e.g., Form SBSE available at https://www.sec.gov/files/form-sbse.pdf 
(providing a similar definition of UIC).
    \294\ See Regulation SBSR--Reporting and Dissemination of 
Security-Based Swap Information, Exchange Act Release No. 74244 
(Feb. 11, 2015), 80 FR 14563, 14632 (Mar. 19, 2015) (``Regulation 
SBSR Release''). LEIs are unique alphanumeric codes that identify 
legal entities in financial transactions in international markets. 
See Financial Stability Board (``FSB''), Options to Improve Adoption 
of the LEI, in Particular for Use in Cross-Border Payments (July 7, 
2022). Information associated with the LEI, which is a globally-
recognized digital identifier that is not specific to the 
Commission, includes the ``official name of the legal entity as 
recorded in the official registers[,]'' the entity's address, 
country of incorporation, and the ``legal form of the entity.'' Id. 
Accordingly, in proposing to require each Covered Entity to provide 
its UIC if it has a UIC, the Commission is proposing to require each 
Covered Entity identify itself with an LEI if it has an LEI.
    \295\ See Line Item 1.D. of Part I of proposed Form SCIR.
    \296\ See Instruction B.4. of proposed Form SCIR.
    \297\ See Line Item 1.E. of Part I of proposed Form SCIR 
(setting forth check boxes to indicate whether the Covered Entity is 
a broker-dealer, clearing agency, MSBSP, the MSRB, a national 
securities association, a national securities exchange, SBSD, SBSDR, 
or transfer agent).
---------------------------------------------------------------------------

    Page 1 of Part I of proposed Form SCIR also would contain fields 
for the individual executing the form to sign and date the form. By 
signing the form, the individual would: (1) certify that the form was 
executed on behalf of, and with the authority of, the Covered Entity; 
(2) represent individually, and on behalf of the Covered Entity, that 
the information and statements contained in the form are current, true 
and complete; and (3) represent individually, and on behalf of the 
Covered Entity, that to the extent any information previously submitted 
is not amended, such information is current, true, and complete. The 
form of the certification is designed to ensure that the Covered 
Entity, through the individual executing the form, provides information 
that the Commission and Commission staff can rely on to evaluate the 
operating status of the Covered Entity, assess the impact the 
significant cybersecurity incident may have on other participants in 
the U.S. securities markets, and formulate an appropriate response to 
the incident.
    Line Items 2 through 14 of Part I of proposed Form SCIR would 
elicit information about the significant cybersecurity incident and the 
Covered Entity's response to the incident. After discovering the 
existence of a significant cybersecurity incident, a Covered Entity may 
need time to determine the scope and impact of the incident in order to 
provide meaningful responses to these questions. For example, the 
Covered Entity may be working diligently to investigate and resolve the 
significant cybersecurity incident at the same time it would be 
required to complete and file Part I of proposed Form SCIR. The Covered 
Entity's priorities in the early stages after detecting the significant 
cybersecurity incident may be to devote its staff resources to 
mitigating the harms caused by the incident or that could be caused by 
the incident if necessary corrective actions are not promptly 
implemented. Moreover, during this period, the Covered Entity may not 
have a complete understanding of the cause of the significant 
cybersecurity incident, all the information systems impacted by the 
incident, the harm caused by the incident, or how to best resolve and 
recover from the incident (among other relevant information).
    Therefore, the first form filed with respect to a given significant 
cybersecurity incident should include information that is known to the 
Covered Entity at the time of filing and not include speculative 
information. If information is unknown at the time of filing, the 
Covered Entity should indicate that on the form. Understanding the 
aspects of the significant cybersecurity incident that are not yet 
known would inform the Commission's assessment. The process of filing 
an amended Part I of proposed Form SCIR is designed to update earlier 
filings as information becomes known to the Covered Entity. In 
particular, proposed Rule 10 would require the Covered Entity to file 
an amended Part I of proposed Form SCIR if information reported on a 
previously filed form pertaining to the significant cybersecurity 
incident becomes materially incomplete because new information is 
discovered.\298\ Therefore, as the Covered Entity reasonably concludes 
that additional information about the significant cybersecurity 
incident is needed to keep its filing from being materially inaccurate, 
it would need to file amended forms. In this way, the reporting 
requirements of proposed Rule 10 are designed to provide the Commission 
and Commission staff with current known information and provide a means 
for the Covered Entity to report information as it becomes known.
---------------------------------------------------------------------------

    \298\ See paragraph (c)(2)(ii)(B) of proposed Rule 10.
---------------------------------------------------------------------------

    This does not mean that the Covered Entity can refrain from 
providing known information in Part I of proposed Form SCIR. As 
discussed above, the Covered Entity must certify through the individual 
executing the form that the information and statements in the form are 
current, true, and complete, among other things. A failure to provide 
current, true, and complete information that is known to the Covered 
Entity would be inconsistent with this required certification. In 
addition, failing to investigate the significant cybersecurity incident 
would be inconsistent with the policies and procedures required by 
proposed Rule 10. As discussed above, the cybersecurity incident 
response and recovery policies and procedures that would be required by 
proposed Rule 10 would need to include policies and procedures that are 
reasonably designed to ensure the reporting of significant 
cybersecurity incidents as required by the rule.\299\ The failure to 
diligently investigate the significant cybersecurity incident could 
indicate that the Covered Entity's incident response and recovery 
policies and procedures are not reasonably designed or are not being 
enforced by the Covered Entity as required by proposed Rule 10.\300\ 
Moreover, reasonably designed policies and procedures to detect, 
respond to, and recover from a cybersecurity incident, as required by 
proposed Rule 10, generally should require diligent investigation of the 
significant cybersecurity incident.\301\ Further, diligently 
investigating the significant cybersecurity incident would be in the 
interest of the Covered Entity as it could lead to a quicker resolution 
of the incident by revealing--for example--its cause and impact.
---------------------------------------------------------------------------

    \299\ See paragraph (b)(1)(v)(A)(4) of proposed Rule 10. See 
also section II.B.1.e. of this release (discussing these proposed 
required policies and procedures in more detail).
    \300\ See paragraph (b)(1) of proposed Rule 10 (requiring that 
the Covered Entity establish, maintain, and enforce written policies 
and procedures that are reasonably designed to address the covered 
entity's cybersecurity risks).
    \301\ See paragraph (b)(1)(v)(A) of proposed Rule 10. See also 
section II.B.1.e. of this release (discussing these proposed 
required policies and procedures in more detail).
---------------------------------------------------------------------------

    In terms of the information about the significant cybersecurity 
incident elicited in Part I of proposed Form SCIR, the Covered Entity 
first would be required to provide the approximate

[[Page 20252]]

date that it discovered the significant cybersecurity incident.\302\ As 
discussed above, a Covered Entity would be required to provide the 
Commission with immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the incident has occurred or is occurring.\303\ This can be based on, 
for example, the Covered Entity reviewing or receiving a record, alert, 
log, or notice about the incident. In addition, reaching this 
conclusion would trigger the requirement to file promptly (but within 
48 hours) an initial Part I of proposed Form SCIR with the Commission 
to first report the significant cybersecurity incident using the 
form.\304\ The date that would need to be reported on proposed Part I 
of Form SCIR is the date the Covered Entity has a reasonable basis to 
conclude that the incident has occurred or is occurring.\305\
---------------------------------------------------------------------------

    \302\ See Line Item 2 of Part I of proposed Form SCIR.
    \303\ See paragraph (c)(1) of proposed Rule 10. See also section 
II.B.2.a. of this release (discussing the proposed notification 
requirement in more detail).
    \304\ See paragraph (c)(2)(i) of proposed Rule 10. See also 
section II.B.2.a. of this release (discussing the proposed reporting 
trigger in more detail).
    \305\ See Instruction B.5.a. of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 3 of Part I of proposed Form SCIR would elicit 
information about the approximate duration of the significant 
cybersecurity incident.\306\ First, the Covered Entity would need to 
indicate whether the significant cybersecurity incident is 
ongoing.\307\ The form would provide the option of answering yes, no, 
or unknown. Second, the Covered Entity would need to provide the 
approximate start date of the cybersecurity incident or indicate that 
it does not know the start date.\308\ The start date may be well before 
the date the Covered Entity discovered the significant cybersecurity 
incident. Therefore, the start date of the incident reported on Line 
Item 3 may differ from the discovery date reported on Line Item 2. 
Third, the Covered Entity would need to provide the approximate date 
the significant cybersecurity incident is resolved.\309\ This would be 
the date the Covered Entity was no longer undergoing a significant 
cybersecurity incident.\310\ As discussed above, the resolution of the 
significant cybersecurity incident triggers the requirement to file an 
amended Part I of proposed Form SCIR under proposed Rule 10.\311\
---------------------------------------------------------------------------

    \306\ See Line Items 3.A. through 3.C. of Part I of proposed 
Form SCIR.
    \307\ See Line Item 3.A. of Part I of proposed Form SCIR.
    \308\ See Line Item 3.B. of Part I of proposed Form SCIR.
    \309\ See Line Item 3.C. of Part I of proposed Form SCIR.
    \310\ See Instruction B.5.b. of proposed Form SCIR. See also 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity incident'').
    \311\ See paragraph (c)(2)(ii)(C) of proposed Rule 10. See 
section II.B.2.a. of this release (discussing the notification 
requirements in more detail).
---------------------------------------------------------------------------

    Line Item 4 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether an internal investigation pertaining 
to the significant cybersecurity incident was being conducted. An 
``internal investigation'' would be defined as a formal investigation 
of the significant cybersecurity incident by internal personnel of the 
Covered Entity or external personnel hired by the Covered Entity that 
seeks to determine any of the following: the cause of the significant 
cybersecurity incident; whether there was a failure to adhere to the 
Covered Entity's policies and procedures to address cybersecurity risk; 
or whether the Covered Entity's policies and procedures to address 
cybersecurity are effective.\312\ If an internal investigation is 
conducted, the Covered Entity also would need to provide the date the 
investigation was closed. As discussed above, the closure of an 
internal investigation pertaining to the significant cybersecurity 
incident triggers the requirement to file an amended Part I of Form 
SCIR under proposed Rule 10.\313\
---------------------------------------------------------------------------

    \312\ See Instruction A.5.d. of proposed Form SCIR.
    \313\ See paragraph (c)(2)(ii)(D) of proposed Rule 10. See also 
section II.B.2.a. of this release (discussing the notification 
requirement in more detail).
---------------------------------------------------------------------------

    Line Item 5 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether a law enforcement or government 
agency (other than the Commission) had been notified of the significant 
cybersecurity incident.\314\ If so, the Covered Entity would need to 
identify each law enforcement or government agency. The Commission and 
Commission staff could use this information to coordinate with other 
law enforcement and government agencies if needed both to assess the 
incident and to share information as appropriate to understand the 
impact of the incident better.
---------------------------------------------------------------------------

    \314\ See Line Item 5 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 6 of Part I of proposed Form SCIR would require the 
Covered Entity to describe the nature and scope of the significant 
cybersecurity incident, including the information systems affected by 
the incident and any effect on the Covered Entity's critical 
operations.\315\ This item would enable the Commission to obtain 
information about the incident to understand better how it is impacting 
the Covered Entity's operating status and whether the Covered Entity 
can continue to provide services to its customers, counterparties, 
members, registrants, or users. This would include understanding which 
services and systems have been impacted and whether the incident was 
the result of a cybersecurity incident that occurred at a service 
provider.
---------------------------------------------------------------------------

    \315\ See Line Item 6 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 7 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether the threat actor(s) causing the 
significant cybersecurity incident has been identified.\316\ If so, the 
Covered Entity would be required to identify the threat actor(s). In 
addition, the Covered Entity would need to indicate in Line Item 7 
whether there has been communication(s) from or with the threat 
actor(s) that caused or claims to have caused the significant 
cybersecurity incident.\317\ The Covered Entity would need to answer the 
question even if the threat actor(s) has not been identified. If there 
had been communications, the Covered Entity would need to describe 
them. This information would help the Commission staff to assess 
whether the same threat actor(s) had sought to access information 
systems of other Commission registrants and to warn other registrants 
(as appropriate) about the threat posed by the actor(s). It also could 
help in developing measures to protect against the risk to Commission 
registrants posed by the threat actor. In addition, the information 
would help the Commission assess the impact on the Covered Entity 
experiencing the significant cybersecurity incident to the extent other 
Commission registrants have been attacked by the same threat actor(s) 
using similar tactics, techniques, and procedures.
---------------------------------------------------------------------------

    \316\ See Line Item 7.A. of Part I of proposed Form SCIR.
    \317\ See Line Item 7.B. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 8 of Part I of proposed Form SCIR would require the 
Covered Entity to describe the actions taken or planned to respond to 
and recover from the significant cybersecurity incident.\318\ The 
objective is to obtain information to assess the Covered Entity's 
operating status, including its critical operations. This information 
also could assist the Commission and Commission staff in considering if 
the response measures are effective or ineffective in addressing the 
Covered Entity's significant cybersecurity incident.
---------------------------------------------------------------------------

    \318\ See Line Item 8 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 9 of Part I of proposed Form SCIR would require the 
Covered Entity

[[Page 20253]]

to indicate whether any data was stolen, altered, or accessed or used 
for any other unauthorized purpose.\319\ The Covered Entity would have 
the option of checking yes, no, or unknown. If yes, the Covered Entity 
would need to describe the nature and scope of the data. This 
information would help the Commission and its staff understand the 
potential harm to the Covered Entity and its customers, counterparties, 
members, registrants, or users that could result from the compromise of 
the data. It also would provide insight into how the significant 
cybersecurity incident could impact other Market Entities.
---------------------------------------------------------------------------

    \319\ See Line Item 9 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 10 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether any personal information was lost, 
stolen, modified, deleted, destroyed, or accessed without authorization 
as a result of the significant cybersecurity incident.\320\ The Covered 
Entity would have the option of checking yes, no, or unknown. If yes, 
the Covered Entity would need to describe the nature and scope of the 
information. Additionally, if the Covered Entity answered yes, it would 
need to indicate whether notification has been provided to persons 
whose personal information was lost, stolen, damaged, or accessed 
without authorization.\321\ If the answer is no, the Covered Entity 
would need to indicate whether this notification is planned.\322\ For 
the purposes of proposed Form SCIR, the term ``personal information'' 
would have the same meaning as that term is defined in proposed Rule 
10.\323\ The compromise of personal information can have severe 
consequences on the persons to whom the information relates. For 
example, it potentially can be used to steal their identities or access 
their accounts at financial institutions to steal assets held in those 
accounts. Consequently, this information would help the Commission 
assess the extent to which the significant cybersecurity incident has 
created this risk and the potential harm that could result from the 
compromise of personal data.
---------------------------------------------------------------------------

    \320\ See Line Item 10.A. of Part I of proposed Form SCIR.
    \321\ See Line Item 10.B.i. of Part I of proposed Form SCIR.
    \322\ See Line Item 10.B.ii. of Part I of proposed Form SCIR.
    \323\ See Instruction A.5.e. of proposed Form SCIR. See also 
paragraph (a)(9) of proposed Rule 10 (defining ``personal 
information'' to mean any information that can be used, alone or in 
conjunction with any other information, to identify a person, such 
as name, date of birth, place of birth, telephone number, street 
address, mother's maiden name, government passport number, Social 
Security number, driver's license number, electronic mail address, 
account number, account password, biometric records, or other non-
public authentication information).
---------------------------------------------------------------------------

    Line Item 11 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether any of its assets were lost or 
stolen as a result of the significant cybersecurity incident.\324\ The 
Covered Entity would have the option of checking yes, no, or unknown. 
If yes, the Covered Entity would need to describe the types of assets 
that were lost or stolen and include an approximate estimate of their 
value, if known. This question is not limited to particular types of 
assets and, therefore, the Covered Entity would need to respond 
affirmatively if, among other types of assets, financial assets such as 
cash and securities were lost or stolen or intellectual property was 
lost or stolen. The loss or theft of the Covered Entity's assets could 
potentially cause the entity to fail financially or put a strain on its 
liquidity. Further, to the extent counterparties become aware of the 
loss or theft, it could cause them to withdraw assets from the entity 
or stop transacting with the entity further straining its financial 
condition. Consequently, the objective is to understand whether the 
significant cybersecurity incident has created this risk and whether 
there may be other spillover effects or consequences to the U.S. 
securities markets.
---------------------------------------------------------------------------

    \324\ See Line Item 11 of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 12 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether any assets of the Covered Entity's 
customers, counterparties, clients, members, registrants, or users were 
lost or stolen as a result of the significant cybersecurity 
incident.\325\ The Covered Entity would have the option of checking 
yes, no, or unknown. If yes, the Covered Entity would need to describe 
the types of assets that were lost or stolen and include an approximate 
estimate of their value, if known. Additionally, if the Covered Entity 
answered yes, it would need to indicate whether notification has been 
provided to persons whose assets were lost or stolen.\326\ If the 
answer is no, the Covered Entity would need to indicate whether this 
notification is planned.\327\
---------------------------------------------------------------------------

    \325\ See Line Item 12.A. of Part I of proposed Form SCIR.
    \326\ See Line Item 11.B.i. of Part I of proposed Form SCIR.
    \327\ See Line Item 12.B.ii. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Certain types of Covered Entities hold assets belonging to other 
persons or maintain ownership records of the assets of other 
persons.\328\ For example, certain broker-dealers maintain custody of 
securities and cash for other persons and clearing agencies hold 
clearing deposits of their members. A significant cybersecurity 
incident impacting a Covered Entity that results in the loss or theft 
of assets can cause severe financial hardship to the owners of those 
assets. It also can impact the financial condition of the Covered 
Entity if it is liable for the loss or theft. Consequently, the 
objective is to understand whether the significant cybersecurity 
incident has created this risk.
---------------------------------------------------------------------------

    \328\ See Section I.A.2. of this release (discussing the 
functions of Market Entities).
---------------------------------------------------------------------------

    As discussed in more detail below, proposed Rule 10 would require a 
Covered Entity to make a public disclosure that generally describes 
each significant cybersecurity incident that has occurred during the 
current or previous calendar year and promptly update this disclosure 
after the occurrence of a new significant cybersecurity incident or 
when information about a previously disclosed significant cybersecurity 
incident materially changes.\329\ The Covered Entity would be required 
to make the disclosure on the Covered Entity's business internet 
website and by filing Part II of proposed Form SCIR through the EDGAR 
system.\330\ In addition, if the Covered Entity is a carrying or 
introducing broker-dealer, it would need to make the disclosure to its 
customers using the same means that a customer elects to receive 
account statements.\331\
---------------------------------------------------------------------------

    \329\ See paragraph (d)(1)(ii) of proposed Rule 10. See also 
sections II.B.3. and II.B.4. of this release (discussing these 
proposed disclosure requirements in more detail).
    \330\ See paragraphs (d)(2)(i) and (ii) of proposed Rule 10.
    \331\ See paragraph (d)(3) of proposed Rule 10. See section 
II.B.3.b. of this release (discussing the broker-dealer disclosure 
requirement in more detail).
---------------------------------------------------------------------------

    Line Item 13 of Part I of proposed Form SCIR would require the 
Covered Entity to indicate whether the significant cybersecurity 
incident has been disclosed pursuant to the requirements of proposed 
Rule 10.\332\ The Covered Entity also would need to indicate whether it 
made the required disclosures of Part II of proposed Form SCIR on its 
website and through EDGAR and, if it had made the disclosure, it would 
need to indicate the date of the disclosure.\333\ A Covered Entity that 
is a carrying or introducing broker-dealer would need to indicate 
separately

[[Page 20254]]

whether it made the required disclosure of Part II of proposed Form 
SCIR to its customers.\334\ The Covered Entity would not need to 
indicate a date for the customer disclosure because it could be made in 
a number of ways (e.g., by email or mail) and that process could span a 
number of days. If the Covered Entity has not disclosed the significant 
cybersecurity incident as required by proposed Rule 10, it would need 
to explain why. The requirement to report this information is designed 
to promote compliance with the disclosure requirements of proposed Rule 
10.
---------------------------------------------------------------------------

    \332\ See Line Items 13.A. through C. of proposed Form SCIR.
    \333\ See Line Items 13.A. through B. of proposed Part I of Form 
SCIR.
    \334\ See Line Item 13.C. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Line Item 14 of Part I of proposed Form SCIR would elicit 
information about any insurance coverage the Covered Entity may have 
with respect to the significant cybersecurity incident.\335\ First, the 
Covered Entity would need to indicate whether the significant 
cybersecurity incident is covered by an insurance policy of the Covered 
Entity.\336\ The Covered Entity would have the option of checking yes, 
no, or unknown. If yes, the Covered Entity would need to indicate 
whether the insurance company has been contacted. The existence of 
insurance coverage to cover losses could be relevant to Commission 
staff in assessing the potential magnitude of harm to the Covered 
Entity's customers, counterparties, members, registrants, or users and 
to the Covered Entity's financial condition. For example, the existence 
of insurance coverage, to the extent the significant cybersecurity 
incident is covered by the policy, could indicate a greater possibility 
that the Covered Entity and/or any of its customers, counterparties, 
members, registrants, or users affected by the incident are made whole.
---------------------------------------------------------------------------

    \335\ See Line Items 14.A. and B. of Part I of proposed Form 
SCIR.
    \336\ See Line Item 14.A. of Part I of proposed Form SCIR.
---------------------------------------------------------------------------

    Finally, Line Item 15 of Part I of proposed Form SCIR would permit 
the Covered Entity to include in the form any additional information 
the entity would want the Commission and Commission staff to know as 
well as provide any comments about the information included in the 
report.\337\
---------------------------------------------------------------------------

    \337\ See Line Item 15 of proposed Part I of Form SCIR.
---------------------------------------------------------------------------

c. Request for Comment
    The Commission requests comment on all aspects of the proposed 
requirements to report significant cybersecurity incidents on Part I of 
proposed Form SCIR. In addition, the Commission is requesting comment 
on the following specific aspects of the proposals:
    41. Should paragraph (c)(1) of proposed Rule 10 be modified to 
revise the immediate notification requirement? For example, should the 
requirement permit the notice to be made by telephone or email? If so, 
explain why. If not, explain why not. If telephone or email notice is 
permitted, should the rule specify the Commission staff, Division, or 
Office to phone or email?
    42. Should paragraph (c)(1) of proposed Rule 10 be modified to 
revise the requirement to provide immediate written electronic notice 
to specify how the notice must be transmitted to the Commission? For 
example, should the rule specify an email address or other type of 
electronic portal to be used to transmit the notice? If so, explain 
why. If not, explain why not. Should the rule be modified to require 
that the notice be transmitted to the Commission through the EDGAR 
system? If so, explain why. If not, explain why not. Should the rule be 
modified to require that the notice be transmitted to the Commission 
through the EDGAR system using a structured data language other than 
custom XML format?
    43. Should paragraph (c)(1) of proposed Rule 10 be modified to 
revise the requirement to provide immediate written electronic notice 
to require the notice to be provided within a specific timeframe such 
as on the same day the requirement was triggered or within 24 hours? If 
so, explain why. If not, explain why not.
    44. Should paragraph (c)(1) of proposed Rule 10 be modified to 
revise the trigger for the immediate notification and reporting 
requirements? If so, explain why. If not, explain why not. For example, 
should the trigger be when the Covered Entity ``detects'' a significant 
cybersecurity incident (rather than when it has a reasonable basis to 
conclude that the significant cybersecurity incident has occurred or is 
occurring)? If so, explain why. If not, explain why not. For example, 
would a detection standard be a less subjective standard? If so, 
explain why. If not, explain why not. Is there another trigger standard 
that would be more appropriate? If so, identify it and explain why it 
would be more appropriate.
    45. If the immediate notification requirement of paragraph (c)(1) 
is adopted as proposed, it is anticipated that a dedicated email 
address would be established to receive these notices. Are there other 
methods the Commission should use for receiving these notices? If so, 
identify them and explain why they would be more appropriate than 
email. For example, should the notices be received through the EDGAR 
system? If so, explain why. If not, explain why not.
    46. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the reporting requirements to incorporate the cybersecurity 
reporting program that CISA will implement under recently adopted 
legislation (``CISA Reporting Program'') to the extent it will be 
applicable to Covered Entities? \338\ If so, explain why and suggest 
modifications to the proposed reporting requirements for Covered 
Entities to incorporate the CISA Reporting Program. For example, if a 
Covered Entity would be required to file a report under the CISA 
Reporting Program, should that report satisfy the obligations to report 
to the Commission a significant cybersecurity incident under paragraph 
(c) of proposed Rule 10? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------

    \338\ See CIRCIA.
---------------------------------------------------------------------------

    47. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the timeframe for filing an initial Part I of proposed Form 
SCIR? If so, explain why. If not, explain why not. For example, should 
the reporting requirements be revised to permit Covered Entities more 
than 48 hours to file an initial Part I of proposed Form SCIR with the 
Commission? If yes, explain how long they should have to file the 
initial Part I of proposed Form SCIR and why that timeframe would be 
appropriate. For example, should Covered Entities have 72 or 96 hours 
to file the initial Part I of proposed Form SCIR? If so, explain why. 
If not, explain why not. Would providing more time to file the initial 
Part I of proposed Form SCIR make the filing more useful insomuch as 
the Covered Entity would have more time to investigate the significant 
cybersecurity incident? If so, explain why and how to balance that 
benefit against the delay in providing this information to the 
Commission within 48 hours. Would the immediate notification 
requirement of paragraph (c) of proposed Rule 10 make it appropriate to 
lengthen the timeframe for when the Covered Entity would need to file 
the initial Part I of proposed Form SCIR? If so, explain why. If not, 
explain why not. For example, could the immediate notification 
requirement and the ability of the Commission staff to follow up with 
the contact person identified on the notification serve as an 
appropriate alternative to receiving the initial Part I of proposed 
Form SCIR within 48 hours? If so, explain why. If not, explain why not. 
Conversely,

[[Page 20255]]

should the timeframe for filing an initial Part I of proposed Form SCIR 
be shortened to 24 hours or some other period of time that is less than 
48 hours? If so, explain why. If not, explain why not.
    48. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the timeframe for filing an initial or amended Part I of 
proposed Form SCIR so the timeframes are expressed in business days or 
calendar days instead of hours? If so, explain why. If not, explain why 
not. For example, should Covered Entities have two, five, or some other 
number of business or calendar days to file an initial or amended Part I 
of proposed Form SCIR? Would business or calendar days be more 
appropriate given that Part I of proposed Form SCIR would be filed 
through the EDGAR system? \339\ If so, explain why. If not, explain why 
not.
---------------------------------------------------------------------------

    \339\ The Commission accepts electronic submissions through the 
EDGAR system Monday through Friday, except federal holidays, from 
6:00 a.m. to 10:00 p.m. Eastern Time. See Chapter 2 of the EDGAR 
Filer Manual (Volume I), version 41 (Dec. 2022). Further, filings 
submitted by direct transmission commencing on or before 5:30 p.m. 
Eastern Standard Time or Eastern Daylight Saving Time, whichever is 
currently in effect, shall be deemed filed on the same business day, 
and all filings submitted by direct transmission commencing after 
5:30 p.m. Eastern Standard Time or Eastern Daylight Saving Time, 
whichever is currently in effect, shall be deemed filed as of the 
next business day. 17 CFR 232.13.
---------------------------------------------------------------------------

    49. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the timeframe for filing an initial or amended Part I of 
proposed Form SCIR so that it must be filed promptly after the filing 
requirement is triggered without specifying the 48 hour limit? If so, 
explain why and describe how ``promptly'' should be interpreted for 
purposes of the reporting requirements of paragraph (c) of proposed 
Rule 10. If not, explain why not.
    50. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the reporting requirements to include the filing of an initial 
Part I of proposed Form SCIR and a final Part I of proposed Form SCIR 
but not require the filing of interim amended forms? If so, explain 
why. If not, explain why not. For example, could informal 
communications between the Commission staff and the Covered Entity 
facilitated by the contact employee identified in the immediate notice 
that would be required under paragraph (c)(1) of proposed Rule 10 be an 
appropriate alternative to requiring the filing of interim amended 
forms? If so, explain why. If not, explain why not.
    51. Should paragraph (c)(2) of proposed Rule 10 be modified to 
revise the reporting requirements to include the filing of interim 
amended forms on a pre-set schedule? If so, explain why. If not, 
explain why not. For example, should Covered Entities be required to 
file an initial Part I of proposed Form SCIR and a final Part I of 
proposed Form SCIR pursuant to the requirements of paragraph (c) of 
proposed Rule 10 but file interim amended forms on a pre-set schedule? 
If so, explain why this would be appropriate, including why a pre-set 
reporting requirement would not undermine the objectives of the 
proposed reporting requirements, and how often the interim reporting 
should be required (e.g., weekly, bi-weekly, monthly, quarterly). Would 
a pre-set reporting cadence (e.g., weekly, bi-weekly, monthly, 
quarterly) undermine the objectives of the proposed reporting 
requirements by inappropriately delaying the Commission's receipt of 
important information about a significant cybersecurity incident? If 
so, explain why. If not, explain why not. Would the immediate 
notification requirement and the ability of the Commission staff to 
follow up with the contact person identified on the notification 
mitigate this potential consequence? If so, explain why. If not, 
explain why not.
    52. Should paragraph (c)(2)(ii)(D) of proposed Rule 10 and Part I 
of proposed Form SCIR be modified to revise the reporting requirements 
relating to internal investigations? If so, explain why. If not, 
explain why not. For example, would these reporting requirements create 
a disincentive for Covered Entities to perform internal investigations 
in response to significant cybersecurity incidents? If so, explain why. 
If not, explain why not.
    53. Should Part I of proposed Form SCIR be modified? If so, explain 
why. If not, explain why not. For example, does the form strike an 
appropriate balance of providing enough detail to the Commission to be 
helpful while also not being unduly burdensome to Covered Entities? If 
so, explain why. If not, explain why not. Is certain information that 
would be elicited in Part I of Form SCIR unnecessary? If so, identify 
the information and explain why it would be unnecessary. Is there 
additional information that should be required to be included in Part I 
of proposed Form SCIR? If so, identify the information and explain why 
it would be appropriate to require a Covered Entity to report it in the 
form.
    54. Should Part I of proposed Form SCIR be modified to require that 
Covered Entities provide a UIC--such as an LEI \340\ (which would 
require each Covered Entity without a UIC (such as an LEI) to obtain 
one to comply with the rule)? If so, explain why. If not, explain why 
not. For example, would a requirement to provide a UIC allow the 
Commission staff to better evaluate cyber-threats to Covered Entities? 
If so, explain why. If not, explain why not. Should the form be 
modified to require Covered Entities to provide another type of 
standard identifier other than a CIK number and UIC (if they have a 
UIC)? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------

    \340\ The Commission approved a UIC (namely, the LEI) in a 
previous rulemaking. See section II.B.2.b. of this release; see also 
Regulation SBSR Release, 80 FR at 14632. The Commission is aware 
that additional identifiers could be recognized as UICs in the 
future, but for the purposes of this release, the Commission is 
equating the UIC with the LEI.
---------------------------------------------------------------------------
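    The timing facts stated in footnote 339 above (EDGAR accepts 
submissions Monday through Friday, except federal holidays, from 6:00 
a.m. to 10:00 p.m. Eastern Time, and under 17 CFR 232.13 a direct 
transmission commencing by 5:30 p.m. Eastern Time is deemed filed that 
business day, later ones the next business day) interact with the 
48-hour timeframe discussed in questions 47 and 48 in a way that is 
easy to misjudge when the clock starts late on a Friday or ahead of a 
holiday. The following Python script is an added illustration and is 
not part of this release or of any Commission tool. It takes a trigger 
time and returns the nominal 48-hour deadline, the last instant at 
which EDGAR would accept the submission, the date that submission would 
be deemed filed, and how many of the 48 hours are actually usable. The 
helper names (et, filing_window, and the others), the trigger times, 
and the SAMPLE_HOLIDAYS set are assumptions constructed for the 
example; the holiday set is partial and a caller must supply an 
authoritative federal holiday calendar.

```python
"""Filing-window helper: when must an EDGAR submission commence to stay
inside an N-hour timeframe?  Added illustration, not Commission code.

Encodes only the timing facts on the page: EDGAR acceptance Monday-Friday,
except federal holidays, 6:00 a.m. to 10:00 p.m. Eastern Time; and the
17 CFR 232.13 rule that a direct transmission commencing by 5:30 p.m. ET is
deemed filed that business day, otherwise the next business day.
"""
from datetime import date, datetime, time, timedelta
from zoneinfo import ZoneInfo

ET = ZoneInfo("America/New_York")
OPEN, CLOSE, CUTOFF = time(6, 0), time(22, 0), time(17, 30)

# Constructed, partial holiday set used only to exercise the holiday branch.
# A real federal holiday calendar must be supplied by the caller (assumption).
SAMPLE_HOLIDAYS = frozenset({date(2023, 7, 4), date(2023, 12, 25)})


def et(year, month, day, hour=0, minute=0):
    """Build an Eastern Time datetime (helper name is an assumption)."""
    return datetime(year, month, day, hour, minute, tzinfo=ET)


def is_business_day(d, holidays):
    return d.weekday() < 5 and d not in holidays


def edgar_accepts(dt, holidays):
    """True if EDGAR would accept a submission commencing at dt."""
    dt = dt.astimezone(ET)
    return is_business_day(dt.date(), holidays) and OPEN <= dt.time() <= CLOSE


def next_business_day(d, holidays):
    d += timedelta(days=1)
    while not is_business_day(d, holidays):
        d += timedelta(days=1)
    return d


def prev_business_day(d, holidays):
    d -= timedelta(days=1)
    while not is_business_day(d, holidays):
        d -= timedelta(days=1)
    return d


def deemed_filing_date(dt, holidays):
    """Date on which a transmission commencing at dt is deemed filed (232.13)."""
    dt = dt.astimezone(ET)
    if not edgar_accepts(dt, holidays):
        raise ValueError("EDGAR does not accept submissions at this time")
    if dt.time() <= CUTOFF:
        return dt.date()
    return next_business_day(dt.date(), holidays)


def last_acceptance_at_or_before(dt, holidays):
    """Latest instant at or before dt at which EDGAR accepts submissions."""
    dt = dt.astimezone(ET)
    if edgar_accepts(dt, holidays):
        return dt
    d = dt.date()
    # After closing on a business day: that day's 10:00 p.m.
    if is_business_day(d, holidays) and dt.time() > CLOSE:
        return datetime.combine(d, CLOSE, tzinfo=ET)
    # Before opening, or on a weekend/holiday: previous business day's 10:00 p.m.
    return datetime.combine(prev_business_day(d, holidays), CLOSE, tzinfo=ET)


def filing_window(trigger, holidays=frozenset(), hours=48):
    """Summarize the real submission window for an N-hour filing timeframe.

    Returns the nominal deadline, the last EDGAR-accepting instant at or before
    it, the date that last-chance submission is deemed filed, and the usable
    share of the nominal window in hours.
    """
    trigger = trigger.astimezone(ET)
    deadline = trigger + timedelta(hours=hours)
    last_ok = last_acceptance_at_or_before(deadline, holidays)
    return {
        "trigger": trigger,
        "deadline": deadline,
        "last_submission": last_ok,
        "deemed_filed": deemed_filing_date(last_ok, holidays),
        "usable_hours": (last_ok - trigger) / timedelta(hours=1),
    }


if __name__ == "__main__":
    # Constructed scenario: the clock starts at 9:00 p.m. on a Thursday.
    window = filing_window(et(2023, 4, 6, 21, 0), SAMPLE_HOLIDAYS)
    for key, value in window.items():
        print(f"{key:16} {value}")
```

    In the constructed Thursday-evening scenario the nominal 48-hour 
deadline falls on a Saturday, so the last EDGAR-accepting instant is 
10:00 p.m. on the Friday, leaving 25 usable hours rather than 48, and 
because that instant is after 5:30 p.m. the submission would be deemed 
filed on the following Monday. The weekend and holiday branches are what 
make the usable window differ from the nominal one, which is the point 
questions 47 and 48 raise.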

3. Disclosure of Cybersecurity Risks and Incidents
a. Cybersecurity Risks and Incidents Disclosure
    Proposed Rule 10 would require a Covered Entity to make two types 
of public disclosures relating to cybersecurity on Part II of proposed 
Form SCIR.\341\ First, the Covered Entity would need to, in plain 
English, provide a summary description of the cybersecurity risks that 
could materially affect its business and operations and how the Covered 
Entity assesses, prioritizes, and addresses those cybersecurity 
risks.\342\ A cybersecurity risk would be material to a Covered Entity 
if there is a substantial likelihood that a reasonable person would 
consider the information important based on the total mix of facts and 
information.\343\ The facts and circumstances relevant to determining 
materiality in this context may include, among other things, the 
likelihood and extent to which the cybersecurity risk or resulting 
incident: (1) could disrupt or degrade the Covered Entity's ability to 
maintain critical operations; (2) could adversely affect the 
confidentiality, integrity, or availability of information residing on 
the Covered Entity's information systems, including whether the 
information is personal, confidential, or proprietary information; and/
or (3) could harm the Covered Entity or its customers, counterparties, 
members, registrants, users, or other persons.
---------------------------------------------------------------------------

    \341\ See paragraph (d)(1) of proposed Rule 10.
    \342\ See paragraph (d)(1)(i) of proposed Rule 10; Line Item 2 
of Part II of proposed Form SCIR.
    \343\ See, e.g., SEC v. Steadman, 967 F.2d 636, 643 (D.C. Cir. 
1992); cf. Basic Inc. v. Levinson, 485 U.S. 224, 231-232 (1988); TSC 
Industries v. Northway, Inc., 426 U.S. 438, 445, 449 (1976).
---------------------------------------------------------------------------

    The second element of the disclosure would be a summary description 
of each

[[Page 20256]]

significant cybersecurity incident that occurred during the current or 
previous calendar year, if applicable.\344\ The look-back period of the 
current and previous calendar years is designed to make the disclosure 
period consistent across all Covered Entities. The look-back period 
also is designed to provide a short history of significant 
cybersecurity incidents affecting the Covered Entity while not 
overburdening the firm with a longer disclosure period. The summary 
description of each significant cybersecurity incident would need to 
include: (1) the person or persons affected; \345\ (2) the date the 
incident was discovered and whether it is ongoing; (3) whether any data 
was stolen, altered, or accessed or used for any other unauthorized 
purpose; (4) the effect of the incident on the Covered Entity's 
operations; and (5) whether the Covered Entity, or service provider, 
has remediated or is currently remediating the incident.\346\ This 
disclosure--because it addresses actual significant cybersecurity 
incidents--would serve as another way for market participants to 
evaluate the Covered Entity's cybersecurity risks and vulnerabilities 
apart from the general disclosure of its cybersecurity risk. For 
example, a Covered Entity's disclosure of multiple significant 
cybersecurity incidents during the current or previous calendar year 
(particularly, if they did not impact other Covered Entities) would be 
useful in assessing whether the Covered Entity is adequately addressing 
cybersecurity risk or is more vulnerable to that risk as compared with 
other Covered Entities.
---------------------------------------------------------------------------

    \344\ See paragraph (d)(1)(ii) of proposed Rule 10; Line Item 3 
of Part II of proposed Form SCIR. See also paragraph (a)(10) of 
proposed Rule 10 (defining the term ``significant cybersecurity 
incident'').
    \345\ This element of the disclosure would not need to include 
the identities of the persons affected or personal information about 
those persons. Instead, the disclosure could use generic terms to 
identify the person or persons affected. For example, the disclosure 
could state that ``customers of the broker-dealer,'' 
``counterparties of the SBSD,'' or ``members of the SRO'' are 
affected (as applicable).
    \346\ See paragraphs (d)(1)(ii)(A) through (E) of proposed Rule 
10; Line Item 3 of Part II of proposed Form SCIR.
---------------------------------------------------------------------------

    The objective of these disclosures is to provide greater 
transparency to customers, counterparties, registrants, or members of 
the Covered Entity, or to users of its services, about the Covered 
Entity's exposure to material harm as a result of a cybersecurity 
incident, which, in turn, could cause harm to customers, 
counterparties, members, registrants, or users. This information could 
be used by these persons to manage their own cybersecurity risk and, to 
the extent they have choice, select a Covered Entity with which to 
transact or otherwise conduct business. Information about prior attacks 
and their degree of success is immensely valuable in mounting effective 
countermeasures.\347\
---------------------------------------------------------------------------

    \347\ See Peter W. Singer and Allan Friedman. Cybersecurity and 
Cyberwar: What Everyone Needs to Know. Oxford University Press 222 
(2014).
---------------------------------------------------------------------------

    However, the intent of the disclosure on Part II of proposed Form 
SCIR is to avoid overly detailed disclosures that could increase 
cybersecurity risk for the Covered Entity and other persons. Revealing 
too much information could assist future attackers as well as lead to 
loss of customers, reputational harm, litigation, or regulatory 
scrutiny, which would be a cost associated with public disclosure.\348\ 
Therefore, under proposed Rule 10, the Covered Entity would be required 
to provide only a summary description of its cybersecurity risk and 
significant cybersecurity incidents.\349\ The requirement that the 
disclosures contain summary descriptions only is designed to produce 
meaningful disclosures but not disclosures that would reveal 
information (e.g., proprietary or confidential methods of addressing 
cybersecurity risk or known cybersecurity vulnerabilities) that could 
be used by threat actors to cause harm to the Covered Entity or its 
customers, counterparties, members, users, or other persons. This 
requirement is also designed to produce high-level disclosures about 
the Covered Entity's cybersecurity risks and significant cybersecurity 
incidents that can be easily reviewed by interested parties in order to 
give them a general understanding of the Covered Entity's risk profile.
---------------------------------------------------------------------------

    \348\ See, e.g., Federal Trade Commission v. Equifax, Inc., FTC 
Matter/File Number: 172 3203, Civil Action Number: 1:19-cv-03297-TWT 
(2019), available at https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc (``FTC Equifax Civil Action'').
    \349\ See paragraphs (d)(1)(i) and (ii) of proposed Rule 10.
---------------------------------------------------------------------------

b. Disclosure Methods and Updates
    Proposed Rule 10 would require a Covered Entity to make the public 
disclosures discussed above (i.e., the information about cybersecurity 
risks and significant cybersecurity incidents) on Part II of proposed 
Form SCIR.\350\ Part II of proposed Form SCIR would elicit information 
about the Covered Entity that would be used to identify the filer.\351\ 
In particular, the Covered Entity would need to provide its full legal 
name and business name (if different from its legal name), UIC (if the 
filer has a UIC),\352\ CIK number, and main address.\353\ The Covered 
Entity also would need to indicate the type of Market Entity it is by 
checking the appropriate box or boxes.\354\ For example, if the Covered 
Entity is dually registered as a broker-dealer and SBSD, it would need 
to check the box for each of those entity types.
---------------------------------------------------------------------------

    \350\ See paragraph (d) of proposed Rule 10.
    \351\ See Line Items 1.A. through 1.D. of Part II of proposed 
Form SCIR.
    \352\ As mentioned previously, the Commission approved a UIC--
namely, the LEI--in a prior rulemaking. See section II.B.2.b. of 
this release. Therefore, for the purposes of this release, the 
Commission is proposing to require those Covered Entities that 
already have LEIs to identify themselves with LEIs on Part II of 
Form SCIR.
    \353\ See Line Items 1.A. through 1.C. of Part I of proposed 
Form SCIR. See also section II.B.2.b. of this release (discussing 
UIC and CIK numbers in more detail with respect to Part I of 
proposed Form SCIR).
    \354\ See Line Item 1.D. of Part II of proposed Form SCIR 
(setting forth check boxes to indicate whether the Covered Entity is 
a broker-dealer, clearing agency, MSBSP, the MSRB, a national 
securities association, a national securities exchange, SBSD, SBSDR, 
or transfer agent).
---------------------------------------------------------------------------

    Page 1 of Part II of proposed Form SCIR also would contain fields 
for the individual executing the form to sign and date the form. By 
signing the form, the individual would: (1) certify that the form was 
executed on behalf of, and with the authority of, the Covered Entity; 
and (2) represent individually, and on behalf of the Covered Entity, 
that the information and statements contained in the form are current, 
true and complete. The form of the certification is designed to ensure 
that the Covered Entity, through the individual executing the form, 
discloses information that can be used by the Covered Entity's 
customers, counterparties, members, registrants, or users, or by other 
interested persons to assess the Covered Entity's cybersecurity risk 
profile and compare it with the risk profiles of other Covered 
Entities.
    As discussed above, proposed Rule 10 would require the Covered 
Entity to publicly disclose a summary description of the cybersecurity 
risks that could materially affect the Covered Entity's business and 
operations and how the Covered Entity assesses, prioritizes, and 
addresses those cybersecurity risks.\355\ Line Item 2 of Part II of 
proposed Form SCIR would contain a narrative field in which the Covered 
Entity would provide this summary description.\356\ In order to provide 
context to the meaning of the disclosure, the beginning of Line Item 2 
would set forth the definition of ``cybersecurity risk'' in proposed 
Rule 10 as well as the definitions of ``cybersecurity incident,'' 
``cybersecurity threat,'' and ``cybersecurity vulnerability'' because these three terms 
are used in the definition of ``cybersecurity risk.'' \357\
---------------------------------------------------------------------------

    \355\ See paragraph (d)(1)(i) of proposed Rule 10.
    \356\ See Line Item 2 of Part II of proposed Form SCIR.
    \357\ Id. See also paragraphs (a)(2) through (5) of proposed 
Rule 10 (defining, respectively, ``cybersecurity incident,'' 
``cybersecurity risk,'' ``cybersecurity threat,'' and 
``cybersecurity vulnerability'').
---------------------------------------------------------------------------

    Line Item 3 of Part II of proposed Form SCIR would be used to make 
the disclosure about each significant cybersecurity incident that 
occurred during the current and previous calendar year.\358\ The 
definition of ``significant cybersecurity incident'' would be set forth 
at the beginning of Line Item 3 in order to provide context to the meaning 
of the disclosure. To complete the line item, the Covered Entity first 
would need to indicate by checking ``yes'' or ``no'' whether it had 
experienced one or more significant cybersecurity incidents during the 
current or previous calendar year. If the answer is yes, the Covered 
Entity would need to provide in a narrative field on Line Item 3 the 
summary description of each significant cybersecurity incident.\359\
---------------------------------------------------------------------------

    \358\ See Line Item 3 of Part II of proposed Form SCIR.
    \359\ See paragraph (d)(1)(ii) of proposed Rule 10.
---------------------------------------------------------------------------

    As discussed next, there would be two methods of making the 
disclosure, which would be required of all Covered Entities under 
proposed Rule 10, and an additional third method that would be required 
of Covered Entities that are carrying or introducing broker-dealers. 
First, Covered Entities would be required to file Part II of Form SCIR 
with the Commission electronically through the EDGAR system in 
accordance with the EDGAR Filer Manual, as defined in Rule 11 of 
Regulation S-T,\360\ and in accordance with the requirements of 
Regulation S-T.\361\ The Commission would make these filings available 
to the public. The objective of requiring centralized EDGAR-filing of 
Part II of proposed Form SCIR is to facilitate the ability to compare 
disclosures across different Covered Entities or categories of Covered 
Entities in the same manner that EDGAR filing facilitates comparison of 
financial statements, annual reports, and other disclosures across 
Commission registrants. By creating a single location for all of the 
disclosures, Commission staff, investors, market participants, and 
analysts as well as Covered Entities' customers, counterparties, 
members, registrants, or users would be able to run search queries to 
compare the disclosures of multiple Covered Entities. Centralized EDGAR 
filing could make it easier for Commission staff and others to assess 
the cybersecurity risk profiles of different types of Covered Entities 
and could facilitate trend analysis of significant cybersecurity 
incidents. Thus, by providing a central location for the cybersecurity 
disclosures, filing Part II of proposed Form SCIR through EDGAR could 
lead to greater transparency of the cybersecurity risks in the U.S. 
securities markets.
---------------------------------------------------------------------------

    \360\ See 17 CFR 232.11.
    \361\ See paragraph (d)(2)(i) of proposed Rule 10.
---------------------------------------------------------------------------

    Second, proposed Rule 10 would require the Covered Entity to post a 
copy of the Part II of proposed Form SCIR most recently filed on EDGAR 
on an easily accessible portion of its business internet website that 
can be viewed by the public without the need of entering a password or 
making any type of payment or providing any other consideration.\362\ 
Consequently, the disclosures could not be located behind a ``paywall'' 
or otherwise require a person to pay a registration fee or provide any 
other consideration to access them. The purpose of requiring the form 
to be posted on the Covered Entity's business internet website is that 
individuals naturally may visit a company's business internet website 
when seeking timely and updated information about the company, 
particularly if the company is experiencing an incident that disrupts 
or degrades the services it provides. Therefore, requiring the form to 
be posted on the website is designed to make it available through this 
commonly used method of obtaining information. Additionally, 
individuals may naturally visit a company's business internet website 
as part of their due diligence process in determining whether to use 
its services. Therefore, posting the form on the Covered Entity's 
business internet website could provide individuals with information 
about the Covered Entity's cybersecurity risks before they elect to 
enter into an arrangement with the firm. It could serve a similar 
purpose for individuals considering whether to maintain an ongoing 
business relationship with the Covered Entity.
---------------------------------------------------------------------------

    \362\ See paragraph (d)(2)(ii) of proposed Rule 10. In addition 
to the disclosure to be made available to security-based swap 
counterparties as required by paragraph (d)(2)(ii) of proposed Rule 
10, current Commission rules require that SBS Entities' trading 
relationship documentation between certain counterparties address 
cybersecurity. Specifically, an SBS Entity's trading relationship 
documentation must include valuation methodologies for purposes of 
complying with specified risk management requirements, which would 
include the risk management requirements of proposed Rule 10 (if it 
is adopted). See 17 CFR 250.15Fi-5(b)(4). This documentation would 
include a dispute resolution process or alternative methods for 
determining value in the event of a relevant cybersecurity incident. 
See also section IV.C.1.b.iii. of this release (discussing 
disclosure requirements of Rule 15Fh-3(b)).
---------------------------------------------------------------------------

    In addition to those two disclosure methods, a Covered Entity that 
is either a carrying or introducing broker-dealer would be required to 
provide a copy of the Part II of proposed Form SCIR most recently filed 
on EDGAR to a customer as part of the account opening process.\363\ 
Thereafter, the Covered Entity would need to provide the customer with 
the most recently posted form annually and when it is updated. The 
broker-dealer would need to deliver the form using the same means that 
the customer elects to receive account statements (e.g., by email or 
through the postal service).\364\ This additional method of disclosure 
is designed to make the information readily available to the broker-
dealer's customers (many of whom may be retail investors) through the 
same processes that other important information (i.e., information 
about their securities accounts) is communicated to them. Requiring a 
broker-dealer to deliver copies of the form is designed to enhance 
investor protection by enabling customers to take protective or 
remedial measures to the extent appropriate. It would also assist 
customers in determining whether their engagement of that particular 
broker-dealer remains appropriate and consistent with their investment 
objectives.
---------------------------------------------------------------------------

    \363\ See paragraph (d)(3) of proposed Rule 10.
    \364\ If the disclosure requirements of proposed Rule 10 are 
adopted, the Commission would establish a compliance date by which a 
Covered Entity would need to make its first public disclosure on 
Part II of proposed Form SCIR. At a minimum, the initial disclosure 
would need to include a summary description of the cybersecurity 
risks that could materially affect the Covered Entity's business and 
operations and how the Covered Entity assesses, prioritizes, and 
addresses those cybersecurity risks. In setting an initial 
compliance date, the Commission could take a bifurcated approach in 
which each method of disclosure has a different compliance date. For 
example, the compliance date for making the website disclosure could 
come before the compliance date for making the EDGAR disclosure and 
the additional disclosure required of carrying and introducing 
broker-dealers. The Commission seeks comment below on a potential 
compliance date or compliance dates for the disclosure requirements.
---------------------------------------------------------------------------

    Finally, a Covered Entity would be required to file on EDGAR an 
updated Part II of proposed Form SCIR promptly if the information 
required to be disclosed about cybersecurity risks or significant 
cybersecurity incidents materially changes, including, in the case of 
the disclosure about significant cybersecurity incidents, after the 
occurrence of a new significant cybersecurity incident or when 
information about a previously disclosed significant cybersecurity 
incident materially changes.\365\ The Covered Entity also would need to 
post a copy of the updated Part II of proposed Form SCIR promptly on 
its business internet website and, if it is a carrying broker-dealer or 
introducing broker-dealer, deliver copies of the form to its customers. 
Given the potential effect that significant cybersecurity incidents 
could have on a Covered Entity's customers, counterparties, members, 
registrants, or users--such as exposing their personal or other 
confidential information or resulting in a loss of cash or securities 
from their accounts--time is of the essence, and requiring a Covered 
Entity to update the disclosures promptly would enhance investor 
protection by enabling customers, counterparties, members, registrants, 
or users to take proactive or remedial measures to the extent 
appropriate. Accordingly, the timing of the filing of an updated 
disclosure should take into account the exigent nature of significant 
cybersecurity incidents which would generally militate toward swiftly 
filing the update. Furthermore, requiring Covered Entities to update 
their disclosures following the occurrence of a new significant 
cybersecurity incident would assist market participants in determining 
whether their business relationship with that particular Covered Entity 
remains appropriate and consistent with their goals.
---------------------------------------------------------------------------

    \365\ See paragraph (d)(4) of proposed Rule 10. See also 
Instruction C.2. of proposed Form SCIR. As discussed earlier, a 
Covered Entity would be required to file Part I of proposed Form 
SCIR with the Commission promptly, but no later than 48 hours, upon 
having a reasonable basis to conclude that a significant 
cybersecurity incident has occurred or is occurring. See paragraph 
(c)(2)(i) of proposed Rule 10; see also section II.B.2.a. of this 
release (discussing this requirement in more detail). Therefore, the 
Covered Entity would need to file a Part I and an updated Part II of 
proposed Form SCIR with the Commission relatively contemporaneously. 
Depending on the facts and circumstances, the Part I and updated 
Part II could be filed at the same time or one could precede the 
other if the Covered Entity, for example, has the information to 
complete Part II first but needs more time to gather the information 
to complete Part I (which elicits substantially more information 
than Part II). However, as discussed above, Part I must be filed no 
later than 48 hours after the Covered Entity has a reasonable basis 
to conclude that a significant cybersecurity incident has occurred 
or is occurring and the Covered Entity must include in the initial 
filing the information that is known at that time and file an 
updated Part I as more information becomes known to the Covered 
Entity.
---------------------------------------------------------------------------

    A Covered Entity also would need to file an updated Part II of 
proposed Form SCIR if the information in the summary description of a 
significant cybersecurity incident included on the form is no longer 
within the look-back period (i.e., the current or previous calendar 
year). For example, the information that would need to be included in 
the summary description includes whether the significant cybersecurity 
incident is ongoing and whether the Covered Entity had remediated it. 
The Covered Entity would need to file an updated Part II of proposed 
Form SCIR if the significant cybersecurity incident was remediated and 
ended on a date that was beyond the look-back period. The updated Part 
II of proposed Form SCIR would no longer include a summary description 
of that specific significant cybersecurity incident. The objective is 
to focus the most recently filed disclosure on events within the 
relatively near term. The history of the Covered Entity's significant 
cybersecurity incidents would be available in previous filings.
c. Request for Comment
    The Commission requests comment on all aspects of the proposed 
disclosure requirements. In addition, the Commission is requesting 
comment on the following specific aspects of the proposals:
    55. Should paragraph (d)(1)(i) of proposed Rule 10 be modified to 
revise the requirements that Covered Entities publicly disclose the 
cybersecurity risks that could materially affect their business and 
operations and to publicly disclose a description of how the Covered 
Entity assesses, prioritizes, and addresses those cybersecurity risks? 
If so, explain why. If not, explain why not. For example, would the 
public disclosures required by paragraph (d)(1)(i) of proposed Rule 10 
be useful or provide meaningful information to a Covered Entity's 
customers, counterparties, members, registrants, or users? If so, 
explain why. If not, explain why not. Could the proposed disclosure 
requirement be modified to make it more useful? If so, explain how. 
Could the public disclosures required by paragraph (d)(1)(i) of 
proposed Rule 10 assist threat actors in engaging in cyber crime? If 
so, explain why. If not, explain why not. Could the proposed disclosure 
requirements be modified to eliminate this risk without negatively 
impacting the usefulness of the disclosures? If so, explain how.
    56. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to 
revise the requirements that Covered Entities publicly disclose 
information about each significant cybersecurity incident that has 
occurred during the current or previous calendar year? If so, explain 
why. If not, explain why not. For example, would the public disclosures 
required by paragraph (d)(1)(ii) of proposed Rule 10 be useful or 
provide meaningful information to a Covered Entity's customers, 
counterparties, members, registrants, or users? If so, explain why. If 
not, explain why not. Could the proposed disclosure requirement be 
modified to make it more useful? If so, explain how. Could the public 
disclosures required by paragraph (d)(1)(ii) of proposed Rule 10 assist 
threat actors in engaging in cyber crime? If so, explain why. If not, 
explain why not. Could the proposed disclosure requirements be modified 
to eliminate this risk without negatively impacting the usefulness of 
the disclosures? If so, explain how.
    57. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to 
revise the required current and previous year look-back period for the 
disclosure of significant cybersecurity incidents? If so, explain why. 
If not, explain why not. For example, should the look-back period be a 
shorter period of time (e.g., only the current calendar year)? If so, 
explain why. If not, explain why not. Alternatively, should the look-
back period be longer (e.g., the current calendar year and previous two 
calendar years)? If so, explain why. If not, explain why not. Should 
the look-back period be expressed in months rather than calendar years? 
For example, should the look-back period be 12, 18, 24, 30, or 36 
months? If so, explain why. If not, explain why not.
    58. Should paragraph (d)(1)(ii) of proposed Rule 10 be modified to 
provide that the requirement to include a summary description of each 
significant cybersecurity incident that occurred during the current or 
previous calendar year in Part II of proposed Form SCIR be prospective 
and, therefore, limited to significant cybersecurity incidents that 
occur on or after the compliance date of the disclosure requirement? If 
so, explain why. If not, explain why not.
    59. Should the public disclosure requirements of paragraphs 
(d)(1)(i) and (ii) of proposed Rule 10 be modified to require the 
disclosure of additional or different information? If so, identify the 
additional or different information and explain why it would be 
appropriate to require its public disclosure by Covered Entities.
    60. Should 17 CFR 240.15Fh-3(b) be amended to specify that required 
counterparty disclosure includes the information that would be required 
by paragraph (d)(1) of proposed Rule 10 and publicly disclosed on Part 
II of proposed Form SCIR? If so, explain why. If not, explain why not.
    61. Should paragraph (d)(2) of proposed Rule 10 be modified to 
revise the methods of making the public disclosures? If so, explain why. If 
not, explain why not. For example, should Covered Entities be required 
to file Part II of proposed Form SCIR on EDGAR but not be required to 
post a copy of the form on their business internet websites? If so, 
explain why. If not, explain why not. Would requiring the public 
cybersecurity disclosures to be filed in a centralized electronic 
system, such as EDGAR, make it easier for investors, analysts, and 
others to access and gather information from the cybersecurity 
disclosures than if those disclosures were only posted on Covered 
Entity websites? Alternatively, should Covered Entities be required to 
post an executed copy of Part II of proposed Form SCIR on their 
business internet websites but not be required to file the form on 
EDGAR? If so, explain why. If not, explain why not.
    62. Should paragraph (d)(2) of proposed Rule 10 be modified to 
revise the requirement to post a copy of Part II of proposed Form SCIR 
on the business internet website of the Covered Entity to permit the 
Covered Entity to post a link to the EDGAR filing? If so, explain why. 
If not, explain why not.
    63. Should paragraph (d)(3) of proposed Rule 10 be modified to 
revise the additional methods of making the public disclosures required 
of carrying and introducing broker-dealers? If so, explain why. If not, 
explain why not. For example, would filing Part II of proposed Form 
SCIR on EDGAR and posting a copy of the form on the Covered Entity's 
business internet website be sufficient to meet the objectives of the 
disclosure requirements discussed above and, therefore, obviate the 
need for a carrying broker-dealer or introducing broker-dealer to 
additionally send copies of the form to customers? If so, explain why. 
If not, explain why not. Rather than requiring the broker-dealer or 
introducing broker-dealer to send a copy of the Part II of proposed 
Form SCIR most recently filed on EDGAR to each customer, would it be 
sufficient that the most recently filed form as of the end of each 
quarter or the calendar year be sent to the customers? If so, explain 
why. If not, explain why not.
    64. Should paragraph (d)(3) of proposed Rule 10 be modified to 
permit the Covered Entity to send a website link to the EDGAR filing to 
customers instead of a copy of the EDGAR filing? If so, explain why. If 
not, explain why not.
    65. Should paragraph (d)(3) of proposed Rule 10 be modified to 
require other types of Covered Entities to send a copy of the most 
recently filed Part II of proposed Form SCIR to their customers, 
counterparties, members, registrants, or users? If so, explain why. If 
not, explain why not. For example, should transfer agents be required 
to send the most recently filed Part II of proposed Form SCIR to their 
securityholders? If so, explain why. If not, explain why not.
    66. Should paragraph (d)(4) of proposed Rule 10 be modified to 
revise the requirement that a Covered Entity must ``promptly'' provide 
an updated disclosure on Part II of proposed Form SCIR if the 
information on the previous disclosure materially changes to provide 
that the Commission shall allow registrants to delay publicly 
disclosing a significant cybersecurity incident where the Attorney 
General requests such a delay from the Commission based on the Attorney 
General's written determination that the delay is in the interest of 
national security?
    67. Should paragraph (d)(4) of proposed Rule 10 be modified to 
revise the requirement that a Covered Entity must ``promptly'' provide 
an updated disclosure on Part II of proposed Form SCIR if the 
information on the previous disclosure materially changes to specify a 
timeframe within which the updated filing must be promptly made? If so, 
explain why. If not, explain why not. For example, should the rule be 
modified to require that the updated disclosure must be made within 24, 
36, 48, or 60 hours of the information on the previous disclosure 
materially changing? If so, explain why. If not, explain why not. 
Should the timeframe for making the updated disclosure be expressed in 
business days? If so, explain why. If not, explain why not. For 
example, should the updated disclosure be required to be made within 
two, three, four, or five business days (or some other number of days) 
of the information on the previous disclosure materially changing? If 
so, explain why. If not, explain why not.
    68. Should paragraph (d)(4) of proposed Rule 10 be modified to 
revise the requirement that a Covered Entity must ``promptly'' provide 
an updated disclosure on Part II of proposed Form SCIR if the 
information on the previous disclosure materially changes to require 
the update to be made within 30 days (similar to the requirement for 
updating Form CRS)? \366\ If so, explain why. If not, explain why not. 
For example, would this approach appropriately balance the objective of 
requiring timely disclosure with the objective of providing accurate 
and complete disclosure? If so, explain why. If not, explain why not.
---------------------------------------------------------------------------

    \366\ See Form CRS Instructions, available at https://www.sec.gov/files/formcrs.pdf.
---------------------------------------------------------------------------

    69. Should paragraph (d)(4) of proposed Rule 10 be modified to 
revise the requirements that trigger when an updated Part II of 
proposed Form SCIR must be filed on EDGAR, posted on the Covered 
Entity's business internet website, and, if applicable, sent to 
customers? If so, explain why. If not, explain why not. For example, 
should the rule require that an updated form must be publicly 
disclosed through these methods on a quarterly, semi-annual, or annual 
basis if the information on the previously filed form has materially 
changed? If so, explain why. If not, explain why not.
    70. Should Part II of proposed Form SCIR be modified to require 
that Covered Entities provide a UIC--such as an LEI (which would 
require Covered Entities without a UIC (such as an LEI) to obtain one 
to comply with the rule)? \367\ If so, explain why. If not, explain why 
not. For example, would requiring Covered Entities to provide a UIC 
better allow investors, analysts, and third-party data aggregators to 
evaluate the cybersecurity risk profiles of Covered Entities? If so, 
explain why. If not, explain why not. Should the form be modified to 
require Covered Entities to provide another type of standard identifier 
other than a CIK number and UIC (if they have a UIC)? If so, explain 
why. If not, explain why not.
---------------------------------------------------------------------------

    \367\ As mentioned previously in section II.B.2.b. of this 
release, the Commission approved a UIC (namely, the LEI) in a 
previous rulemaking. The Commission is aware that additional 
identifiers could be recognized as UICs in the future, but for the 
purposes of this release, the Commission is equating the UIC with 
the LEI.
---------------------------------------------------------------------------

    71. If the disclosure requirements of proposed Rule 10 are adopted, 
what would be an appropriate compliance date for the disclosure 
requirements? For example, should the compliance date be three, six, 
nine, or twelve months after the effective date of the rule (or some 
other period of months)? Please suggest a compliance period and explain 
why it would be appropriate. Should the compliance date for the website 
disclosure be sooner than the compliance date for the EDGAR disclosure 
or vice versa? If so, explain why. If not, explain why not. Should the 
compliance date for the additional disclosure methods that would be 
required of carrying and introducing broker-dealers be different than 
the compliance dates for the website disclosure and the EDGAR 
disclosure? If so, explain why. If not, explain why not. If the 
requirement to provide a summary description of each significant 
cybersecurity incident that occurred

[[Page 20260]]

during the current and previous calendar year is prospective (i.e., 
does not apply to incidents that occurred before the compliance date), 
should the compliance period be shorter than if the requirement was 
retrospective, given that the initial disclosure, in most cases, would 
be limited to a summary description of the cybersecurity risks that 
could materially affect the Covered Entity's business and operations 
and how the Covered Entity assesses, prioritizes, and addresses those 
cybersecurity risks? If so, explain why. If not, explain why not.
4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a 
Structured Data Language
a. Discussion
    Proposed Rule 10 would require Covered Entities to file Parts I 
and II of proposed Form SCIR electronically with the Commission using 
the EDGAR system in accordance with the EDGAR Filer Manual, as defined 
in Rule 11 of Regulation S-T,\368\ and in accordance with the 
requirements of Regulation S-T.\369\ In addition, under the proposed 
requirements, Covered Entities would file Parts I and II of Form SCIR 
in a structured (i.e., machine-readable) data language.\370\ 
Specifically, Covered Entities would file Parts I and II of proposed 
Form SCIR in an eXtensible Markup Language (``XML'')-based data 
language specific to the form (``custom XML,'' and in this release 
``SCIR-specific XML''). While the majority of filings through the EDGAR 
system are submitted in unstructured HTML or ASCII formats, certain 
EDGAR-system filings are submitted using custom XML languages that are 
each specific to the particular form being submitted.\371\ For such 
filings, filers are typically provided the option to either submit the 
filing directly to the EDGAR system in the relevant custom XML data 
language, or to manually input the information into a fillable web-
based form developed by the Commission that converts the completed form 
into a custom XML document.\372\
---------------------------------------------------------------------------

    \368\ See 17 CFR 232.11.
    \369\ See paragraphs (c) and (d) of proposed Rule 10.
    \370\ Requirements related to custom-XML filings are generally 
covered in the EDGAR Filer Manual, which is incorporated in 
Commission regulations by reference via Regulation S-T. See 17 CFR 
232.11; 17 CFR 232.101.
    \371\ See Commission, Current EDGAR Technical Specifications 
(Dec. 5, 2022), available at https://www.sec.gov/edgar/filer-information/current-edgar-technical-specifications.
    \372\ See Chapters 8 and 9 of the EDGAR Filer Manual (Volume 
II), version 64 (Dec. 2022).
---------------------------------------------------------------------------

    Requiring Covered Entities to file Parts I and II of proposed Form 
SCIR through the EDGAR system would allow the Commission to download 
Form SCIR information directly from a central location, thus 
facilitating efficient access, organization, and evaluation of the 
information contained in the forms. Use of the EDGAR system also would 
enable technical validation of the information reported on Form SCIR, 
which could potentially reduce the incidence of non-discretionary 
errors (e.g., leaving required fields blank). Thus, the proposed 
requirement to file Parts I and II of proposed Form SCIR through the 
EDGAR system would allow the Commission and, in the case of Part II, 
the public to more effectively examine and analyze the reported 
information. In this regard, the proposed requirement to file Parts I 
and II of proposed Form SCIR through the EDGAR system using SCIR-
specific XML, a machine-readable data language, is designed to 
facilitate more thorough review and analysis of the reported 
information.
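    To illustrate the kind of technical validation a machine-readable 
filing format makes possible, the following is an added example; it is 
not part of this release and is not the EDGAR system's or the 
Commission's own code. The element names (`scirPartII`, `filerName`, 
`cik`, `lei`, `reportingPeriod`, `riskSummary`) are hypothetical 
stand-ins, since the release does not reproduce the SCIR-specific XML 
schema, and the sample filing and LEI are constructed. The LEI check 
applies the ISO 17442 check-digit rule (ISO 7064 MOD 97-10) to the UIC 
the release identifies.

```python
"""Pre-submission validation of a structured XML filing.

Added illustration: the element names are hypothetical stand-ins for the
SCIR-specific XML that the release describes but does not reproduce.
"""
import xml.etree.ElementTree as ET
from string import ascii_uppercase, digits

# Hypothetical required elements; the real form's field list is not reproduced here.
REQUIRED_FIELDS = ("filerName", "cik", "reportingPeriod", "riskSummary")
_LEI_ALPHABET = set(ascii_uppercase + digits)


def _lei_to_int(lei: str) -> int:
    """ISO 7064 MOD 97-10 numeric form: letters A..Z become 10..35, digits stay."""
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in lei))


def lei_check_digits(prefix18: str) -> str:
    """Compute the two ISO 17442 check digits for an 18-character LEI prefix."""
    prefix18 = prefix18.upper()
    if len(prefix18) != 18 or not set(prefix18) <= _LEI_ALPHABET:
        raise ValueError("LEI prefix must be 18 alphanumeric characters")
    return f"{98 - (_lei_to_int(prefix18 + '00') % 97):02d}"


def is_valid_lei(lei: str) -> bool:
    """True when the 20-character LEI passes the MOD 97-10 check (value == 1 mod 97)."""
    if len(lei) != 20 or not set(lei) <= _LEI_ALPHABET or not lei[18:].isdigit():
        return False
    return _lei_to_int(lei) % 97 == 1


def validate_filing(xml_text: str) -> list[str]:
    """Return a list of validation errors (an empty list means the filing is accepted)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    errors = []
    for field in REQUIRED_FIELDS:
        node = root.find(field)
        if node is None:
            errors.append(f"missing required field: {field}")
        elif not (node.text or "").strip():
            errors.append(f"required field is blank: {field}")
    cik = root.findtext("cik", default="").strip()
    if cik and not (cik.isdigit() and len(cik) <= 10):
        errors.append(f"CIK must be numeric, at most 10 digits: {cik}")
    lei = root.findtext("lei", default="").strip()
    if lei and not is_valid_lei(lei):
        errors.append(f"LEI fails ISO 17442 check-digit validation: {lei}")
    return errors


# Constructed sample data: the prefix is not an issued LEI and the filer is fictional.
SAMPLE_LEI_PREFIX = "5493001ABCDEFGHIJ1"
SAMPLE_LEI = SAMPLE_LEI_PREFIX + lei_check_digits(SAMPLE_LEI_PREFIX)

GOOD_FILING = f"""<scirPartII>
  <filerName>Example Broker-Dealer LLC</filerName>
  <cik>0001234567</cik>
  <lei>{SAMPLE_LEI}</lei>
  <reportingPeriod>2023</reportingPeriod>
  <riskSummary>Constructed placeholder risk summary.</riskSummary>
</scirPartII>"""

# The same filing with the risk summary left blank: the kind of non-discretionary
# error that validation at submission time is meant to catch.
BLANK_FIELD_FILING = GOOD_FILING.replace("Constructed placeholder risk summary.", "   ")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_FILING), ("blank field", BLANK_FIELD_FILING)):
        print(label, "->", validate_filing(doc) or "accepted")
```

    The validator rejects a filing that is not well-formed, lists every 
required element that is missing or blank, and checks the identifier 
fields so that a mistyped UIC is caught before the form is accepted 
rather than discovered by a downstream consumer of the data.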
b. Request for Comment
    The Commission requests comment on all aspects of the proposed 
requirements to file Parts I and II of Form SCIR in EDGAR using a 
structured data language. In addition, the Commission is requesting 
comment on the following specific aspects of the proposals:
    72. Should the Commission modify the structured data language 
requirement for both Parts I and II of Form SCIR in accordance with the 
alternatives discussed in Section IV.F. below? \373\ Should Covered 
Entities be required to file the cybersecurity risk and incident 
disclosures on Part II of Form SCIR in the EDGAR system in a structured 
data language? Why or why not? Would custom XML or Inline eXtensible 
Business Reporting Language (``iXBRL'') be the most suitable data 
language for this information? Or would another data language be more 
appropriate?
---------------------------------------------------------------------------

    \373\ See section IV.F. of this release.
---------------------------------------------------------------------------

5. Recordkeeping
a. Amendments to Covered Entity Recordkeeping Rules
    As discussed above, proposed Rule 10 would require a Covered Entity 
to: (1) establish, maintain, and enforce reasonably designed policies 
and procedures to address cybersecurity risks; \374\ (2) create written 
documentation of risk assessments; \375\ (3) create written 
documentation of any cybersecurity incident, including its response to 
and recovery from the incident; \376\ (4) prepare a written report each 
year describing its annual review of its policies and procedures to 
address cybersecurity risks; \377\ (5) provide immediate electronic 
written notice to the Commission of a significant cybersecurity 
incident upon having a reasonable basis to conclude that the 
significant cybersecurity incident has occurred or is occurring; \378\ 
(6) report, not later than 48 hours, upon having a reasonable basis to 
conclude that a significant cybersecurity incident has occurred or is 
occurring on Part I of proposed Form SCIR; \379\ and (7) provide a 
written summary disclosure about its cybersecurity risks that could 
materially affect its business and operations, and how the Covered 
Entity assesses, prioritizes, and addresses those risks, and 
significant cybersecurity incidents that occurred during the current or 
previous calendar year on Part II of proposed Form SCIR.\380\ 
Consequently, proposed Rule 10 would require a Covered Entity to make 
several different types of records (collectively, the ``Rule 10 
Records''). The proposed cybersecurity rule would not include 
requirements specifying how long these records would need to be 
preserved and the manner in which they would need to be maintained. 
Instead, as discussed below, preservation and maintenance requirements 
applicable to Rule 10 Records would be imposed through amendments, as 
necessary, to the existing record preservation and maintenance rules 
applicable to the Covered Entities.
---------------------------------------------------------------------------

    \374\ See paragraph (b)(1) of proposed Rule 10. See also 
sections II.B.1.a. through II.B.1.e. of this release (discussing 
this proposed requirement in more detail).
    \375\ See paragraph (b)(1)(i)(B) of proposed Rule 10. See also 
section II.B.1.a. of this release (discussing this proposed 
requirement in more detail).
    \376\ See paragraph (b)(1)(v)(B) of proposed Rule 10. See also 
section II.B.1.e. of this release (discussing this proposed 
requirement in more detail).
    \377\ See paragraph (b)(2)(ii) of proposed Rule 10. See also 
section II.B.1.f. of this release (discussing this proposed 
requirement in more detail).
    \378\ See paragraph (c)(1) of proposed Rule 10. See also section 
II.B.2.a. of this release (discussing this proposed requirement in 
more detail).
    \379\ See paragraph (c)(2) of proposed Rule 10. See also Section 
II.B.2.b. of this release (discussing this proposed requirement in 
more detail).
    \380\ See paragraph (d) of proposed Rule 10. See also Section 
II.B.3. of this release (discussing this proposed requirement in 
more detail).
---------------------------------------------------------------------------

    In particular, broker-dealers, transfer agents, and SBS Entities 
are subject to existing requirements that specify how long the records 
they are required to make must be preserved (e.g., three or six years) 
and how the records must be maintained (e.g., maintenance

[[Page 20261]]

requirements for electronic records).\381\ The Commission is proposing 
to amend these record preservation and maintenance requirements to 
identify Rule 10 Records specifically as records that would need to be 
preserved and maintained pursuant to these existing requirements. In 
particular, the Commission is proposing to amend the record 
preservation and maintenance rules for: (1) broker-dealers; \382\ (2) 
transfer agents; \383\ and (3) SBS entities.\384\ The proposed 
amendments would specify that the Rule 10 Records must be retained for 
three years. In the case of the written policies and procedures to 
address cybersecurity risks, the record would need to be maintained 
until three years after the termination of the use of the policies and 
procedures. These amendments would subject the Rule 10 Records to the 
record maintenance requirements of Rules 17a-4, 17ad-7, and 18a-6, 
including the requirements governing electronic records.\385\
---------------------------------------------------------------------------

    \381\ See 17 CFR 240.17a-4 (``Rule 17a-4'') (setting forth 
record preservation and maintenance requirements for broker-
dealers); 17 CFR 240.17Ad-7 (``Rule 17ad-7'') (setting forth record 
preservation and maintenance requirements for transfer agents); 17 
CFR 240.18a-6 (``Rule 18a-6'') (setting forth record preservation 
and maintenance requirements for SBS Entities). The Commission's 
proposal includes an amendment to a CFR designation in order to 
ensure regulatory text conforms more consistently with section 2.13 
of the Document Drafting Handbook. See Office of the Federal 
Register, Document Drafting Handbook (Aug. 2018 Edition, Revision 
1.4, dated January 7, 2022), available at https://www.archives.gov/files/federal-register/write/handbook/ddh.pdf. In particular, the 
proposal is to amend the CFR section designation for Rule 17Ad-7 (17 
CFR 240.17Ad-7) to replace the uppercase letter with the 
corresponding lowercase letter, such that the rule would be 
redesignated as Rule 17ad-7 (17 CFR 240.17ad-7).
    \382\ This amendment would add a new paragraph (e)(13) to Rule 
17a-4.
    \383\ This amendment would add a new paragraph (j) to Rule 17ad-
7.
    \384\ This amendment would add a new paragraph (d)(6) to Rule 
18a-6.
    \385\ See paragraphs (f) of Rule 17a-4, (f) of Rule 17ad-7, and 
(e) of Rule 18a-6 (setting forth requirements for electronic records 
applicable to broker-dealers, transfer agents, and SBS Entities, 
respectively).
---------------------------------------------------------------------------

    Exchange Act Rule 17a-1 (``Rule 17a-1'')--the record maintenance 
and preservation rule applicable to registered clearing agencies, the 
MSRB, national securities associations, and national securities 
exchanges--as it exists today would require the preservation of the 
Rule 10 Records.\386\ In particular, Rule 17a-1 requires these types of 
Covered Entities to keep and preserve at least one copy of all 
documents, including all correspondence, memoranda, papers, books, 
notices, accounts, and other such records as shall be made or received 
by the Covered Entity in the course of its business as such and in the 
conduct of its self-regulatory activity.\387\ Furthermore, Rule 17a-1 
provides that the Covered Entity must keep the documents for a period 
of not less than five years, the first two years in an easily 
accessible place, subject to the destruction and disposition provisions 
of Exchange Act Rule 17a-6.\388\ Consequently, under the existing 
provisions of Rule 17a-1, registered clearing agencies, the MSRB, 
national securities associations, and national securities exchanges 
would be required to preserve at least one copy of the Rule 10 Records 
for at least five years, the first two years in an easily accessible 
place. In the case of the written policies and procedures to address 
cybersecurity risks, pursuant to Rule 17a-1 the record would need to be 
maintained until five years after the termination of the use of the 
policies and procedures.\389\
---------------------------------------------------------------------------

    \386\ See 17 CFR 240.17a-1.
    \387\ See paragraph (a) of Rule 17a-1.
    \388\ See paragraph (b) of Rule 17a-1; 17 CFR 240.17a-6 (``Rule 
17a-6''). Rule 17a-6 of the Exchange Act provides that an SRO may 
destroy such records at the end of the five year period or at an 
earlier date as is specified in a plan for the destruction or 
disposition of any such documents if such plan has been filed with 
the Commission by the SRO and has been declared effective by the 
Commission.
    \389\ See, e.g., Nationally Recognized Statistical Rating 
Organizations, Exchange Act Release No. 72936 (Aug. 27, 2014) [79 FR 
55078, 55099-100 (Sept. 15, 2014)] (explaining why preservation 
periods for written policies and procedures are based on when a 
version of the policies and procedures is updated or replaced).
---------------------------------------------------------------------------

    Similarly, Exchange Act Rule 13n-7 (``Rule 13n-7'')--the record 
maintenance and preservation rule applicable to SBSDRs--as it exists 
today would require the preservation of the Rule 10 Records.\390\ In 
particular, Rule 13n-7 requires SBSDRs to, among other things, keep and 
preserve at least one copy of all documents, including all documents 
and policies and procedures required by the Exchange Act and the rules 
and regulations thereunder, correspondence, memoranda, papers, books, 
notices, accounts, and other such records as shall be made or received 
by it in the course of its business as such.\391\ Furthermore, Rule 
13n-7 provides that the SBSDR must keep the documents for a period of 
not less than five years, the first two years in a place that is 
immediately available to representatives of the Commission for 
inspection and examination.\392\ Consequently, under the existing 
provisions of Rule 13n-7, SBSDRs would be required to preserve at least 
one copy of the Rule 10 Records for at least five years, the first two 
years in a place that is immediately available to representatives of 
the Commission for inspection and examination. In the case of the 
written policies and procedures to address cybersecurity risks, the 
Commission interprets this provision of Rule 13n-7 to require that the 
record would need to be maintained until five years after the 
termination of the use of the policies and procedures.
---------------------------------------------------------------------------

    \390\ See 17 CFR 240.13n-7.
    \391\ See paragraph (b)(1) of Rule 13n-7.
    \392\ See paragraph (b)(2) of Rule 13n-7.
---------------------------------------------------------------------------

    Clearing agencies that are exempt from registration would be 
Covered Entities under proposed Rule 10.\393\ Exempt clearing agencies 
are not subject to Rule 17a-1. However, while exempt clearing 
agencies--as entities that have limited their clearing agency 
functions--might not be subject to the full range of clearing agency 
regulation, the Commission has stated that, for example, an entity 
seeking an exemption from clearing agency registration for matching 
services would be required to, among other things, allow the Commission 
to inspect its facilities and records.\394\ In this regard, exempt 
clearing agencies are subject to conditions that mirror certain of the 
recordkeeping requirements in Rule 17a-1,\395\ as set forth in the 
respective Commission orders exempting each exempt clearing agency from 
the requirement to register as a clearing agency (the ``clearing agency 
exemption orders'').\396\ Pursuant to the terms and conditions of the 
clearing agency exemption orders, the Commission may modify by order 
the terms, scope, or conditions if the Commission determines that such 
modification is necessary or appropriate in the public interest, for 
the protection of investors, or otherwise in furtherance of the

[[Page 20262]]

purposes of the Exchange Act.\397\ In support of the public interest 
and the protection of investors, the Commission is proposing to amend 
the clearing agency exemption orders to add a condition that each 
exempt clearing agency must retain the Rule 10 Records for a period of 
at least five years after the record is made or, in the case of the 
written policies and procedures to address cybersecurity risks, for at 
least five years after the termination of the use of the policies and 
procedures.
---------------------------------------------------------------------------

    \393\ See paragraph (a)(1)(ii) of proposed Rule 10 (defining as 
a ``covered entity'' a clearing agency (registered or exempt) under 
section 3(a)(23)(A) of the Exchange Act). See also section I.A.2.c. 
of this release (discussing the clearing agency exemptions provided 
by the Commission).
    \394\ See Confirmation and Affirmation of Securities Trades; 
Matching, Exchange Act Release No. 39829 (Apr. 6, 1998) [63 FR 17943 
(Apr. 13, 1998)] (providing interpretive guidance and requesting 
comment on the confirmation and affirmation of securities trades and 
matching).
    \395\ See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning 
BSTP's exemption by requiring BSTP to, among other things, preserve 
a copy or record of all trade details, allocation instructions, 
central trade matching results, reports and notices sent to 
customers, service agreements, reports regarding affirmation rates 
that are sent to the Commission or its designee, and any complaint 
received from a customer, all of which pertain to the operation of 
its matching service and ETC service. BSTP shall retain these 
records for a period of not less than five years, the first two 
years in an easily accessible place.).
    \396\ See DTCC ITP Matching Order, 66 FR 20494; BSTP SS&C Order, 
80 FR 75388; Euroclear Bank Order, 81 FR 93994.
    \397\ See Clearstream Banking Order, 62 FR 9225.
---------------------------------------------------------------------------

b. Request for Comment
    The Commission requests comment on all aspects of the proposed 
recordkeeping requirements. In addition, the Commission is requesting 
comment on the following specific aspects of the proposals:
    73. Should the proposed amendments to Rules 17a-4, 18a-6, and/or 
17ad-7 be modified? If so, describe how they should be modified and 
explain why the modification would be appropriate. For example, should 
the retention periods for the records be five years (consistent with 
Rule 17a-1) or some other period of years as opposed to three years? If 
so, explain why. If not, explain why not.
    74. As discussed above, the Commission is proposing to amend the 
clearing agency exemption orders to specifically require the exempt 
clearing agencies to retain the Rule 10 Records. Should the ordering 
language be consistent with the proposed amendments to Rules 17a-4, 
17ad-7, and 18a-6? For example, should the ordering language provide 
that the exempt clearing agency must maintain and preserve: (1) the 
written policies and procedures required to be adopted and implemented 
pursuant to paragraph (b)(1) of proposed Rule 10 until five years after 
the termination of the use of the policies and procedures; (2) the 
written documentation of any risk assessment pursuant to paragraph 
(b)(1)(i)(B) of proposed Rule 10 for five years; (3) the written 
documentation of the occurrence of a cybersecurity incident pursuant to 
paragraph (b)(1)(v)(B) of proposed Rule 10, including any documentation 
related to any response and recovery from such an incident, for five 
years; (4) the written report of the annual review required to be 
prepared pursuant to paragraph (b)(2)(ii) of proposed Rule 10 for five 
years; (5) a copy of any notice transmitted to the Commission pursuant 
to paragraph (c)(1) of proposed Rule 10 or any Part I of proposed Form 
SCIR filed with the Commission pursuant to paragraph (c)(2) of proposed 
Rule 10 for five years; and (6) a copy of any Part II of proposed Form 
SCIR filed with the Commission pursuant to paragraph (d) of proposed 
Rule 10 for five years? Additionally, should the ordering language 
provide that the exempt clearing agency must allow the Commission to 
inspect its facilities and records? If so, explain why. If not, explain 
why not.

C. Proposed Requirements for Non-Covered Broker-Dealers

1. Cybersecurity Policies and Procedures, Annual Review, Notification, 
and Recordkeeping
    As discussed earlier, not all broker-dealers would be Covered 
Entities under proposed Rule 10.\398\ Consequently, these Non-Covered 
Broker-Dealers would not be subject to the requirements of proposed 
Rule 10 to: (1) include certain elements in their cybersecurity risk 
management policies and procedures; \399\ (2) file confidential reports 
that provide information about the significant cybersecurity incident 
with the Commission and, for some Covered Entities, other regulators; 
\400\ and (3) make public disclosures about their cybersecurity risks 
and the significant cybersecurity incidents they experienced during the 
current or previous calendar year.\401\
---------------------------------------------------------------------------

    \398\ See section II.A.1. of this release (discussing the 
definition of ``covered entity'' and why certain broker-dealers 
would not be included within the definition).
    \399\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
    \400\ See paragraph (c)(2) of proposed Rule 10. See also 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity risk'').
    \401\ See paragraph (d) of proposed Rule 10.
---------------------------------------------------------------------------

    In light of their limited business activities, Non-Covered Broker-
Dealers would not be subject to the same requirements as would Covered 
Entities. Instead, Non-Covered Broker-Dealers would be required to 
establish, maintain, and enforce written policies and procedures that 
are reasonably designed to address their cybersecurity risks taking 
into account the size, business, and operations of the firm.\402\ They 
also would be required to review and assess the design and 
effectiveness of their cybersecurity policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review. They also would be 
required to make a record with respect to the annual review. In 
addition, they would be required to provide the Commission and their 
examining authority with immediate written electronic notice of a 
significant cybersecurity incident affecting them.\403\ Finally, they 
would be required to maintain and preserve versions of their policies 
and procedures and the record of the annual review.
---------------------------------------------------------------------------

    \402\ See paragraph (e)(1) of proposed Rule 10.
    \403\ See paragraph (e)(2) of proposed Rule 10.
---------------------------------------------------------------------------

    A Non-Covered Broker-Dealer could be a firm that limits its 
business to selling mutual funds on a subscription-way basis or a 
broker-dealer that limits its business to engaging in private 
placements for clients. Alternatively, it could be a broker-dealer that 
limits its business to effecting securities transactions in order to 
facilitate mergers, acquisitions, business sales, and business 
combinations or a broker-dealer that limits its business to engaging in 
underwritings for issuers. Moreover, a Non-Covered Broker-Dealer--
because it does not meet the definition of ``covered entity''--would 
not be a broker-dealer that: maintains custody of customer securities 
and cash; \404\ connects to a broker-dealer that maintains custody of 
customer securities through an introducing relationship; \405\ is a 
large proprietary trading firm; \406\ operates as a market maker; \407\ 
or operates an ATS.\408\
---------------------------------------------------------------------------

    \404\ See paragraph (a)(1)(i)(A) of proposed Rule 10 (defining 
``covered entity'' to include a broker-dealer that maintains custody 
of cash and securities for customers or other broker-dealers and is 
not exempt from the requirements of Rule 15c3-3).
    \405\ See paragraph (a)(1)(i)(B) of proposed Rule 10 (defining 
``covered entity'' to include a broker-dealer that introduces 
customer accounts on a fully disclosed basis to another broker-
dealer that maintains custody of cash and securities for customers 
or other broker-dealers and is not exempt from the requirements of 
Rule 15c3-3).
    \406\ See paragraphs (a)(1)(i)(C) and (D) of proposed Rule 10 
(defining ``covered entity'' to include a broker-dealer with 
regulatory capital equal to or exceeding $50 million or total assets 
equal to or exceeding $1 billion).
    \407\ See paragraph (a)(1)(i)(E) of proposed Rule 10 (defining 
``covered entity'' to include a broker-dealer that is a market maker 
under the Exchange Act or the rules thereunder (which includes a 
broker-dealer that operates pursuant to Rule 15c3-1(a)(6)) or is a 
market maker under the rules of an SRO of which the broker-dealer is 
a member).
    \408\ See paragraph (a)(1)(i)(F) of proposed Rule 10 (defining 
``covered entity'' to include a broker-dealer that is an ATS).
---------------------------------------------------------------------------

    A broker-dealer that limits its business to one of the activities 
described above and that does not engage in functions that would make 
it a Covered Entity under proposed Rule 10 generally does not use 
information systems to carry out its operations to the same degree as a 
broker-dealer that is a Covered Entity. For example, the information 
systems used by a Non-Covered Broker-Dealer could be limited to smart 
phones and personal computers with internet and email access. Moreover, 
this type of firm may have a small staff of employees using these 
information systems. Therefore, the

[[Page 20263]]

overall footprint of the information systems used by a Non-Covered 
Broker-Dealer may be materially smaller in scale and complexity than 
the footprint of the information systems used by a broker-dealer that 
is a Covered Entity. In addition, the amount of data stored on these 
information systems relating to the Non-Covered Broker-Dealer's 
business may be substantially less than the amount of data stored on a 
Covered Entity's information systems. This means the information system 
perimeter of these firms that needs to be protected from cybersecurity 
threats and vulnerabilities is significantly smaller than that of a 
Covered Broker-Dealer. For these reasons, proposed Rule 10 would 
provide that the written policies and procedures required of a Non-
Covered Broker-Dealer must be reasonably designed to address the 
cybersecurity risks of the firm taking into account the size, business, 
and operations of the firm.
    Therefore, unlike the requirements for a Covered Entity, proposed 
Rule 10 does not specify minimum elements that would need to be 
included in a Non-Covered Broker-Dealer's policies and procedures.\409\ 
Nonetheless, a Non-Covered Broker-Dealer may want to consider whether 
any of those required elements would be appropriate components of its 
policies and procedures for addressing cybersecurity risk.\410\
---------------------------------------------------------------------------

    \409\ See paragraph (b)(1) of proposed Rule 10 (setting forth 
the elements that would need to be included in a Covered Entity's 
policies and procedures).
    \410\ As discussed earlier, the elements are consistent with 
industry standards for addressing cybersecurity risk. See section 
II.B.1. of this release (discussing the policies and procedures 
requirements for Covered Entities).
---------------------------------------------------------------------------

    Proposed Rule 10 also would require that the Non-Covered Broker-
Dealer annually review and assess the design and effectiveness of its 
cybersecurity policies and procedures, including whether the policies 
and procedures reflect changes in cybersecurity risk over the time 
period covered by the review.\411\ The annual review and assessment 
requirement is designed to require Non-Covered Broker-Dealers to 
evaluate whether their cybersecurity policies and procedures continue 
to work as designed. Non-Covered Broker-Dealers could consider using 
this information to determine whether changes are needed to assure 
their continued effectiveness (i.e., to make sure their policies and 
procedures continue to be reasonably designed to address their 
cybersecurity risks as required by the rule).
---------------------------------------------------------------------------

    \411\ See paragraph (e)(1) of proposed Rule 10.
---------------------------------------------------------------------------

    The rule also would require the Non-Covered Broker-Dealer to make a 
written record that documents the steps taken in performing the annual 
review and the conclusions of the annual review. Therefore, Non-Covered 
Broker-Dealers would need to make a record of the review rather than 
documenting the review in a written report, as would be required of 
Covered Entities.\412\ A report is a means to communicate information 
within an organization. The personnel that prepare the report for the 
Covered Entity would be able to use it to communicate their assessment 
of the firm's policies and procedures to others within the organization 
such as senior managers. For purposes of proposed Rule 10, a record, 
among other things, is a means to document that an activity took place, 
for example, to demonstrate compliance with a requirement. As discussed 
above, Non-Covered Broker-Dealers generally would be smaller and less 
complex organizations than Covered Entities. A record of the annual 
review could be used by Commission examination staff to review the Non-
Covered Broker-Dealer's compliance with the annual review requirement 
without imposing the additional process involved in creating an 
internal report.
---------------------------------------------------------------------------

    \412\ See section II.B.1.f. of this release (discussing in more 
detail the annual report that would be required of Covered 
Entities).
---------------------------------------------------------------------------

    As discussed earlier, Covered Entities would be subject to a 
requirement to give the Commission immediate written electronic notice 
of a significant cybersecurity incident upon having a reasonable basis 
to conclude that the significant cybersecurity incident has occurred or 
is occurring.\413\ Non-Covered Broker-Dealers would be subject to the 
same immediate written electronic notice requirement. In particular, 
they would be required to give immediate written electronic notice to 
the Commission of a significant cybersecurity incident upon having a 
reasonable basis to conclude that the incident has occurred or is 
occurring.\414\ The Commission would keep the notices nonpublic to the 
extent permitted by law. The notice would need to identify the Non-
Covered Broker-Dealer, state that the notice is being given to alert 
the Commission of a significant cybersecurity incident impacting the 
Non-Covered Broker-Dealer, and provide the name and contact information 
of an employee of the Non-Covered Broker-Dealer who can provide further 
details about the nature and scope of the significant cybersecurity 
incident. In addition, Non-Covered Broker-Dealers--like Covered Broker-
Dealers--would need to give the notice to their examining 
authority.\415\ The immediate written electronic notice is designed to 
alert the Commission on a confidential basis to the existence of a 
significant cybersecurity incident impacting a Non-Covered Broker-
Dealer so the Commission staff can quickly begin to assess the event.
---------------------------------------------------------------------------

    \413\ See paragraph (c)(1) of proposed Rule 10. See also section 
II.B.2.a. of this release (discussing the immediate notification 
requirement for Covered Entities in more detail).
    \414\ See paragraph (e)(2) of proposed Rule 10. See also 
paragraph (a)(10) of proposed Rule 10 (defining the term 
``significant cybersecurity incident'').
    \415\ See paragraph (e)(2) of proposed Rule 10. See also 
paragraph (c)(1)(i) of proposed Rule 10 (requiring Covered Broker-
Dealers to provide the notice to their examining authority).
---------------------------------------------------------------------------

    Finally, as discussed above, proposed Rule 10 would require the 
Non-Covered Broker-Dealer to: (1) establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
the cybersecurity risks of the firm; (2) make a written record that 
documents its annual review; and (3) provide immediate electronic 
written notice to the Commission of a significant cybersecurity 
incident upon having a reasonable basis to conclude that the 
significant cybersecurity incident has occurred or is occurring.\416\ 
The Commission is proposing to amend the broker-dealer record 
preservation and maintenance rule to identify these records 
specifically as being subject to the rule's requirements.\417\ Under 
the amendments, the written policies and procedures would need to be 
maintained until three years after the termination of the use of the 
policies and procedures and all other records would need to be 
maintained for three years.
---------------------------------------------------------------------------

    \416\ See paragraph (e) of proposed Rule 10.
    \417\ This amendment would add a new paragraph (e)(13) to Rule 
17a-4.
---------------------------------------------------------------------------

2. Request for Comment
    The Commission requests comment on all aspects of the proposed 
requirements for non-covered broker-dealers. In addition, the 
Commission is requesting comment on the following specific aspects of 
the proposals:
    75. Should paragraph (e)(1) of proposed Rule 10 be modified to 
specify certain minimum elements that would need to be included in the 
policies and procedures of Non-Covered Broker-Dealers? If so, identify 
the elements and explain why they should be included. For example, 
should paragraph (e) of proposed Rule 10 specify that the policies and 
procedures must include policies and procedures to address any
or all of the following: (1) risk assessment; (2) user security and 
access; (3) information protection; (4) cybersecurity threat and 
vulnerability management; and (5) cybersecurity incident response and 
recovery? If so, explain why. If not, explain why not.
    76. Should paragraph (e)(2) of proposed Rule 10 be modified to 
require the notice to be given within a specific timeframe such as on 
the same day the requirement was triggered or within 24 hours? If so, 
explain why. If not, explain why not.
    77. Should paragraph (e)(2) of proposed Rule 10 be modified to 
revise the trigger for the immediate notification requirement? If so, 
explain why. If not, explain why not. For example, should the trigger 
be when the Non-Covered Broker-Dealer ``detects'' a significant 
cybersecurity incident (rather than when it has a reasonable basis to 
conclude that the significant cybersecurity incident has occurred or is 
occurring)? If so, explain why. If not, explain why not. For example, 
would a detection standard be a less subjective standard? If so, 
explain why. If not, explain why not. Is there another trigger standard 
that would be more appropriate? If so, identify it and explain why it 
would be more appropriate.
    78. Should paragraph (e)(2) of proposed Rule 10 be modified to 
eliminate the requirement that a Non-Covered Broker-Dealer give the 
Commission immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the significant cybersecurity incident has occurred or is occurring? If 
so, explain why. If not, explain why not. For example, would this 
requirement be unduly burdensome on Non-Covered Broker-Dealers? Please 
explain.
    79. If the immediate notification requirement of paragraph (e)(2) 
is adopted as proposed, it is anticipated that a dedicated email 
address would be established to receive these notices. Are there other 
methods the Commission should use for receiving these notices? If so, 
identify them and explain why they would be more appropriate than 
email. For example, should the notices be received through the EDGAR 
system? If so, explain why. If not, explain why not.
    80. Should paragraph (e) of proposed Rule 10 be modified to include 
any other requirements that would be applicable to Covered Entities 
under proposed Rule 10 that also should be required of Non-Covered 
Broker-Dealers? If so, identify them and explain why they should apply 
to Non-Covered Broker-Dealers. For example, should the paragraph be 
modified to require Non-Covered Broker-Dealers to report information 
about a significant cybersecurity incident confidentially on Part I of 
proposed Form SCIR? If so, explain why. If not, explain why not. Should 
the timeframe for filing Part I of proposed Form SCIR be longer for 
Non-Covered Broker-Dealers? For example, should the reporting timeframe 
be within 72 or 96 hours instead of 48 hours? Please explain. If Non-
Covered Broker-Dealers were required to file Part I of Form SCIR, 
should they be permitted to provide more limited information about the 
significant cybersecurity incident than Covered Entities? If so, 
identify the more limited set of information and explain why it would 
be appropriate to permit Non-Covered Broker-Dealers to omit the 
additional information that Covered Entities would need to report.
    81. Should Non-Covered Broker-Dealers be required to make and 
preserve for three years in accordance with Rule 17a-4 a record of any 
significant cybersecurity incident that impacts them containing some or 
all of the information that would be reported by Covered Entities on 
Part I of proposed Form SCIR? If so, explain why. If not, explain why 
not.
    82. Should paragraph (e) of proposed Rule 10 be modified to require 
a Non-Covered Broker-Dealer to prepare a written report of the annual 
review (rather than a record, as proposed)? If so, explain why. If not, 
explain why not.

D. Cross-Border Application of the Proposed Cybersecurity Requirements 
to SBS Entities

1. Background on the Cross-Border Application of Title VII Requirements
    Security-based swap transactions take place across national 
borders, with agreements negotiated and executed between counterparties 
in different jurisdictions (which might then be booked and risk-managed 
in still other jurisdictions).\418\ Mindful that this global market 
developed prior to the enactment of the Dodd-Frank Act and the fact 
that the application of Title VII \419\ to cross-border activities 
raises issues of potential conflict or overlap with foreign regulatory 
regimes,\420\ the Commission has adopted a taxonomy to classify 
requirements under section 15F of the Exchange Act as applying at 
either the transaction-level or at the entity-level.\421\ Transaction-
level requirements under section 15F of the Exchange Act are those that 
primarily focus on protecting counterparties to security-based swap 
transactions by requiring SBSDs to, among other things, provide certain 
disclosures to counterparties, adhere to certain standards of business 
conduct, and segregate customer funds, securities, and other 
assets.\422\ In contrast to transaction-level requirements, entity-
level requirements under section 15F of the Exchange Act are those that 
are expected to play a role in ensuring the safety and soundness of the 
SBS Entity and thus relate to the entity as a whole.\423\ Entity-level 
requirements include capital and margin requirements, as well as other 
requirements relating to a firm's identification and management of its 
risk exposure, including the risk management procedures required under 
section 15F(j) of the Exchange Act, a statutory basis for rules 
applicable to SBS Entities that the Commission is proposing in this 
release.\424\ Because these requirements relate to the entire entity, 
they apply to SBS Entities on a firm-wide basis, without 
exception.\425\
---------------------------------------------------------------------------

    \418\ See Cross-Border Proposing Release, 78 FR at 30976, n. 48.
    \419\ Unless otherwise indicated, references to ``Title VII'' in 
this section of this release are to Subtitle B of Title VII of the 
Dodd-Frank Act.
    \420\ See Cross-Border Proposing Release, 78 FR at 30975.
    \421\ See id. at 31008-25. See also Business Conduct Standards 
for Security-Based Swap Dealers and Major Security-Based Swap 
Participants, Exchange Act Release No. 77617 (Apr. 14, 2016) [81 FR 
29959, 30061-69 (May 13, 2016)] (``Business Conduct Standards 
Adopting Release'').
    \422\ Cross-Border Proposing Release, 78 FR at 31010.
    \423\ See id. at 31011, 31035.
    \424\ See id. at 31011-16 (addressing the classification of 
capital and margin requirements, as well as of the risk management 
requirements of section 15F(j) of the Exchange Act and other entity-
level requirements applicable to SBSDs).
    \425\ See id. at 31011, 31024-25. See also id. at 31035 
(applying the analysis to MSBSPs). In reaching this conclusion, the 
Commission explained that it ``preliminarily believes that entity-
level requirements are core requirements of the Commission's 
responsibility to ensure the safety and soundness of registered 
security based swap dealers,'' and that ``it would not be consistent 
with this mandate to provide a blanket exclusion to foreign 
security-based swap dealers from entity-level requirements 
applicable to such entities.'' Id. at 31024 (footnotes omitted). The 
Commission further expressed the preliminary view that concerns 
regarding the application of entity-level requirements to foreign 
SBSDs would largely be addressed through the proposed approach to 
substituted compliance. See id.
---------------------------------------------------------------------------

    The Commission applied this taxonomy in 2016 when it adopted rules 
to implement business conduct standards for SBS Entities. At that time, 
the Commission also stated that the rules and regulations prescribed 
under section 15F(j) should be treated as entity-level 
requirements.\426\ The
Commission has not, however, expressly addressed the entity-level 
treatment of the cybersecurity requirements under proposed Rule 10, 
except with regard to recordkeeping and reporting.\427\
---------------------------------------------------------------------------

    \426\ See Business Conduct Standards Adopting Release, 81 FR at 
30064-65.
    \427\ The Commission has previously stated that recordkeeping 
and reporting requirements are entity-level requirements. See 
Recordkeeping and Reporting Requirements for Security-Based Swap 
Dealers, Major Security-Based Swap Participants, and Broker-Dealers, 
Exchange Act Release No. 87005 (Sept. 19, 2019), 84 FR 68550, 68596-
97 (Dec. 16, 2019) (``SBS Entity Recordkeeping and Reporting 
Adopting Release'').
---------------------------------------------------------------------------

2. Proposed Entity-Level Treatment
a. Proposal
    Consistent with its approach to the obligations described in 
Section 15F(j) and to capital,\428\ margin,\429\ risk mitigation,\430\ 
and recordkeeping,\431\ the Commission is proposing to apply the 
requirements of proposed Rule 10 to an SBS Entity's entire security-
based swap business without exception, including in connection with any 
security-based swap business it conducts with foreign 
counterparties.\432\
---------------------------------------------------------------------------

    \428\ See Capital, Margin, and Segregation Requirements for 
Security-Based Swap Dealers and Major Security-Based Swap 
Participants and Capital and Segregation Requirements for Broker-
Dealers, Exchange Act Release No. 86175 (Jun. 21, 2019), 84 FR 
43872, 43879 (Aug. 22, 2019) (``Capital, Margin, and Segregation 
Requirements Adopting Release'').
    \429\ Id.
    \430\ See Risk Mitigation Techniques for Uncleared Security-
Based Swaps, Exchange Act Release No. 87782 (Dec. 18, 2019) [85 FR 
6359, 6378 (Feb. 4, 2020)] (``SBS Entity Risk Mitigation Adopting 
Release'').
    \431\ See SBS Entity Recordkeeping and Reporting Adopting 
Release, 84 FR at 68596-97.
    \432\ Because the proposed cybersecurity requirements are entity-
level requirements, transaction-level exceptions such as those in 17 
CFR 3a71-3(c) and 17 CFR 3a67-10(d) would not be available for them.
---------------------------------------------------------------------------

    Cybersecurity policies and procedures and the related requirements 
of proposed Rule 10 serve as an important mechanism for allowing SBS 
Entities and their counterparties to manage risks associated with their 
operations, including risks related to the entity's safety and 
soundness.\433\ An alternative approach that does not require an SBS 
Entity to take steps to manage cybersecurity risk throughout the firm's 
entire business could contribute to operational risk affecting the 
entity's security-based swap business as a whole, and not merely 
specific security-based swap transactions. Moreover, to the extent that 
these risks affect the safety and soundness of the SBS Entity, they 
also may affect the firm's counterparties and the functioning of the 
broader security-based swap market. Accordingly, the Commission 
proposes to apply the requirements to the entirety of an SBS Entity's 
business.\434\ However, as described below, the Commission is proposing 
that foreign SBS Entities have the potential to avail themselves of 
substituted compliance to satisfy the cybersecurity requirements under 
proposed Rule 10.
---------------------------------------------------------------------------

    \433\ See sections I.A. and II.B.1. of this release (discussing, 
respectively, cybersecurity risks and how those risks can be managed 
by certain policies, procedures, and controls). See also sections 
II.B.2-5 of this release.
    \434\ The Commission has expressed the view that an entity that 
has registered with the Commission subjects itself to the entire 
regulatory system governing such registered entities. Cross-Border 
Proposing Release, 78 FR at 30986. See also Business Conduct 
Standards Adopting Release, 81 FR at n.1306 (determining that the 
requirements described in section 15F(j) of the Exchange Act should 
be treated as entity-level requirements, and stating that such 
treatment would not be tantamount to applying Title VII to persons 
that are ``transact[ing] a business in security-based swaps without 
the jurisdiction of the United States,'' within the meaning of 
section 30(c) of the Exchange Act). That treatment of section 15F(j) 
of the Exchange Act was also deemed necessary or appropriate as a 
prophylactic measure to help prevent the evasion of the provisions 
of the Exchange Act that were added by the Dodd-Frank Act, and thus 
help prevent the relevant purposes of the Dodd-Frank Act from being 
undermined. Id. (citing Application of ``Security-Based Swap 
Dealer'' and ``Major Security-Based Swap Participant'' Definitions 
to Cross-Border Security-Based Swap Activities; Republication, 
Exchange Act Release No. 72472 (June 25, 2014) [79 FR 47277, 47291-
92 (Aug. 12, 2014)] (``SBS Entity Definitions Adopting Release'') 
(interpreting anti-evasion provisions of the Exchange Act, section 
30(c)). A different approach in connection with proposed Rule 10 
would not be consistent with the purposes of Title VII of the Dodd-
Frank Act and could allow SBS Entities to avoid compliance with 
these proposed rules for portions of their business in a manner that 
could increase the risk to the registered entity.
---------------------------------------------------------------------------

b. Request for Comment
    The Commission generally requests comments on the proposed entity-
level application of proposed Rule 10. In addition, the Commission 
requests comments on the following specific issues:
    83. Does the proposed approach appropriately treat the proposed 
requirements as entity-level requirements applicable to the entire 
business conducted by foreign SBS Entities? If not, please identify any 
particular aspects of proposed Rule 10 that should not be applied to a 
foreign SBS Entity, or applied only to specific transactions, and 
explain how such an approach would be consistent with the goals of 
Title VII of the Dodd-Frank Act.
    84. Should the Commission apply the same cross-border approach to 
the application of proposed Rule 10 for both SBSDs and MSBSPs? If not, 
please describe how the cross-border approach for SBSDs should differ 
from the cross-border approach for MSBSPs, and explain the reason(s) 
for any potential differences in approach.
    85. What types of conflicts might a foreign SBS Entity face if it 
had to comply with proposed Rule 10 in more than one jurisdiction? In 
what situations would compliance with more than one of these 
requirements be difficult or impossible? For Market Entities that are 
U.S. persons, could compliance with the proposed rules create 
compliance challenges with requirements in a foreign jurisdiction?
    86. As an alternative to treating the proposed requirements as 
entity-level requirements, should the Commission instead treat the 
proposed requirements as transaction-level requirements? If so, to 
which cross-border security-based swap transactions should these 
requirements apply and why? Please describe how these requirements 
would apply differently if classified as transaction-level requirements 
instead of as entity-level requirements.

3. Availability of Substituted Compliance
a. Existing Substituted Compliance Rule
    In 2016,\435\ the Commission adopted Exchange Act Rule 3a71-6 
(``Rule 3a71-6'') \436\ to provide that the Commission may, by order, 
make a determination that compliance with specified requirements under 
a foreign financial regulatory system by non-U.S. SBS Entities \437\ 
may satisfy certain business conduct requirements under Exchange Act 
section 15F, subject to certain conditions. The rule in part provides 
that the Commission shall not make a determination providing for 
substituted compliance unless the Commission determines, among other 
things, that the foreign regulatory requirements are
comparable to otherwise applicable requirements.\438\
---------------------------------------------------------------------------

    \435\ See Business Conduct Standards Adopting Release, 81 FR at 
30070-81. Separately, in 2015, the Commission adopted a rule making 
substituted compliance potentially available in connection with 
certain regulatory reporting and public dissemination requirements 
related to security-based swaps. See Regulation SBSR-Reporting and 
Dissemination of Security-Based Swap Information, Exchange Act 
Release No. 74244 (Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] 
(adopting 17 CFR 242.908 (``Rule 908'')). Paragraph (c) of Rule 908 
does not contemplate substituted compliance for the rules being 
proposed today.
    \436\ See 17 CFR 240.3a71-6.
    \437\ If the Commission makes a substituted compliance 
determination under paragraph (a)(1) of Rule 3a71-6, SBS Entities 
that are not U.S. persons (as defined in 17 CFR 240.3a71-3(a)(4) 
(``Rule 3a71-3(a)(4)'')), but not SBS Entities that are U.S. 
persons, may satisfy specified requirements by complying with 
comparable foreign requirements and any conditions set forth in the 
substituted compliance determination made by the Commission. See 
paragraphs (b) and (d) of Rule 3a71-6.
    \438\ See paragraph (a)(2) of Rule 3a71-6. See also Business 
Conduct Standards Adopting Release, 81 FR at 30074.
---------------------------------------------------------------------------

    When the Commission adopted this substituted compliance rule that 
addressed the specified business conduct requirements, the Commission 
also noted that Exchange Act section 15F(j)(7) authorizes the 
Commission to prescribe rules governing the duties of SBS 
Entities.\439\ The Commission stated that it was not excluding that 
provision from the potential availability of substituted compliance, 
and that it expected to separately consider whether substituted 
compliance may be available in connection with any future rules 
promulgated pursuant to that provision.\440\ Further, the Commission 
stated that it expected to assess the potential availability of 
substituted compliance in connection with other requirements when the 
Commission considers final rules to implement those requirements.\441\ 
Consistent with these statements, the Commission subsequently amended 
Rule 3a71-6 to provide SBS Entities that are non-U.S. persons with the 
potential to avail themselves of substituted compliance with respect to 
the following Title VII requirements: (1) trade acknowledgment and 
verification,\442\ (2) capital and margin requirements,\443\ (3) 
recordkeeping and reporting,\444\ and (4) portfolio reconciliation, 
portfolio compression, and trading relationship documentation.\445\
---------------------------------------------------------------------------

    \439\ Business Conduct Standards Adopting Release, 81 FR at n. 
1438.
    \440\ Id.
    \441\ See Business Conduct Standards Adopting Release, 81 FR at 
30074.
    \442\ See Trade Acknowledgment and Verification of Security-
Based Swap Transactions, Exchange Act Release No. 78011 (Jun. 8, 
2016) [81 FR 39807, 39827-28 (Jun. 17, 2016)] (``SBS Entity Trade 
Acknowledgment and Verification Adopting Release'').
    \443\ See Capital, Margin, and Segregation Requirements Adopting 
Release, 84 FR at 43948-50.
    \444\ See SBS Entity Recordkeeping and Reporting Adopting 
Release, 84 FR at 68597-99.
    \445\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6379-80.
---------------------------------------------------------------------------

b. Proposed Amendment to Rule 3a71-6
    The Commission is proposing to further amend Rule 3a71-6 to provide 
SBS Entities that are not U.S. persons (as defined in Rule 3a71-3(a)(4) 
of the Exchange Act) with the potential to avail themselves of 
substituted compliance to satisfy the cybersecurity requirements of 
proposed Rule 10 and Form SCIR as applicable to SBS Entities.\446\ In 
proposing to amend the rule, the Commission preliminarily believes that 
the principles associated with substituted compliance, as previously 
adopted in connection with both the business conduct requirements and 
the recordkeeping and reporting requirements, in large part should 
similarly apply to the cybersecurity risk management requirements 
being proposed today. The discussions in the Business Conduct 
Standards Adopting Release, including for example those regarding 
consideration of supervisory and enforcement practices,\447\ certain 
multi-jurisdictional issues,\448\ and application procedures \449\ are 
applicable to the proposed cybersecurity requirements. Accordingly, the 
proposed substituted compliance rule would apply to the cybersecurity 
risk management requirements in the same manner as it already applies 
to existing business conduct requirements and the recordkeeping and 
reporting requirements.
---------------------------------------------------------------------------

    \446\ Substituted compliance would only be available to eligible 
SBS Entities. For example, substituted compliance would not be 
available to a Market Entity registered as both an SBS Entity and a 
broker-dealer with respect to the broker-dealer's obligations under 
the proposed rules.
    \447\ Business Conduct Standards Adopting Release, 81 FR at 
30079.
    \448\ Business Conduct Standards Adopting Release, 81 FR at 
30079-80.
    \449\ Business Conduct Standards Adopting Release, 81 FR at 
30080-81.
---------------------------------------------------------------------------

    Making substituted compliance available for the cybersecurity risk 
management requirements would be consistent with the approach the 
Commission has taken with other rules applicable to SBS Entities. This 
approach takes into consideration the global nature of the security-
based swap market and the prevalence of cross-border transactions 
within that market.\450\ The application of the cybersecurity risk 
management requirements may lead to requirements that are duplicative 
of, or in conflict with, applicable foreign requirements, even when the 
two sets of requirements implement similar goals and lead to similar 
results. Those results have the potential to disrupt existing business 
relationships and, more generally, to reduce competition and market 
efficiency. To address those effects, under certain circumstances it 
may be appropriate to allow the possibility of substituted compliance, 
whereby non-U.S. market participants may satisfy the cybersecurity risk 
management requirements by complying with comparable foreign 
requirements. Allowing for the possibility of substituted compliance in 
this manner would help achieve the benefits of those particular 
requirements in a way that helps avoid regulatory conflict and 
minimizes duplication, thereby promoting market efficiency, enhancing 
competition, and contributing to the overall functioning of the global 
security-based swap market.
---------------------------------------------------------------------------

    \450\ See generally Business Conduct Standards Adopting Release, 
81 FR at 30073-74 (addressing the basis for making substituted 
compliance available in the context of the business conduct 
requirements).
---------------------------------------------------------------------------

    Accordingly, the Commission is proposing to amend paragraph (d)(1) 
of Rule 3a71-6 to make substituted compliance available for proposed 
Rule 10 and Form SCIR if the Commission determines with respect to a 
foreign financial regulatory system that compliance with specified 
requirements under such foreign financial regulatory system by a 
registered SBS Entity, or class thereof, satisfies the corresponding 
requirements of proposed Rule 10 and Form SCIR.\451\ However, the 
proposal would not amend Rule 3a71-6 in connection with the proposed 
amendments to Rule 18a-6 regarding records to be preserved by certain 
SBS Entities. Rule 3a71-6 currently permits eligible applicants to seek 
a substituted compliance determination from the Commission with regard 
to the requirements of Rule 18a-6.\452\
---------------------------------------------------------------------------

    \451\ Paragraph (a)(1) of Rule 3a71-6 provides that the 
Commission may, conditionally or unconditionally, by order, make a 
determination with respect to a foreign financial regulatory system 
that compliance with specified requirements under the foreign 
financial system by an SBS Entity, or class thereof, may satisfy the 
corresponding requirements identified in paragraph (d) of the rule 
that would otherwise apply. See section II.D.3.c. of this release.
    \452\ See paragraph (d)(6) of Rule 3a71-6.
---------------------------------------------------------------------------

c. Comparability Criteria, and Consideration of Related Requirements
    If adopted, the proposed amendment to paragraph (d)(1) of Rule 
3a71-6 would provide that eligible applicants may request that the 
Commission make a substituted compliance determination with respect to 
one or more of the requirements of Rule 10 and Form SCIR.\453\ Further, 
existing paragraph (d)(6) of Rule 3a71-6 would permit eligible 
applicants to request that the Commission make a substituted compliance 
determination with respect to one or more of the requirements of the 
proposed amendments to Rule 18a-6, if adopted. A positive substituted 
compliance determination with respect to requirements existing before 
adoption of the proposed Rule 10, Form SCIR, and the related record 
preservation requirements would not automatically result in a positive 
substituted compliance determination with respect
to proposed Rule 10, Form SCIR or the proposed amendments to Rule 18a-
6. Before making a substituted compliance determination, the substance 
of each foreign regulatory system to which substituted compliance would 
apply should be evaluated for comparability to such newly adopted 
requirements. As such, if the Commission adopts the proposed amendment 
to Rule 3a71-6, eligible applicants \454\ seeking a Commission 
determination permitting SBS Entities that are not U.S. persons to 
satisfy the requirements of proposed Rule 10, Form SCIR, or the 
proposed amendments to Rule 18a-6 by complying with comparable foreign 
requirements would be required to file an application, pursuant to the 
procedures set forth in 17 CFR 240.0-13, requesting that the Commission 
make such a determination pursuant to 17 CFR 3a71-6(a)(1).\455\
---------------------------------------------------------------------------

    \453\ See paragraph (c) of Rule 3a71-6.
    \454\ See 17 CFR 3a71-6(c).
    \455\ Existing Commission substituted compliance determinations 
do not address the requirements of the proposed new rules or the 
proposed amendments. If the Commission adopts the requirements in 
the proposed new or amended rules, SBS Entities (or the relevant 
foreign financial regulatory authority or authorities) seeking a 
substituted compliance determination with respect to those 
requirements would be required to file an application requesting 
that the Commission make the determination. Applicants may not 
request that the Commission make a substituted compliance 
determination related to the new requirements by amending a 
previously filed application that requested a substituted compliance 
determination related to other Commission requirements. However, new 
applications may incorporate relevant information from the 
applicant's previously filed requests for substituted compliance 
determinations if the information remains accurate.
---------------------------------------------------------------------------

    The Commission has taken a holistic approach in determining the 
comparability of foreign requirements for substituted compliance 
purposes, focusing on regulatory outcomes as a whole, rather than on a 
requirement-by-requirement comparison.\456\ The Commission 
preliminarily believes that such a holistic approach would be 
appropriate for determining comparability for substituted compliance 
purposes in connection with the requirements of proposed Rule 10, Form 
SCIR, and the proposed amendments to Rule 18a-6. Under the proposed 
amendment to Rule 3a71-6, the Commission's comparability assessments 
associated with the proposed cybersecurity risk management requirements 
accordingly would consider whether, in the Commission's view, the 
foreign regulatory system achieves regulatory outcomes that are 
comparable to the regulatory outcomes associated with those 
requirements. Rule 3a71-6 provides that the Commission's substituted 
compliance determination will take into account factors that the 
Commission determines appropriate, such as, for example, the scope and 
objectives of the relevant foreign regulatory requirements (taking into 
account the applicable criteria set forth in paragraph (d) of the 
rule), as well as the effectiveness of the supervisory compliance 
program administered, and the enforcement authority exercised, by a 
foreign financial regulatory authority or authorities in such foreign 
financial regulatory system to support its oversight of the SBS Entity 
(or class thereof) or of the activities of such SBS Entity (or class 
thereof).\457\
---------------------------------------------------------------------------

    \456\ See Business Conduct Standards Adopting Release, 81 FR at 
30078-79. See also SBS Entity Trade Acknowledgment and Verification 
Adopting Release, 81 FR at 39828; SBS Entity Recordkeeping and 
Reporting Adopting Release, 84 FR at 68598-99.
    \457\ See 17 CFR 240.3a71-6(a)(2)(i).
---------------------------------------------------------------------------

    The Commission may determine to conduct its comparability analyses 
regarding Rule 10, Form SCIR, and the related record preservation 
requirements in conjunction with comparability analyses regarding other 
Exchange Act requirements that, like the requirements being proposed 
today, relate to risk management, recordkeeping, reporting, and 
notification requirements of SBS Entities. If the Commission adopts the 
proposed amendment to Rule 3a71-6, substituted compliance requests 
related to Rule 10, Form SCIR, and the related record preservation 
requirements may be filed by (i) applicants filing a request for a 
substituted compliance determination solely in connection with Rule 10, 
Form SCIR, and the related record preservation requirements,\458\ and 
(ii) applicants filing a request for a substituted compliance 
determination in connection with Rule 10, Form SCIR, and the related 
record preservation requirements combined with a request for a 
substituted compliance determination related to other eligible 
requirements. In either event, depending on the applicable facts and 
circumstances, the Commission's comparability assessment associated 
with the Rule 10, Form SCIR, or the related record preservation 
requirements may constitute part of a broader assessment of Exchange 
Act risk management, recordkeeping, reporting, and notification 
requirements for SBS Entities, and the applicable comparability 
decisions may be made at the level of those risk management, 
recordkeeping, reporting, and notification requirements for SBS 
Entities as a whole.
---------------------------------------------------------------------------

    \458\ This category of applicants would include those who 
previously filed requests for the Commission to make substituted 
compliance determinations related to other requirements eligible for 
substituted compliance determinations under Rule 3a71-6.
---------------------------------------------------------------------------

d. Request for Comment
    The Commission generally requests comments on all aspects of the 
proposed amendment to Rule 3a71-6 and proposed availability of 
substituted compliance. In addition, the Commission requests comments 
on the following specific issues:
    87. Should the Commission make substituted compliance available 
with respect to proposed Rule 10, Form SCIR, and the related record 
preservation requirements? Why or why not? If you believe that 
substituted compliance should not be available with respect to these 
requirements, how would you distinguish this policy decision from the 
Commission's previous determination to make substituted compliance 
potentially available with respect to other Title VII requirements 
(i.e., the business conduct, trade acknowledgment and verification, 
capital and margin, recordkeeping and reporting, and portfolio 
reconciliation, portfolio compression, and trading relationship 
documentation rules)?
    88. Are there other aspects of the scope of the substituted 
compliance rule for which the Commission should amend or provide 
additional guidance in light of proposed Rule 10, Form SCIR, and the 
proposed amendment to Rule 18a-6? If so, what other amendments or 
additional guidance would be appropriate and why?
    89. Are the items identified in Rule 3a71-6 as factors the 
Commission will consider prior to making a substituted compliance 
determination in connection with proposed Rule 10, Form SCIR, and the 
related record preservation requirements appropriate? If so, explain 
why. If not, explain why not. Should any of those items be modified or 
deleted? Should additional considerations be added? If so, please 
explain.

E. Amendments to Rule 18a-10

1. Proposal
    Exchange Act Rule 18a-10 (``Rule 18a-10'') permits an SBSD that is 
registered as a swap dealer and predominantly engages in a swaps 
business to elect to comply with the capital, margin, segregation, 
recordkeeping, and reporting requirements of the Commodity Exchange Act 
and the CFTC's rules in lieu of complying with the capital, margin, 
segregation, recordkeeping, and reporting requirements of Exchange Act 
Rules 18a-1, 18a-3, 18a-4, 18a-5, 18a-

[[Page 20268]]

6, 18a-7, 18a-8, and 18a-9.\459\ An SBSD may elect to operate pursuant 
to Rule 18a-10 if it meets certain conditions.\460\ First, the firm 
must be registered with the Commission as a stand-alone SBSD (i.e., not 
also registered as a broker-dealer or an OTC derivatives dealer) and 
registered with the CFTC as a swap dealer. Second, the firm must be 
exempt from the segregation requirements of Rule 18a-4. Third, the 
aggregate gross notional amount of the firm's outstanding security-
based swap positions must not exceed the lesser of two thresholds as of 
the most recently ended quarter of the firm's fiscal year.\461\ The 
thresholds are: (1) a maximum fixed-dollar gross notional amount of 
open security-based swaps of $250 billion; \462\ and (2) 10% of the 
combined aggregate gross notional amount of the firm's open security-
based swap and swap positions.
---------------------------------------------------------------------------

    \459\ See 17 CFR 240.18a-10.
    \460\ See Capital, Margin, and Segregation Requirements Adopting 
Release, 84 FR at 43944-46 (discussing the conditions and the reasons 
for them). See also SBS Entity Recordkeeping and Reporting Adopting 
Release, 84 FR at 68549.
    \461\ The gross notional amount is based on the notional amounts 
of the firm's security-based swaps and swaps that are outstanding as 
of the quarter end. It is not based on transaction volume during the 
quarter.
    \462\ The maximum fixed-dollar threshold is set at $250 billion 
for a transition period of 3 years from the compliance date of the 
rule. After that transition period it will drop to $50 billion (unless 
the Commission issues an order retaining the $250 billion threshold or 
a lesser amount that is greater than $50 billion).
---------------------------------------------------------------------------

    As discussed above, Rule 18a-6 is proposed to be amended to require 
SBSDs to maintain and preserve the records required to be made pursuant 
to proposed Rule 10.\463\ However, because Rule 18a-6 is within the 
scope of Rule 18a-10, an SBSD operating pursuant to Rule 18a-10 would 
not be subject to the maintenance and preservation requirements of Rule 
18a-6 with respect to the records required to be made pursuant to 
proposed Rule 10. Therefore, while an SBSD would be subject to proposed 
Rule 10 and need to make these records, the firm would not need to 
maintain or preserve them in accordance with Rule 18a-6. For these 
reasons, the Commission is proposing to amend Rule 18a-10 to exclude 
from its scope the record maintenance and preservation requirements of 
Rule 18a-6 as they pertain to the records required to be made pursuant 
to proposed Rule 10.\464\ As a result, the records required to be made 
pursuant to proposed Rule 10 would need to be maintained and preserved 
in accordance with Rule 18a-6, as it is proposed to be amended, even by 
an SBSD operating pursuant to Rule 18a-10.
---------------------------------------------------------------------------

    \463\ See section II.B.5. of this release (discussing these 
proposals in more detail).
    \464\ See proposed paragraph (g) of Rule 18a-10.
---------------------------------------------------------------------------

2. Request for Comment
    The Commission requests comment on all aspects of the proposed 
amendments relating to Rule 18a-10. In addition, the Commission is 
requesting comment on the following specific aspects of the proposals:
    90. Should the proposed amendments to Rule 18a-10 be modified? If 
so, describe how and explain why the modification would be appropriate. 
For example, would the records required to be made pursuant to proposed 
Rule 10 be subject to CFTC record preservation and maintenance rules? 
If so, identify the rules and explain the preservation and maintenance 
requirements they would impose on the records required to be made 
pursuant to proposed Rule 10. In addition, explain whether it would be 
appropriate to permit an SBSD operating pursuant to Rule 18a-10 to 
comply with these CFTC rules in terms of preserving and maintaining the 
records required to be made pursuant to proposed Rule 10 in lieu of 
complying with the preservation and maintenance requirements that would 
apply to the records under the proposed amendments to Rule 18a-6.

F. Market Entities Subject to Regulation SCI, Regulation S-P, 
Regulation ATS, and Regulation S-ID

1. Discussion
a. Introduction
    As discussed in more detail below, certain types of Market Entities 
are subject to Regulation SCI and Regulation S-P.\465\ The Commission 
separately is proposing to amend Regulation SCI and Regulation S-
P.\466\ Regulation SCI and Regulation S-P (currently and as they would 
be amended) have or would have provisions requiring policies and 
procedures that address certain types of cybersecurity risks.\467\ 
Regulation SCI (currently and as it would be amended) also requires 
immediate written or telephonic notice and subsequent reporting to the 
Commission on Form SCI of certain types of incidents.\468\ These 
notification and subsequent reporting requirements of Regulation SCI 
could be triggered by a ``significant cybersecurity incident'' as that 
term would be defined in proposed Rule 10.\469\ Finally, Regulation SCI 
and Regulation S-P (currently and as they would be amended) have or 
would have provisions requiring disclosures to persons affected by 
certain incidents.\470\ These current or proposed disclosure 
requirements of Regulation SCI and Regulation S-P could be triggered by 
a cybersecurity-related event that also would be a ``significant 
cybersecurity incident'' as that term would be defined in proposed Rule 
10.\471\ Consequently, if proposed Rule 10 is adopted (as proposed), 
Market Entities could be subject to requirements in that rule and in 
Regulation SCI and Regulation S-P that pertain to cybersecurity. While 
the Commission preliminarily believes that these requirements are 
nonetheless appropriate, it is seeking comment on the proposed 
amendments, given the following: (1) each proposal has a different 
scope and purpose; (2) the policies and procedures related to 
cybersecurity that would be required under each of the proposed rules 
would be consistent; (3) the public disclosures or notifications 
required by the proposed rules would require different types of 
information to be disclosed, largely to different audiences at 
different times; and (4) it should be appropriate for entities to 
comply with the proposed requirements.
---------------------------------------------------------------------------

    \465\ See 17 CFR 242.1000 through 1007 (Regulation SCI); 17 CFR 
248.1 through 248.30 (Regulation S-P). See also section II.F.1.b. of 
this release (discussing the types of Market Entities that are or 
would be subject to Regulation SCI and/or Regulation S-P).
    \466\ See Regulation SCI 2023 Proposing Release; Regulation S-P 
2023 Proposing Release.
    \467\ See section II.F.1.c. of this release (discussing the 
existing and proposed requirements of Regulation SCI and Regulation 
S-P to have policies and procedures that address certain 
cybersecurity risks).
    \468\ See section II.F.1.d. of this release (discussing the 
existing and proposed immediate notification and subsequent 
reporting requirements of Regulation SCI).
    \469\ See paragraph (a)(10) of proposed Rule 10 (defining the 
term ``significant cybersecurity incident'').
    \470\ See section II.F.1.e. of this release (discussing the 
existing and proposed disclosure requirements of Regulation SCI and 
Regulation S-P).
    \471\ See paragraph (a)(10) of proposed Rule 10 (defining the 
term ``significant cybersecurity incident'').
---------------------------------------------------------------------------

    The Commission encourages interested persons to provide comments on 
the discussion below, as well as on the potential related application 
of proposed Rule 10, Regulation SCI, and Regulation S-P. More 
specifically, the Commission encourages commenters: (1) to identify any 
areas where they believe the requirements of proposed Rule 10 and the 
existing or proposed requirements of Regulation SCI and Regulation S-P 
would be particularly costly or create practical implementation 
difficulties; (2) to provide details on what in particular about 
implementation would be difficult; and (3) to make

[[Page 20269]]

recommendations on how to minimize these potential impacts. To assist 
this effort, the Commission is seeking specific comment below on these 
topics.\472\
---------------------------------------------------------------------------

    \472\ See section II.F.2. of this release.
---------------------------------------------------------------------------

b. Market Entities That Are or Would Be Subject to Regulation SCI and 
Regulation S-P
    Certain Market Entities that would be subject to the requirements 
of proposed Rule 10 applicable to Covered Entities are subject to the 
existing requirements of Regulation SCI. In particular, SCI entities 
include the following Covered Entities that also would be subject to 
the requirements of proposed Rule 10: (1) ATSs that trade certain 
stocks exceeding specific volume thresholds; (2) registered clearing 
agencies; (3) certain exempt clearing agencies; (4) the MSRB; (5) 
FINRA; and (6) national securities exchanges.\473\ Therefore, if 
proposed Rule 10 is adopted (as proposed), these Covered Entities would 
be subject to its requirements and the requirements of Regulation SCI 
(currently and as it would be amended). The Commission is separately 
proposing to revise Regulation SCI to expand the definition of ``SCI 
entity'' to include the following Covered Entities that also would be 
subject to the requirements of proposed Rule 10: (1) broker-dealers 
that exceed an asset-based size threshold or a volume-based trading 
threshold in NMS stocks, exchange-listed options, agency securities, or 
U.S. treasury securities; (2) all exempt clearing agencies; and (3) 
SBSDRs.\474\ Therefore, if these amendments to Regulation SCI are 
adopted and proposed Rule 10 is adopted (as proposed), these additional 
Covered Entities would be subject to the requirements of proposed Rule 
10 and also to the requirements of Regulation SCI. Additionally, 
broker-dealers and transfer agents that would be subject to proposed 
Rule 10 also would be subject to some or all of the existing or 
proposed requirements of Regulation S-P.\475\
---------------------------------------------------------------------------

    \473\ See 17 CFR 242.1000 (defining the terms ``SCI alternative 
trading system,'' ``SCI self-regulatory system,'' and ``Exempt 
clearing agency subject to ARP,'' and including all of those defined 
terms in the definition of ``SCI Entity''). The definition of ``SCI 
entities'' includes additional Commission registrants that would not 
be subject to the requirements of proposed Rule 10: plan processors 
and SCI competing consolidators. However, the Commission is seeking 
comment on whether these registrants should be subject to the 
requirements of proposed Rule 10.
    \474\ All exempt clearing agencies and SBSDRs would be subject 
to the requirements of proposed Rule 10 applicable to Covered 
Entities. See paragraphs (a)(1)(ii) and (vii) of proposed Rule 10 
(defining these registrants as ``covered entities''). Broker-dealers 
that exceed the asset-based size threshold under the proposed 
amendments to Regulation SCI (which would be several hundred billion 
dollars) also would be subject to the requirements of proposed Rule 
10 applicable to Covered Entities, as they would exceed the $1 
billion total assets threshold in the broker-dealer definition of 
``covered entity.'' See paragraph (a)(1)(i)(D) of proposed Rule 10. 
A broker-dealer that exceeds one or more of the volume-based trading 
thresholds under the proposed amendments to Regulation SCI likely 
would meet one of the broker-dealer definitions of ``covered 
entity'' in proposed Rule 10 given their size and activities. For 
example, it would either be a carrying broker-dealer, have 
regulatory capital equal to or exceeding $50 million, have total 
assets equal to or exceeding $1 billion, or operate as a market 
maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed 
Rule 10. The Commission is seeking comment above on whether a 
broker-dealer that is an SCI entity should be defined specifically 
as a ``covered entity'' under proposed Rule 10.
    \475\ Broadly, Regulation S-P's requirements apply to all 
broker-dealers, except for ``notice-registered broker-dealers'' (as 
defined in 17 CFR 248.30), who in most cases will be deemed to be in 
compliance with Regulation S-P if they instead comply with the 
financial privacy rules of the CFTC, and are otherwise explicitly 
excluded from certain of Regulation S-P's obligations. See 17 CFR 
248.2(c). For the purposes of this section II.F. of this release, 
the term ``broker-dealer'' when used to refer to broker-dealers that 
are subject to Regulation S-P (currently and as it would be amended) 
excludes notice-registered broker-dealers. Currently, transfer 
agents registered with the Commission (``SEC-registered transfer 
agents'') (but not transfer agents registered with another 
appropriate regulatory agency) are subject to Regulation S-P's 
``disposal rule'' (``Regulation S-P Disposal Rule''). See 17 CFR 
248.30(b). However, no transfer agent is currently subject to any 
other portion of Regulation S-P, including the ``safeguards rule'' 
under Regulation S-P (``Regulation S-P Safeguards Rule''). See 17 
CFR 248.30(a). Under the proposed amendments to Regulation S-P, SEC-
registered transfer agents and transfer agents registered with 
another appropriate regulatory agency (as defined in 15 U.S.C. 
78c(34)(B)) would be subject to the Regulation S-P Safeguards Rule 
and the Regulation S-P Disposal Rule. Regulation S-P also applies to 
additional financial institutions that would not be subject to 
proposed Rule 10. See 17 CFR 248.3.
---------------------------------------------------------------------------

c. Policies and Procedures to Address Cybersecurity Risks
i. Different Scope and Purpose of the Policies and Procedures 
Requirements
    Each of the policies and procedures requirements has a different 
scope and purpose. Regulation SCI (currently and as it would be 
amended) limits the scope of its requirements to certain systems of the 
SCI Entity that support securities market related functions. 
Specifically, it does and would require an SCI Entity to have 
reasonably designed policies and procedures applicable to its SCI 
systems and, for purposes of security standards, its indirect SCI 
systems.\476\ While certain aspects of the policies and procedures 
required by Regulation SCI (as it exists today and as proposed to be 
amended) are designed to address certain cybersecurity risks (among 
other things),\477\ the policies and procedures required by Regulation 
SCI focus on the SCI entities' operational capability and the 
maintenance of fair and orderly markets.
---------------------------------------------------------------------------

    \476\ See 17 CFR 242.1001(a)(1). ``SCI systems'' are defined as 
electronic or similar systems of, or operated by or on behalf of, an 
SCI entity that directly support at least one of six market 
functions: (1) trading; (2) clearance and settlement; (3) order 
routing; (4) market data; (5) market regulation; or (6) market 
surveillance. 17 CFR 242.1000. ``Indirect SCI systems'' are defined 
as those of, or operated by or on behalf of, an SCI entity that, if 
breached, would be reasonably likely to pose a security threat to 
SCI systems. 17 CFR 242.1000. The distinction between SCI systems 
and indirect SCI systems is intended to encourage SCI entities to 
physically or logically separate their SCI systems, which are core 
market-facing systems, from systems that perform other functions 
(e.g., corporate email and general office systems for member 
regulation and recordkeeping). See Regulation Systems Compliance and 
Integrity, Release No. 34-73639, 79 FR 72251 (Dec. 5, 2014), at 
72279-81 (``Regulation SCI 2014 Adopting Release''). Indirect SCI 
systems are subject to Regulation SCI's requirements with respect to 
security standards. Further, ``critical SCI systems'' (a subset of SCI 
systems) are defined as those that directly support functionality 
relating to: (1) clearance and settlement systems of clearing 
agencies; (2) openings, reopenings, and closings on the primary 
listing market; (3) trading halts; (4) initial public offerings; (5) 
the provision of market data by a plan processor; or (6) 
exclusively-listed securities; and, as a catchall, systems that 
provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and 
orderly markets. 17 CFR 242.1000.
    \477\ See 17 CFR 242.1000 (defining ``indirect SCI systems''). 
As discussed in note 476 above, the distinction between SCI systems 
and indirect SCI systems is intended to encourage SCI entities to 
physically or logically separate their core market-facing SCI systems 
from systems that perform other functions, and indirect SCI systems 
are subject to Regulation SCI's requirements with respect to security 
standards. See Regulation SCI 2014 Adopting Release, 79 FR at 
72279-81.
---------------------------------------------------------------------------

    Similarly, Regulation S-P (currently and as it would be amended) 
also has a distinct focus. The policies and procedures required under 
Regulation S-P, both currently and as proposed to be amended, are 
limited to protecting a certain type of information--customer records 
or information and consumer report information \478\--and they apply to 
such information even when stored outside of SCI systems or indirect 
SCI systems. Furthermore, these policies and procedures need not 
address other types of information stored on the systems of the broker-
dealer or transfer agent.
---------------------------------------------------------------------------

    \478\ Or as proposed herein, ``customer information'' and 
``consumer information.'' See proposed rules 248.30(e)(5) and 
(e)(1), respectively.
---------------------------------------------------------------------------

    Proposed Rule 10 would have a broader scope than Regulation SCI and 
Regulation S-P (currently and as they would be amended) because it 
would require Market Entities to establish, maintain, and enforce 
written policies

[[Page 20270]]

and procedures that are reasonably designed to address their 
cybersecurity risks.\479\ Unlike Regulation SCI, these requirements 
would therefore cover SCI systems, indirect SCI systems, and 
information systems that are not SCI systems or indirect SCI systems. 
And, unlike Regulation S-P, the proposed requirements would also 
encompass information beyond customer information and consumer 
information.
---------------------------------------------------------------------------

    \479\ See paragraphs (b) and (e) of proposed Rule 10 (setting 
forth the requirements of Covered Entities and Non-Covered Entities, 
respectively, to have policies and procedures to address their 
cybersecurity risks).
---------------------------------------------------------------------------

    To illustrate, a Market Entity could use one comprehensive set of 
policies and procedures to satisfy the requirements of proposed Rule 10 
and the existing and proposed cybersecurity-related requirements of 
Regulation SCI and Regulation S-P, so long as: (1) the cybersecurity-
related policies and procedures required under Regulation S-P and 
Regulation SCI fit within and are consistent with the scope of the 
policies and procedures required under proposed Rule 10; and (2) the 
policies and procedures requirements of proposed Rule 10 also 
address the more narrowly-focused existing and proposed cybersecurity-
related policies and procedures requirements under Regulation SCI and 
Regulation S-P.
ii. Consistency of the Policies and Procedures Requirements
Covered Entities
    As discussed above, the Market Entities that would be SCI Entities 
under the existing and proposed requirements of Regulation SCI would be 
subject to the policies and procedures requirements of proposed Rule 10 
applicable to Covered Entities. In addition, broker-dealers and 
transfer agents are subject to the requirements of Regulation S-P 
(currently and as it would be amended).\480\ Transfer agents would be 
Covered Entities under proposed Rule 10 and, therefore, subject to the 
policies and procedures requirements of that rule applicable to Covered 
Entities.\481\ Further, the two categories of broker-dealers that 
likely would have the largest volume of customer information and 
consumer information subject to the existing or proposed requirements 
of Regulation S-P would be Covered Entities under proposed Rule 10: 
carrying broker-dealers and introducing broker-dealers.\482\ For these 
reasons, the Commission first analyzes the potential overlap between 
proposed Rule 10 and the current and proposed requirements of 
Regulation SCI and Regulation S-P by taking into account the policies 
and procedures requirements of proposed Rule 10 that would apply to 
Covered Entities.
---------------------------------------------------------------------------

    \480\ As discussed above, SEC-registered transfer agents are 
subject to the Regulation S-P Disposal Rule but not to the 
Regulation S-P Safeguards Rule. The proposed amendments to 
Regulation S-P would apply the Regulation S-P Safeguards Rule and 
the Regulation S-P Disposal Rule to all transfer agents.
    \481\ See paragraph (b)(1) of proposed Rule 10 (setting forth 
the policies and procedures requirements for Covered Entities).
    \482\ See paragraphs (a)(1)(i)(A) and (B) of proposed Rule 10 
(defining, respectively, carrying broker-dealers and introducing 
broker-dealers as Covered Entities).
---------------------------------------------------------------------------

Regulation SCI and Regulation S-P General Policies and Procedures 
Requirements
    Regulation SCI, Regulation S-P, and proposed Rule 10 all include 
requirements that address certain cybersecurity-related risks. 
Regulation SCI requires an SCI Entity to have reasonably designed 
policies and procedures to ensure that its SCI systems and, for 
purposes of security standards, indirect SCI systems, have levels of 
capacity, integrity, resiliency, availability, and security, adequate 
to maintain the SCI entity's operational capability and promote the 
maintenance of fair and orderly markets.\483\
---------------------------------------------------------------------------

    \483\ See 17 CFR 242.1001(a)(1).
---------------------------------------------------------------------------

    The Regulation S-P Safeguards Rule requires broker-dealers (but not 
transfer agents) to adopt written policies and procedures that address 
administrative, technical, and physical safeguards for the protection 
of customer records and information.\484\ The Regulation S-P Safeguards 
Rule further provides that these policies and procedures must: (1) 
insure the security and confidentiality of customer records and 
information; (2) protect against any anticipated threats or hazards to 
the security or integrity of customer records and information; and (3) 
protect against unauthorized access to or use of customer records or 
information that could result in substantial harm or inconvenience to 
any customer.\485\ Additionally, the Regulation S-P Disposal Rule 
requires broker-dealers and SEC-registered transfer agents that 
maintain or otherwise possess consumer report information for a 
business purpose to properly dispose of the information by taking 
reasonable measures to protect against unauthorized access to or use of 
the information in connection with its disposal.\486\
---------------------------------------------------------------------------

    \484\ See 17 CFR 248.30(a).
    \485\ See 17 CFR 248.30(a)(1) through (3).
    \486\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines 
the term ``disposal'' to mean: (1) the discarding or abandonment of 
consumer report information; or (2) the sale, donation, or transfer 
of any medium, including computer equipment, on which consumer 
report information is stored. See 17 CFR 248.30(b)(1)(iii).
---------------------------------------------------------------------------

    Proposed Rule 10 would require a Covered Entity to establish, 
maintain, and enforce written policies and procedures that are 
reasonably designed to address the Covered Entity's cybersecurity 
risks. In addition, Covered Entities would be required to include the 
following elements in their policies and procedures: (1) periodic 
assessments of cybersecurity risks associated with the Covered Entity's 
information systems and written documentation of the risk assessments; 
(2) controls designed to minimize user-related risks and prevent 
unauthorized access to the Covered Entity's information systems; (3) 
measures designed to monitor the Covered Entity's information systems 
and protect the Covered Entity's information from unauthorized access 
or use, and oversight of service providers that receive, maintain, or 
process information, or are otherwise permitted to access the Covered 
Entity's information systems; (4) measures to detect, mitigate, and 
remediate any cybersecurity threats and vulnerabilities with respect to 
the Covered Entity's information systems; and (5) measures to detect, 
respond to, and recover from a cybersecurity incident and written 
documentation of any cybersecurity incident and the response to and 
recovery from the incident.\487\
---------------------------------------------------------------------------

    \487\ See sections II.B.1.a. through II.B.1.e. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    As discussed earlier, the inclusion of these elements in proposed 
Rule 10 is designed to enumerate the core areas that Covered Entities 
would need to address when designing, implementing, and assessing their 
policies and procedures.\488\ Taken together, these requirements are 
designed to position Covered Entities to be better prepared to protect 
themselves against cybersecurity risks, to mitigate cybersecurity 
threats and vulnerabilities, and to recover from cybersecurity 
incidents. They are also designed to help ensure that Covered Entities 
focus their efforts and resources on the cybersecurity risks associated 
with their operations and business practices.
---------------------------------------------------------------------------

    \488\ See section II.B.1. of this release.
---------------------------------------------------------------------------

    A Covered Entity that implements reasonably designed policies and 
procedures in compliance with the requirements of proposed Rule 10 
described above that cover its SCI systems and indirect SCI systems 
should generally satisfy the existing general policies and procedures

[[Page 20271]]

requirements of Regulation SCI that pertain to cybersecurity.\489\ 
Similarly, policies and procedures implemented by a Covered Broker-
Dealer that are reasonably designed in compliance with the requirements 
of proposed Rule 10 should generally satisfy the existing general 
policies and procedures requirements of the Regulation S-P Safeguards 
Rule discussed above that pertain to cybersecurity, to the extent that 
such information is stored electronically and, therefore, falls within 
the scope of proposed Rule 10. In addition, reasonably designed 
policies and procedures implemented by a Covered Broker-Dealer or SEC-
registered transfer agent in compliance with the requirements of 
proposed Rule 10 should generally satisfy the existing requirements of 
the Regulation S-P Disposal Rule discussed above.
---------------------------------------------------------------------------

    \489\ As noted above, the CAT System is a facility of each of 
the Participants and an SCI system. See also CAT NMS Plan Approval 
Order, 81 FR at 84758. It would also qualify as an ``information 
system'' of each national securities exchange and each national 
securities association under proposed Rule 10. The CAT NMS Plan 
requires the CAT's Plan Processor to follow certain security 
protocols and industry standards, including the NIST Cyber Security 
Framework, subject to Participant oversight. See, e.g., CAT NMS Plan 
at appendix D, section 4.2. For the reasons discussed above and 
below with respect to SCI systems, the policies and procedures 
requirements of proposed Rule 10 are not intended to be inconsistent 
with the security protocols set forth in the CAT NMS Plan. Moreover, 
to the extent the CAT NMS Plan requires security protocols beyond 
those that would be required under proposed Rule 10, those 
additional security protocols should generally fit within and be 
consistent with the policies and procedures required under proposed 
Rule 10 to address all cybersecurity risks.
---------------------------------------------------------------------------

    Regulation SCI and Regulation S-P Requirements to Oversee Service 
Providers. Under the amendments to Regulation SCI, the policies and 
procedures required of SCI entities would need to include a program to 
manage and oversee third party providers that provide functionality, 
support or service, directly or indirectly, for SCI systems and 
indirect SCI systems.\490\ In addition, proposed amendments to the 
Regulation S-P Safeguards Rule would require broker-dealers and 
transfer agents to include written policies and procedures within their 
response programs that require their service providers, pursuant to a 
written contract, to take appropriate measures that are designed to 
protect against unauthorized access to or use of customer information, 
including notification to the broker-dealer or transfer agent as soon 
as possible, but no later than 48 hours after becoming aware of a 
breach, in the event of any breach in security resulting in 
unauthorized access to customer information maintained by the service 
provider to enable the broker-dealer or transfer agent to implement its 
response program expeditiously.\491\
---------------------------------------------------------------------------

    \490\ See Regulation SCI 2023 Proposing Release. These policies 
and procedures would need to include initial and periodic review of 
contracts with such vendors for consistency with the SCI entity's 
obligations under Regulation SCI; and a risk-based assessment of 
each third party provider's criticality to the SCI entity, including 
analyses of third party provider concentration, of key dependencies 
if the third party provider's functionality, support, or service 
were to become unavailable or materially impaired, and of any 
potential security, including cybersecurity, risks posed. Id.
    \491\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------

    Proposed Rule 10 would have several policies and procedures 
requirements that are designed to address similar cybersecurity risks 
as these proposed amendments to Regulation SCI and Regulation S-P. 
First, a Covered Entity's policies and procedures under proposed Rule 
10 would need to require periodic assessments of cybersecurity risks 
associated with the Covered Entity's information systems and 
information residing on those systems.\492\ This element of the 
policies and procedures would need to include requirements that the 
Covered Entity identify its service providers that receive, maintain, 
or process information, or are otherwise permitted to access its 
information systems and any of its information residing on those 
systems, and assess the cybersecurity risks associated with its use of 
these service providers.\493\ Second, under proposed Rule 10, a Covered 
Entity's policies and procedures would need to require oversight of 
service providers that receive, maintain, or process its information, 
or are otherwise permitted to access its information systems and the 
information residing on those systems, pursuant to a written contract 
between the Covered Entity and the service provider, through which the 
service providers would need to be required to implement and maintain 
appropriate measures that are designed to protect the Covered Entity's 
information systems and information residing on those systems.\494\
---------------------------------------------------------------------------

    \492\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also 
section II.B.1.a. of this release (discussing this requirement in 
more detail).
    \493\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
    \494\ See paragraph (b)(1)(iii)(B) of proposed Rule 10; see 
also section II.B.1.c. of this release (discussing this requirement 
in more detail).
---------------------------------------------------------------------------

    A Covered Entity that implements these requirements of proposed 
Rule 10 with respect to its SCI systems and indirect SCI systems 
generally should satisfy the proposed requirements of Regulation SCI 
that the SCI entity's policies and procedures include a program to 
manage and oversee third party providers that provide functionality, 
support or service, directly or indirectly, for SCI systems and 
indirect SCI systems. Similarly, a broker-dealer or transfer agent that 
implements these requirements of proposed Rule 10 generally would 
comply with the proposed requirements of the Regulation S-P Safeguards 
Rule relating to the oversight of service providers.
    Regulation SCI and Regulation S-P Unauthorized Access Requirements. 
Under the proposed amendments to Regulation SCI, SCI entities would be 
required to have a program to prevent the unauthorized access to their 
SCI systems and indirect SCI systems, and information residing 
therein.\495\ The proposed amendments to the Regulation S-P Disposal 
Rule would require broker-dealers and transfer agents that maintain or 
otherwise possess consumer information or customer information for a 
business purpose to properly dispose of this information by taking 
reasonable measures to protect against unauthorized access to or use of 
the information in connection with its disposal.\496\ The broker-dealer 
or transfer agent would be required to adopt and implement written 
policies and procedures that address the proper disposal of consumer 
information and customer information in accordance with this 
standard.\497\
---------------------------------------------------------------------------

    \495\ See Regulation SCI 2023 Proposing Release.
    \496\ See Regulation S-P 2023 Proposing Release. As discussed 
above, the general policies and procedures requirements of the 
Regulation S-P Safeguards Rule require the policies and procedures--
among other things--to protect against unauthorized access to or use 
of customer records or information that could result in substantial 
harm or inconvenience to any customer. See 17 CFR 248.30(a)(3).
    \497\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------

    Proposed Rule 10 would have several policies and procedures 
requirements that are designed to address similar cybersecurity-related 
risks as these proposed requirements of Regulation SCI and the 
Regulation S-P Disposal Rule. First, a Covered Entity's policies and 
procedures under proposed Rule 10 would need to require controls: (1) 
requiring standards of behavior for individuals authorized to access 
the Covered Entity's information systems and the information residing 
on those systems, such as an acceptable use policy; (2) identifying and 
authenticating individual users, including but not limited to 
implementing authentication measures that require users to present a 
combination of two or more credentials for access verification; (3) 
establishing procedures for the timely distribution,

[[Page 20272]]

replacement, and revocation of passwords or methods of authentication; 
(4) restricting access to specific information systems of the Covered 
Entity or components thereof and the information residing on those 
systems solely to individuals requiring access to the systems and 
information as is necessary for them to perform their responsibilities 
and functions on behalf of the Covered Entity; and (5) securing remote 
access technologies.\498\
---------------------------------------------------------------------------

    \498\ See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule 
10; see also section II.B.1.b. of this release (discussing these 
requirements in more detail).
---------------------------------------------------------------------------

    Second, under proposed Rule 10, a Covered Entity's policies and 
procedures would need to include measures designed to protect the 
Covered Entity's information systems and protect the information 
residing on those systems from unauthorized access or use, based on a 
periodic assessment of the Covered Entity's information systems and the 
information that resides on the systems.\499\ The periodic assessment 
would need to take into account: (1) the sensitivity level and 
importance of the information to the Covered Entity's business 
operations; (2) whether any of the information is personal information; 
(3) where and how the information is accessed, stored and transmitted, 
including the monitoring of information in transmission; (4) the 
information systems' access controls and malware protection; and (5) 
the potential effect a cybersecurity incident involving the information 
could have on the Covered Entity and its customers, counterparties, 
members, registrants, or users, including the potential to cause a 
significant cybersecurity incident.\500\
---------------------------------------------------------------------------

    \499\ See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also 
section II.B.1.c. of this release (discussing these requirements in 
more detail).
    \500\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed 
Rule 10.
---------------------------------------------------------------------------

    A Covered Entity that implements these requirements of proposed 
Rule 10 with respect to its SCI systems and indirect SCI systems 
generally should satisfy the proposed requirements of Regulation SCI 
that the SCI entity's policies and procedures include a program to 
prevent the unauthorized access to their SCI systems and indirect SCI 
systems, and information residing therein. Similarly, a broker-dealer 
or transfer agent that implements these requirements of proposed Rule 
10 should generally satisfy the proposed requirements of the Regulation 
S-P Disposal Rule to adopt and implement written policies and 
procedures that address the proper disposal of consumer information and 
customer information.
    Regulation SCI and Regulation S-P Response Programs. Regulation SCI 
requires SCI entities to have policies and procedures to monitor their 
SCI systems and indirect SCI systems for SCI events, which include 
systems intrusions for unauthorized access, and also requires them to 
have policies and procedures that include escalation procedures to 
quickly inform responsible SCI personnel of potential SCI events.\501\
---------------------------------------------------------------------------

    \501\ See 17 CFR 242.1001(a)(2)(vii) and (c)(1), respectively.
---------------------------------------------------------------------------

    The amendments to Regulation S-P's safeguards provisions would 
require the policies and procedures to include a response program for 
unauthorized access to or use of customer information. Further, the 
response program would need to be reasonably designed to detect, 
respond to, and recover from unauthorized access to or use of customer 
information, including procedures, among others: (1) to assess the 
nature and scope of any incident involving unauthorized access to or 
use of customer information and identify the customer information 
systems and types of customer information that may have been accessed 
or used without authorization; \502\ and (2) to take appropriate steps 
to contain and control the incident to prevent further unauthorized 
access to or use of customer information.\503\
---------------------------------------------------------------------------

    \502\ Regulation SCI's obligation to take corrective action may 
include a variety of actions, such as determining the scope of the 
SCI event and its causes, among others. See Regulation SCI 2014 
Adopting Release, 79 FR at 72251, 72317. See also 17 CFR 
242.1002(a).
    \503\ See Regulation S-P 2023 Proposing Release. The response 
program also would need to have procedures to notify each affected 
individual whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without 
authorization unless the covered institution determines, after a 
reasonable investigation of the facts and circumstances of the 
incident of unauthorized access to or use of sensitive customer 
information, the sensitive customer information has not been, and is 
not reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience. See id.
---------------------------------------------------------------------------

    Proposed Rule 10 would have several policies and procedures 
requirements that are designed to address similar cybersecurity-related 
risks as these proposed requirements of the Regulation S-P Safeguards 
Rule. First, under proposed Rule 10, a Covered Entity's policies and 
procedures would need to require measures designed to detect, mitigate, 
and remediate any cybersecurity threats and vulnerabilities with 
respect to the Covered Entity's information systems and the information 
residing on those systems.\505\ Second, under proposed Rule 10, a 
Covered Entity's policies and procedures would need to have measures 
designed to detect, respond to, and recover from a cybersecurity 
incident, including policies and procedures that are reasonably 
designed to ensure (among other things): (1) the continued operations 
of the Covered Entity; (2) the protection of the Covered Entity's 
information systems and the information residing on those systems; and 
(3) external and internal cybersecurity incident information sharing 
and communications.\506\
---------------------------------------------------------------------------

    \505\ See paragraph (b)(1)(iv) of proposed Rule 10; see also 
section II.B.1.d. of this release (discussing this requirement in 
more detail).
    \506\ See paragraph (b)(1)(v) of proposed Rule 10; see also 
section II.B.1.e. of this release (discussing this requirement in 
more detail).
---------------------------------------------------------------------------

    A Covered Entity that implements reasonably designed policies and 
procedures in compliance with these requirements of proposed Rule 10 
generally should satisfy the existing requirements of Regulation SCI 
and the proposed requirements of the Regulation S-P Safeguards Rule 
discussed above that relate to detecting and responding to 
unauthorized access.
    Regulation SCI Review Requirements. Regulation SCI currently 
prescribes certain elements that must be included in each SCI entity's 
policies and procedures.\507\ These required elements include policies 
and procedures that must provide for regular reviews and

[[Page 20273]]

testing of SCI systems and indirect SCI systems, including backup 
systems, to identify vulnerabilities from internal and external 
threats.\508\ In addition, Regulation SCI requires SCI entities to 
conduct penetration tests as part of a review of their compliance with 
Regulation SCI.\509\ While these reviews must be conducted not less 
than once each calendar year, the penetration tests currently need to 
be conducted not less than once every three years.\510\ The amendments 
to Regulation SCI would increase the required frequency of the 
penetration tests to not less than once each calendar year.\511\ The 
amendments to Regulation SCI also would require that the penetration 
tests include tests of any vulnerabilities of the SCI entity's SCI 
systems and indirect SCI systems identified under the existing 
requirement to perform regular reviews and testing of SCI systems and 
indirect SCI systems, including backup systems, to identify 
vulnerabilities from internal and external threats.\512\
---------------------------------------------------------------------------

    \507\ See 17 CFR 242.1001(a)(2).
    \508\ 17 CFR 242.1001(a)(2)(iv).
    \509\ See 17 CFR 242.1003(b)(1)(i).
    \510\ Id.
    \511\ See Regulation SCI 2023 Proposing Release.
    \512\ See Regulation SCI 2023 Proposing Release; 17 CFR 
242.1001(a)(2)(iv).
---------------------------------------------------------------------------

    Proposed Rule 10 would have several policies and procedures 
requirements that are designed to address similar cybersecurity-related 
risks as these existing and proposed requirements of Regulation SCI. 
First, a Covered Entity's policies and procedures under proposed Rule 
10 would need to require periodic assessments of cybersecurity risks 
associated with the Covered Entity's information systems and 
information residing on those systems.\513\ Moreover, this element of 
the policies and procedures would need to include requirements that the 
Covered Entity categorize and prioritize cybersecurity risks based on 
an inventory of the components of the Covered Entity's information 
systems and information residing on those systems and the potential 
effect of a cybersecurity incident on the Covered Entity.\514\ Second, 
under proposed Rule 10, a Covered Entity's policies and procedures 
would need to require measures designed to detect, mitigate, and 
remediate any cybersecurity threats and vulnerabilities with respect to 
the Covered Entity's information systems and the information residing 
on those systems.\515\
---------------------------------------------------------------------------

    \513\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also 
section II.B.1.a. of this release (discussing this requirement in 
more detail).
    \514\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
    \515\ See paragraph (b)(1)(iv) of proposed Rule 10; see also 
section II.B.1.d. of this release (discussing this requirement in 
more detail).
---------------------------------------------------------------------------

    A Covered Entity that implements these requirements of proposed 
Rule 10 with respect to its SCI systems and indirect SCI systems 
generally should satisfy the current requirements of Regulation SCI 
that the SCI entity's policies and procedures require regular reviews 
and testing of SCI systems and indirect SCI systems, including backup 
systems, to identify vulnerabilities from internal and external 
threats.
    Further, while proposed Rule 10 does not require penetration 
testing, the proposed rule--as discussed above--requires measures 
designed to protect the Covered Entity's information systems and 
protect the information residing on those systems from unauthorized 
access or use, based on a periodic assessment of the Covered Entity's 
information systems and the information that resides on the 
systems.\516\ As discussed earlier, penetration testing could be part 
of these measures.\517\ Therefore, the existing and proposed 
requirements of Regulation SCI requiring penetration testing could be 
incorporated into and should fit within a Covered Entity's policies and 
procedures to address cybersecurity risks under proposed Rule 10.
---------------------------------------------------------------------------

    \516\ See paragraph (b)(1)(iii)(A) of proposed Rule 10.
    \517\ See also section II.B.1.c. of this release. The Commission 
also is requesting comment above on whether proposed Rule 10 should 
be modified to specifically require penetration testing.
---------------------------------------------------------------------------

Non-Covered Broker-Dealers
    Non-Covered Broker-Dealers--which would be subject to Regulation S-
P but not Regulation SCI--are smaller firms whose functions do not play 
as significant a role in the U.S. securities markets, as compared to 
Covered Broker-Dealers.\518\ For example, Non-Covered Broker-Dealers 
tend to offer a more focused and limited set of services such as 
facilitating private placements of securities, selling mutual funds and 
variable contracts, underwriting securities, and participating in 
direct investment offerings.\519\ Further, they do not hold customer 
securities and cash or serve as a conduit (i.e., an introducing broker-
dealer) for customers to access their accounts at a carrying broker-
dealer that holds the customers' securities and cash. If these Non-
Covered Broker-Dealers do not possess or maintain any customer 
information or consumer information for a business purpose in 
connection with the services they provide, they would not be subject to 
either the current or proposed requirements of Regulation S-P, 
including those that pertain to cybersecurity.
---------------------------------------------------------------------------

    \518\ See section IV.C.2. of this release (discussing the 
activities of broker-dealers that would not meet the definition of 
``covered entity'' in proposed Rule 10). As discussed below in 
section IV.C.2. of this release, the 1,541 broker-dealers that would 
meet the definition of ``covered entity'' in proposed Rule 10 had 
average total assets of $3.5 billion and average regulatory equity 
of $325 million; whereas the 1,969 that would not meet the 
definition of ``covered entity'' had average total assets of $4.7 
million and regulatory equity of $3 million. This means that broker-
dealers that would not meet the definition of ``covered entity'' in 
proposed Rule 10 accounted for about 0.2% of the total assets of all 
broker-dealers and 0.1% of total capital for all broker-dealers.
    \519\ See section IV.C.2. of this release (discussing the 
activities of broker-dealers that would not meet the definition of 
``covered entity'' in proposed Rule 10).
---------------------------------------------------------------------------

    However, Non-Covered Broker-Dealers under proposed Rule 10 that do 
possess or maintain customer information or consumer information for a 
business purpose would be subject to the current and proposed 
requirements of Regulation S-P. Given their smaller size, some of these 
Non-Covered Broker-Dealers may store and dispose of the information in 
paper form and, therefore, under the existing and proposed requirements 
of Regulation S-P would need to address the physical security aspects 
of storing and disposing of this information. These paper records would 
not be subject to proposed Rule 10.
    Some Non-Covered Broker-Dealers likely would store customer 
information and consumer information for a business purpose 
electronically on an information system. Under the existing and 
proposed requirements of Regulation S-P, these Non-Covered Broker-
Dealers would need to address the cybersecurity risks of storing this 
information on an information system. These Non-Covered Broker-Dealers 
would be subject to the requirements of proposed Rule 10 to establish, 
maintain, and enforce written policies and procedures that are 
reasonably designed to address their cybersecurity risks taking into 
account the size, business, and operations of the firm.\520\ Under 
proposed Rule 10, they also would be required to review and assess the 
design and effectiveness of their cybersecurity policies and 
procedures, including whether the policies and procedures reflect 
changes in cybersecurity risk over the time period covered by the

[[Page 20274]]

review. This means the Non-Covered Broker-Dealer would need to 
comprehensively address all of its cybersecurity risks. The policies 
and procedures to address cybersecurity risks required under proposed 
Rule 10 would need to address cybersecurity risks involving information 
systems on which customer information and consumer information is 
stored. Therefore, complying with this requirement of proposed Rule 10 
would be consistent with complying with the existing and proposed 
requirements of Regulation S-P that relate to cybersecurity.
---------------------------------------------------------------------------

    \520\ See paragraph (e) of proposed Rule 10 (setting forth the 
policies and procedures requirements for Market Entities that are 
not Covered Entities, i.e., Non-Covered Broker-Dealers). See also 
section II.C. of this release 
not broker-dealers). See also section II.C. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    As discussed above, Regulation S-P (currently and as it would be 
amended) sets forth certain specific requirements that pertain to 
cybersecurity risk; whereas the requirements of proposed Rule 10 
applicable to Non-Covered Broker-Dealers more generally require the 
firm to establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address its cybersecurity 
risks taking into account the size, business, and operations of the 
firm. As explained above, those more specific existing and proposed 
requirements of Regulation S-P are consistent with certain of the 
elements--which are based on industry standards for addressing 
cybersecurity risk--that Covered Entities would be required to include 
in their policies and procedures under proposed Rule 10.\521\ Further, 
proposed Rule 10 would require a Non-Covered Broker-Dealer to take into 
account its size, business, and operations when designing its policies 
and procedures to address its cybersecurity risks. Storing customer 
information and consumer information on an information system is the 
type of operation a Non-Covered Broker-Dealer would need to take into 
account. Consequently, the specific existing and proposed requirements 
of Regulation S-P should fit within and be consistent with a Non-
Covered Broker-Dealer's reasonably designed policies and procedures to 
address its cybersecurity risks under proposed Rule 10, including the 
risks associated with storing customer information and consumer 
information on an information system.
---------------------------------------------------------------------------

    \521\ See section II.B.1. of this release (discussing the 
policies and procedures requirements for Covered Entities).
---------------------------------------------------------------------------

iii. Regulation ATS and Regulation S-ID
    Certain broker-dealers that operate an ATS are subject to 
Regulation ATS and certain broker-dealers that offer and maintain 
certain types of accounts for customers are subject to requirements of 
Regulation S-ID to establish an identity theft program.\522\ 
Additionally, SBS Entities and transfer agents could be subject to 
Regulation S-ID if they are ``financial institutions'' or 
``creditors.'' \523\ As discussed below, Regulation ATS and Regulation 
S-ID are more narrowly focused on certain cybersecurity risks as 
compared to proposed Rule 10, which focuses on all cybersecurity risks 
of a Market Entity. In addition, the current requirements of Regulation 
ATS and Regulation S-ID should fit within and be consistent with the 
broader policies and procedures required under proposed Rule 10 to 
address all cybersecurity risks.
---------------------------------------------------------------------------

    \522\ See 17 CFR 242.301 through 304 (conditions to the 
Regulation ATS exemption); 17 CFR 248.201 and 202 (Regulation S-ID 
identity theft program requirements).
    \523\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID 
includes any financial institution or creditor, as defined in the 
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be 
``registered under the Securities Exchange Act of 1934.'' See 17 CFR 
248.201(a).
---------------------------------------------------------------------------

    Regulation ATS requires certain broker-dealers that operate an ATS 
to review the vulnerability of its systems and data center computer 
operations to internal and external threats, physical hazards, and 
natural disasters if during at least four of the preceding six calendar 
months, such ATS had: (1) with respect to municipal securities, 20 
percent or more of the average daily volume traded in the United 
States; or (2) with respect to corporate debt securities, 20 percent or 
more of the average daily volume traded in the United States.\524\ 
Therefore, in addition to other potential systems issues, the broker-
dealer would need to address cybersecurity risk relating to its ATS 
system. Further, this requirement applies to systems that support order 
entry, order handling, execution, order routing, transaction reporting, 
and trade comparison in the particular security.\525\ Therefore, it has 
a narrower focus than proposed Rule 10.
---------------------------------------------------------------------------

    \524\ See 17 CFR 242.301(b)(6). Currently, no ATS has crossed 
either of the volume-based thresholds and, therefore, no ATS is 
subject to the requirements pertaining, in part, to cybersecurity. 
See also Amendments Regarding the Definition of ``Exchange'' and 
ATSs Release, 87 FR 15496.
    \525\ See Regulation of Exchanges and Alternative Trading 
Systems, Exchange Act Release No. 40760 (Dec. 8, 1998) [63 FR 70844, 
70876 (Dec. 22, 1998)].
---------------------------------------------------------------------------

    Regulation ATS also requires all broker-dealers that operate an ATS 
to establish adequate written safeguards and written procedures to 
protect subscribers' confidential trading information.\526\ The written 
safeguards and procedures must include, among other things, limiting 
access to the confidential trading information of subscribers to those 
employees of the alternative trading system who are operating the 
system or responsible for its compliance with these or any other 
applicable rules.\527\ These requirements apply to all broker-dealers 
that operate an ATS and, as indicated, apply to a narrow set of 
information stored on their information systems: the confidential 
trading information of the subscribers to the ATS.
---------------------------------------------------------------------------

    \526\ See 17 CFR 242.301(b)(10).
    \527\ See 17 CFR 242.301(b)(10)(i)(A).
---------------------------------------------------------------------------

    As discussed above, Covered Entities under proposed Rule 10--which 
would include broker-dealers that operate as an ATS--would be required 
to establish, maintain, and enforce written policies and procedures 
that are reasonably designed to address the Covered Entity's 
cybersecurity risks. In addition, Covered Entities would be required to 
include the following elements in their policies and procedures: (1) 
periodic assessments of cybersecurity risks associated with the Covered 
Entity's information systems and written documentation of the risk 
assessments; (2) controls designed to minimize user-related risks and 
prevent unauthorized access to the Covered Entity's information 
systems; (3) measures designed to monitor the Covered Entity's 
information systems and protect the Covered Entity's information from 
unauthorized access or use, and oversight of service providers that 
receive, maintain, or process information, or are otherwise permitted 
to access the Covered Entity's information systems; (4) measures to 
detect, mitigate, and remediate any cybersecurity threats and 
vulnerabilities with respect to the Covered Entity's information 
systems; and (5) measures to detect, respond to, and recover from a 
cybersecurity incident and written documentation. Consequently, a 
broker-dealer that operates an ATS and that implements reasonably designed 
policies and procedures in compliance with the requirements of proposed 
Rule 10 should generally satisfy the current requirements of Regulation 
ATS to review the vulnerability of its systems and data center computer 
operations to internal and external threats and to protect subscribers' 
confidential trading information to the extent these requirements 
pertain to cybersecurity.
    Regulation S-ID requires--among other things--a financial 
institution or creditor within the scope of the regulation that offers 
or maintains one or more covered accounts to develop and implement a 
written identity theft prevention program that is designed to detect, 
prevent, and mitigate identity theft in connection with the opening of 
a covered account or any existing

[[Page 20275]]

covered account.\528\ Regulation S-ID defines the term ``covered 
account''--in pertinent part--as an account that the financial 
institution or creditor maintains, primarily for personal, family, or 
household purposes, that involves or is designed to permit multiple 
payments or transactions, such as a brokerage account with a broker-
dealer, and any other account that the financial institution or 
creditor offers or maintains for which there is a reasonably 
foreseeable risk to customers or to the safety and soundness of the 
financial institution or creditor from identity theft, including 
financial, operational, compliance, reputation, or litigation 
risks.\529\ Therefore, Regulation S-ID is narrowly focused on one 
cybersecurity risk--identity theft. Identity theft--as discussed 
earlier--is one of the tactics threat actors use to cause harm after 
obtaining unauthorized access to personal information.\530\ As a 
cybersecurity risk, Market Entities would need to address it as part of 
their policies and procedures under proposed Rule 10. Consequently, the 
requirement of Regulation S-ID should fit within and be consistent with 
a Market Entity's reasonably designed policies and procedures to 
address its cybersecurity risks under proposed Rule 10, including the 
risks associated with identity theft.
---------------------------------------------------------------------------

    \528\ See 17 CFR 248.201(d)(1).
    \529\ See 17 CFR 248.201(b)(3).
    \530\ See section I.A. of this release.
---------------------------------------------------------------------------

d. Notification and Reporting to the Commission
    Regulation SCI (currently and as it would be amended) provides the 
framework for notifying the Commission of SCI events including, among 
other things, to: immediately notify the Commission of the event; 
provide a written notification on Form SCI within 24 hours that 
includes a description of the SCI event and the system(s) affected, 
with other information required to the extent available at the time; 
provide regular updates regarding the SCI event until the event is 
resolved; and submit a final detailed written report regarding the SCI 
event.\531\ If proposed Rule 10 is adopted as proposed, it would 
require Market Entities that are Covered Entities to provide the 
Commission (and other regulators, if applicable) with immediate written 
electronic notice of a significant cybersecurity incident affecting the 
Covered Entity and, thereafter, report and update information about the 
significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission (and other regulators, if applicable).\532\ 
Part I of proposed Form SCIR would elicit information about the 
significant cybersecurity incident and the Covered Entity's efforts to 
respond to, and recover from, the incident.
---------------------------------------------------------------------------

    \531\ See 17 CFR 242.1002(b). An ``SCI event'' is an event at an 
SCI entity that is: (1) a ``systems disruption,'' which is an event 
in an SCI entity's SCI systems that disrupts, or significantly 
degrades, the normal operation of an SCI system; (2) a ``systems 
intrusion,'' which is any unauthorized entry into the SCI systems or 
indirect SCI systems of an SCI entity; or (3) a ``systems compliance 
issue,'' which is an event at an SCI entity that has caused any SCI 
system of such entity to operate in a manner that does not comply 
with the Exchange Act and the rules and regulations thereunder or 
the entity's rules or governing documents, as applicable. See 17 CFR 
242.1000 (defining the terms ``systems disruption,'' ``system 
intrusion,'' and ``system compliance issue'' and including those 
terms in the definition of ``SCI event''). The amendments to 
Regulation SCI would broaden the definition of ``system intrusion'' 
to include a cybersecurity event that disrupts, or significantly 
degrades, the normal operation of an SCI system, as well as a 
material attempted unauthorized entry into the SCI systems or 
indirect SCI systems of an SCI entity. Regulation SCI 2023 Proposing 
Release.
    \532\ See paragraphs (c)(1) and (2) of proposed Rule 10 
(requiring Covered Entities to provide immediate written notice and 
subsequent reporting on Part I of proposed Form SCIR of significant 
cybersecurity incidents); sections II.B.2. and II.B.4. of this 
release (discussing the requirements of paragraphs (c)(1) and (2) of 
proposed Rule 10 and Part I of Form SCIR in more detail). Non-
Covered Broker-Dealers also would be subject to an immediate written 
electronic notice requirement under paragraph (e)(2) of proposed 
Rule 10. However, as discussed above, a Non-Covered Broker-Dealer 
likely would not be an SCI Entity.
---------------------------------------------------------------------------

    Consequently, a Covered Entity that is also an SCI entity that 
experiences a significant cybersecurity incident under proposed Rule 10 
that also is an SCI event would be required to make two filings for the 
single incident: one on Part I of proposed Form SCIR and the other on 
Form SCI. The Covered Entity also would be required to make additional 
filings on Forms SCIR and SCI pertaining to the significant 
cybersecurity incident (i.e., to provide updates and final reports). 
The approach of having two separate notification and reporting 
programs--one under proposed Rule 10 and the other under Regulation 
SCI--would be appropriate for the following reasons.
    As discussed earlier, certain broker-dealers and all transfer 
agents would not be SCI entities under the current and proposed 
requirements of Regulation SCI.\533\ Certain of the broker-dealers that 
are not SCI entities (currently and as it would be amended) would be 
Covered Entities and all transfer agents would be Covered 
Entities.\534\ In addition, the current and proposed reporting 
requirements of Regulation SCI are or would be triggered by events 
impacting SCI systems and indirect SCI systems. The Covered Entities 
that are or would be SCI entities use and rely on information systems 
that are not SCI systems or indirect SCI systems under the current and 
proposed amendments to Regulation SCI. For these reasons, Covered 
Entities could be impacted by significant cybersecurity incidents that 
do not trigger the current and proposed notification requirements of 
Regulation SCI either because they do not meet the current or proposed 
definitions of ``SCI entity'' or the significant cybersecurity incident 
does not meet the current or proposed definitions of ``SCI event.''
---------------------------------------------------------------------------

    \533\ See section II.F.1.b. of this release. Currently, broker-
dealers that operate as ATSs and trade certain stocks exceeding 
specific volume thresholds are SCI entities. The proposed amendments 
to Regulation SCI would expand the definition of ``SCI entity'' to 
include broker-dealers that exceed an asset-based size threshold or 
a volume-based trading threshold in NMS stocks, exchange-listed 
options, agency securities, or U.S. treasury securities. See 
Regulation SCI 2023 Proposing Release.
    \534\ See paragraphs (a)(1)(i)(A) and (F) of proposed Rule 10 
(defining the categories of broker-dealers that would be Covered 
Entities); paragraph (a)(1)(ix) of proposed Rule 10 (defining transfer 
agents as ``covered entities'').
---------------------------------------------------------------------------

    As discussed earlier, the objective of the notification and 
reporting requirements of proposed Rule 10 is to improve the 
Commission's ability to monitor and evaluate the effects of a 
significant cybersecurity incident on Covered Entities and their 
customers, counterparties, members, registrants, or users, as well as 
assess the potential risks affecting financial markets more 
broadly.\535\ For this reason, Part I of proposed Form SCIR is tailored 
to elicit information relating specifically to cybersecurity, such as 
information relating to the threat actor, and the impact of the 
incident on any data or personal information that may have been 
accessed.\536\ The Commission and its staff could use the information 
reported on Part I of Form SCIR to monitor the U.S. securities markets 
and the Covered Entities that support those markets broadly from a 
cybersecurity perspective, including identifying cybersecurity threats 
and trends from a market-wide view. By requiring all Covered Entities 
to report information about a significant cybersecurity incident on a 
common form, the information obtained from these filings over time 
would create a comprehensive set of data of all significant 
cybersecurity incidents impacting Covered Entities that is based on 
these entities responding to the same check boxes and questions on the 
form. This would facilitate analysis of the data, including analysis 
across different Covered Entities and significant cybersecurity 
incidents. Eventually, this

[[Page 20276]]

set of data and the ability to analyze it by searching and sorting how 
different Covered Entities responded to the same questions on the form 
could be used to spot common trending risks and vulnerabilities as well 
as best practices employed by Covered Entities to respond to and 
recover from significant cybersecurity incidents.
---------------------------------------------------------------------------

    \535\ See section II.B.2.a. of this release.
    \536\ See section II.B.2.b. of this release.
---------------------------------------------------------------------------

    The current and proposed definitions of ``SCI event'' include 
events that are not related to significant cybersecurity 
incidents.\537\ For example, under the current and proposed 
requirements of Regulation SCI, the definition of ``SCI event'' 
includes an event in an SCI entity's SCI systems that disrupts, or 
significantly degrades, the normal operation of an SCI system.\538\ 
Therefore, the definitions are not limited to events in an SCI entity's 
SCI systems that disrupt, or significantly degrade, the normal 
operation of an SCI system caused by a significant cybersecurity 
incident. The information elicited in Form SCI reflects the broader 
scope of the reporting requirements of Regulation SCI (as compared to 
the narrower focus of proposed Rule 10 on reporting about significant 
cybersecurity incidents). For example, the form requires the SCI entity 
to identify the type of SCI event: systems compliance issue, systems 
disruption, and/or systems intrusion. In addition, Form SCI is tailored 
to elicit information specifically about SCI systems. For example, the 
form requires the SCI entity to indicate whether the type of SCI system 
impacted by the SCI event directly supports: (1) trading; (2) clearance 
and settlement; (3) order routing; (4) market data; (5) market 
regulation; and/or (6) market surveillance. If the impacted system is a 
critical SCI system, the SCI entity must indicate whether it directly 
supports functionality relating to: (1) clearance and settlement 
systems of clearing agencies; (2) openings, reopenings, and closings on 
the primary listing market; (3) trading halts; (4) initial public 
offerings; (5) the provision of consolidated market data; and/or (6) 
exclusively-listed securities. The form also requires the SCI entity to 
indicate whether the impacted system provides functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets.
---------------------------------------------------------------------------

    \537\ See 17 CFR 242.1000 (defining the term ``SCI event''); 
Regulation SCI 2023 Proposing Release.
    \538\ See 17 CFR 242.1000 (defining the term ``system 
disruption'' and including that term in the definition of ``SCI 
event''); Regulation SCI 2023 Proposing Release.
---------------------------------------------------------------------------

e. Disclosure
    Proposed Rule 10 and the existing and proposed requirements of 
Regulation SCI and the proposed requirements of Regulation S-P also 
have similar, but distinct, requirements related to notification about 
certain cybersecurity incidents. Regulation SCI requires that SCI 
entities disseminate information to their members, participants, or 
customers (as applicable) regarding SCI events.\539\ The proposed 
amendments to Regulation S-P would require broker-dealers and transfer 
agents to notify affected individuals whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization.\540\ Proposed Rule 10 would require a Covered 
Entity to make two types of public disclosures relating to 
cybersecurity on Part II of proposed Form SCIR.\541\ Covered Entities 
would be required to make the disclosures by filing Part II of proposed 
Form SCIR on EDGAR and posting a copy of the filing on their business 
internet websites.\542\ In addition, a Covered Entity that is either a 
carrying or introducing broker-dealer would be required to provide a 
copy of the most recently filed Part II of Form SCIR to a customer as 
part of the account opening process. Thereafter, the carrying or 
introducing broker-dealer would need to provide the customer with the 
most recently filed form annually. The copies of the form would need to 
be provided to the customer using the same means that the customer 
elects to receive account statements (e.g., by email or through the 
postal service). Finally, a Covered Entity would be required to 
promptly make updated disclosures through each of the methods described 
above (as applicable) if the information required to be disclosed about 
cybersecurity risk or significant cybersecurity incidents materially 
changes, including, in the case of the disclosure about significant 
cybersecurity incidents, after the occurrence of a new significant 
cybersecurity incident or when information about a previously disclosed 
significant cybersecurity incident materially changes.
---------------------------------------------------------------------------

    \539\ See 17 CFR 242.1002(c).
    \540\ See Regulation S-P 2023 Proposing Release. The proposed 
amendments to Regulation S-P would define ``sensitive customer 
information'' to mean any component of customer information alone or 
in conjunction with any other information, the compromise of which 
could create a reasonably likely risk of substantial harm or 
inconvenience to an individual identified with the information. Id. 
The proposed amendments would provide examples of sensitive customer 
information. Id.
    \541\ See paragraph (d)(1) of proposed Rule 10.
    \542\ See section II.B.3.b. of this release (discussing these 
proposed requirements in more detail).
---------------------------------------------------------------------------

    Consequently, a Covered Entity would--if it experiences a 
``significant cybersecurity incident''--be required to make updated 
disclosures under proposed Rule 10 by filing Part II of proposed Form 
SCIR on EDGAR, posting a copy of the form on its business internet 
website, and, in the case of a carrying or introducing broker-dealer, 
by sending the disclosure to its customers using the same means that 
the customer elects to receive account statements. Moreover, if the 
Covered Entity is an SCI entity and the significant cybersecurity incident is 
or would be an SCI event under the current or proposed requirements of 
Regulation SCI, the Covered Entity also could be required to 
disseminate certain information about the SCI event to certain of its 
members, participants, or customers (as applicable). Further, if the 
Covered Entity is a broker-dealer or transfer agent and, therefore, 
subject to Regulation S-P (as it is proposed to be amended), the 
broker-dealer or transfer agent also could be required to notify 
individuals whose sensitive customer information was, or is reasonably 
likely to have been, accessed or used without authorization.
    However, despite these similarities, there are distinct 
differences. First, proposed Rule 10, Regulation SCI, and Regulation S-
P (as proposed to be amended) require different types of information to 
be disclosed. Second, the disclosures, for the most part, would be made 
to different persons: (1) the public at large in the case of proposed 
Rule 10; \543\ (2) affected members, participants, or customers (as 
applicable) of the SCI entity in the case of Regulation SCI; \544\ and 
(3) affected individuals whose sensitive customer information was, or 
is reasonably likely to have been, accessed or used without 
authorization or, in some cases, all individuals whose information 
resides in the customer information system that was accessed or used 
without authorization in the case of Regulation S-P (as proposed to be 
amended).
---------------------------------------------------------------------------

    \543\ A carrying broker-dealer would be required to make the 
disclosures to its customers as well through the means by which they 
receive account statements.
    \544\ Information regarding major SCI events is and would be 
required to be disseminated by an SCI entity to all of its members, 
participants, or customers (as applicable) under the existing and 
proposed requirements of Regulation SCI. See Regulation SCI 2023 
Proposing Release.
---------------------------------------------------------------------------

    Additionally, the disclosure or notification provided about certain 
cybersecurity incidents is different

[[Page 20277]]

under proposed Rule 10 and the existing and/or proposed requirements of 
Regulation SCI and Regulation S-P, given their distinct goals. For 
example, the requirement to disclose summary descriptions of certain 
cybersecurity incidents from the current or previous calendar year 
publicly on EDGAR, among other methods, under proposed Rule 10 serves a 
different purpose than: (1) the member, participant, or customer (as 
applicable) dissemination of information regarding SCI events under 
Regulation SCI; and (2) the customer notification obligation under the 
proposed amendments to Regulation S-P, which would provide more 
specific information to individuals affected by a security compromise 
involving their sensitive customer information, so that those 
individuals may take remedial actions if they so choose.
2. Request for Comment
    The Commission requests comment on the potential duplication or 
overlap between the requirements of proposed Rule 10, Regulation SCI 
(as it currently exists and as it is proposed to be amended), and 
Regulation S-P (as it currently exists and as it is proposed to be 
amended). In addition, the Commission is requesting comment on the 
following matters:
    91. Should the policies and procedures requirements of proposed 
Rule 10 be modified to address Market Entities that also would be 
subject to the existing and proposed requirements of Regulation SCI 
and/or Regulation S-P? For example, would it be particularly costly or 
create practical implementation difficulties to apply the requirements 
of proposed Rule 10 (if it is adopted) to have policies and procedures 
to address cybersecurity risks to Market Entities even if they also 
would be subject to requirements to have policies and procedures under 
Regulation SCI and/or Regulation S-P that address certain cybersecurity 
risks (currently and as they would be amended)? If so, explain why. If 
not, explain why not. Are there ways the policies and procedures 
requirements of proposed Rule 10 could be modified to minimize these 
potential impacts while achieving the separate goals of this proposal 
to protect participants in the U.S. securities markets and the markets 
themselves from cybersecurity risks? If so, explain how and suggest 
specific modifications.
    92. Would it be appropriate to modify proposed Rule 10 to exempt 
SCI systems or indirect SCI systems from its policies and procedures 
requirements and instead rely on the policies and procedures 
requirements of Regulation SCI to address cybersecurity risks to these 
information systems of Covered Entities? If so, explain why. If not, 
explain why not. What would be the costs and benefits of this approach? 
For example, if one set of policies and procedures generally would 
satisfy the requirements of both rules, would this approach result in 
incremental costs or benefits? Please explain. Would this approach 
achieve the objectives of this rulemaking to address cybersecurity 
risks to Covered Entities, given that Rule 10 is specifically designed 
to address cybersecurity risks and Regulation SCI is designed to 
address a broader range of risks to certain information systems? Please 
explain. Would this approach create practical implementation and 
compliance complexities insomuch as one set of the Covered Entity's 
systems would be subject to Regulation SCI (i.e., SCI systems and 
indirect SCI systems) and the other set would be subject to Rule 10? 
Please explain. If it would create practical implementation and 
compliance difficulties, would Covered Entities nonetheless apply 
separate policies and procedures requirements to their information 
systems based on whether they are or are not SCI systems and indirect 
SCI Systems or would they develop a single set of policies and 
procedures that comprehensively addresses the requirements of 
Regulation SCI and Rule 10? Please explain. Would a comprehensive set 
of policies and procedures result in stronger measures to protect SCI 
systems and indirect SCI systems from cybersecurity risks? Please 
explain. If so, would this be appropriate given the nature of SCI 
systems and indirect SCI systems and the roles these systems play in 
the U.S. securities markets? Please explain.
    93. Should the policies and procedures requirements of proposed 
Rule 10 be modified to address Market Entities that also would be 
subject to the requirements of Regulation ATS? If so, explain why. If 
not, explain why not.
    94. Should the immediate notification and reporting requirements of 
proposed Rule 10 be modified to address Covered Entities that also 
would be subject to the existing and proposed requirements of 
Regulation SCI? For example, would it be particularly costly or create 
practical implementation difficulties to apply the immediate 
notification and subsequent reporting requirements of proposed Rule 10 
and Part I of proposed Form SCIR (if they are adopted) to Covered 
Entities even if they also would be subject to immediate notification 
and subsequent reporting requirements under Regulation SCI (as it 
currently exists and would be amended)? If so, explain why. If not, 
explain why not. Are there ways the notification and reporting 
requirements of proposed Rule 10 and Part I of proposed Form SCIR could 
be modified to minimize these potential impacts while achieving the 
separate goals of this proposal to protect participants in the U.S. 
securities markets and the markets themselves from cybersecurity risks? 
If so, explain how and suggest specific modifications. For example, 
should Part I of proposed Form SCIR be modified to include a section 
that incorporates the check boxes and questions of Form SCI so that a 
single form could be filed to meet the reporting requirements of 
proposed Rule 10 and Regulation SCI? If so, explain why. If not, 
explain why not. Are there other ways Part I of proposed Form SCIR 
could be modified to combine the elements of Form SCI? If so, explain 
how. Should Rule 10 be modified to require that the initial Part I of 
Form SCIR must be filed within 24 hours (instead of promptly but not 
later than 48 hours) to align the filing timeframe with Regulation SCI? 
If so, explain why. If not, explain why not.
    95. Should the public disclosure requirements of proposed Rule 10 
be modified to address Covered Entities that also would be subject to 
the existing and proposed requirements of Regulation SCI and/or 
Regulation S-P? For example, would it be particularly costly or create 
practical implementation difficulties to apply the public disclosure 
requirements of proposed Rule 10 and Part II of proposed Form SCIR (if 
they are adopted) to Covered Entities even if they also would be 
subject to the current and proposed disclosure requirements of 
Regulation SCI and Regulation S-P? If so, explain why. If not, explain 
why not. Are there ways the public disclosure requirements of proposed 
Rule 10 could be modified to minimize these potential impacts while 
achieving the separate goals of this proposal to protect participants 
in the U.S. securities markets and the markets themselves from 
cybersecurity risks? If so, explain how and suggest specific 
modifications. For example, should proposed Rule 10 be modified to 
permit the customer notification that would be required under the 
amendments to Regulation S-P to satisfy the requirement of proposed 
Rule 10 that a Covered Entity that is a carrying broker-dealer or 
introducing broker-dealer send a copy of an updated Part II of proposed 
Form SCIR to its customers? If so, explain why. If not, explain why 
not. Would sending the notification required by proposed Rule 10 and 
the

[[Page 20278]]

notification required by the proposed amendments to Regulation S-P to 
the same customer be confusing to the customer? If so, explain why. If 
not, explain why not.

G. Cybersecurity Risk Related to Crypto Assets

    The creation, distribution, custody, and transfer of crypto assets 
depends almost exclusively on the operations of information 
systems.\545\ Crypto assets, therefore, are exposed to cybersecurity 
risks.\546\ Further, crypto assets are attractive targets for threat 
actors.\547\ Therefore, information systems that involve crypto assets 
may be subject to heightened cybersecurity risks. If Market Entities 
engage in business activities involving crypto assets, they could be 
exposed to these heightened cybersecurity risks.\548\
---------------------------------------------------------------------------

    \545\ The term ``digital asset'' or ``crypto asset'' refers to 
an asset that is issued and/or transferred using distributed ledger 
or blockchain technology (``distributed ledger technology''), 
including, but not limited to, so-called ``virtual currencies,'' 
``coins,'' and ``tokens.'' See Custody of Digital Asset Securities 
by Special Purpose Broker-Dealers, Exchange Act Release No. 90788 
(Dec. 23, 2020) [86 FR 11627, 11627, n.1 (Feb. 26, 2021)]. To the 
extent digital assets rely on cryptographic protocols, these types 
of assets are commonly referred to as ``crypto assets.'' A crypto 
asset may or may not meet the definition of a ``security'' under the 
federal securities laws. See, e.g., Report of Investigation Pursuant 
to Section 21(a) of the Securities Exchange Act of 1934: The DAO, 
Securities Exchange Act Release No. 81207 (July 25, 2017), available 
at https://www.sec.gov/litigation/investreport/34-81207.pdf. See 
also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). ``Digital asset 
securities'' can be referred to as ``crypto asset securities'' and 
for purposes of this release, the Commission does not distinguish 
between the terms ``digital asset securities'' and ``crypto asset 
securities.''
    \546\ See KPMG, Assessing crypto and digital asset risks (May 
2022), available at https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2022/assessing-crypto-and-digital-asset-risks.pdf 
(``Properly securing digital assets[] is typically viewed as the 
biggest risk that companies must address.'').
    \547\ See U.S. Department of Treasury, Crypto-Assets: 
Implications for Consumers, Investors, and Businesses (Sept. 2022), 
available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (``Treasury Crypto Report'') (``Moreover, the 
crypto-asset ecosystem has unique features that make it an 
increasingly attractive target for unlawful activity, including the 
ongoing evolution of the underlying technology, pseudonymity, 
irreversibility of transactions, and the current asymmetry of 
information between issuers of crypto-assets and consumers and 
investors.'').
    \548\ Moreover, if the Market Entity's activities involving 
crypto asset securities involve its information systems, the 
requirements being proposed in this release would be implicated.
---------------------------------------------------------------------------

    Crypto assets are an attractive target for unlawful activity due, 
in large part, to the unique nature of distributed ledger technology. 
Possession or control of crypto assets on a distributed ledger is based 
on ownership or knowledge of public and private cryptographic key 
pairings. These key pairings are somewhat analogous to user names and 
passwords and consist of strings of letters and numbers used to sign 
transactions on a distributed ledger and to prove ownership of a 
blockchain address, which is commonly known as a ``digital wallet.'' 
\549\ Digital wallets, in turn, generally require the use of internet-
connected hardware and software to receive and transmit information 
about crypto asset holdings.
---------------------------------------------------------------------------

    \549\ See, e.g., NIST Glossary (defining ``private key'').
---------------------------------------------------------------------------

    A digital wallet can be obtained by anyone, including a potential 
threat actor. If a victim's digital wallet is connected to the 
internet, and a threat actor obtains access to the victim's private 
key, the threat actor can transfer the contents of the wallet to 
another blockchain address (such as the threat actor's own digital 
wallet) without authorization from the true owner. It may be difficult 
to subsequently track down the identity of the threat actor because the 
owner of a digital wallet can remain anonymous (absent additional 
attribution information) and because intermediaries involved in the 
transfer of crypto assets, such as trading platforms, may not comply 
with or may actively claim not to be subject to applicable ``know your 
customer'' or related diligence requirements.\550\
---------------------------------------------------------------------------

    \550\ See, e.g., Treasury Crypto Report (``Compared to 
registered financial market intermediaries--which are subject to 
rules and laws that promote market integrity and govern risks and 
business conduct, including identifying, disclosing, and mitigating 
conflicts of interest and adhering to AML/CFT requirements--many 
crypto-asset platforms may either not yet be in compliance with, or 
may actively claim not to be subject to, existing applicable U.S. 
laws and regulations, including registration requirements. . . . 
When the onboarding process used by platforms is limited or opaque, 
the risk that the platform may be used for illegal activities 
increases.'').
---------------------------------------------------------------------------

    The current state of distributed ledger technology may present 
other challenges to defending against cybercriminal activity. First, 
there is no centralized information technology (``IT'') infrastructure 
that can dynamically detect and prevent cyberattacks on wallets or 
prevent the transfer of illegitimately obtained crypto assets by threat 
actors.\551\ This is unlike traditional infrastructures, such as those 
used by banks and broker-dealers, where behavioral and historic 
transaction patterns can be used to detect and prevent account 
takeovers in real-time. Furthermore, distributed ledger technology 
often makes it difficult or impossible to reverse erroneous or 
fraudulent crypto asset transactions, whereas processes and protocols 
exist to reverse erroneous or fraudulent transactions when trading more 
traditional assets.\552\ In addition, certain code that governs the 
operation of a blockchain and that governs so-called ``smart 
contracts'' is often transparent to the public. This provides threat 
actors with visibility into potential vulnerabilities associated with 
the code, though developers may have limited ability to patch those 
vulnerabilities.\553\ These characteristics of distributed ledger 
technology, and others, present cybersecurity vulnerabilities that, if 
taken advantage of by a threat actor, could lead to financial harm 
without meaningful recourse to reverse fraudulent transactions, recover 
or replace lost crypto assets, or correct errors.
---------------------------------------------------------------------------

    \551\ See CipherTrace, Cryptocurrency crime and anti-money 
laundering report (June 2022), available at https://4345106.fs1.hubspotusercontent-na1.net/hubfs/4345106/CAML%20Reports/CipherTrace%20Cryptocurrency%20Crime%20and%20Anti-Money%20Laundering%20Report%2c%20June%202022.pdf?_hstc=56248308.2ea6daf13b00f00afe4d9acf0886eddf.1667865330143.1667865330143.1667917991763.2&_hssc=56248308.1.1667917991763&_hsfp=247897319 (``CipherTrace 
2022 Report'').
    \552\ For example, this is the case with Bitcoin and Ether, the 
two crypto assets with the largest market values. See CoinMarketCap, 
Today's Cryptocurrency Prices by Market Cap, available at https://coinmarketcap.com/ (``Crypto Asset Market Value Chart''). See also, 
e.g., Kaili Wang, Qinchen Wang, and Dan Boneh, ERC-20R and ERC-721R: 
Reversible Transactions on Ethereum (Oct. 11, 2022), available at 
https://arxiv.org/pdf/2208.00543.pdf#page=16&zoom=100,96,233 
(Stanford University proposal discussing the immutability of 
Ethereum-based tokens, and proposing that reversible Ethereum 
transactions may facilitate more wide-spread adoption of these 
crypto assets). With respect to securities, the clearance and 
settlement of securities that are not crypto assets are 
characterized by infrastructure whereby intermediaries such as 
clearing agencies and securities depositories serve as key 
participants in the process. The clearance and settlement of crypto 
asset securities, on the other hand, may rely on fewer, if any, 
intermediaries and remain evolving areas of practices and 
procedures.
    \553\ See Treasury Crypto Report (``Smart contracts, which are 
widely used by many permissionless blockchains, also present risks 
as they combine the features of generally being immutable and 
publicly viewable. Taken together, these attributes pose several 
vulnerabilities that may be exploited by illicit actors to steal 
customer funds: once an attacker finds a bug in a smart contract and 
exploits it, immutable smart contract protocols limit developers' 
ability to patch the exploited vulnerability, giving attackers more 
time to exploit the vulnerability and steal assets.'').
---------------------------------------------------------------------------

    The amount of crypto assets stolen by threat actors annually 
continues to increase.\554\ Threat actors looking to

[[Page 20279]]

exploit the vulnerabilities associated with crypto assets often employ 
social engineering techniques, such as phishing, to acquire a user's 
cryptographic key pairing information. Phishing tactics that have been 
employed to reach and trick crypto asset users into disclosing their 
private keys include: (1) monitoring social media for users reaching 
out to wallet software support, intervening with direct messages, and 
impersonating legitimate support staff who need the user's private key 
to fix the problem; (2) distributing new crypto assets at no cost to a 
set of wallets in an ``airdrop,'' and then failing transactions on 
those assets with an error message to redirect the owner to a phishing 
website or a website that installs plug-in software and steals the 
user's credentials from a local device; and (3) impersonating a wallet 
software provider and stealing private keys directly from the 
user.\555\ To the extent that the activities of Market Entities involve 
crypto assets, these types of phishing tactics could be used against 
their employees.
---------------------------------------------------------------------------

    \554\ See Treasury Crypto Report (noting that of the total 
amount of crypto asset based crime in 2021, theft rose by over 500% 
year-over-year to $3.2 billion in total); Chainalysis, The 2022 
Crypto Crime Report (Feb. 2022), available at https://go.chainalysis.com/2022-Crypto-Crime-Report.html (``Chainalysis 2022 
Report'') (predicting that illicit transaction activity will reach 
an all-time high in terms of value in 2022, and noting that crypto 
asset based crime hit a new all-time high in 2021, with illicit 
addresses receiving $14 billion over the course of the year, up from 
$7.8 billion in 2020).
    \555\ See Microsoft 365 Defender Research Team, `Ice Phishing' 
on the Blockchain (Feb. 16, 2022), available at https://www.microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain/.
---------------------------------------------------------------------------

    Another variation of social engineering, similar to phishing but 
not involving the direct theft of private keys, is called ``ice 
phishing.'' In this scheme, the threat actor 
tricks the user into signing a digital transaction that delegates 
approval and control of the user's wallet to the attacker, allowing the 
threat actor to become the so-called ``spender'' of the wallet. Once 
the threat actor obtains control over the user's wallet, the threat 
actor can transfer all of the crypto assets to a new wallet controlled 
by the threat actor.\556\
---------------------------------------------------------------------------

    \556\ See CipherTrace June 2022 Report. Delegating authority to 
another user reportedly is a common transaction on decentralized 
finance (``DeFi'') platforms, as the user may need to provide the 
DeFi platform with approval to conduct transactions with the user's 
tokens. In an ``ice phishing'' attack, the attacker modifies the 
spender address to the attacker's address. Once the approval 
transaction has been signed, submitted, and mined, the spender can 
access the funds. The attacker can accumulate approvals over a 
period of time and then drain the victim's wallets quickly.
---------------------------------------------------------------------------
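The approval-delegation mechanism described above, as an added example that is not part of the release: a wallet-side check that decodes an ERC-20 `approve(address,uint256)` call before the user signs it and warns when the spender is not on the user's allowlist or the allowance is unlimited. The selector `0x095ea7b3` is the standard ERC-20 approve selector; the addresses, allowlist and sample transactions are constructed.

```python
"""Wallet-side screening of ERC-20 approval transactions.

Added example (not part of the release): illustrates the ``ice phishing''
pattern, in which the attacker does not steal the private key but induces
the user to sign an approve() call naming the attacker as spender.  A wallet
or compliance tool can decode the calldata before the user signs and warn
when the spender is unknown or the allowance is unlimited.  All addresses,
the allowlist and the sample transactions below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# First 4 bytes of keccak256("approve(address,uint256)"): the standard ERC-20 selector.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1

# Constructed sample addresses (20 bytes each); not real on-chain addresses.
TOKEN = "0x" + "aa" * 20       # the token contract the user holds
DEX_ROUTER = "0x" + "11" * 20  # a spender the user has knowingly approved before
ATTACKER = "0x" + "ee" * 20    # spender substituted by the phishing site


@dataclass(frozen=True)
class ApprovalRequest:
    token: str    # contract the transaction is sent to
    spender: str  # address being granted the right to move the user's tokens
    amount: int   # allowance in the token's base units


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata the way a dapp front end would (ABI encoding)."""
    spender_word = spender[2:].lower().rjust(64, "0")  # address left-padded to 32 bytes
    amount_word = format(amount, "064x")               # uint256, big-endian, 32 bytes
    return "0x" + APPROVE_SELECTOR + spender_word + amount_word


def decode_approve(to: str, data: str) -> Optional[ApprovalRequest]:
    """Return the decoded approval if `data` is an ERC-20 approve() call, else None."""
    hexdata = data[2:] if data.startswith("0x") else data
    if len(hexdata) != 8 + 64 + 64 or hexdata[:8].lower() != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = hexdata[8:72], hexdata[72:136]
    # ABI pads an address with 12 zero bytes; non-zero padding means the calldata is malformed
    if spender_word[:24] != "0" * 24:
        return None
    return ApprovalRequest(token=to.lower(),
                           spender="0x" + spender_word[24:].lower(),
                           amount=int(amount_word, 16))


def screen_approval(req: ApprovalRequest, allowlist: List[str]) -> List[str]:
    """Return the reasons a wallet should warn before the user signs this approval."""
    findings = []
    if req.spender not in {a.lower() for a in allowlist}:
        findings.append(f"spender {req.spender} is not on the user's allowlist")
    if req.amount == UINT256_MAX:
        findings.append("allowance is unlimited (uint256 max)")
    return findings


def screen_transaction(to: str, data: str, allowlist: List[str]) -> Optional[List[str]]:
    """None if the transaction is not an approve() call; otherwise the warnings (empty = clean)."""
    req = decode_approve(to, data)
    return None if req is None else screen_approval(req, allowlist)


if __name__ == "__main__":
    allowlist = [DEX_ROUTER]
    # Case 1: a routine approval the user intends (bounded amount, known spender)
    print(screen_transaction(TOKEN, encode_approve(DEX_ROUTER, 10**18), allowlist))
    # Case 2: the same dapp flow after an ice-phishing site swapped in its own spender
    print(screen_transaction(TOKEN, encode_approve(ATTACKER, UINT256_MAX), allowlist))
```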

    Threat actors also target private keys and crypto assets through 
other means, such as installing key logging software,\557\ exploiting 
vulnerabilities in code used in connection with crypto assets (such as 
smart contracts), and deploying flash loan attacks.\558\ Installing key 
logging software, in particular, is an example of malware that threat 
actors looking to exploit the vulnerabilities associated with crypto 
assets often employ. Other common types of crypto asset-focused malware 
techniques include info stealers, clippers, and cryptojackers.\559\
---------------------------------------------------------------------------

    \557\ Key logging can involve a threat actor deploying a 
software program designed to record which keys are pressed on a 
computer keyboard to obtain passwords or other encryption keys, 
therefore bypassing certain security measures. See NIST Glossary 
(defining ``key logger''). Key logging software can be installed, 
for example, when the victim clicks a link or downloads an 
attachment in a phishing email, downloads a Trojan virus that is 
disguised as a legitimate file or application, or is directed to a 
phony website.
    \558\ See Treasury Crypto Report (``In an innovation unique to 
DeFi lending, some protocols may support `flash loans,' which enable 
users to borrow, use, and repay crypto assets in a single 
transaction that is recorded on the blockchain in the same data 
block. Because there is no default risk associated with flash loans, 
users can borrow without posting collateral and without risk of 
being liquidated. A `flash loan attack' can occur when the temporary 
surge of funds obtained in a flash loan is used to manipulate prices 
of crypto-assets, often through the interaction of multiple DeFi 
services, enabling attackers to take over the governance of a 
protocol, change the code, and drain the treasury.''). In 2021, code 
exploits and flash loan attacks accounted for 49.8% of all crypto 
asset value stolen across all crypto asset services. See Chainalysis 
2022 Report.
    \559\ Specifically, ``info stealers'' collect saved credentials, 
files, autocomplete history, and crypto asset wallets from 
compromised computers. ``Clippers'' can insert new text into the 
victim's clipboard, replacing text the user has copied. Hackers can 
use clippers to replace crypto asset addresses copied into the 
clipboard with their own, allowing them to reroute planned 
transactions to their own wallets. ``Cryptojackers'' make 
unauthorized use of the computing power of a victim's device to mine 
crypto assets. See Chainalysis 2022 Report.
---------------------------------------------------------------------------

    The size and growth of the crypto asset markets, along with the 
fact that many participants in these markets (such as issuers, 
intermediaries, trading platforms, and service providers) may be acting 
in noncompliance with applicable law, continue to make them an 
attractive target for threat actors looking for quick financial gain. 
The crypto asset ecosystem has exhibited rapid growth in the past few 
years. For example, industry reports have suggested that the total 
crypto asset market value increased from approximately $135 billion on 
January 1, 2019 to just under $2.1 trillion on March 31, 2022.\560\ 
According to these reports, the crypto asset market value peaked at 
almost $3 trillion in November 2021.\561\ Various sources also report 
that the market value remains over $1 trillion today.\562\
---------------------------------------------------------------------------

    \560\ See CipherTrace June 2022 Report. The amount of total 
activity in the crypto asset markets has increased as well. 
According to the CipherTrace June 2022 Report, while the total 
activity in 2020 was around $4.3 trillion, there was approximately 
$16 trillion of total activity in the first half of 2021 alone. See 
id.
    \561\ See id.
    \562\ See Crypto Asset Market Value Chart; see also Treasury 
Crypto Report.
---------------------------------------------------------------------------

III. General Request for Comment

    In addition to the specific requests for comment above, the 
Commission is requesting comments from all members of the public on all 
aspects of the proposed rule and amendments. Commenters are requested 
to provide empirical data in support of any arguments or analyses. With 
respect to any comments, the Commission notes that they are of the 
greatest assistance to this rulemaking initiative if accompanied by 
supporting data and analysis of the issues addressed in those comments 
and by alternatives to the Commission's proposals where appropriate.

IV. Economic Analysis

A. Introduction

    The Commission is mindful of the economic effects, including the 
costs and benefits, of: (1) proposed Rule 10; (2) Parts I and II of 
proposed Form SCIR; (3) the proposed amendments to Rules 17a-4, 17ad-7, 
and 18a-6; (4) the proposed amendments to existing orders that exempt 
certain clearing agencies from registering with the Commission; and (5) 
the proposed amendments to paragraph (d)(1) of Rule 3a71-6 to add 
proposed Rule 10 and Form SCIR to the list of Commission requirements 
eligible for a substituted compliance determination. Section 3(f) of 
the Exchange Act provides that when engaging in rulemaking that 
requires the Commission to consider or determine whether an action is 
necessary or appropriate in the public interest, to also consider, in 
addition to the protection of investors, whether the action will 
promote efficiency, competition, and capital formation.\563\ Section 
23(a)(2) of the Exchange Act also requires the Commission to consider 
the effect that the rules and rule amendments would have on 
competition, and it prohibits the Commission from adopting any rule 
that would impose a burden on competition not necessary or appropriate 
in furtherance of the Exchange Act.\564\ The analysis below addresses 
the likely economic effects of the proposed rule and form, the proposed 
rule amendments, and the proposed amendments to the exemptive orders, 
including the anticipated and estimated benefits and costs of these 
proposals and their likely effects on efficiency, competition, and 
capital formation. The Commission also discusses the potential economic 
effects of certain alternatives

[[Page 20280]]

to the approaches taken with respect to these proposals.
---------------------------------------------------------------------------

    \563\ See 15 U.S.C. 78c(f).
    \564\ See 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    As discussed above, Market Entities rely on information systems to 
perform functions that support the fair, orderly, and efficient 
operation of the U.S. securities markets.\565\ This exposes them and 
the U.S. securities markets to cybersecurity risk. According to the 
Bank for International Settlements, the financial sector has the 
second-largest share of COVID-19-related cybersecurity events between 
the end of February and June 2020.\566\ As is the case with other risks 
(e.g., market, credit, or liquidity risk), cybersecurity risk can be 
addressed through policies and procedures that are reasonably designed 
to manage the risk. A second means to address cybersecurity risk to the 
U.S. securities markets is through the Commission gathering and sharing 
information about significant cybersecurity incidents. This risk also 
can be addressed through greater transparency.\567\ For these reasons 
(and the reasons discussed throughout the release), the Commission is 
proposing Rule 10 and Form SCIR to require that Market Entities address 
cybersecurity risks, to improve the Commission's ability to obtain 
information about significant cybersecurity incidents impacting Covered 
Entities and to require Covered Entities to disclose publicly summary 
descriptions of their cybersecurity risks and significant cybersecurity 
incidents (if applicable).
---------------------------------------------------------------------------

    \565\ See section I.A. of this release (discussing cybersecurity 
risks and the use of information systems by Market Entities).
    \566\ Id. The health sector is ranked first in terms of 
cyberattacks.
    \567\ ``The Council recommends that regulators and market 
participants continue to work together to improve the coverage, 
quality, and accessibility of financial data, as well as improve 
data sharing among relevant agencies.'' FSOC 2021 Annual Report, at 
16.
---------------------------------------------------------------------------

    It is important to note that the Market Entities serve different 
functions in the U.S. securities markets and are subject to different 
regulatory regimes. As a result, Market Entities today have varying 
approaches to cybersecurity protections and would have different costs 
and benefits associated with complying with proposed Rule 10 and for 
Covered Entities to file Parts I and II of proposed Form SCIR. In 
addition, Market Entities may have different costs and benefits 
depending on the size and complexity of their businesses. For example, 
because Non-Covered Broker-Dealers likely are materially smaller in 
size than Covered Entities, use fewer and less complex information 
systems, and have less data stored on information systems, the 
obligations of Non-Covered Broker-Dealers under proposed Rule 10 are 
more limited, and likely would have lower compliance costs. This could 
be the case even though Non-Covered Broker-Dealers may still need to 
invest in hardware and software, employ legal and compliance personnel, 
or contract with a third party. Furthermore, in addition to the direct 
benefits and costs realized by Market Entities, other market 
participants, such as investors and third-party service providers would 
realize indirect benefits and costs from the adoption of the proposed 
rule. The direct and indirect benefits and costs realized by each type 
of Market Entity and market participants are discussed below.\568\
---------------------------------------------------------------------------

    \568\ See section IV.D. of this release (discussing these 
benefits and costs).
---------------------------------------------------------------------------

    Many of the benefits and costs discussed below are difficult to 
quantify. For example, the effectiveness of cybersecurity strengthening 
measures taken as a result of proposed Rule 10 depends on the extent to 
which they reduce the likelihood of a cybersecurity incident and on the 
expected cost of such an incident, including remediation costs in the 
event that a cybersecurity incident causes harm. As a result, the 
effectiveness of cybersecurity strengthening is subject to numerous 
assumptions and unknowns, and thus is difficult to quantify. 
Effectively, because cybersecurity infrastructure as well as policies 
and procedures help to prevent successful cybersecurity intrusions, the 
benefit of cybersecurity protection can be measured as the expected 
loss from a cybersecurity incident. In 2020, the average loss in the 
financial services industry was $18.3 million, per company per 
incident. The average cost of a financial services data breach was 
$5.85 million.\569\ Thus, those values would represent the benefit of 
avoiding a cybersecurity incident.
---------------------------------------------------------------------------

    \569\ Jennifer Rose Hale, The Soaring Risks of Financial 
Services Cybercrime: By the Numbers, Diligent (Apr. 9, 2021), 
available at https://www.diligent.com/insights/financial-services/cybersecurity/#.
---------------------------------------------------------------------------

    The Commission has limited information on cybersecurity incidents 
impacting Market Entities. For example, as discussed above, certain 
Market Entities are SCI entities subject to the requirements of 
Regulation SCI.\570\ SCI entities must report SCI events to the 
Commission on Form SCI, which could include cybersecurity 
incidents.\571\ However, only certain Market Entities are SCI entities 
and the reporting requirements of Regulation SCI are limited to SCI 
systems and indirect SCI systems, which are a subset of the information 
systems used by SCI entities. To the extent that a cybersecurity 
incident at a Market Entity that is also an SCI entity is an SCI event, 
the Market Entity would be required to file Form SCI. However, only 
certain SCI events are also considered to be cybersecurity incidents. 
Consequently, the Commission currently has only partial knowledge of 
the cybersecurity incidents that occur at Market Entities. The 
Commission believes using the benefit and cost values related to SCI 
Entities as a basis to estimate the benefits and costs of the proposed 
rule for Covered Entities would be instructive but may be under 
inclusive.
---------------------------------------------------------------------------

    \570\ See section II.F.1.b. of this release (discussing the 
Covered Entities that are subject to Regulation SCI).
    \571\ See section II.F.1.d. of this release (discussing the 
reporting requirements of Regulation SCI).
---------------------------------------------------------------------------

    Similarly, the Commission has access to information contained in 
confidential anti-money laundering (AML) suspicious activity reports 
(``SARs'') that broker-dealers file with the Department of the 
Treasury's Financial Crimes Enforcement Network (``FinCEN''), which 
includes known or suspected cybersecurity incidents.\572\ However, the 
SARs filed by broker-dealers with FinCEN do not necessarily include all 
of the details associated with an incident, such as whether the 
incident was confirmed, the extent of the impact, and how the breach 
was remediated. Furthermore, the SAR filing may not be timely, as a 
broker-dealer has up to 30 days to file the SAR if a suspect is 
identified, or up to 60 days if a suspect is not identified. Issues 
that require immediate attention--such as terrorist financing or 
ongoing money laundering schemes--must be reported to law 
enforcement.\573\ If reporting is not otherwise required by the 
Commission or an SRO, a broker-dealer ``may also, but is not required 
to'' contact the Commission.\574\ Broker-dealers must make the 
supporting documentation available to the Commission and registered 
SROs (as well as to FinCEN, law enforcement agencies, and Federal 
regulatory authorities that examine for Bank Secrecy Act compliance) 
upon request.\575\ The benefits and costs of filing SARs with FinCEN 
can serve as a basis to approximate the cost of filing Part I of 
proposed Form SCIR. However, the proposed rule would require a

[[Page 20281]]

quicker reporting timeline, more information to be provided, and 
multiple updates with regard to a given significant cybersecurity 
event. Thus, the costs related to complying with SAR filings serve as 
a floor for Covered Entities complying with the proposed rule.
---------------------------------------------------------------------------

    \572\ See, e.g., Fergus Shiel and Ben Hallman, International 
Consortium of Investigative Journalists, Suspicious Activity 
Reports, Explained (Sept. 20, 2020), available at https://www.icij.org/investigations/fincen-files/suspicious-activity-reports-explained/ (stating that approximately 85% of SARs are filed 
by a few large banks to report money laundering).
    \573\ See 31 CFR 1023.320(b)(3).
    \574\ See 31 CFR 1023.320(a)(1), (b)(3).
    \575\ See 31 CFR 1023.320(d).
---------------------------------------------------------------------------

    While the Commission has attempted to quantify economic effects 
where possible, some of the discussion of economic effects is 
qualitative in nature. The Commission seeks comment on all aspects of 
the economic analysis, especially any data or information that would 
enable the Commission to quantify the proposal's economic effects more 
accurately.

B. Broad Economic Considerations

    Market Entities generally have financial incentives to maintain 
some level of cybersecurity protection because failure to safeguard 
their operations from attacks on their information systems and protect 
information about their customers, counterparties, members, 
registrants, or users as well as their funds and assets could lead to 
losses of funds, assets, and customer information, as well as damage 
the Market Entity's reputation. As a result, Market Entities generally 
have an incentive to invest some amount of money to address 
cybersecurity risk.
    Market Entities' reputational motives generally should encourage 
them to invest in measures to protect their information systems from 
cybersecurity risk.\576\ Moreover, the damage caused by a significant 
cybersecurity incident, including the associated remediation costs, may 
exceed that of implementing cybersecurity policies and procedures that 
may have prevented the incident and its harmful impacts. As a result, 
significant losses arising from a potential significant cybersecurity 
incident can encourage Market Entities to invest in cybersecurity 
protections today. However, such investments in cybersecurity 
protections may not be sufficient. The Investment Company Institute 
notes that the remediation costs of $252 million associated with the 
2013 data breach experienced by Target Brands, Inc. (``Target'') far 
exceeded the cost of the cybersecurity insurance the company purchased 
($90 million), resulting in an out-of-pocket loss for Target of $162 
million.\577\ PCH Technologies states that in 2020, small companies (1-
49 employees) lost an average of $24,000 per cybersecurity incident. 
That loss increased to $50,000 per incident for medium-sized companies 
(50-249 employees). Large companies (250-999 employees) and enterprise-
level firms (1,000 employees or more) lost an average of $133,000 and 
$504,000 per cybersecurity incident, respectively.\578\
---------------------------------------------------------------------------

    \576\ See Marc Dupuis and Karen Renaud, Scoping the Ethical 
Principles of Cybersecurity Fear Appeals, 23 Ethics and Info. Tech. 
265 (2021), available at https://doi.org/10.1007/s10676-020-09560-0.
    \577\ See National Law Review, Target Data Breach Price Tag: 
$252 Million and Counting (Feb. 26, 2015), available at https://www.natlawreview.com/article/target-data-breach-price-tag-252-million-and-counting.
    \578\ Timothy Guim, Cost of Cyber Attacks vs. Cost of Cyber 
Security in 2021, PCH Technologies (July 7, 2021), available at 
https://pchtechnologies.com/cost-of-cyber-attacks-vs-cost-of-cyber-security-in-2021/#:~:text=1%20Large%20businesses%3A%20Between%20%242%20million%20and%20%245,%24500%2C000%20or%20less%20spent%20on%20cybersecurity%20per%20year.
---------------------------------------------------------------------------

    Having an annual penetration testing requirement can help Market 
Entities reduce the likelihood of costly data breaches. For instance, 
according to one industry source, RSI Security, a penetration test 
``can measure [the entity's] system's strengths and weaknesses in a 
controlled environment before [the entity has] to pay the cost of an 
extremely damaging data breach.'' \579\ For example, RSI Security 
explains that penetration testing ``can cost anywhere from $4,000-
$100,000,'' and ``[o]n average, a high quality, professional 
[penetration testing] can cost from $10,000-$30,000.'' \580\ RSI 
Security, however, was clear that the magnitudes of these costs can 
vary with size, complexity, scope, methodology, types, experience, and 
remediation measures.\581\ On the other hand, the same article cited 
IBM's 2019 Cost of a Data Breach Study, which reported that the average 
cost of a data breach is $3.92 million with an average loss of 25,575 
records,\582\ which would more than justify ``the average $10,000-
$30,000 bill from a professional, rigorous [penetration testing].'' 
\583\ Another source estimates a ``high-quality, professional 
[penetration testing to cost] between $15,000-$30,000,'' while 
emphasizing that ``cost varies quite a bit based on a set of 
variables.'' \584\ This is in line with a third source, which states 
that ``[a] true penetration test will likely cost a minimum of 
$25,000.'' \585\ It is the Commission's understanding that multi-cloud 
architecture could introduce more complexity and, accordingly, more 
cybersecurity risk into Market Entities' back-up systems, to the extent 
they have them.\586\
---------------------------------------------------------------------------

    \579\ RSI Security, What is the Average Cost of Penetration 
Testing?, RSI Security Blog (posted Mar. 5, 2020), available at 
https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.
    \580\ See RSI Security, What is the Average Cost of Penetration 
Testing?, RSI Security Blog (posted Mar. 5, 2020), available at 
https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.
    \581\ See id.
    \582\ See IBM, Cost of a Data Breach Report (2019), available at 
https://www.ibm.com/downloads/cas/RDEQK07R (``2019 Cost of Data 
Breach Report'').
    \583\ See RSI Security, What is the Average Cost of Penetration 
Testing?, RSI Security Blog (posted Mar. 5, 2020), available at 
https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.
    \584\ Gary Glover, How Much Does a Pentest Cost?, 
Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at 
https://www.securitymetrics.com/blog/how-much-does-pentest-cost.
    \585\ Mitnick Security, What Should You Budget for a Penetration 
Test? The True Cost, Mitnick Security Blog, (posted Jan. 29, 2021, 
5:13 a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.
    \586\ For example, security breach possibilities could increase 
because of the interconnection of Market Entities through their 
multi-cloud providers.
---------------------------------------------------------------------------

    Large Market Entities that have economies of scale are able to 
implement cybersecurity policies and procedures in a more cost-
effective manner. Smaller Market Entities, on the other hand, generally 
do not enjoy the same economies of scale or scope. The marginal cost 
for smaller Market Entities when implementing cybersecurity policies 
and procedures that are just as robust as those that would be needed by 
large Market Entities likely would be relatively high for smaller 
Market Entities. As a result, investment costs in cybersecurity 
protection at small broker-dealers, for example (most of which would 
be Non-Covered Broker-Dealers under proposed Rule 10), likely will 
account for a larger proportion of their revenue than at relatively 
large broker-dealers (which likely would be Covered Entities that 
realize economies of scale).
    Having policies and procedures in place to address cybersecurity 
risk would benefit the customers, counterparties, members, registrants, 
or users with whom Market Entities interact. However, a cybersecurity 
budget likely is tempered, in part, such that the total sum spent to 
address cybersecurity risk provides some, but possibly not complete, 
protection against cyberattacks.\587\ Ultimately,

[[Page 20282]]

those costs to address cybersecurity risks will be passed on, to the 
extent possible, to the persons with whom the Market Entities do 
business.\588\
---------------------------------------------------------------------------

    \587\ See Martijn Wessels, Puck van den Brink, Thijmen Verburgh, 
Beatrice Cadet, and Theo van Ruijven, Understanding Incentives for 
Cybersecurity Investments: Development and Application of a 
Typology, 1 Digit. Bus. 1-7 (Oct. 2021), available at https://doi.org/10.1016/j.digbus.2021.100014; Scott Dynes, Eric Goetz, and 
Michael Freeman, Cyber Security: Are Economic Incentives Adequate? 
(Intern. Conf. on Critical Infrastructure Protection, Conference 
Paper, 2007), available at https://doi.org/10.1007/978-0-387-75462-8_2; Brent R. Rowe and Michael P. Gallaher, Private Sector Cyber 
Security Investment Strategies: An Empirical Analysis, The Fifth 
Workshop on the Economics of Information Security (Mar. 2006), 
available at https://www.infosecon.net/workshop/downloads/2006/pdf/18.pdf (``Private Sector Cyber Security Investment Strategies 
Analysis''); Nicole van der Meulen, RAND Europe, Investing in 
Cybersecurity (Aug. 2015), available at https://repository.wodc.nl/bitstream/handle/20.500.12832/2173/2551-full-text_tcm28-73946.pdf?sequence=4&isAllowed=y.
    \588\ See Derek Mohammed, Cybersecurity Compliance in the 
Financial Sector, J. Internet Banking and Com. (2015), available at 
https://www.icommercecentral.com/open-access/cybersecurity-compliance-in-the-financial-sector.php?aid=50498.
---------------------------------------------------------------------------

    The level of cybersecurity protection instituted by Market Entities 
may be inadequate from the perspective of overall economic 
efficiency.\589\ In other words, the chosen level of cybersecurity 
protection may, in fact, represent an underinvestment relative to the 
optimal level of cybersecurity protection that should be maintained by 
Market Entities from an overall economic perspective. Levels of 
cybersecurity protection that are not optimal may exacerbate the 
occurrence of harmful cybersecurity incidents. Cybersecurity events 
have grown in both number and sophistication.\590\ These developments 
in the market have significantly increased the negative externalities 
that may flow from systems failures.
---------------------------------------------------------------------------

    \589\ Low levels of investment in cybersecurity protection, 
which are different from underinvestment in cybersecurity 
protection, can be a function of a number of issues, such as firm 
budget, available solutions, knowledge of the threat actors' 
capabilities, and the performance of in-house or contracted 
information technology teams.
    \590\ See, e.g., Chuck Brooks, Alarming Cyber Statistics For 
Mid-Year 2022 That You Need To Know (June 3, 2022), available at 
https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2429c57e7864.
---------------------------------------------------------------------------

    Underinvestment in cybersecurity may occur because a Market Entity 
is aware that it would not bear the full cost of a cybersecurity 
incident (i.e., some negative externalities may be borne by its 
customers, counterparties, members, registrants, or users). As a 
result, the Market Entity does not have to internalize the complete 
cost of cybersecurity protection when deciding upon its level of 
investment. This underinvestment by the Market Entity is considered to 
be a moral hazard problem, because other market participants are harmed 
by a significant cybersecurity incident and are forced to bear those 
costs that spill over to them. At the same time, even though Market 
Entities may not bear the full cost of a cybersecurity failure (e.g., 
loss of the personal information or the assets of their customers, 
members, registrants, or users), they likely would incur some costs 
themselves and therefore have incentives to avoid cybersecurity 
failures. These incentives could cause them to implement policies and 
procedures to address cybersecurity risk, which would likely result in 
benefits that accrue in large part to their customers, counterparties, 
members, registrants, or users. Market Entities could do this in order 
to avoid the harms that could be caused by a significant cybersecurity 
incident (e.g., loss of funds, assets, or personal, confidential, or 
proprietary information; damage to or the holding hostage of their 
information systems; or reputational damage). As a result, Market 
Entities have a potential incentive to rely overly on reactive 
solutions to cybersecurity threats and attacks instead of proactive 
ones.\591\
---------------------------------------------------------------------------

    \591\ See Private Sector Cyber Security Investment Strategies 
Analysis.
---------------------------------------------------------------------------

    In the context of cybersecurity, negative externalities arising 
from the moral hazard problem can have significant negative 
repercussions on the financial system more broadly, particularly due to 
the interconnectedness of Market Entities.\592\ Borg notes that the 
level of interconnectedness and complexity can have an influence on the 
degree of damage that cybersecurity incidents impose on Market Entities 
as well as their customers, counterparties, members, registrants, and 
users.\593\ As for the availability of substitutes, the negative effect 
of a cybersecurity incident could be lessened to the extent that there 
are one or more competing firms that can complete the task, such as 
another broker-dealer or national securities exchange. On the flip 
side, significant cybersecurity incidents may be the most damaging when 
there are no substitutes available to execute the required task.
---------------------------------------------------------------------------

    \592\ See Anil K. Kashyap and Anne Wetherilt, Some Principles 
for Regulating Cyber Risk, 109 Amer. Econ. Assoc. Papers and Proc. 
482 (May 2019).
    \593\ See Scott Borg, Economically Complex Cyberattacks, IEEE 
Computer Society (2005), available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1556539.
---------------------------------------------------------------------------

    In addition to other firms being negatively affected by a 
cybersecurity incident, investors can be negatively affected. For 
example, a significant cybersecurity incident at a national securities 
exchange could affect its ability to execute trades, causing orders to 
go unfilled. Depending on how long it takes the national securities 
exchange to resolve the issue, the prices of securities traded on the 
exchange may be different from when the orders were originally 
placed.\594\ A loss of confidence in an exchange due to a cybersecurity 
incident could result in a longer-term reallocation of trading volume 
to competing exchanges or other trading venues.\595\ A significant 
cybersecurity incident could produce negative effects that spill over 
and affect market participants outside of the national securities 
exchange itself. It also may adversely affect market confidence, and 
curtail economic activity through a reduction in securities trading 
among market participants.\596\
---------------------------------------------------------------------------

    \594\ National securities exchanges currently are subject to 
certain obligations under Regulation SCI.
    \595\ National securities exchanges may be required to meet 
certain regulatory obligations in such circumstances.
    \596\ See Electra Ferriello, Prof. Robert Shiller's U.S. Crash 
Confidence Index, Yale School of Management, Intern. Ctr. for Fin. 
(Nov. 3, 2020), available at https://som.yale.edu/blog/prof-robert-shillers-us-crash-confidence-index; Gregg E. Berman, Senior Advisor 
to the Director, Division of Trading and Markets, Commission, Speech 
by SEC Staff: Market Participants and the May 6 Flash Crash (Oct. 
2010), available at https://www.sec.gov/news/speech/2010/spch101310geb.htm.
---------------------------------------------------------------------------

    While the negative externalities that arise from the moral hazard 
problem are usually depicted as being absorbed by other market 
participants, the losses to other parties may be potentially covered in 
part or in full by insurance policies.\597\ An even stronger incentive 
to underinvest is the possibility that an outside party can make whole 
or at least mitigate some of the losses incurred by the various market 
participants. Market Entities may underinvest in their cybersecurity 
measures due to the moral hazard that results from expectations of 
government support.\598\ Most threat

[[Page 20283]]

actors primarily have a monetary incentive, and there is a large 
monetary incentive to breach cybersecurity protections in the financial 
sector. As a result, Covered Entities--such as clearing agencies, large 
national securities exchanges, and large carrying broker-dealers--may 
be attractive targets to sophisticated threat actors aiming to 
compromise or disrupt the U.S. financial system because of the services 
they perform to support the functioning of the U.S. securities markets; 
the protection of confidential, proprietary, or personal information 
they store; or the financial assets they hold. Protection against 
``advanced persistent threats'' \599\ from sophisticated threat actors, 
whatever their motives, is costly.\600\ The belief--no matter how 
misplaced--that a widespread and crippling cybersecurity attack would 
be met with government support, such as direct payments for recovery 
and immediate cybersecurity investments, could lead to moral hazard 
where certain Covered Entities underinvest in defenses aimed at 
countering that threat.\601\
---------------------------------------------------------------------------

    \597\ See Marsh, Underinvestment in Cyber Insurance Can Leave 
Organizations Vulnerable (2022), available at https://www.marsh.com/pr/en/services/cyber-risk/insights/underinvestment-in-cyber-insurance.html.
    \598\ It has long been noted that it is difficult for 
governments to commit credibly to not providing support to entities 
that are seen as critical to the functioning of the financial 
system, resulting in problems of moral hazard. See, e.g., Walter 
Bagehot, Lombard Street: A Description of the Money Market (Henry S. 
King & Co., 1873). Historically, banking entities seen as ``too big 
to fail'' or ``too interconnected to fail'' have been the principal 
recipients of such government support. Since the financial crisis of 
2007-2009, non-bank financial institutions (such as investment 
banks), money market funds, and insurance companies, as well as 
specific markets such as the repurchase market have also benefited. 
See, e.g., Gary B. Gorton, Slapped by the Invisible Hand: The Panic 
of 2007, Oxford Univ. Press (2010); see also Viral V. Acharya, Deniz 
Anginer, and A. Joseph Warburton, The End of Market Discipline? 
Investor Expectations of Implicit Government Guarantees, SSRN 
Scholarly Paper, Rochester, NY: Social Science Research Network (May 
1, 2016).
    \599\ ``Advanced persistent threat'' refers to sophisticated 
cyberattacks by hostile organizations with the goal of: gaining 
access to defense, financial, and other targeted information from 
governments, corporations and individuals; maintaining a foothold in 
these environments to enable future use and control; and modifying 
data to disrupt performance in their targets. See Michael K. Daly, 
The Advanced Persistent Threat (or Informationized Force 
Operations), Raytheon (Nov. 4, 2009), available at https://www.usenix.org/legacy/event/lisa09/tech/slides/daly.pdf.
    \600\ See Nikos Virvilis and Dimitris Gritzalis, The Big Four--
What We Did Wrong in Advanced Persistent Threat Detection?, 2013 
Int'l Conf. on Availability, Reliability and Security 248 (2013).
    \601\ See Lawrence A. Gordon, Martin P. Loeb, and William 
Lucyshyn, Cybersecurity Investments in the Private Sector: The Role 
of Governments, 15 Geo. J. Int'l Aff. 79 (2014).
---------------------------------------------------------------------------

    Suboptimal spending on cybersecurity also can be the result of 
asymmetric information among Market Entities and market participants. A 
Market Entity may not know what its optimal cybersecurity expenditures 
should be because the nature and scope of future attacks are unknown. 
In addition, a Market Entity may not know what its competitors do in 
terms of cybersecurity planning, whether they have been subject to 
unsuccessful cyberattacks, or have been a victim of one or more 
significant cybersecurity incidents. Market Entities also may not be 
able to signal credibly to their customers, counterparties, members, 
registrants, or users that they are better at addressing cybersecurity 
risks than their peers, thus reducing their incentive to bear such 
cybersecurity investment costs.\602\ Lastly, Market Entities' 
customers, counterparties, members, registrants, or users typically do 
not have information about the Market Entities' cybersecurity spending, 
the efficacy of the cybersecurity investments made, or their policies 
and procedures. Therefore, those market participants cannot make 
judgments about Market Entities' cybersecurity preparedness. Because of 
this information asymmetry, Market Entities may not have as strong an 
incentive to have robust cybersecurity measures compared to a 
scenario in which customers, counterparties, members, registrants, or 
users had perfect information about the Market Entities' cybersecurity 
practices and the risks that they face.
---------------------------------------------------------------------------

    \602\ See Sanford J. Grossman, The Informational Role of 
Warranties and Private Disclosure about Product Quality, 24 J. L. 
Econ. 461 (Dec. 1981); see also Michael Spence, Competitive and 
Optimal Responses to Signals: An Analysis of Efficiency and 
Distribution, 7 J. Econ. Theory 296 (Mar. 1, 1974); George A. 
Akerlof, The Market for ``Lemons'': Quality Uncertainty and the 
Market Mechanism, 84 Q. J. Econ. 488 (Aug. 1970).
---------------------------------------------------------------------------

    Underinvestment in cybersecurity also may stem from the principal-
agent problem of divergent goals in economic theory. The relationship 
between a Market Entity (i.e., the agent) and the principals (i.e., its 
customers, counterparties, members, registrants, or users) can be 
affected if the principal relies on the agent to perform services on 
the principal's behalf.\603\ Because principals and their agents may 
not have perfectly aligned preferences and goals, agents may take 
actions that increase their well-being at the expense of principals, 
thereby imposing ``agency costs'' on the principals.\604\ Although 
private contracts between principals and agents may aim to minimize 
such costs, they are limited in their ability to do so in that agents 
can decide not to enter into such agreements and ultimately not provide 
the particular services to the principals. Furthermore, agents can 
charge much higher fees that the principals choose not to bear. These 
limitations provide one rationale for regulatory intervention.\605\ 
Market-based incentives alone are unlikely to result in optimal 
provision of cybersecurity protection. In this context, having plans 
and procedures in place to prepare for and respond to cybersecurity 
incidents,\606\ as the rule would require, would help ensure that the 
infrastructure of the U.S. securities markets remains robust, 
resilient, and secure. A well-functioning financial system is a public 
good.
---------------------------------------------------------------------------

    \603\ See Michael C. Jensen and William H. Meckling, Theory of 
the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 
3 J. Fin. Econ. 305 (1976).
    \604\ Id.
    \605\ Such limitations can arise from un-observability or un-
verifiability of actions, transaction costs associated with 
including numerous contingencies in contracts, or bounded 
rationality in the design of contracts. See, e.g., Jean Tirole, 
Cognition and Incomplete Contracts, 99 Am. Econ. Rev. 265 (Mar. 
2009) (discussing a relatively modern treatment of these issues).
    \606\ For example, according to an IBM report, in the context of 
system issues arising from cybersecurity events, having an incident 
response plan and ``testing that plan regularly can help [each firm] 
proactively identify weaknesses in [its] cybersecurity and shore up 
[its] defenses'' and ``save millions in data breach costs.'' See 
2019 Cost of Data Breach Report; see also Alex Asen et al., Are You 
Spending Enough on Cybersecurity (Feb. 19, 2020), available at 
https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ``[a]s the world becomes ever more reliant on 
technology, and as cybercriminals refine and intensify their 
attacks, organizations will need to spend more on cybersecurity'').
---------------------------------------------------------------------------

    Beyond reputational damage to the affected agent (Market Entity), 
the principals (the Market Entity's customers, counterparties, members, 
registrants, or users) can be negatively affected by a cybersecurity 
breach as a result of loss in personal information and/or funds and 
assets. Thus the principals and the agents may have different reasons 
for needing cybersecurity protocols. Furthermore, the negative effects 
of a cybersecurity incident also can spread among Market Entities due 
to their interconnectedness.\607\ Those other Market Entities prefer 
that the principals employ strong cybersecurity practices that reduce 
the chances of a successful breach and its negative cascading effects 
throughout the financial sector. All of the preceding negative 
externalities are arguments for proposed Rule 10.
---------------------------------------------------------------------------

    \607\ See sections I.A.1. and I.A.2. of this release (discussing 
how the interconnectedness of Market Entities creates cybersecurity 
risk).
---------------------------------------------------------------------------

    In the production of cybersecurity defenses and controls, the main 
input is information. In particular, information about prior attacks 
and their degree of success, as well as prior human errors and their 
degree of harm, is valuable in mounting effective countermeasures and 
controls.\608\ However, Market Entities may be naturally reluctant to 
share such information, as doing so could assist future attackers as 
well as lead to loss of customers, reputational harm, litigation, or 
regulatory scrutiny, which would be costs associated with public 
disclosure.\609\ On the other hand, disclosure of such information 
creates a positive information externality--the benefits of which 
accrue to society at large and are not fully captured by the Market 
Entity making the disclosure.

[[Page 20284]]

This situation can occur because the disclosure informs the Market 
Entity's customers, counterparties, members, registrants, or users--as 
well as the Market Entity's competitors--about the cybersecurity 
incidents experienced by the Market Entity. As a result, information 
disclosures intended to close the information asymmetry gap can have 
both positive and negative consequences.
---------------------------------------------------------------------------

    \608\ See Peter W. Singer and Allan Friedman, Cybersecurity: 
What Everyone Needs to Know 222 (Oxford Univ. Press, 2014).
    \609\ See, e.g., FTC Equifax Civil Action.
---------------------------------------------------------------------------

    As discussed earlier, sources of market failure in cybersecurity 
come from information asymmetries at two different levels: (1) between 
Market Entities and their customers, counterparties, members, 
registrants, or users; and (2) between Market Entities and threat 
actors. These two failures, in turn, create distinct consequences for 
each of these stakeholders.
    At the first level, a Market Entity's customers, counterparties, 
members, registrants, or users have incomplete information about their 
own cybersecurity risks due to incomplete information about the Market 
Entity's actual cybersecurity policies and procedures. To exacerbate 
the first level of information asymmetry, Market Entities typically 
interact with other market participants. For example, investors do 
business with broker-dealers, introducing broker-dealers work with 
carrying broker-dealers, FINRA supervises broker-dealers, broker-
dealers interact with national securities exchanges, and national 
securities exchanges work with clearing agencies.
    When utilizing the services of a Market Entity, other market 
participants may not have full information regarding the Market 
Entity's exposure to material harm as a result of a cybersecurity 
incident. A cybersecurity incident that harms a Market Entity can harm 
its customers, counterparties, members, registrants, or users. 
Disclosure of information regarding significant cybersecurity incidents 
by Market Entities could be used by their customers, counterparties, 
members, registrants, or users to manage their own cybersecurity risk 
by investing in additional cybersecurity protection, and, to the extent 
they have a choice, selecting a different Market Entity with 
satisfactory cybersecurity protection with whom to transact or 
otherwise conduct business.\610\ That is, a Market Entity with strong 
cybersecurity policies and procedures and a clean record in terms of 
past significant cybersecurity incidents may be perceived by these 
market participants as more desirable to interact with, or obtain 
services from, than Market Entities of the same type that do not fit 
that profile. Even general details about the cybersecurity incidents, 
as well as the number of significant cybersecurity incidents during the 
current or previous calendar year, could allow customers, 
counterparties, members, registrants, and users to compare Market 
Entities.
---------------------------------------------------------------------------

    \610\ As discussed earlier, the public disclosure requirements 
of proposed Rule 10 would apply to Market Entities that meet the 
proposed rule's definition of ``covered entity.'' See paragraph (d) 
of proposed Rule 10; section II.B.3. of this release (discussing the 
public disclosure requirements of proposed Rule 10).
---------------------------------------------------------------------------

    As a result, information from the disclosure may permit customers, 
counterparties, members, registrants, and users to gauge the riskiness 
of doing business with a certain Market Entity when they would not have 
been able to without that knowledge, and the disclosures may encourage 
those market participants to move their business to competing Market 
Entities that would have to disclose information under proposed Rule 10 
and are perceived to be more prepared for cybersecurity attacks.\611\ 
The information disclosed by competitors also can incentivize Market 
Entities to increase their investment in cybersecurity protections and 
allow them to adjust their defenses when they would not have done so 
otherwise, thus increasing overall market stability by further limiting 
harmful cybersecurity incidents.
---------------------------------------------------------------------------

    \611\ The firms making the disclosure may be incentivized to 
invest more in cybersecurity protection, potentially to the point of 
overinvestment in order not to lose customers, counterparties, 
members, registrants, and users.
---------------------------------------------------------------------------

    At the second level, there are differences in the capabilities of 
threat actors that are external to Market Entities and the assumed 
level of cybersecurity preparations needed by Market Entities to 
protect against significant cybersecurity incidents. Specifically, 
Market Entities cannot fully anticipate the type, method, and 
complexity of all types of cyberattacks that may materialize. Moreover, 
cyberattacks evolve over time, becoming more complex and using new 
avenues to circumvent Market Entities' cybersecurity protections.\612\ 
Furthermore, Market Entities cannot predict the timing or the target of 
a given cyberattack. Though this information asymmetry is impossible to 
eradicate fully given the inherent secretive nature of threat actors, 
regulation may help to prevent an expansion of information asymmetry by 
requiring Market Entities to gather and assess information about 
cybersecurity risks and vulnerabilities more often. Doing so would not 
only help to contain the negative effects of successful cybersecurity 
attacks on any one Market Entity going forward, but it also would aid 
in minimizing the growth in negative externalities as the effects of 
successful cyberattacks spill over to other Market Entities as well as 
to their customers, counterparties, members, registrants, or users.
---------------------------------------------------------------------------

    \612\ See, e.g., Verizon DBIR.
---------------------------------------------------------------------------

    Cybersecurity defenses must constantly evolve in order to keep up 
with the threat actors who are exogenous to the Market Entity, and its 
ability to anticipate specific attacks on itself is difficult at best. 
Within the reasonable scenario of an interconnected market with 
multiple points of entry for a potential threat actor, it may be more 
costly for Market Entities that are the victims of cascading 
cybersecurity breaches than for the initial target itself, as the other 
Market Entities within the network ultimately would need to prepare for 
a multitude of attacks originating from many different initial 
targets.\613\ A strong cybersecurity program can also help Market 
Entities to protect themselves from cybersecurity attacks that could 
possibly come from one of multiple entry points. Having comprehensive 
cybersecurity policies and procedures will aid Market Entities in 
identifying the source of a breach, which can result in lower detection 
costs and the identification of the threat actor in a more expeditious 
manner.
---------------------------------------------------------------------------

    \613\ See Cybersecurity and its Cascading Effect on Societal 
Systems.
---------------------------------------------------------------------------

C. Baseline

    Each type of Market Entity that would be subject to proposed Rule 
10 has a distinct business model and role in the U.S. financial 
markets. As a result, the risks and practices, regulation, and market 
structure for each Market Entity will form the baseline for the 
economic analysis.
1. Cybersecurity Risks and Current Relevant Regulations
a. Cybersecurity Risks
    With the widespread adoption of internet-based products and 
services over the last two decades, all businesses have had to address 
cybersecurity issues.\614\ For financial services firms, the stakes are 
particularly high because they transact, hold custody of, and maintain 
ownership records of wealth in the form of cash, securities, or other 
liquid assets that cyber threat actors might strive to obtain 
illegally. Such entities also represent attack vectors for threat 
actors. In addition, Market Entities have linkages with each other as

[[Page 20285]]

a result of the business they conduct together. A breach at one Market 
Entity may be exploited and serve as a means of compromising other 
Market Entities. Cybersecurity threat intelligence surveys consistently 
find the financial sector to be one of the most--if not the most--
attacked industries,\615\ and remediation costs for an incident can be 
substantial.\616\ As a result, firms in the financial sector need to 
invest in cybersecurity to protect their business operations along with 
the accompanying assets and data stored on information systems.
---------------------------------------------------------------------------

    \614\ See section I.A.1. of this release (discussing 
cybersecurity risks to the U.S. securities markets).
    \615\ See, e.g., IBM, X-Force Threat Intelligence Index 2022 
(2022), available at https://www.ibm.com/security/data-breach/threat-intelligence.
    \616\ See, e.g., 2019 Cost of Data Breach Report (noting the 
average cost of a data breach in the financial industry in the 
United States is $5.97 million).
---------------------------------------------------------------------------

    Further, as discussed earlier, the custody and transfer of crypto 
assets depends almost exclusively on the operations of information 
systems.\617\ Crypto assets, therefore, are exposed to cybersecurity 
risks and they are attractive targets for threat actors. Information 
systems that involve crypto assets may be subject to heightened 
cybersecurity risks. To the extent that Market Entities engage in 
business activities involving crypto assets, they could be exposed to 
these heightened cybersecurity risks.
---------------------------------------------------------------------------

    \617\ See section II.G. of this release (discussing 
cybersecurity risks related to crypto assets).
---------------------------------------------------------------------------

    The ubiquity and rising costs of cybercrime,\618\ along with 
financial services firms' increasingly costly efforts to prevent 
it,\619\ have been the motivation behind the growth in the 
cybersecurity industry.\620\ Many Market Entities cite the NIST 
Framework as the main standard for implementing strong cybersecurity 
measures.\621\ The focus that has been placed on cybersecurity also has 
led to the development of numerous technologies and standards by 
private sector firms aimed at mitigating cybersecurity threats. Many of 
these developments, such as multi-factor authentication, secure 
hypertext transfer protocol,\622\ and user-access control, are now 
commonplace. Practitioners--chief technology officers (``CTOs''), chief 
compliance officers (``CCOs''), chief information officers (``CIOs''), 
chief information security officers (``CISOs''), and their staffs--
frequently utilize industry standard frameworks \623\ and similar 
offerings from cybersecurity consultants and product vendors to assess 
and address institutional cybersecurity preparedness. Such frameworks 
include information technology asset management, controls, change 
management, vulnerability management, incident management, continuity 
of operations, risk management, dependencies on third parties, 
training, and information sharing. In recent years, companies' boards 
of directors and executive management teams have focused on these 
areas.
---------------------------------------------------------------------------

    \618\ See FBI Internet Crime Report (noting that cybercrime 
victims lost approximately $6.9 billion in 2021).
    \619\ See Office of Financial Research, Annual Report to 
Congress 2021, available at https://www.financialresearch.gov/annual-reports/files/OFR-Annual-Report-2021.pdf.
    \620\ Sage Lazzaro, The Cybersecurity Industry Is Burning--But 
VCs Don't Care, VentureBeat (Sept. 2, 2021), available at https://venturebeat.com/2021/09/02/the-cybersecurity-industry-is-burning-and-vcs-dont-care/ (``VentureBeat'').
    \621\ FCI, Top 5 Ways the Financial Services Industry Can 
Leverage NIST for Cybersecurity Compliance, available at https://fcicyber.com/top-5-ways-the-financial-services-industry-can-leverage-nist-for-cybersecurity-compliance/.
    \622\ Hypertext transfer protocol, HTTP, is the primary set of 
rules that allow a web browser to communicate with (i.e., send data 
to and receive data from) a website. Secure hypertext transfer 
protocol, HTTPS, carries HTTP over an encrypted and authenticated 
transport (TLS), so that the data exchanged cannot be read or altered 
in transit and the browser can verify the identity of the website.
    \623\ CISA, Cyber Resilience Review (CRR): Method Description 
and Self-Assessment User Guide (Apr. 2020), available at https://www.cisa.gov/sites/default/files/publications/2_CRR%204.0_Self-Assessment_User_Guide_April_2020.pdf.
---------------------------------------------------------------------------

    Unaddressed cybersecurity risks, particularly at Market Entities, 
impose negative externalities on the broader financial system. Actions 
taken to implement, maintain, and upgrade cybersecurity protections 
likely reduce overall risk in the economy. In addition, due to the 
potential for large-scale losses with respect to funds, securities, and 
customer information, Market Entities have a vested interest in 
installing, maintaining, and upgrading cybersecurity-related software 
and hardware. Based on staff discussions with market participants, 
cybersecurity-related activities can be performed in-house or 
contracted out to third parties with expertise in those areas. 
Financial services firms may employ a mix of in-house and outsourced 
staff and resources to meet their cybersecurity needs and goals.
b. Current Relevant Regulations
i. Broker-Dealers
    Broker-dealers are subject to Regulation S-P \624\ and Regulation 
S-ID.\625\ In addition, ATSs that trade certain stocks exceeding 
specific volume thresholds are subject to Regulation SCI.\626\ Further, 
an ATS is subject to Regulation ATS.\627\ As discussed earlier, 
Regulation SCI, Regulation S-P, Regulation ATS, and Regulation S-ID 
have provisions requiring policies and procedures to address certain 
types of cybersecurity risks.\628\ Regulation SCI also requires 
immediate written or telephonic notice and subsequent reporting to the 
Commission on Form SCI of certain types of incidents.\629\ Finally, 
Regulation SCI has provisions requiring disclosures to persons affected 
by certain incidents.\630\
---------------------------------------------------------------------------

    \624\ See 17 CFR 248.1 through 248.30.
    \625\ See 17 CFR 248.201 and 202.
    \626\ See 17 CFR 242.1000 through 1007.
    \627\ See 17 CFR 242.301 through 304.
    \628\ See section II.F.1.c. of this release (discussing in more 
detail the existing requirements of Regulation SCI, Regulation S-P, 
Regulation ATS, and Regulation S-ID to have policies and procedures 
to address certain cybersecurity risks).
    \629\ See section II.F.1.d. of this release (discussing in more 
detail the existing immediate notification and subsequent reporting 
requirements of Regulation SCI).
    \630\ See section II.F.1.e. of this release (discussing in more 
detail the existing disclosure requirements of Regulation SCI).
---------------------------------------------------------------------------

    Broker-dealers are also subject to the Commission's financial 
responsibility rules. Rule 15c3-1 requires broker-dealers to maintain 
minimum amounts of net capital, ensuring that the broker-dealer at all 
times has enough liquid assets to promptly satisfy all creditor claims 
if the broker-dealer were to go out of business.\631\ Rule 15c3-3 under 
the Exchange Act imposes requirements relating to safeguarding customer 
funds and securities.\632\ These rules provide protections for broker-
dealer counterparties and customers and can help to mitigate the risks 
to, and impact on, customers and other market participants by 
protecting them from the consequences of financial failure that may 
occur because of a systems issue at a broker-dealer.
---------------------------------------------------------------------------

    \631\ See 17 CFR 240.15c3-1.
    \632\ See 17 CFR 240.15c3-3.
---------------------------------------------------------------------------

    Under Exchange Act Rule 15c3-4, OTC derivatives dealers must 
establish, document, and maintain a system of internal risk management 
controls to assist them in managing the risks associated with their 
business activities, including market, credit, leverage, liquidity, 
legal, and operational risks.\633\ The required risk management system 
must include, among other things: a risk control unit that reports 
directly to senior management, periodic reviews which may be performed 
by internal audit staff, and annual reviews which must be conducted by 
independent certified public accountants.\634\ Management must 
periodically review the entity's business activities for consistency 
with risk management guidelines, including that the data necessary to 
conduct the risk monitoring and risk management function as well as the 
valuation process

[[Page 20286]]

over the entity's portfolio of products is accessible on a timely basis 
and information systems are available to capture, monitor, analyze, and 
report relevant data.\635\
---------------------------------------------------------------------------

    \633\ See 17 CFR 240.15c3-4(a).
    \634\ See 17 CFR 240.15c3-4(c).
    \635\ Id.
---------------------------------------------------------------------------

    Exchange Act Rules 17a-3 and 17a-4 require broker-dealers to make 
and keep current records detailing, among other things, securities 
transactions, money balances, and securities positions.\636\ Further, a 
broker-dealer that fails to make and keep current the records required 
by Rule 17a-3 must give notice to the Commission of this fact on the 
same day and, thereafter, within 48 hours transmit a report to the 
Commission stating what the broker-dealer has done or is doing to 
correct the situation.\637\
---------------------------------------------------------------------------

    \636\ See 17 CFR 240.17a-3; 17 CFR 240.17a-4.
    \637\ See 17 CFR 240.17a-11.
---------------------------------------------------------------------------

    Moreover, with certain exceptions, broker-dealers must file 
confidential SARs with FinCEN to report any suspicious transaction 
relevant to a possible violation of law or regulation.\638\ The SARs 
include information regarding who is conducting the suspicious 
activity, what instruments or mechanisms are being used, when and where 
the suspicious activity took place, and why the filer thinks the 
activity is suspicious. Broker-dealers must make the records available 
to FinCEN as well as to other appropriate law enforcement agencies, 
federal or state securities regulators, and SROs registered with the 
Commission.
---------------------------------------------------------------------------

    \638\ See 31 CFR 1023.320; section IV.A. of this release 
(discussing the requirements to file SARs in more detail).
---------------------------------------------------------------------------

    Broker-dealers are generally required to register with the 
Commission and join a national securities association or national 
securities exchange.\639\ As SROs, national securities associations and 
national securities exchanges are required to enforce their members' 
compliance with the Exchange Act, the rules and regulations thereunder, 
and the SRO's own rules. The vast majority of brokers and dealers join 
FINRA. Broker-dealers that are members of FINRA are subject to FINRA 
Rules 3110, 3120, and 4530(b) (among other FINRA rules).\640\ FINRA 
Rule 3110 requires broker-dealer members to have in place a system to 
supervise their activities so that they are in compliance with 
applicable rules and 
regulations. FINRA Rule 3120 requires broker-dealer members to test and 
verify that the supervisory procedures are reasonably designed with 
respect to the activities of the member and its associated persons, as 
well as to achieve compliance with applicable securities laws and 
regulations and with applicable FINRA rules. In addition, broker-dealer 
members must create additional or amended supervisory procedures where 
a need is identified by such testing and verification. The designated 
individual(s) must submit to the broker-dealer member's senior 
management no less than annually a report detailing each member's 
system of supervisory controls, the summary of the test results and 
significant identified exceptions, and any additional or amended 
supervisory procedures created in response to the test results. FINRA 
Rule 4530(b) states that each broker-dealer member shall promptly 
report to FINRA, but not later than 30 calendar days after the member 
has concluded or reasonably should have concluded, that an associated 
person of the member or the member itself has violated any securities-, 
insurance-, commodities-, financial- or investment-related laws, rules, 
regulations, or standards of conduct of any domestic regulatory body, 
foreign regulatory body, or SRO. Furthermore, Commission staff has 
issued statements \641\ and FINRA has issued guidance \642\ in the area 
of cybersecurity.\643\ The statements and FINRA guidance with respect 
to these rules identify common elements of reasonably designed 
cybersecurity policies and procedures including risk assessment, user 
security and access, information protection, incident response,\644\ 
and training.\645\
---------------------------------------------------------------------------

    \639\ See 15 U.S.C. 78o(a)(1) and 15 U.S.C. 78o(b)(8).
    \640\ Broker-dealers that are members of national securities 
exchanges are also subject to the rules of the national securities 
exchanges regarding membership, registration, operation, and 
business conduct, among other exchange regulations.
    \641\ See, e.g., EXAMS, Risk Alert, Safeguarding Client Accounts; 
EXAMS, Risk Alert, Select COVID-19 Compliance Risks and 
Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 
2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf; EXAMS, Risk Alert, Ransomware; EXAMS, 
Report on OCIE Cybersecurity and Resiliency Observations (Jan. 27, 
2020), available at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf (``EXAMS 
Cybersecurity and Resiliency Observations''); EXAMS, Safeguarding 
Customer Records and Information in Network Storage--Use of Third 
Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; 
EXAMS, Investment Adviser and Broker-Dealer Compliance Issues 
Related to Regulation S-P--Privacy Notices and Safeguard Policies 
(Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; EXAMS, Observations 
from Cybersecurity Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf 
(``EXAMS Observations from Cybersecurity Examinations''); EXAMS, 
Cybersecurity: Ransomware Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf; 
EXAMS, OCIE's 2015 Cybersecurity Examination Initiative (Sept. 15, 
2015), available at https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf; EXAMS, Cybersecurity 
Examination Sweep Summary (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf (``Cybersecurity Examination Sweep Summary''); EXAMS, 
OCIE's 2014 Cybersecurity Initiative (Apr. 15, 2014), available at 
https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert-Appendix-4.15.14.pdf.
    \642\ See FINRA, Core Cybersecurity Threats and Effective 
Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/files/2022-05/Core_Cybersecurity_Threats_and_Effective_Controls-Small_Firms.pdf; 
FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021), 
available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf; FINRA, 2021 Report 
on FINRA's Examination and Risk Monitoring Program (Feb. 1, 2021), 
available at https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf (``FINRA 2021 
Report on Examination and Risk Monitoring Program''); FINRA, 2019 
Report on FINRA Examination Findings and Observations (Oct. 16, 
2019), available at https://www.finra.org/sites/default/files/2019-10/2019-exam-findings-and-observations.pdf; FINRA Common 
Cybersecurity Threats; FINRA, Report on Selected Cybersecurity 
Practices--2018 (Dec. 1, 2018), available at https://www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf (``FINRA Report on 
Selected Cybersecurity Practices''); FINRA, Report on FINRA 
Examination Findings (Dec. 6, 2017), available at https://www.finra.org/sites/default/files/2017-Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity Checklist (May 23, 
2016), available at https://www.finra.org/compliance-tools/small-firm-cybersecurity-checklist.
    \643\ Cybersecurity has also been a regular theme of FINRA's 
Regulatory and Examination Priorities Letter since 2008 often with 
reference to Regulation S-P. Similarly, while risks related to data 
compromises were highlighted in the Commission staff's exam 
priorities, an official focus on ``cyber'' began in 2014 after the 
SEC sponsored a Cybersecurity Roundtable and the Division of 
Examination conducted cybersecurity initiative I and II to assess 
industry practices and legal and compliance issues associated with 
broker-dealer and investment adviser cybersecurity preparedness. 
Cybersecurity initiatives I and II were each separate series of 
examinations of cybersecurity practices conducted by EXAMS, 
concluding in 2014 and 2017. The examinations covered broker-
dealers, investment advisers, and funds. EXAMS released a summary 
report for each initiative.
    \644\ See FINRA 2021 Report on Examination and Risk Monitoring 
Program (noting that FINRA recommended among effective practices 
with respect to incident response: (1) establishing and regularly 
testing--often using tabletop exercises--a written formal incident 
response plan that outlines procedures for responding to 
cybersecurity and information security incidents; and (2) developing 
frameworks to identify, classify, prioritize, track and close 
cybersecurity-related incidents).
    \645\ These categories vary somewhat in terms of nomenclature 
and the specific categories themselves across different Commission 
and FINRA publications.
---------------------------------------------------------------------------

    Consistent with these rules, nearly all broker-dealers that 
participated in two Commission exam sweeps in 2015 and 2017 reported 
\646\ maintaining some

[[Page 20287]]

cybersecurity policies and procedures; conducting some periodic risk 
assessments to identify threats and vulnerabilities;\647\ conducting 
firm-wide systems inventorying or cataloguing; ensuring regular system 
maintenance, including the installation of software patches to address 
security vulnerabilities; and performing some penetration testing.\648\ A 
separate staff statement observed that at least some firms implemented 
capabilities that are able to control, monitor, and inspect all 
incoming and outgoing network traffic to prevent unauthorized or 
harmful traffic and implemented capabilities that are able to detect 
threats on endpoints.\649\ In the two Commission exam sweeps, many 
firms indicated that policies and procedures were vetted and approved 
by senior management and that firms provided annual cybersecurity 
reports to the board while some also provided ad hoc reports in the 
event of major cybersecurity events.\650\ Broadly, many broker-dealers 
reported relying on industry standards with respect to cybersecurity 
\651\ typically by adhering to a specific industry standard or 
combination of industry standards or by using industry standards as 
guidance in designing policies and procedures.
---------------------------------------------------------------------------

    \646\ See Cybersecurity Examination Sweep Summary (noting that 
of 57 examined broker-dealers, the vast majority adopted written 
information security policies, conducted periodic audits to 
determine compliance with these information security policies and 
procedures, conducted risk assessments and reported considering such 
risk assessments in establishing their cybersecurity policies and 
procedures, and that with respect to vendors, the majority of the 
broker-dealers required cybersecurity risk assessments of vendors 
with access to their firms' networks and had at least some specific 
policies and procedures relating to vendors). See also EXAMS 
Observations from Cybersecurity Examinations (noting that nearly all 
firms surveyed had incident response plans).
    \647\ See FINRA Report on Selected Cybersecurity Practices. This 
report noted that FINRA has conducted a voluntary Risk Control 
Assessment (``RCA'') Survey with all active member firms for a 
number of years. According to the 2018 RCA, 94% of higher revenue 
firms and 70% of mid-level revenue firms use a risk assessment as 
part of their cybersecurity program.
    \648\ Id. According to FINRA's 2018 RCA, 100% of higher revenue 
firms include penetration testing as a component in their overall 
cybersecurity program.
    \649\ See EXAMS Cybersecurity and Resiliency Observations.
    \650\ See FINRA, Report on Cybersecurity Practices (Feb. 2015), 
available at https://www.finra.org/sites/default/files/2020-07/2015-report-on-cybersecurity-practices.pdf (``FINRA Report on 
Cybersecurity Practices'').
    \651\ Id. Among the firms that were part of the sweep, nearly 
90% used one or more of the NIST, International Organization for 
Standardization (``ISO'') or Information Systems Audit and Control 
Association (``ISACA'') frameworks or standards. More specifically, 
65% of the respondents reported that they use the ISO 27001/27002 
standard while 25% use the Control Objectives for Information and 
Related Technologies (``COBIT'') framework created by ISACA. Some 
firms use combinations of these standards for various parts of their 
cybersecurity programs. While the report focused on firm utilization 
of cybersecurity frameworks specifically, in many cases, the 
referenced frameworks were broader IT frameworks.
---------------------------------------------------------------------------

    With respect to broker-dealer reporting to their boards regarding 
cybersecurity policies and procedures and cybersecurity incidents, the 
board reporting frequency ranged from quarterly to ad hoc among the 
firms FINRA reviewed.\652\ Approximately two-thirds of the broker-
dealers (68%) examined in a 2015 survey had an individual explicitly 
assigned as the firm's CISO which might suggest extensive executive 
leadership engagement.
---------------------------------------------------------------------------

    \652\ See FINRA Report on Cybersecurity Practices. At a number 
of firms, the board received annual cybersecurity-related reporting 
while other firms report on a quarterly basis. A number of firms 
also provide ad hoc reporting to the board in the event of major 
cybersecurity events.
---------------------------------------------------------------------------

    There are no current Commission or FINRA requirements for broker-
dealers to disseminate notifications of breaches to members or clients 
although many firms do so \653\ pursuant to various state data breach 
laws.\654\ Broker-dealers are subject to state laws known as ``Blue Sky 
Laws,'' which generally are regulations established as safeguards for 
investors against securities fraud.\655\ All 50 states have enacted 
laws in recent years requiring firms to notify individuals of data 
breaches. These laws differ by state, with some states imposing 
heightened notification requirements relative to other states.\656\
---------------------------------------------------------------------------

    \653\ See Cybersecurity Examination Sweep Summary. Based on a 
small sample of firms, the vast majority of broker-dealers 
maintained plans for data breach incidents and most had plans for 
notifying customers of material events.
    \654\ See Digital Guardian, The Definitive Guide to U.S. State 
Data Breach Laws (Nov. 15, 2022), available at https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf.
    \655\ See, e.g., Office of Investor Education and Advocacy, 
Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/investing-basics/glossary/blue-sky-laws.
    \656\ For example, some states may require a firm to notify 
individuals when a data breach includes biometric information, while 
others do not. Compare Cal. Civil Code Sec.  1798.29 (stating that 
notice to California residents of a data breach is generally 
required when a resident's personal information was or is reasonably 
believed to have been acquired by an unauthorized person and that 
``personal information'' is defined to mean an individual's first or 
last name in combination with one of a list of specified elements, 
which includes certain unique biometric data), with Ala. Stat. 
Sec. Sec.  8-38-2, 8-38-4, 8-38-5 (stating that notice of a data 
breach to Alabama residents is generally required when sensitive 
personally identifying information has been acquired by an 
unauthorized person and is reasonably likely to cause substantial 
harm to the resident to whom the information relates and that 
``sensitive personally identifying information'' is defined as the 
resident's first or last name in combination with one of a list of 
specified elements, which does not include biometric information).
---------------------------------------------------------------------------

ii. SROs
    National securities exchanges, registered clearing agencies, FINRA, 
and the MSRB are all SROs and are all considered to be SCI Entities, 
which requires them to comply with Regulation SCI.\657\ As discussed 
earlier, Regulation SCI has provisions requiring policies and 
procedures to address certain types of cybersecurity risks.\658\ 
Regulation SCI also requires immediate written or telephonic notice and 
subsequent reporting to the Commission on Form SCI of certain types of 
incidents.\659\ Finally, Regulation SCI has provisions requiring 
disclosures to persons affected by certain incidents.\660\
---------------------------------------------------------------------------

    \657\ See 17 CFR 242.1000 through 1007.
    \658\ See section II.F.1.c. of this release (discussing in more 
detail the existing requirements of Regulation SCI to have policies 
and procedures to address certain cybersecurity risks).
    \659\ See section II.F.1.d. of this release (discussing in more 
detail the existing immediate notification and subsequent reporting 
requirements of Regulation SCI).
    \660\ See section II.F.1.e. of this release (discussing in more 
detail the existing disclosure requirements of Regulation SCI).
---------------------------------------------------------------------------

    In addition, as described above, Rule 613 of Regulation NMS 
requires the Participants to jointly develop and submit to the 
Commission a CAT NMS Plan.\661\ The Participants conduct the activities 
of the CAT through a jointly owned limited liability company, 
Consolidated Audit Trail, LLC. The CAT is intended to function as a 
modernized audit trail system that provides regulators with more timely 
access to a comprehensive set of trading data, thus enabling regulators 
to more efficiently and effectively reconstruct market events, monitor 
market behavior, and investigate misconduct. The CAT System accepts 
data that are submitted by the Participants and broker-dealers, as well 
as data from certain market data feeds like SIP and OPRA.\662\
---------------------------------------------------------------------------

    \661\ See 17 CFR 242.613; see also section II.F.1.c. of this 
release (discussing the CAT NMS Plan in general and describing the 
roles of the Participants and Plan Processor).
    \662\ CAT data is not public, although some information in the 
CAT may be available through public sources (e.g., market data feeds 
like the SIP or proprietary exchange feeds).
---------------------------------------------------------------------------

    FINRA CAT, LLC--a wholly-owned subsidiary of FINRA--has entered 
into an agreement with the Company to act as the Plan Processor and, as 
such, is responsible for building, operating and maintaining the CAT. 
However, because the CAT System is owned and operated by FINRA CAT, LLC 
on behalf of the national securities exchanges and FINRA, the 
Participants remain ultimately responsible for the performance of the 
CAT and its compliance with statutes, rules, and regulations.

[[Page 20288]]

    Under the Commission approved CAT NMS Plan, the Plan Processor must 
develop various policies and procedures related to data security, 
including a comprehensive information security program that includes, 
among other things, requirements related to: (1) connectivity and data 
transfer, (2) data encryption, (3) data storage, (4) data access, (5) 
breach management, including requirements related to the development of 
a cyber incident response plan and documentation of all information 
relevant to breaches, and (6) personally identifiable information data 
management.\663\ As part of this requirement, the Plan Processor is 
required to create and enforce policies, procedures, and control 
structures to monitor and address CAT data security, including reviews 
of industry standards \664\ and periodic penetration testing.\665\ 
Under the CAT NMS Plan the comprehensive information security program 
must be updated by the Plan Processor at least annually.\666\ 
Furthermore, both the Participants and the Plan Processor must also 
implement various data confidentiality measures that include safeguards 
to secure access and use of the CAT.\667\ The Plan Processor must also 
review Participant information security policies and procedures related 
to the CAT to ensure that such policies and procedures are comparable 
to those of the CAT System.\668\ In addition to these policies and 
procedures requirements,\669\ the CAT NMS Plan requires several forms 
of periodic review of CAT, including an annual written assessment,\670\ 
regular reports,\671\ and an annual audit.\672\
---------------------------------------------------------------------------

    \663\ See CAT NMS Plan, appendix D, sections 4 and 6.12.
    \664\ The Company is subject to certain industry standards with 
respect to its comprehensive information security program, including 
but not limited to: NIST 800-23 (Guidelines to Federal Organizations 
on Security Assurance and Acquisition/Use of Test/Evaluated 
Products), NIST 800-53 (Security and Privacy Controls for Federal 
Information Systems and Organizations), NIST 800-115 (Technical 
Guide to Information Security Testing and Assessment), and, to the 
extent not otherwise specified, all other provisions of the NIST 
cyber security framework. See CAT NMS Plan, Appendix D, section 4.2.
    \665\ Id. at section 6.2(b)(v); Appendix D, sections 4 and 6.12.
    \666\ See CAT NMS Plan at Appendix D, section 4.1.
    \667\ Specifically, the measures implemented by the Plan 
Processor must include, among other things: (1) restrictions on the 
acceptable uses of CAT Data; (2) role-based access controls; (3) 
authentication of individual users; (4) MFA and password controls; 
(5) implementation of information barriers to prevent unauthorized 
staff from accessing CAT Data; (6) separate storage of sensitive 
personal information and controls on transmission of data; (7) 
security-driven monitoring and logging; (8) escalation of non-
compliance events or security monitoring; and (9) remote access 
controls. Id. at Appendix D, sections 4.1, 5.3, 8.1.1, and 8.2.2; 
section 6.2(a)(v)(J)-(L); section 6.2(b)(vii); section 6.5(c)(i); 
section 6.5(f).
    \668\ CAT NMS Plan at section 6.2(b)(vii).
    \669\ In August 2020, the Commission proposed certain amendments 
to the CAT NMS Plan that are designed to enhance the security of the 
CAT. See https://www.sec.gov/rules/proposed/2020/34-89632.pdf.
    \670\ The Participants are required to provide the Commission 
with an annual written assessment of the Plan Processor's 
performance, which must include, among other things, an evaluation 
of potential technology upgrades and an evaluation of the CAT 
information security program. Id. at section 6.6(b); section 
6.2(a)(v)(G).
    \671\ The Plan Processor is required to provide the operating 
committee with regular reports on various topics, including data 
security issues and the Plan Processor. Id. at section 6.1(o); 
section 6.2(b)(vi); section 6.2(a)(v)(E); and section 4.12(b)(i).
    \672\ The Plan Processor is required to create and implement an 
annual audit plan that includes a review of all Plan Processor 
policies, procedures, control structures, and tools that monitor and 
address data security, in addition to other types of auditing 
practices. Id. at section 6.2(a)(v)(B)-(C); Appendix D, section 
4.1.3; Appendix D, section 5.3.
---------------------------------------------------------------------------

iii. SBS Entities
    Section 15F(j)(2) of the Exchange Act, among other things, requires 
each SBS Entity to establish robust and professional risk management 
systems adequate for managing its day-to-day business.\673\ 
Additionally, certain SBS Entities must comply with specified 
provisions of Rule 15c3-4 and, therefore, establish, document, and 
maintain a system of internal risk management controls to assist in 
managing the risks associated with their business activities.\674\ 
Further, SBS Entities could be subject to Regulation S-ID if they are 
``financial institutions'' or ``creditors.'' \675\
---------------------------------------------------------------------------

    \673\ 15 U.S.C. 78o-10(j). The Commission also requires that 
specified SBS Entity trading relationship documentation include the 
process for determining the value of each security-based swap for 
purposes of complying with, among other things, the risk management 
requirements of section 15F(j) of the Exchange Act and paragraph 
(h)(2)(iii)(I) of Rule 15Fh-3, and any subsequent regulations 
promulgated pursuant to section 15F(j). See 17 CFR 140.15Fi-5(b)(4). 
The documentation must include either: (1) alternative methods for 
determining the value of the security-based swap in the event of the 
unavailability or other failure of any input required to value the 
security-based swap for such purposes; or (2) a valuation dispute 
resolution process by which the value of the security-based swap 
shall be determined for the purposes of complying with the rule. See 
17 CFR 140.15Fi-5(b)(4)(ii). Further, SBS Entities must engage in 
portfolio reconciliation to resolve discrepancies, among other 
things. See 17 CFR 240.15Fi-3(a) and (b). Such discrepancies include 
those resulting from a cybersecurity incident.
    \674\ See 17 CFR 240.15c3-1(a)(7)(iii) (applies to broker-
dealers authorized to use models, including broker-dealers dually 
registered as an SBSD); 17 CFR 240.15c3-1(a)(10)(ii) (applies to 
broker-dealers not authorized to use models that are dually 
registered as an SBSD); 17 CFR 240.18a-1(f) (applies to SBSDs that 
are not registered as a broker-dealer, other than an OTC derivatives 
dealer, and that do not have a prudential regulator); 17 CFR 
240.18a-2(c) (applies to MSBSPs); see also 17 CFR 240.15c3-4; see 
section IV.C.1.b.i. of this section (discussing requirements of Rule 
15c3-4).
    \675\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID 
includes any financial institution or creditor, as defined in the 
Fair Credit Reporting Act (15 U.S.C. 1681), that is required to be 
``registered under the Securities Exchange Act of 1934.'' See 17 CFR 
248.201(a). Because SBS Entities are required to be so registered, 
an SBS Entity that is a ``financial institution'' or ``creditor'' as 
defined in the Fair Credit Reporting Act is within the scope of 
Regulation S-ID.
---------------------------------------------------------------------------

    SBS Entities are subject to additional Commission rules to have 
risk management policies and procedures, to review policies and 
procedures, to report information about compliance to the Commission, 
and to disclose certain risks to their counterparties. For example, 
paragraph (h) of Rule 15Fh-3 requires, among other things, that an SBSD 
or MSBSP establish, maintain, and enforce written policies and 
procedures regarding the supervision of the types of security-based 
swap business in which it is engaged and the activities of its 
associated persons that are reasonably designed to prevent violations 
of applicable federal securities laws and the rules and regulations 
thereunder.\676\ The policies and procedures must include, among other 
things: (1) procedures for a periodic review, at least annually, of the 
security-based swap business in which the SBS Entity engages and (2) 
procedures reasonably designed to comply with duties set forth in 
section 15F(j) of the Exchange Act, such as risk management duties set 
forth in section 15F(j)(2).\677\
---------------------------------------------------------------------------

    \676\ See 17 CFR 240.15Fh-3(h). An SBS Entity must amend its 
written supervisory procedures, as appropriate, when material 
changes occur in its business or supervisory system. Material 
amendments to the SBS Entity's supervisory procedures must be 
communicated to all associated persons to whom such amendments are 
relevant based on their activities and responsibilities. See 17 CFR 
240.15Fh-3(h)(4).
    \677\ See 17 CFR 240.15Fh-3(h)(2)(iii).
---------------------------------------------------------------------------

    Paragraph (b) of Rule 15Fk-1 requires each SBS Entity's CCO to, 
among other things, report directly to the board of directors or to the 
senior officer of the SBS Entity and to take reasonable steps to ensure 
that the SBS Entity establishes, maintains, and reviews written 
policies and procedures reasonably designed to achieve compliance with 
the Exchange Act and the rules and regulations thereunder relating to 
its business as an SBS Entity by: (1) reviewing its compliance with 
respect to the requirements described in section 15F of the Act and the 
rules and regulations thereunder, where the review involves preparing 
an annual assessment of its written policies and procedures 
reasonably designed to achieve compliance with section 15F of

[[Page 20289]]

the Act and the rules and regulations thereunder; (2) taking reasonable 
steps to ensure that the SBS Entity establishes, maintains, and reviews 
policies and procedures reasonably designed to remediate non-compliance 
issues identified by the chief compliance officer through any means; 
and (3) taking reasonable steps to ensure that the SBS Entity 
establishes and follows procedures reasonably designed for the 
handling, management response, remediation, retesting, and resolution 
of non-compliance issues.\678\
---------------------------------------------------------------------------

    \678\ See 17 CFR 240.15Fk-1(b)(2). The CCO also must administer 
each policy and procedure that is required to be established 
pursuant to section 15F of the Exchange Act and the rules and 
regulations thereunder. See 17 CFR 240.15Fk-1(b)(4).
---------------------------------------------------------------------------

    Paragraph (c) of Rule 15Fk-1 requires an SBS Entity to submit an 
annual compliance report containing, among other things, a description 
of: (1) its assessment of the effectiveness of its policies and 
procedures relating to its business as an SBS Entity; (2) any material 
changes to the SBS Entity's policies and procedures since the date of 
the preceding compliance report; (3) any areas for improvement, and 
recommended potential or prospective changes or improvements to its 
compliance program and resources devoted to compliance; (4) any 
material non-compliance matters identified; and (5) the financial, 
managerial, operational, and staffing resources set aside for 
compliance with the Exchange Act and the rules and regulations 
thereunder relating to its business as an SBSD or MSBSP, including any 
material deficiencies in such resources.\679\ The compliance report 
must be submitted to the Commission within 30 days following the 
deadline for filing the SBS Entity's annual financial report.\680\
---------------------------------------------------------------------------

    \679\ See 17 CFR 240.15Fk-1(c)(2).
    \680\ Id.
---------------------------------------------------------------------------

    SBS Entities' operations also are governed, in part, by paragraph 
(b) of Rule 15Fh-3 in that they must, at a reasonably sufficient time 
prior to entering into a security-based swap, disclose to a 
counterparty (other than an SBSD, MSBSP, swap dealer, or major swap 
participant) material information concerning the security-based swap in 
a manner reasonably designed to allow the counterparty to assess 
material risks and characteristics as well as material incentives or 
conflicts of interest.\681\ Relevant risks may include market, credit, 
liquidity, foreign currency, legal, operational, and any other 
applicable risks.\682\ Further, SBSDs must establish, maintain, and 
enforce written policies and procedures reasonably designed to obtain 
and retain a record of the essential facts concerning each counterparty 
whose identity is known to the SBSD that are necessary for conducting 
business with such counterparty.\683\ Among other things, the essential 
facts regarding the counterparty are facts required to implement the 
SBSD's operational risk management policies in connection with 
transactions entered into with such counterparty.\684\
---------------------------------------------------------------------------

    \681\ See 17 CFR 240.15Fh-3(b).
    \682\ See 17 CFR 240.15Fh-3(b)(1).
    \683\ See 17 CFR 240.15Fh-3(e).
    \684\ See 17 CFR 240.15Fh-3(e)(2).
---------------------------------------------------------------------------

iv. SBSDRs
    Section 13(n) of the Exchange Act specifies the requirements and 
core principles with which SBSDRs are required to comply. The 
Commission adopted rules that cover the receipt and maintenance of 
security-based swap data, how entities can access such information, and 
the maintenance of the continued privacy of confidential information. 
Security-based swap data repositories must have written policies and 
procedures reasonably designed to review any prohibition or limitation 
of any person with respect to access to services offered, directly or 
indirectly, or data maintained by the SBSDR.\685\
---------------------------------------------------------------------------

    \685\ 17 CFR 240.13n-4(c)(1)(iv).
---------------------------------------------------------------------------

    The SBSDRs must enforce written policies and procedures reasonably 
designed to protect the privacy of security-based swap transaction 
information.\686\ As a result, they must establish and maintain 
safeguards, policies, and procedures reasonably designed to prevent the 
misappropriation or misuse, directly or indirectly, of confidential 
information, including, but not limited to, trade data; position data; 
and any nonpublic personal information about a market participant or 
any of its customers, material, nonpublic information, and/or 
intellectual property, such as trading strategies or portfolio 
positions, by the SBSDR or any person associated with the SBSDR for 
personal benefit or for the benefit of others. Such safeguards, 
policies, and procedures must address, without limitation: (1) limiting 
access to such confidential information, material, nonpublic 
information, and intellectual property; (2) standards pertaining to 
trading by persons associated with the SBSDR for their personal benefit 
or for the benefit of others; and (3) adequate oversight to ensure 
compliance with these safeguards. These rules cover potential 
unauthorized access from within or outside of the SBSDR, which could 
include a cybersecurity breach.\687\
---------------------------------------------------------------------------

    \686\ 17 CFR 240.13n-9(b)(1).
    \687\ 17 CFR 240.13n-9(b)(2).
---------------------------------------------------------------------------

    Additionally, an SBSDR must furnish to a market participant, prior 
to accepting its security-based swap data, a disclosure document that 
contains information from which the market participant can identify and 
evaluate accurately the risks and costs associated with using the 
services of the SBSDR.\688\ Key points include, among other things, the 
criteria for providing others with access to services offered and data 
maintained by the SBSDR; criteria for those seeking to connect to or 
link with the SBSDR; policies and procedures regarding the SBSDR's 
safeguarding of data and operational reliability, as described in Rule 
13n-6; policies and procedures reasonably designed to protect the 
privacy of any and all security-based swap transaction information that 
the SBSDR receives from an SBSD, counterparty, or any registered entity, 
as described in Rule 13n-9(b)(1); policies and procedures regarding its 
non-commercial and/or commercial use of the security-based swap 
transaction information that it receives from a market participant, any 
registered entity, or any other person; dispute resolution procedures 
involving market participants, as described in Rule 13n-5(b)(6); and 
governance arrangements of the security-based swap data 
repository.\689\
---------------------------------------------------------------------------

    \688\ See 17 CFR 240.13n-10.
    \689\ See 17 CFR 240.13n-10(b).
---------------------------------------------------------------------------

v. Transfer Agents
    Transfer agents registered with the Commission (but not transfer 
agents registered with another appropriate regulatory agency) are 
subject to the Regulation S-P Disposal Rule.\690\ Transfer agents also 
may be subject to Regulation S-ID if they are ``financial 
institutions'' or ``creditors.'' \691\ As discussed earlier, the 
Regulation S-P Disposal Rule and Regulation S-ID have provisions 
requiring policies and procedures to address certain types of 
cybersecurity risks.\692\
---------------------------------------------------------------------------

    \690\ See 17 CFR 248.30(b)(2).
    \691\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID 
includes any financial institution or creditor, as defined in the 
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be 
``registered under the Securities Exchange Act of 1934.'' See 17 CFR 
248.201(a).
    \692\ See section II.F.1.c. of this release (discussing in more 
detail the existing requirements of the Regulation S-P Disposal Rule 
and Regulation S-ID to have policies and procedures to address 
certain cybersecurity risks).
---------------------------------------------------------------------------

    Rule 17Ad-12 requires transfer agents to ensure that all securities 
are held in safekeeping and are handled, in light of all facts and 
circumstances, in a manner that is reasonably free from risk of theft, 
loss, or destruction. In addition, the transfer agent must ensure that 
funds

[[Page 20290]]

are protected, in light of all facts and circumstances, against misuse. 
In evaluating which particular safeguards and procedures must be 
employed, the cost of the various safeguards and procedures as well as 
the nature and degree of potential financial exposure are two relevant 
factors.\693\
---------------------------------------------------------------------------

    \693\ 17 CFR 240.17Ad-12(a).
---------------------------------------------------------------------------

    Transfer agents are subject indirectly to state corporation law 
when acting as agents of corporate issuers, and they are directly 
subject to state commercial law, principal-agent law, and other laws, 
many of which are focused on corporate governance and the rights and 
obligations of issuers and securityholders.\694\ The transfer of 
investment securities is primarily governed by UCC Article 8, which has 
been adopted by the legislatures of all 50 states,\695\ the District of 
Columbia, Puerto Rico, and the Virgin Islands. Transfer agents may also 
be subject to the laws of the states of incorporation for both issuers 
and their securityholders that apply to specific services provided by 
the transfer agent, such as data privacy.\696\
---------------------------------------------------------------------------

    \694\ See, e.g., Del. Code Ann. tit. 8 (Delaware General 
Corporation Law), Del. Code Ann. tit. 6, art. 8 (Investment 
Securities), Restatement (Third) of Agency (2006).
    \695\ Louisiana has enacted the provisions of Article 8 into the 
body of its law, among others, but has not adopted the UCC as a 
whole.
    \696\ For example, California's privacy statute, which became 
effective in 2003, was the first significant effort by a state to 
assert substantive regulation of privacy of customer data. See Cal. 
Civ. Code §§ 1798.80-1798.84. While state 
regulations vary across jurisdictions, other states have followed 
suit with similar regulatory initiatives. See, e.g., Minn. Stat. 
§ 325E.61, Neb. Rev. Stat. §§ 87-801-807.
---------------------------------------------------------------------------

c. Market Entities Subject to CFTC Regulations
    Certain types of Market Entities are dually registered with the 
Commission and the CFTC. For example, some clearing agencies are 
registered with the CFTC as derivative clearing organizations 
(``DCOs'') and some SBSDRs are registered with the CFTC as swap data 
repositories (``SDRs''). In addition, some broker-dealers are 
registered with the CFTC as futures commission merchants (``FCMs'') or 
swap dealers. Most currently registered SBSDs are also registered with 
the CFTC as swap dealers. As CFTC registrants, these Market Entities 
are subject to requirements that pertain to cybersecurity or are 
otherwise relevant to the proposals in this release.
i. Requirements for DCOs
    DCOs are subject to a CFTC systems safeguards rule.\697\ This rule 
requires them--among other things--to establish and maintain: (1) a 
program of risk analysis and oversight with respect to their operations 
and automated systems to identify and minimize sources of operational 
risk; and (2) a business continuity and disaster recovery plan, 
emergency procedures, and physical, technological, and personnel 
resources sufficient to enable the timely recovery and resumption of 
operations and the fulfillment of each obligation and responsibility of 
the DCO, including, but not limited to, the daily processing, clearing, 
and settlement of transactions, following any disruption of its 
operations.\698\ The safeguards rule also requires vulnerability and 
penetration testing (among other things).\699\ Further, it requires 
notice to the CFTC staff if the DCO experiences certain exceptional 
events.\700\
---------------------------------------------------------------------------

    \697\ See 17 CFR 39.18.
    \698\ See 17 CFR 39.18(b) and (c). The program of risk analysis 
and oversight must include--among other elements--information 
security, including, but not limited to, controls relating to: 
access to systems and data (including least privilege, separation 
of duties, account monitoring and control); user and device 
identification and authentication; security awareness training; 
audit log maintenance, monitoring, and analysis; media protection; 
personnel security and screening; automated system and 
communications protection (including network port control, boundary 
defenses, encryption); system and information integrity (including 
malware defenses, software integrity monitoring); vulnerability 
management; penetration testing; security incident response and 
management; and any other elements of information security included 
in generally accepted best practices. See 17 CFR 39.18(b)(2)(i).
    \699\ See 17 CFR 39.18(e).
    \700\ See 17 CFR 39.18(g).
---------------------------------------------------------------------------

ii. Requirements for SDRs
    SDRs are subject to a CFTC systems safeguards rule.\701\ This rule 
requires them--among other things--to: (1) establish and maintain a 
program of risk analysis and oversight to identify and minimize sources 
of operational risk through the development of appropriate controls and 
procedures and the development of automated systems that are reliable, 
secure, and have adequate scalable capacity; (2) establish and maintain 
emergency procedures, backup facilities, and a business continuity-
disaster recovery plan that allow for the timely recovery and 
resumption of operations and the fulfillment of their duties and 
obligations as an SDR; and (3) periodically conduct tests to verify 
that backup resources are sufficient to ensure continued fulfillment of 
all their duties under the Commodity Exchange Act and the CFTC's 
regulations.\702\ The program of risk analysis and oversight required 
by the SDR safeguards rule--among other things--must address: (1) 
information security; and (2) business continuity-disaster recovery 
planning and resources.\703\ The safeguards rule also requires the SDR 
to notify the CFTC promptly of--among other events--all cyber security 
incidents or targeted threats that actually or potentially jeopardize 
automated systems operation, reliability, security, or capacity.\704\
---------------------------------------------------------------------------

    \701\ See 17 CFR 49.24.
    \702\ See 17 CFR 49.24(a).
    \703\ See 17 CFR 49.24(b)(2) and (3). For the purposes of the 
SDR safeguards rule, information security includes, but is not 
limited to, controls relating to: access to systems and data 
(including least privilege, separation of duties, account monitoring 
and control); user and device identification and authentication; 
security awareness training; audit log maintenance, monitoring, and 
analysis; media protection; personnel security and screening; 
automated system and communications protection (including network 
port control, boundary defenses, encryption); system and information 
integrity (including malware defenses, software integrity 
monitoring); vulnerability management; penetration testing; security 
incident response and management; and any other elements of 
information security included in generally accepted best practices. 
See 17 CFR 49.24(b)(2).
    \704\ See 17 CFR 49.24(g)(2).
---------------------------------------------------------------------------

iii. Requirements for FCMs and Swap Dealers
    The CFTC does not have a cybersecurity regime for FCMs and swap 
dealers comparable to that being proposed in this release.\705\ 
However, FCMs and swap dealers are currently subject to information 
security requirements by virtue of their membership with the National 
Futures Association (NFA).\706\ Specifically, NFA

[[Page 20291]]

examines swap dealers and FCMs for compliance with NFA Interpretive 
Notice 9070, which establishes general requirements for NFA members 
relating to their information systems security programs (ISSPs).\707\ 
The notice requires members to adopt and enforce a written ISSP 
reasonably designed to provide safeguards to protect against security 
threats or hazards to their technology systems. The safeguards must be 
appropriate to the member's size, complexity of operations, type of 
customers and counterparties, the sensitivity of the data accessible 
within its systems, and its electronic interconnectivity with other 
entities. The notice further provides guidance on how to meet this 
requirement, including that members should document and describe the 
safeguards in the ISSP, identify significant internal and external 
threats and vulnerabilities, create an incident response plan, and 
monitor and regularly review their ISSPs for effectiveness, among other 
things. Members should also have procedures to promptly notify NFA, in 
the form and manner required, of a cybersecurity incident that is 
related to the member's commodity interest business and that results 
in: (1) any loss of customer or counterparty funds; (2) any loss of a 
member's own capital; or (3) the member providing notice to customers 
or counterparties under state or federal law.
---------------------------------------------------------------------------

    \705\ Current CFTC requirements relating to information security 
for FCMs and swap dealers are more general in nature or limited in 
application. See, e.g., 17 CFR 23.600(c)(4)(vi) (providing that swap 
dealer's risk management program policies and procedures shall take 
into account, among other things, secure and reliable operating and 
information systems with adequate, scalable capacity, and 
independence from the business trading unit; safeguards to detect, 
identify, and promptly correct deficiencies in operating and 
information systems; and reconciliation of all data and information 
in operating and information systems); 162.21, 160.30 (requiring 
FCMs and swap dealers to adopt written policies and procedures 
addressing administrative, technical, and physical safeguards with 
respect to the information of consumers). The current CFTC Chairman 
has, however, announced support for developing cybersecurity 
requirements for FCMs and swap dealers. See CFTC, Address of 
Chairman Rostin Behnam at the ABA Business Law Section Derivatives & 
Futures Law Committee Winter Meeting (Feb. 3, 2023), available at 
https://www.cftc.gov/PressRoom/SpeechesTestimony/opabehnam31.
    \706\ See NFA, Interpretive Notice 9070--NFA Compliance Rules 2-
9, 2-36 and 2-49: Information Systems Security Programs (Sept. 30, 
2019), available at https://www.nfa.futures.org/rulebooksql/rules.aspx?RuleID=9070&Section=9. NFA has also issued guidance 
relating to the oversight of third-party service providers. See NFA, 
Interpretive Notice 9079--NFA Compliance Rules 2-9 and 2-36: 
Members' Use of Third-Party Service Providers (Sept. 30, 2021), 
available at https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079.
    \707\ Id.
---------------------------------------------------------------------------

    The CFTC does require swap dealers to establish and maintain a 
business continuity and disaster recovery plan that outlines the 
procedures to be followed in the event of an emergency or other 
disruption of their normal business activities.\708\ The business 
continuity and disaster recovery plan must be designed to enable the 
swap dealer to continue or to resume any operations by the next 
business day with minimal disturbance to its counterparties and the 
market, and to recover all documentation and data required to be 
maintained by applicable law and regulation.\709\ The business 
continuity and disaster recovery plan must--among other requirements--
be tested annually by qualified, independent internal personnel or a 
qualified third party service.\710\ The date the testing was performed 
must be documented, together with the nature and scope of the testing, 
any deficiencies found, any corrective action taken, and the date that 
corrective action was taken.\711\
---------------------------------------------------------------------------

    \708\ See 17 CFR 23.603. The business continuity and disaster 
recovery plan must include: (1) the identification of the documents, 
data, facilities, infrastructure, personnel and competencies 
essential to the continued operations of the swap dealer and to 
fulfill its obligations; (2) the identification of the supervisory 
personnel responsible for implementing each aspect of the business 
continuity and disaster recovery plan and the emergency contacts 
required to be provided; (3) a plan to communicate with specific 
persons in the event of an emergency or other disruption, to the 
extent applicable to the operations of the swap dealer; (4) 
procedures for, and the maintenance of, back-up facilities, systems, 
infrastructure, alternative staffing and other resources to achieve 
the timely recovery of data and documentation and to resume 
operations as soon as reasonably possible and generally within the 
next business day; (5) maintenance of back-up facilities, systems, 
infrastructure and alternative staffing arrangements in one or more 
areas that are geographically separate from the swap dealer's 
primary facilities, systems, infrastructure and personnel (which may 
include contractual arrangements for the use of facilities, systems 
and infrastructure provided by third parties); (6) back-up or 
copying, with sufficient frequency, of documents and data essential 
to the operations of the swap dealer or to fulfill the regulatory 
obligations of the swap dealer and storing the information off-site 
in either hard-copy or electronic format; and (7) the identification 
of potential business interruptions encountered by third parties 
that are necessary to the continued operations of the swap dealer 
and a plan to minimize the impact of such disruptions. See 17 CFR 
23.603(b).
    \709\ See 17 CFR 23.603(a).
    \710\ See 17 CFR 23.603(g).
    \711\ Id.
---------------------------------------------------------------------------

d. Market Entities Subject to Federal Banking Regulations
    Broker-dealers affiliated with a banking organization \712\ and 
some SBS Entities and transfer agents that are banking organizations 
are subject to the requirements of prudential regulators such as the 
FDIC, Federal Reserve Board, and the OCC. These prudential regulators 
have rules requiring banking organizations to notify them no later than 
36 hours after learning of a ``computer-security incident,'' which is 
defined as ``an occurrence that results in actual harm to the 
confidentiality, integrity, or availability of an information system or 
the information that the system processes, stores, or transmits.''
---------------------------------------------------------------------------

    \712\ In the simplification of the Volcker Rule, effective Jan. 
21, 2020, Commission staff estimated that there were 202 broker-
dealers that were affiliated with banking organizations.
---------------------------------------------------------------------------

    The rule also requires a bank service provider to notify at least 
one bank-designated point of contact at each affected customer bank as 
soon as possible when it determines it has experienced a computer-
security incident that has materially disrupted or degraded, or is 
reasonably likely to disrupt or degrade, covered services provided to 
the bank for four or more hours. If the bank has not previously 
provided a designated point of contact, the notification must be made 
to the bank's chief executive officer (``CEO'') and CIO or to two 
individuals of comparable responsibilities.\713\ Prudential 
regulators have also published guidance for banking organizations 
relating to cybersecurity.\714\
---------------------------------------------------------------------------

    \713\ See 12 CFR 53.1 through 53.4 (OCC); 12 CFR 225.300 through 
225.303 (Federal Reserve Board); 12 CFR 304.21 through 24 (FDIC).
    \714\ See, e.g., SR 21-14: Authentication and Access to 
Financial Institution Services and Systems (Aug. 11, 2021), 
available at https://www.federalreserve.gov/supervisionreg/srletters/sr2114.htm; SR 15-9: FFIEC Cybersecurity Assessment Tool 
for Chief Executive Officers and Boards of Directors (July 2, 2015), 
available at https://www.federalreserve.gov/supervisionreg/srletters/sr1509.htm; SR 05-23/CA 05-10: Interagency Guidance on 
Response Programs for Unauthorized Access to Customer Information 
and Customer Notice (Dec. 1, 2005), available at https://www.federalreserve.gov/boarddocs/srletters/2005/SR0523.htm.
---------------------------------------------------------------------------

e. Information Sharing
    Information sharing is an important part of cybersecurity. Alerts 
that are issued by the Commission or by the securities industry make 
Market Entities aware of trends in cybersecurity incidents and 
potential threats. This advance warning can help Market Entities to 
prepare for future cybersecurity attacks by testing and upgrading their 
cybersecurity infrastructure.
    The value of such information sharing has long been recognized. In 
1998, Presidential Decision Directive 63 established industry-based 
information sharing and analysis centers (``ISACs'') to promote the 
disclosure and sharing of cybersecurity information among firms.\715\ 
The FS-ISAC provides financial firms with such a forum.\716\ However, 
observers have questioned the efficacy of these information-sharing 
partnerships.\717\ Although the Commission does not have data on the 
extent of Market Entities' use of such forums or their efficacy, 
surveys of securities firms conducted by FINRA suggest that there is 
considerable variation in firms' willingness to share

[[Page 20292]]

information about cybersecurity threats on a voluntary basis, with 
larger firms being more likely to do so.\718\ Similarly, a recent 
survey of financial firms found that while recognition of the value of 
information-sharing arrangements is widespread, the majority of firms 
report hesitance to participate due to regulatory restrictions or 
privacy concerns.\719\
---------------------------------------------------------------------------

    \715\ See Presidential Decision Directive/NSC-63, Critical 
Infrastructure Protection (May 22, 1998); Presidential Decision 
Directive 63, Critical Infrastructure Protection: Sector 
Coordinators, 98 FR 41804 (Aug. 5, 1998) (notice and request for 
expressions of interest); see also National Council of ISACs, 
available at https://www.nationalisacs.org.
    \716\ Information about FS-ISAC is available at https://www.fsisac.com.
    \717\ See James A. Lewis and Denise E. Zheng, Cyber Threat 
Information Sharing, 2015 Ctr. for Strategic and Int'l Stud. 62 
(Mar. 2015) (stating that the ``benefits of information sharing, 
when done correctly, are numerous'' but that ``[p]rogrammatic, 
technical, and legal challenges, as well as lack of buy-in from the 
stakeholder community, are the key impediments'' to effective 
information-sharing partnerships).
    \718\ See FINRA Report on Cybersecurity Practices. Survey 
respondents included large investment banks, clearing firms, online 
brokerages, high-frequency traders, and independent dealers.
    \719\ See Julie Bernard, Mark Nicholson, and Deborah Golden, 
Reshaping the Cybersecurity Landscape, Deloitte (Jul. 24, 2020), 
available at https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html (``Reshaping the Cybersecurity Landscape''). Survey 
respondents consisted of CISOs (or equivalent) of 53 members of the 
FS-ISAC. Of the respondents, 24 reported being in the retail/
corporate banking sector, 20 reported being in the consumer/
financial services (non-banking) sector, and 17 reported being in 
the insurance sector. Other respondents included IT service 
providers, financial utilities, trade associations, and credit 
unions. Some respondents reported being in multiple sectors.
---------------------------------------------------------------------------

    Market surveillance and regulatory activities--such as enforcement 
by SROs--can result in information sharing with--and referrals to--the 
Commission and other federal agencies, particularly if the issues being 
investigated are cybersecurity related.
f. Adequacy of Current Cybersecurity Policies and Procedures
    While spending on cybersecurity measures in the financial services 
industry is considerable, and the growing risk of cybersecurity events 
has led many corporate executives to significantly increase their 
cybersecurity budget,\720\ the budget levels themselves are not the 
most important facet of a cybersecurity program.\721\ In a recent 
survey of 20 consumer/financial (non-banking) services firms, 
respondents ranked cybersecurity budget levels lower than other facets 
of cybersecurity maintenance.\722\ For example, financial companies' 
boards and management teams indicated that overall cybersecurity 
strategy, the identification of threats and cybersecurity risks, the 
firm's susceptibility to breaches when other financial institutions are 
successfully attacked, and the results of cybersecurity testing all 
ranked higher than security budgets themselves.\723\ Surveys of 
financial services firms indicate that 10.5% of their information 
technology budgets are spent on cybersecurity, and the per-employee 
expenditure is approximately $2,348 annually as of 2020.\724\ This per-
employee value can be used to estimate the cybersecurity expenditures 
at each of the Market Entities that would be affected by the proposed 
rule.\725\
---------------------------------------------------------------------------

    \720\ For example, according to one source, as of 2020, ``55% of 
enterprise executives [were planning] to increase their 
cybersecurity budgets in 2021 and 51% are adding full-time cyber 
staff in 2021.'' Louis Columbus, The Best Cybersecurity Predictions 
for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/louiscolumbus/2020/12/15/the-best-cybersecurity-predictions-for-2021-roundup/?sh=6d6db8b65e8c.
    \721\ See Reshaping the Cybersecurity Landscape.
    \722\ Id.
    \723\ Id.
    \724\ Id.
    \725\ The per-employee expenditure can be multiplied by the 
Market Entity's employee head count on a full-time equivalent basis 
to estimate its spending on cybersecurity protection.
---------------------------------------------------------------------------

2. Market Structure
a. Broker-Dealers
    The operations and functions of broker-dealers are discussed 
earlier in this release.\726\ The following broker-dealers would be 
Covered Entities: (1) broker-dealers that maintain custody of 
securities and cash for customers or other broker-dealers (i.e., 
carrying broker-dealers); (2) broker-dealers that introduce their 
customer accounts to a carrying broker-dealer on a fully disclosed 
basis (i.e., introducing broker-dealers); (3) broker-dealers with 
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that 
operate an ATS.\727\ Broker-dealers that do not fall into one of those 
six categories would not be Covered Entities (i.e., they would be Non-
Covered Broker-Dealers). As discussed above, broker-dealers that are 
Covered Entities would be subject to additional policies and 
procedures, reporting, and disclosure requirements under proposed Rule 
10.\728\ These additional requirements would not apply to broker-
dealers that are not Covered Entities.\729\
---------------------------------------------------------------------------

    \726\ See section I.A.2.b. of this release.
    \727\ See paragraphs (a)(1)(i)(A) through (F) of proposed Rule 
10.
    \728\ See paragraphs (b) through (d) of proposed Rule 10 (setting 
forth the requirements for Market Entities that meet the definition 
of ``covered entity'').
    \729\ See paragraph (e) of proposed Rule 10 (setting forth the 
requirements for Market Entities that do not meet the definition of 
``covered entity'').
---------------------------------------------------------------------------

    Table 1 presents a breakdown of all broker-dealers registered with 
the Commission as of the third quarter of 2022. Based on 2022 FOCUS 
Part II/IIA data, there were 3,510 registered broker-dealers with 
average total assets of $1.5 billion and average regulatory capital of 
$144 million. Of those broker-dealers, 1,541 would be classified as 
Covered Entities with average total assets of $3.5 billion and average 
regulatory capital of $325 million. Meanwhile, the 1,969 brokers that 
would be classified as Non-Covered Broker-Dealers were generally much 
smaller than broker-dealers that would be classified as Covered 
Entities, having an average total asset level of $4.7 million and 
regulatory capital of $3 million. In other words, Non-Covered Broker-
Dealers accounted for only about 0.2 percent of total asset value and 
only 0.1 percent of total regulatory capital in the third quarter of 
2022.
    The majority of small broker-dealers, as defined by Rule 0-10,\730\ 
were classified as Non-Covered Broker-Dealers (74%) compared to a 
minority of small broker-dealers that were classified as Covered 
Entities (26%), which means that most small broker-dealers would be 
subject to the less stringent regulatory requirements under the 
proposed Rule 10 for Non-Covered Broker-Dealers. The small broker-
dealers that qualified as Covered Entities and would be subject to 
additional requirements of proposed Rule 10 generally were broker-
dealers that introduce their customer accounts to carrying broker-
dealers on a fully disclosed basis.
---------------------------------------------------------------------------

    \730\ See 17 CFR 240.0-10 (``Rule 0-10'') for definition of 
small entities including small broker-dealers under the Exchange Act 
for purposes of the Regulatory Flexibility Act (``RFA''). This 
definition is for the economic analysis only. See also section VI of 
this release (setting forth the Commission's RFA analysis).

                        Table 1--Broker-Dealers as Covered Entities as of September 2022
                           [Average broker-dealer total assets and regulatory equity]
----------------------------------------------------------------------------------------------------------------
                                                                                                      Average
                                   Total number      Number of       Number of     Average total    regulatory
    Categories of covered BDs         of BDs         small BDs      retail BDs        assets          equity
                                                     included                       (millions)      (millions)
----------------------------------------------------------------------------------------------------------------
Carrying........................             162               0             145       $28,250.9        $2,528.7
Introducing.....................            1219             195            1106           103.0            44.3
Market making...................              19               0               1           179.2            17.4
ATS.............................              36               0              21             4.1             3.1
>$50 Million Regulatory Equity               105               0              44         6,891.6           351.5
 and/or >$1 billion total assets
----------------------------------------------------------------------------------------------------------------
Covered.........................            1541             195            1317         3,523.3           325.1
----------------------------------------------------------------------------------------------------------------
Non-Covered.....................            1969             569            1115             4.7             3.0
                                 -------------------------------------------------------------------------------
    Total.......................            3510             764            2432         1,549.9           144.4
----------------------------------------------------------------------------------------------------------------

    Covered Broker-Dealers provide a broad spectrum of services to 
their clients, including, for example: trade execution, clearing, 
market making, margin and securities lending, sale of investment 
company shares, research services, underwriting and selling, retail 
sales of corporate securities, private placements, and government and 
Series K securities sales and trading. In contrast, Non-Covered Broker-
Dealers tend to offer a more focused and limited set of services.
    In terms of specific services offered, as presented in Table 2 
below, while the majority of broker-dealers that are Covered Entities 
have lines of business devoted to broker and dealer services across a 
broad spectrum of financial instruments, Non-Covered Broker-Dealers as 
a whole focus on private placements. In addition, a significant 
minority of Non-Covered Broker-Dealers also engages in mutual fund 
sales and underwriting, variable contract sales, corporate securities 
underwriting, and direct investment offerings.

   Table 2--Lines of Business at Broker-Dealers as of September 2022 *
  [Percent of covered entity and non-covered broker-dealers engaged in
                         each line of business]
------------------------------------------------------------------------
                                            Percent of    Percent of non-
                                          covered broker- covered broker-
            Line of business                  dealers         dealers
                                             (percent)       (percent)
------------------------------------------------------------------------
Retailing Corporate Equity Securities               76.4             8.1
 Over The Counter.......................
Corporate Debt Securities...............            69.6             7.9
Mutual Funds............................            62.2            19.5
Private Placements......................            58.1            72.1
Options.................................            58.1             3.7
US Government Securities Broker.........            56.2             3.9
Municipal Debt/Bonds--Broker............            53.1             6.4
Other Securities Business...............            52.0            65.1
Underwriter--Corporate Securities.......            45.0            11.5
Trading Via Floor Broker................            43.4             5.7
Variable Contracts......................            42.4            16.3
Proprietary Trading.....................            40.4             3.8
Investment Advisory Services............            25.8             4.6
Municipal Debt/Bonds--Dealer............            25.4             1.5
Direct investments--Primary.............            21.2            13.2
US Government Securities Dealer.........            20.7             0.9
Other Non-Securities Business...........            18.1            11.2
Time Deposits...........................            16.5             1.2
Commodities.............................            12.5             1.1
Market Making...........................            12.3             0.6
Mortgage or Asset Backed Securities.....            11.9             1.3
Bank Networking/Kiosk Relationship......            11.0             0.4
Internet/Online Trading Accounts........            10.8             0.5
Exchange Non-Floor Activities...........            10.6             0.9
Direct investments--Secondary...........             8.2             2.0
Oil and Gas Interests...................             7.9             3.1
Underwriter--Mutual Funds...............             6.4             7.8
Exchange Floor Activities...............             5.9             1.2
Executing Broker........................             5.5             0.6
Day Trading Accounts....................             4.8             0.3
Insurance Networking/Kiosk Relationship.             4.7             0.6
Non Profit Securities...................             4.2             0.4
Real Estate Syndication.................             2.8             2.8
Prime Broker............................             1.6             0.0
Issuer Affiliated Broker................             1.2             1.1
Clearing Broker in a Prime Broker                    1.2             0.0
 Arrangement............................
Crowdfunding FINRA Rule 4518 (a)........             0.7             1.1
Funding Portal..........................             0.2             0.3
Crowdfunding FINRA Rule 4518 (b)........             0.1             0.3
Capital Acquisition Broker..............             0.1             1.2
------------------------------------------------------------------------
* This information is derived from Form BD, Question 12.

    As of November 2022, there were 33 NMS Stock ATSs with an effective 
Form ATS-N on file with the Commission \731\ and 68 non-NMS Stock ATSs 
with a Form ATS on file with the Commission.\732\ Most broker-dealer 
ATS operators operate a single ATS.
---------------------------------------------------------------------------

    \731\ See Form ATS-N Filings and Information, available at 
https://www.sec.gov/divisions/marketreg/form-ats-n-filings.htm.
    \732\ See the current list of registered ATSs on the 
Commission's website, available at https://www.sec.gov/foia/docs/atslist.
---------------------------------------------------------------------------

b. Clearing Agencies
    The operations and functions of clearing agencies are discussed 
earlier in this release.\733\ A clearing agency (whether registered 
with the Commission or exempt) would be considered a Covered Entity 
under proposed Rule 10.\734\ There are a total of 16 clearing agencies 
that would meet the definition of a Covered Entity under proposed Rule 
10. There are seven registered and active clearing agencies: DTC, FICC, 
NSCC, ICC, ICEEU, the Options Clearing Corp., and LCH SA. Two clearing 
agencies are registered with the Commission but are inactive and 
currently do not provide clearing and settlement activities. Those 
clearing agencies are the BSECC and SCCP.\735\ In addition, there are 
five clearing agencies that are exempt from registering with the 
Commission. Those exempt clearing agencies are DTCC ITP Matching U.S. 
LLC, Bloomberg STP LLC, and SS&C Technologies, Inc., which provide 
matching services; and Clearstream Banking, S.A. and Euroclear Bank SA/
NV, which provide clearing agency services with respect to transactions 
involving U.S. government and agency securities for U.S. 
participants.\736\
---------------------------------------------------------------------------

    \733\ See section I.A.2.c. of this release.
    \734\ See paragraph (a)(1)(iii) of proposed Rule 10.
    \735\ BSECC and SCCP have not provided clearing services in over 
a decade. See BSECC Notice (stating that BSECC ``returned all 
clearing funds to its members by September 30, 2010, and [ ] no 
longer maintains clearing members or has any other clearing 
operations as of that date . . . . BSECC [ ] maintain[s] its 
registration as a clearing agency with the Commission for possible 
active operations in the future''); SCCP Notice (noting that SCCP 
``returned all clearing fund deposits by September 30, 2009; [and] 
as of that date SCCP no longer maintains clearing members or has any 
other clearing operations . . . . SCCP [] maintain[s] its 
registration as a clearing agency for possible active operations in 
the future.''). BSECC and SCCP are included in the economic baseline 
and must be considered in the benefits and costs analysis due to 
their registration with the Commission. They also are included in 
the PRA for purposes of the PRA estimate. See section V of this 
release (setting forth the Commission's PRA analysis).
    \736\ In addition to the 14 clearing agencies discussed above, 
the Commission expects that two entities may apply to register or 
to seek an exemption from registration as a clearing agency in the 
next three years. As a result, they were included in the PRA in 
section V.
---------------------------------------------------------------------------

    Of the seven operating registered clearing agencies, six provide 
CCP clearing services and one provides CSD services. In addition, NSCC, 
FICC, and DTC are all registered clearing agencies that are 
subsidiaries of the Depository Trust and Clearing Corporation. 
Together, this subset of registered clearing agencies offers clearing 
and settlement services for equities, corporate, and municipal bonds, 
government and mortgage-backed securities, derivatives, money market 
instruments, syndicated loans, mutual funds, and alternative investment 
products in the United States. ICC and ICEEU are both registered 
clearing agencies for credit default swaps (``CDS'') and are both 
subsidiaries of ICE. LCH SA, a France-based subsidiary of LCH Group 
Holdings Ltd, is a registered clearing agency that also offers clearing 
for CDS. The seventh registered clearing agency, the Options Clearing 
Corp., offers clearing services for exchange-traded U.S. equity 
options.
c. The MSRB
    The operations and functions of the MSRB are discussed earlier in 
this release.\737\ The MSRB would be considered a Covered Entity under 
proposed Rule 10.\738\ As an SRO registered with the Commission, the 
MSRB protects municipal securities investors, municipal entities, 
obligated persons, and the public interest. While the MSRB used to only 
regulate the activities of broker-dealers and banks that buy, sell, and 
underwrite municipal securities, it now also regulates certain 
activities of municipal advisors.
---------------------------------------------------------------------------

    \737\ See section I.A.2.d. of this release.
    \738\ See paragraph (a)(1)(iv) of proposed Rule 10.
---------------------------------------------------------------------------

d. National Securities Associations
    The operations and functions of national securities associations are 
discussed earlier in this release.\739\ A national securities 
association would be considered a Covered Entity under proposed Rule 
10.\740\ FINRA currently is the only national securities association 
registered with the Commission and is a not-for-profit organization 
with 3,700 employees that oversees broker-dealers, including their 
branch offices, and registered representatives through examinations, 
enforcement, and surveillance.
---------------------------------------------------------------------------

    \739\ See section I.A.2.e. of this release.
    \740\ See paragraph (a)(1)(i)(v) of proposed Rule 10.
---------------------------------------------------------------------------

    FINRA, among other things, provides a forum for securities 
arbitration and mediation; conducts market regulation, including by 
contract for a majority of the national securities exchanges; regulates 
its broker-dealer members; administers testing and licensing of 
registered persons; collects and stores regulatory filings; \741\ and 
operates industry utilities such as Trade Reporting Facilities.\742\ 
Through the collection of regulatory filings submitted by broker-
dealers as well as stock options and fixed-income quote, order, and 
trade data, FINRA maintains certain confidential information--not only 
its own but of other SROs.
---------------------------------------------------------------------------

    \741\ Some of the filings collected include FOCUS reports; Form 
OBS; Form SSOI; Form Custody; firm clearing arrangements filings; 
Blue Sheets; customer margin balance reporting; short interest 
reporting; Form PF; Form 211; public offering and private placement 
related filings; FINRA Rules 4311 and 4530 reporting; subordination 
agreements; and Regulations M, T, and NMS.
    \742\ These include Trade Reporting and Compliance Engine 
(TRACE), OTC ATS and Non-ATS data, Over-the-Counter Reporting 
Facility (ORF), Trade Reporting Facility (TRF), Alternative Display 
Facility (ADF), and Order Audit Trail System (OATS) (phased out as 
of 2021).
---------------------------------------------------------------------------

e. National Securities Exchanges
    The operations and functions of the national securities exchanges 
are discussed earlier in this release.\743\ A national securities 
exchange would be considered a Covered Entity under proposed Rule 
10.\744\ There are 24

[[Page 20295]]

national securities exchanges \745\ currently registered with the 
Commission that would meet the definition of a Covered Entity under 
proposed Rule 10(a)(1): BOX Exchange LLC; Cboe BYX Exchange, Inc.; Cboe 
BZX Exchange, Inc.; Cboe C2 Exchange, Inc.; Cboe EDGA Exchange, Inc.; 
Cboe EDGX Exchange, Inc.; Cboe Exchange, Inc.; Investors Exchange LLC; 
Long-Term Stock Exchange, Inc.; MEMX, LLC; Miami International 
Securities Exchange; MIAX Emerald, LLC; MIAX PEARL, LLC; Nasdaq BX, 
Inc.; Nasdaq GEMX, LLC; Nasdaq ISE, LLC; Nasdaq MRX, LLC; Nasdaq PHLX 
LLC; The Nasdaq Stock Market; New York Stock Exchange LLC; NYSE Arca, 
Inc.; NYSE Chicago, Inc.; NYSE American, LLC; and NYSE National, 
Inc.\746\
---------------------------------------------------------------------------

    \743\ See section I.A.2.f. of this release.
    \744\ See paragraph (a)(1)(vi) of proposed Rule 10.
    \745\ Exempt securities exchanges governed by section 5 of the 
Act are not considered to be national securities exchanges.
    \746\ Two exchanges, The Island Futures Exchange, LLC, and NQLX 
LLC, were formerly registered with the Commission as national 
securities exchanges.
---------------------------------------------------------------------------

f. SBS Entities and SBSDRs
    Operations and functions of SBS Entities and SBSDRs are discussed 
earlier in this release.\747\ An SBS Entity and an SBSDR would be 
considered a Covered Entity under proposed Rule 10.\748\ As of January 
4, 2023, there were 50 registered SBSDs that would meet the definition 
of a Covered Entity under proposed Rule 10(a)(1).\749\ There were no 
MSBSPs as of January 4, 2023.
---------------------------------------------------------------------------

    \747\ See sections I.A.2.g. and I.A.2.h. of this release.
    \748\ See paragraphs (a)(1)(iii), (vii), and (viii) of proposed 
Rule 10 (defining, respectively, MSBSPs, SBSDRs, and SBSDs as 
``covered entities'').
    \749\ See List of Registered Security-Based Swap Dealers and 
Major Security-Based Swap Participants (Jan. 4, 2023), available at 
https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.
---------------------------------------------------------------------------

    There are three SBSDRs that would meet the definition of a Covered 
Entity under proposed Rule 10(a)(1). The Commission has two registered 
security-based swap data repositories (ICE Trade Vault, LLC and DTCC 
Data Repository (U.S.), LLC). GTR North America provides transaction 
reporting services for derivatives in the United States through the 
legal entity DTCC Data Repository (U.S.) LLC. DTCC Data Repository 
(U.S.), LLC enables firms to meet their reporting obligations under the 
Dodd-Frank Act and accepts trade submissions directly from reporting 
firms as well as through third-party service providers.\750\ In 
addition to the two registered SBSDRs, the Commission expects that an 
additional entity may apply to be a registered SBSDR in the next three 
years.
---------------------------------------------------------------------------

    \750\ See DTCC, GTR North America, available at https://www.dtcc.com/repository-and-derivatives-services/repository-services/gtr-north-america.
---------------------------------------------------------------------------

g. Transfer Agents
    The operations and functions of transfer agents are discussed 
earlier in this release.\751\ Transfer agents would be Covered Entities 
under proposed Rule 10.\752\ Transfer agents generally work for issuers 
of securities. Among other functions, they may: (1) track, record, and 
maintain on behalf of issuers the official record of ownership of each 
issuer's securities; (2) cancel old certificates, issue new ones, and 
perform other processing and recordkeeping functions that facilitate 
the issuance, cancellation, and transfer of securities; (3) facilitate 
communications between issuers and registered securityholders; and (4) 
make dividend, principal, interest, and other distributions to 
securityholders.\753\ Transfer agents are required to be registered 
with the Commission, or if the transfer agent is a bank, then with a 
bank regulatory agency. As of December 31, 2022, there were 353 
registered transfer agents.\754\
---------------------------------------------------------------------------

    \751\ See section I.A.2.i. of this release.
    \752\ See paragraph (a)(1)(ix) of proposed Rule 10.
    \753\ See Transfer Agent Regulations, Exchange Act Release No. 
76743 (Dec. 22, 2015), 80 FR 81948, 81949 (Dec. 31, 2015).
    \754\ See Commission, Transfer Agent Data Sets (Dec. 31, 2022), 
available at https://www.sec.gov/dera/data/transfer-agent-data-sets.
---------------------------------------------------------------------------

h. Service Providers
    Many Market Entities utilize service providers to perform some or 
all of their cybersecurity functions. Market Entities that are large--
relative to other Market Entities--in terms of their total assets, 
number of clients or members, or daily transactions processed are 
likely to have significant information technology resources, including 
their own information technology departments and dedicated staff, such 
that some functions are performed in-house. Other services may be contracted out 
to service providers that cater to Market Entities. Smaller Market 
Entities that do not have large technology budgets may rely more 
heavily (or completely) on third parties for their cybersecurity needs. 
According to a voluntary survey, financial services firms spend 
approximately 0.3 percent of revenue or 10% of their information 
technology budgets on cybersecurity, highlighting the fact that 
identifying vulnerabilities and having cybersecurity policies and 
procedures in place are more important than the actual cybersecurity 
budget itself, particularly with respect to expensive hardware and 
software.\755\
---------------------------------------------------------------------------

    \755\ See Reshaping the Cybersecurity Landscape.
---------------------------------------------------------------------------

    In performing their contracted duties, specialized service 
providers may receive, maintain, or process confidential information 
from Market Entities, or are otherwise permitted to access Market 
Entities' information systems and the information residing on those 
systems. Market Entities work with service providers that provide 
certain critical functions, such as payment processing providers, 
regulatory services consultants, data providers, custodians, and 
valuation services. Market Entities also employ more general 
service providers, such as email providers, relationship management 
systems, cloud applications, and other technology vendors.
    Regardless of their size, Market Entities typically enter into 
contracts with service providers to perform a specific function for a 
given time frame at a set price. At the conclusion of a contract, it 
may be renewed if both parties are satisfied. Because prices typically 
increase over time, there may be some need to negotiate a new fee for 
continued service. Negotiations also occur if additional services are 
requested from a given third-party provider. Where additional services 
are required mid-contract, for example due to increased regulatory 
requirements, the service provider may be able to bill separately for 
the extra work it must perform to provide the additional service, 
particularly if that provider operates in a highly concentrated market 
for that service and can wield market power. This may be the case 
because that condition is specified in the contract with the Market 
Entity.
    Service providers that cater to the securities industry with 
specialized services are likely to have economies of scale that allow 
them to more easily handle requests from Market Entities for additional 
services.\756\ Some service providers, however, may not have the 
technical expertise to provide a requested additional service or may 
refuse to do so for other reasons. In this case, the Market Entity 
would need to find another service provider. The costs associated with 
service provider contracts, including the costs of renegotiating them 
or tacking on supplemental fees, are passed on to the Market Entity's 
customers, counterparties, members, participants,

[[Page 20296]]

or users to the extent that the Market Entities are able to do so.
---------------------------------------------------------------------------

    \756\ See Bharath Aiyer et al., New Survey Reveals $2 Trillion 
Market Opportunity for Cybersecurity Technology and Service 
Providers (2022), available at https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers.
---------------------------------------------------------------------------

D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule 
Amendments

    In this section, the Commission considers the benefits and costs of 
the rule, form, and amendments being proposed in this release.\757\ As 
discussed earlier, proposed Rule 10 would require all Market Entities 
(Covered Entities and non-Covered Entities) to establish, maintain, and 
enforce written policies and procedures that are reasonably designed to 
address their cybersecurity risks.\758\ All Market Entities also, at 
least annually, would be required to review and assess the design and 
effectiveness of their cybersecurity policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review.\759\ They also would 
be required to prepare a report (in the case of Covered Entities) or a 
record (in the case of non-Covered Entities) with respect to the annual 
review.\760\ Finally, all Market Entities would need to give the 
Commission immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the significant cybersecurity incident has occurred or is 
occurring.\761\
---------------------------------------------------------------------------

    \757\ Throughout the following, the Commission also considers 
benefits and costs related to potential effects on economic 
efficiency, competition, and capital formation. The Commission 
summarizes these effects in section IV.E. of this release.
    \758\ See paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Market Entities that meet the 
definition of ``covered entity''); paragraph (e)(1) of proposed Rule 
10; see also sections II.B.1. and II.C. of this release (discussing 
these proposed requirements in more detail).
    \759\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10; see also sections II.B.1.f. and II.C. of this 
release (discussing these proposed requirements in more detail).
    \760\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10; see also sections II.B.1.f. and II.C. of this 
release (discussing these proposed requirements in more detail).
    \761\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) 
of proposed Rule 10; see also sections II.B.2.a. and II.C. of this 
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Market Entities that meet the definition of ``covered entity'' 
would be subject to certain additional requirements under proposed Rule 
10.\762\ First, their cybersecurity risk management policies and 
procedures would need to include the following elements:
---------------------------------------------------------------------------

    \762\ See paragraphs (b) through (d) of proposed Rule 10 (setting 
forth the requirements for Market Entities that meet the definition 
of ``covered entity''); paragraph (e) of proposed Rule 10 (setting 
forth the requirements for Market Entities that do not meet the 
definition of ``covered entity'').
---------------------------------------------------------------------------

    • Periodic assessments of cybersecurity risks associated 
with the Covered Entity's information systems and written documentation 
of the risk assessments;
    • Controls designed to minimize user-related risks and 
prevent unauthorized access to the Covered Entity's information 
systems;
    • Measures designed to monitor the Covered Entity's 
information systems and protect the Covered Entity's information from 
unauthorized access or use, and oversight of service providers that 
receive, maintain, or process information, or are otherwise permitted 
to access the Covered Entity's information systems;
    • Measures to detect, mitigate, and remediate any 
cybersecurity threats and vulnerabilities with respect to the Covered 
Entity's information systems; and
    • Measures to detect, respond to, and recover from a 
cybersecurity incident and written documentation of any cybersecurity 
incident and the response to and recovery from the incident.\763\
---------------------------------------------------------------------------

    \763\ See sections II.B.1.a. through II.B.1.e. of this release 
(discussing these proposed requirements in more detail). In the case 
of non-Covered Entities, as discussed in more detail below in 
Section II.C. of this release, the design of the cybersecurity risk 
management policies and procedures would need to take into account 
the size, business, and operations of the broker-dealer. See 
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------

    Second, Covered Entities would need to make certain records 
pursuant to the policies and procedures required under proposed Rule 
10. In particular, Covered Entities would be required to document in 
writing periodic assessments of cybersecurity risks associated with the 
Covered Entity's information systems and information residing on those 
systems.\764\ Additionally, Covered Entities would be required to 
document in writing any cybersecurity incident, including the Covered 
Entity's response to and recovery from the cybersecurity incident.\765\
---------------------------------------------------------------------------

    \764\ See paragraph (b)(1)(i)(B) of proposed Rule 10; see also 
section II.B.1.a. of this release (discussing this documentation 
requirement in more detail).
    \765\ See paragraph (b)(1)(v)(B) of proposed Rule 10; see also 
section II.B.1.e. of this release (discussing this documentation 
requirement in more detail).
---------------------------------------------------------------------------

    Third, Covered Entities--in addition to providing the Commission 
with immediate written electronic notice upon having a reasonable basis 
to conclude that the significant cybersecurity incident has occurred or 
is occurring--would need to report and update information about the 
significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission through the EDGAR system.\766\ The form would 
elicit information about the 
significant cybersecurity incident and the Covered Entity's efforts to 
respond to, and recover from, the incident. Covered Entities would be 
required to file updated versions of proposed Form SCIR when material 
information becomes available or previously reported information is 
deemed inaccurate. Lastly, a final proposed Form SCIR would need to be 
submitted after a significant cybersecurity incident is resolved.
---------------------------------------------------------------------------

    \766\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Fourth, Covered Entities would need to disclose publicly summary 
descriptions of their cybersecurity risks and the significant 
cybersecurity incidents they experienced during the current or previous 
calendar year on Part II of proposed Form SCIR.\767\ The form would 
need to be filed with the Commission through the EDGAR system and 
posted on the Covered Entity's public-facing business internet website 
and, in the case of Covered Entities that are carrying or introducing 
broker-dealers, provided to customers at account opening and annually 
thereafter.
---------------------------------------------------------------------------

    \767\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers, 
transfer agents, and SBS Entities respectively--would be amended to 
establish preservation and maintenance requirements for the written 
policies and procedures, annual reports, Parts I and II of proposed 
Form SCIR, and records required to be made pursuant to proposed Rule 10 
(i.e., the Rule 10 Records).\768\ The proposed amendments would specify 
that the Rule 10 Records must be retained for three years. In the case 
of the written policies and procedures to address cybersecurity risks, 
the record would need to be maintained until three years after the 
termination of the use of the policies and procedures.\769\ In 
addition, orders exempting certain clearing agencies from registering 
with the Commission are proposed to be amended to establish 
preservation and maintenance

[[Page 20297]]

requirements for the Rule 10 Records that would apply to the exempt 
clearing agencies subject to those orders.\770\ The amendments would 
provide that the records need to be retained for five years (consistent 
with Rules 13n-7 and 17a-1).\771\ In the case of the written policies 
and procedures to address cybersecurity risks, the record would need to 
be maintained until three years after the termination of the use of the 
policies and procedures.
---------------------------------------------------------------------------

    \768\ See sections II.B.5. and II.C. of this release (discussing 
these proposed amendments in more detail). Rule 17a-4 sets forth 
record preservation and maintenance requirements for broker-dealers, 
Rule 17ad-7 sets forth record preservation and maintenance 
requirements for transfer agents, and Rule 18a-6 sets forth record 
preservation and maintenance requirements for SBS Entities.
    \769\ See proposed Rule 17a-4(e).
    \770\ See section II.B.5. of this release (discussing these 
proposed amendments in more detail).
    \771\ As discussed in section II.B.5.a. of this release, the 
existing requirements of Rule 13n-7 (which applies to SBSDRs) and 
Rule 17a-1 (which applies to registered clearing agencies, the MSRB, 
national securities associations, and national securities exchanges) 
will require these Market Entities to retain the Rule 10 Records for 
five years and, in the case of the written policies and procedures, 
for five years after the termination of the use of the policies and 
procedures.
---------------------------------------------------------------------------

1. Benefits and Costs of the Proposal to the U.S. Securities Markets
    The Commission is proposing rules to require all Market Entities, 
based on the reasons discussed throughout, to take steps to protect 
their information systems and the information residing on those systems 
from cybersecurity risk.\772\ For example, as discussed above, Market 
Entities may not take the steps necessary to address adequately their 
cybersecurity risks.\773\ A Market Entity that fails to do so is more 
vulnerable to succumbing to a significant cybersecurity incident. As 
discussed earlier, a significant cybersecurity incident can cause 
serious harm not only to the Market Entity but also to its customers, 
counterparties, members, registrants, or users, as well as to any other 
market participants (including other Market Entities) that interact 
with the impacted Market Entity.\774\ Therefore, it is vital to the 
U.S. securities markets and the participants in those markets that all 
Market Entities address cybersecurity risk, which, as discussed above, 
is increasingly threatening the financial sector.\775\
---------------------------------------------------------------------------

    \772\ See section I.A.1. of this release (discussing the 
attractiveness of the U.S. securities market to threat actors).
    \773\ See section IV.B. of this release (discussing broad 
economic considerations).
    \774\ See section I.A.2. of this release (discussing how 
critical operations of Market Entities are exposed to cybersecurity 
risk).
    \775\ See section I.A.1. of this release (discussing threats to 
the U.S. financial sector).
---------------------------------------------------------------------------

a. Benefits
    The Commission anticipates that an important economic benefit of 
the proposal would be to better protect the fair, orderly, and 
efficient operations of the U.S. securities markets and the soundness 
of Market Entities by requiring all Market Entities to establish, 
maintain, and enforce written cybersecurity policies and procedures. 
As noted earlier, the average loss in the financial services industry 
was $18.3 million, per company per cybersecurity incident. Adopting 
and enforcing cybersecurity policies and procedures could help Market 
Entities avoid such losses. Furthermore, the requirement to implement 
cybersecurity policies and procedures could protect against potential 
negative downstream effects that could be incurred by other 
participants in the U.S. securities markets, such as the Market 
Entity's customers, counterparties, members, registrants, and users, 
in the event of a cybersecurity attack. By 
requiring each Market Entity to implement policies and procedures to 
address cybersecurity risk, the proposed rule would reduce the 
likelihood that one Market Entity's cybersecurity incident can 
adversely affect other Market Entities and market participants, as well 
as the U.S. securities markets at large.
    In addition, FSOC has stated that ``[m]aintaining and improving 
cybersecurity resilience of the financial sector requires continuous 
assessment of cyber vulnerabilities and close cooperation across firms 
and governments within the U.S. and internationally.'' \776\ The 
information provided to the Commission under the proposed reporting 
requirements could help in assessing potential cybersecurity risks that 
affect the U.S. securities markets. The reporting of significant 
cybersecurity incidents also could be used to address future 
cyberattacks. For example, these reports could assist the Commission in 
identifying patterns and trends across Covered Entities, including 
widespread cybersecurity incidents affecting multiple Covered Entities 
at the same time. Further, the reports could be used to evaluate the 
effectiveness of various approaches that are used to respond to and 
recover from significant cybersecurity incidents. Therefore, requiring 
Covered Entities to report significant cybersecurity incidents to the 
Commission could assist the Commission in carrying out its mission of 
maintaining fair, orderly, and efficient operations of the U.S. 
securities markets.
---------------------------------------------------------------------------

    \776\ FSOC, Annual Report (2022), at 70, available at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf (``FSOC 
2022 Annual Report'') (``By exchanging cyber threat information 
within a sharing community, organizations can leverage the 
collective knowledge, experience, and capabilities of that sharing 
community to gain a more complete understanding of the threats the 
organization may face.'') See also NIST, Special Pub. 800-150, Guide 
to Cyber Threat Information Sharing iii (2016), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf. 
The NIST Special Publication also notes that the use of structured 
data can facilitate information sharing. Id. at 7 (``Structured data 
that is expressed using open, machine-readable, standard formats can 
generally be more readily accessed, searched, and analyzed by a 
wider range of tools. Thus, the format of the information plays a 
significant role in determining the ease and efficiency of 
information use, analysis, and exchange.'').
---------------------------------------------------------------------------

    Similarly, requiring Covered Entities to publicly disclose summary 
descriptions of their cybersecurity risks and significant cybersecurity 
incidents would provide enhanced transparency about cybersecurity 
threats that could impact the U.S. securities markets. Participants in 
these markets could use this additional information to enhance the 
management of their own cybersecurity risks, which also could serve to 
strengthen the resilience of the U.S. securities markets to future 
cybersecurity threats.
b. Costs
    In general, the costs associated with the proposals include the 
costs of developing, implementing, documenting, and reviewing 
cybersecurity policies and procedures. For example, a Market Entity 
that has only the minimal cybersecurity protection needed to meet the 
current regulatory requirements may incur substantial costs when 
implementing the policies and procedures required by proposed Rule 10. 
These costs could be significantly lower for a Market Entity that 
currently has a well-developed and documented cybersecurity program. A 
Market Entity that incurs costs under the proposal may attempt to pass 
them on to other market participants and even other Market Entities to 
the extent that they are able to do that. This could increase costs for 
the Market Entity's customers, counterparties, members, registrants, or 
users that participate in the U.S. securities markets.
    In general, compliance costs with proposed Rule 10 would vary 
across the various types of Market Entities. As discussed above, one 
factor determining costs would be the extent to which a Market Entity's 
existing measures to address cybersecurity risk would comply with the 
proposal. Other factors would be the Market Entity's particular 
business model, size, and unique cybersecurity risks. While the 
compliance costs for smaller entities, such as Non-Covered 
Broker-Dealers, may be relatively small in absolute terms, those costs 
may not be inconsequential relative to their size. Further, Covered 
Entities may incur substantial compliance costs given their relatively 
large size.

[[Page 20298]]

2. Policies and Procedures and Annual Review Requirements for Covered 
Entities
    The definition of a ``covered entity'' includes a wide range of 
Commission registrants. The different Covered Entities that would be 
subject to proposed Rule 10 vary based on the types of businesses they 
are involved in, their relative sizes, and the number of competitors 
they face. As a result, the benefits and costs associated with the 
requirements to establish, maintain, and enforce written cybersecurity 
policies and procedures and to review them at least annually likely 
will vary among the different types of Covered Entities. Because the 
benefits and costs are heterogeneous across the different types of 
Covered Entities, the costs and benefits that are common to all Covered 
Entities are discussed first. Next, the benefits and costs associated 
with each type of Covered Entity are examined separately to account for 
the different operations and functions they perform and the differences 
in how existing or proposed regulations apply to them. The estimated 
cost of compliance for a given Covered Entity and for all Covered 
Entities combined is provided in the common costs discussion.
a. Common Benefits and Costs for Covered Entities
i. Benefits
    As discussed above, due to the interconnected nature of the U.S. 
securities market, strong policies and procedures to address 
cybersecurity risks are needed by Covered Entities to protect not only 
themselves, but also the Market Entities with whom they do business, as 
well as other market participants, such as the Covered Entity's 
customers, counterparties, members, or users. The Commission 
anticipates that an important economic benefit of the cybersecurity 
policies and procedures and annual review requirements of proposed Rule 
10 would be to reduce the cybersecurity vulnerabilities of each Market 
Entity and enhance the preparedness of each Market Entity against 
cybersecurity threats to its operations. This would reduce the 
likelihood that the Market Entity experiences the adverse consequences 
of a cybersecurity incident. With written cybersecurity policies and 
procedures that are maintained and enforced, as well as periodically 
reviewed and assessed, Market Entities can better protect themselves 
against cybersecurity threats; harden the security of their 
information systems and data, including by preventing unauthorized 
access; minimize the damage from successful cyberattacks; and recover 
more quickly from significant cybersecurity incidents when they do 
occur. For example, the Covered Entity's risk assessment policies and 
procedures would need to require written documentation of these risk 
assessments.\777\
---------------------------------------------------------------------------

    \777\ See paragraph (b)(1)(i)(B) of proposed Rule 10.
---------------------------------------------------------------------------

    Relatedly, proposed Rule 10 would require that the incident 
response and recovery policies and procedures include written 
documentation of a cybersecurity incident, including the Covered 
Entity's response to and recovery from the incident.\778\ These records 
could be used by the Covered Entity to assess the efficacy of, and 
adherence to, its incident response and recovery policies and 
procedures. The record of the cybersecurity incidents further could be 
used as a ``lessons-learned'' document to help the Covered Entity 
respond more effectively the next time it experiences a cybersecurity 
incident. The Commission staff also could use the records to review 
compliance with this aspect of proposed Rule 10.
---------------------------------------------------------------------------

    \778\ See paragraph (b)(1)(v)(B) of proposed Rule 10.
---------------------------------------------------------------------------

    The records discussed above generally could be used by the Covered 
Entity when it performs its review to analyze whether its current 
policies and procedures need to be updated, to inform the Covered 
Entity of the risks specific to it, and to support responses to 
cybersecurity risks by identifying cybersecurity threats to information 
systems that, if compromised, could result in significant cybersecurity 
incidents.\779\ The documentation also could be used by Commission 
staff and internal auditors of the Covered Entity to examine for 
adherence to the risk assessment policies and procedures.
---------------------------------------------------------------------------

    \779\ See paragraph (b)(2) of proposed Rule 10 (which would 
require a Covered Entity to review and assess the design and 
effectiveness of the cybersecurity policies and procedures, 
including whether the policies and procedures reflect changes in 
cybersecurity risk over the time period covered by the review). See 
also section II.B.1.f. of this release (discussing the proposed 
requirements in more detail).
---------------------------------------------------------------------------

    Moreover, the annual review requirement is designed to require the 
Covered Entity to evaluate whether its cybersecurity policies and 
procedures continue to work as designed and whether changes are needed 
to ensure their continued effectiveness, including oversight of any 
delegated responsibilities. As discussed earlier, the sophistication of 
the tactics, techniques, and procedures employed by threat actors is 
increasing.\780\
---------------------------------------------------------------------------

    \780\ See section I.A.1. of this release (discussing, for 
example, how cybersecurity threats are evolving); see also Bank of 
England CBEST Report (stating that ``[t]he threat actor community, 
once dominated by amateur hackers, has expanded to include a broad 
range of professional threat actors, all of whom are strongly 
motivated, organised and funded'').
---------------------------------------------------------------------------

    As discussed above, Covered Entities most likely already have some 
minimum level of cybersecurity policies and procedures in place due to 
their own business decisions and certain existing regulations and 
oversight. However, as discussed above, 
current Commission regulations regarding cybersecurity policies and 
procedures are narrower in scope. Proposed Rule 10 aims to be 
comprehensive in terms of mandating that Covered Entities have 
cybersecurity policies and procedures that address all cybersecurity 
incidents that may affect their information systems and the funds and 
securities as well as personal, confidential, and proprietary 
information that may be stored on those systems. The benefits of the 
proposed Rule 10 would be lessened to the extent that a Covered Entity 
already has implemented cybersecurity policies and procedures that are 
generally consistent with the written policies and procedures and 
annual review requirements under proposed Rule 10.
    If a Covered Entity has to supplement its existing cybersecurity 
policies and procedures, amend them, or institute annual reviews and 
document their assessments in a report, the benefit of proposed Rule 10 
for that Covered Entity would be greater. The proposal will help ensure 
the Covered Entity has robust procedures in place to prevent 
cybersecurity incidents, may enable Covered Entities to detect 
cybersecurity incidents earlier, and help ensure that Covered Entities 
have a plan in place to remediate cybersecurity incidents quickly. 
Lastly, as a second-order effect, it could reduce the Covered Entities' 
risk of exposure to other Covered Entities' cybersecurity incidents 
stemming--for example--from the interconnectedness of Covered Entities' 
information systems.
    The Commission currently does not have reliable data on the extent 
to which each Covered Entity's existing policies and procedures are 
consistent with the proposed Rule 10. Therefore, it is not possible to 
quantify the scale of the benefits arising from the proposed policies 
and procedures and annual review requirements. However, given the 
importance of the U.S. securities markets, the value of the funds and 
assets that are traded and held, and the fact that much transaction 
activity is now electronic, it seems likely that the Covered 
Entities that

[[Page 20299]]

transact business digitally have a strong incentive to implement 
cybersecurity policies and procedures in order to protect and maintain 
their operations. The proposed rule will require Covered Entities to 
implement stronger protections that go beyond what they do based on 
those market incentives.
    To the extent that Covered Entities engage in business activities 
involving crypto assets (which depend almost exclusively on the 
operations of information systems), developing strong cybersecurity 
policies and procedures would result in large benefits for them and 
potentially for their customers, counterparties, members, registrants 
or users. For example, robust cybersecurity policies and procedures 
would help to ensure that Covered Entities are better shielded from the 
theft of crypto assets by threat actors, which may be difficult or 
impossible to recover, given the nature of the distributed ledger 
technology.\781\ In addition, Covered Entities would avoid negative 
reputational damage associated with a successful cyberattack.
---------------------------------------------------------------------------

    \781\ See section II.G. of this release (noting that there is no 
centralized IT infrastructure that can dynamically detect and 
prevent cyberattacks on wallets or prevent the transfer of 
illegitimately obtained crypto assets by bad actors).
---------------------------------------------------------------------------

ii. Costs
    The costs associated with the policies and procedures and annual 
review requirements of proposed Rule 10 would primarily result from 
compliance costs borne by Covered Entities in the design, 
implementation, review, written assessment, and updates of the 
cybersecurity policies and procedures. The proposed requirement likely 
would change a Covered Entity's behavior toward cybersecurity risk and 
necessitate a certain amount of investment in cybersecurity 
protection.\782\ In addition to the aforementioned direct compliance 
costs faced by Covered Entities, those Covered Entities that utilize 
service providers would need to take steps to oversee them under 
proposed Rule 10.\783\ The costs of this oversight, including direct 
compliance costs, ultimately would likely be passed on to the Covered 
Entities' customers, counterparties, members, participants, or users to 
the extent Covered Entities are able to do so. As indicated above, the 
compliance costs generally may be lessened to the extent that Covered 
Entities' existing policies and procedures would be consistent with the 
requirements of proposed Rule 10. Therefore, the marginal increase in 
compliance costs that arise likely would be due to the extent to which 
a Covered Entity needs to make modifications to its existing 
cybersecurity policies and procedures, implement annual reviews of 
those policies and procedures, and/or write assessment reports.
---------------------------------------------------------------------------

    \782\ While the existing policies and procedures of Covered 
Entities largely could be consistent with the requirements of 
proposed Rule 10, without a requirement to do so, they may not 
conduct annual reviews and draft assessment reports. The annual 
review and report costs are estimated to be between $1,500 and $20,000 
based on the costs of obtaining a cybersecurity audit. See How Much 
Does a Security Audit Cost?, Cyber Security Advisor (Jan. 29, 2019), 
available at https://cybersecadvisor.org/blog/how-much-does-a-security-audit-cost (``Cost of Security Audit'').
    \783\ See paragraphs (b)(1)(i)(A)(2), (b)(1)(iii)(B), and (b)(2) 
of proposed Rule 10.
---------------------------------------------------------------------------

    The compliance costs associated with developing, implementing, 
documenting, and reviewing the cybersecurity policies and procedures 
for Covered Entities' activities that involve crypto assets likely 
would be higher than those connected with traditional services and 
technologies offered and used, respectively, by Covered Entities. The 
cost difference primarily would be due to technological features of 
distributed ledger technologies as well as with the costs increasing as 
a Covered Entity engages in activities with additional crypto assets 
and blockchains.
iii. Service Providers
    As indicated above, Covered Entities may use service providers to 
supply them with some or all of their necessary cybersecurity 
protection. In general, the cost of contracted cybersecurity services 
depends on the size of the entity: larger firms may offer a wider 
range of services and thus need more cybersecurity protection. 
According to a data security provider blog, ``[a]mong mid-market 
organizations (250-999 employees), 46% spend under $250,000 on security 
each year and 43% spend $250,000 to $999,999. Among enterprise 
organizations (1,000-9,999 employees), 57% spend between $250,000 and 
$999,999, 23% spend less than $250,000, and 20% spend at least $1 
million. Half of large enterprises (more than 10,000 employees) spend 
$1 million or more on security each year and 43% spend between $250,000 
and $999,999.'' \784\
---------------------------------------------------------------------------

    \784\ See Desdemona Bandini, New Security Report: The Security 
Bottom Line, How Much Security Is Enough? (Nov. 19, 2019), 
available at https://duo.com/blog/new-security-report-the-security-bottom-line-how-much-security-is-enough.
---------------------------------------------------------------------------

    Under the proposal, Covered Entities need to identify their service 
providers that receive, maintain, or process information, or are 
otherwise permitted to access their information systems and the 
information residing on those systems, and then assess the 
cybersecurity risks associated with the use of those service 
providers.\785\ The policies and procedures for protecting information 
would require oversight of the service providers that receive, 
maintain, or process the Covered Entities' information, or are 
otherwise permitted to access the Covered Entities' information systems 
and the data residing on those systems, through a written contractual 
agreement, as specified in paragraph (b)(1)(iii)(B) of proposed Rule 
10.\786\ Service providers would be required to implement and maintain, 
pursuant to a written contract with the Covered Entities, appropriate 
measures, including the practices described in paragraph (b) of 
proposed Rule 10.
---------------------------------------------------------------------------

    \785\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
    \786\ See paragraph (b)(1)(iii)(B) of proposed Rule 10.
---------------------------------------------------------------------------

    The proposed requirements will likely impose additional costs, at 
least initially, on service providers catering to Covered Entities, as 
they would be asked to provide services not included in existing 
contracts. The Commission believes that most service providers 
providing business-critical services would likely face pressure to 
enhance their cybersecurity practices to satisfy demand from Covered 
Entities due to new regulatory requirements placed on those Covered 
Entities.\787\ Service providers may be willing to bear additional 
costs in order to continue their business relationships with the 
Covered Entities, particularly if the parties are operating under an 
ongoing contract.\788\ Such situations are more likely to arise with 
services that are considered general information technology, such as 
email, relationship management, website hosting, cloud applications, 
and other common technologies, given that the service provider does not 
have market power because it has many competitors offering these 
services. In contrast, providers of more specialized services--such as 
payment service providers, regulatory service providers, data 
providers, custodians, and providers of valuation services--may have 
significant market power and may be able to charge a Covered Entity 
separately for the additional services that would be required under 
proposed Rule 10. Whether passed on to Covered Entities immediately or 
reflected in

[[Page 20300]]

subsequent contract renewals, the costs associated with the additional 
services--including the associated negotiation process--would likely be 
passed on to the Covered Entities' customers, counterparties, members, 
participants, or users to the extent that they are able to do so.
---------------------------------------------------------------------------

    \787\ A service provider involved in any business-critical 
function would likely need to receive, maintain, or process 
information from the Covered Entities as well as the Covered 
Entities' customers, counterparties, members, registrants, or users.
    \788\ See, e.g., Cost of Security Audit.
---------------------------------------------------------------------------

    In terms of the cost of additional services received from service 
providers, those providers that offer a specialized service and have 
market power may not be willing to give any price concessions in the 
negotiation process. The same may be true for service providers where 
Covered Entities make up a small proportion of their overall business. 
Other service providers in a more competitive environment--such as 
those that offer general information technology services--may be more 
willing to provide a discount to keep the Covered Entity as a 
customer.\789\ Moreover, the compliance costs for service providers of 
common technologies may be generally larger than those realized by 
firms that offer specialized services because they cater to a wider 
variety of customers, which makes contracts with different parties more 
idiosyncratic.
---------------------------------------------------------------------------

    \789\ See Jon Brodkin, IT Shops Renegotiate Contracts to Get 
Savings Out of Vendors, Computer World (Nov. 6, 2008), available at 
https://www.computerworld.com/article/2781173/it-shops-renegotiate-contracts-to-get-savings-out-of-vendors.html.
---------------------------------------------------------------------------

    Some Covered Entities may find that one or several of their 
existing service providers may not be technically able to--or may not 
wish to make the investment to--support the Covered Entities' 
compliance with the proposed rule. Similarly, some Covered Entities may 
find that one or several of their existing service providers may not be 
able to--or wish to because of significant market power--enter into 
written contracts where the costs are not mutually agreeable. Also, 
some service providers may not want to amend their contracts and take 
on the particular obligations even if they already have the technical 
abilities. In those cases, the Covered Entities would need to change 
service providers and bear the associated switching costs, while the 
service providers would suffer loss of their customer base.\790\
---------------------------------------------------------------------------

    \790\ For example, the Covered Entity has insufficient market 
power to effect changes in the service provider's business practices 
and the suite of cybersecurity technologies it currently offers to 
that Covered Entity.
---------------------------------------------------------------------------

    For service providers that do business with Covered Entities, the 
proposed rule may impose additional costs related to revising the 
service provider's cybersecurity practices to satisfy the requirements 
that would be imposed on the Covered Entities. Moreover, if a service 
provider is already providing services to a Covered Entity that are 
largely compliant with proposed Rule 10, then the resulting increase in 
compliance costs likely would be minor.
    Even if satisfying additional client requirements would not 
represent a significant expense for service providers, the processes 
and procedures that are necessary to implement an infrequently utilized 
service may prevent some service providers from continuing to work with 
the Covered Entity.\791\ That is, the provision of the service may be 
viewed as more burdensome than the revenue received from the Covered 
Entity. This consequence would serve as a disincentive to the service 
provider. In such cases, Covered Entities would bear costs related to 
finding alternative service providers while existing service providers 
would suffer lost revenue once the Covered Entities switch service 
providers.\792\
---------------------------------------------------------------------------

    \791\ For example, the costs associated with legal review of 
alterations to standard contracts may not be worth bearing by the 
service provider if Covered Entities represent a small segment of 
the service provider's business.
    \792\ At the same time, these frictions would benefit service 
providers that cater to customers in regulated industries.
---------------------------------------------------------------------------

    To estimate the costs associated with the proposed policies and 
procedures requirements and annual review requirements, the Commission 
considered the initial and ongoing compliance costs.\793\ The internal 
annual costs for these requirements (which include an initial burden 
estimate annualized over a three-year period) are estimated to be 
$14,631.54 per Covered Entity, and $29,102,133.06 in total. These costs 
include a blended rate of $462 for a compliance attorney and assistant 
general counsel for a total of 31.67 hours. The annual external costs 
for adopting and implementing the policies and procedures, as well as 
the annual review of the policies and procedures are estimated to be 
$3,472 per Covered Entity, and $6,905,808 in total. This includes the 
cost of using outside legal counsel at a rate of $496 per hour for a 
total of seven hours.
---------------------------------------------------------------------------

    \793\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

b. Broker-Dealers
i. Benefits
    The benefits of the policies and procedures requirements of 
proposed Rule 10 for Covered Broker-Dealers likely will not be 
consistent across these entities, as their services vary. Covered 
Broker-Dealers that are larger, more interconnected with other market 
participants, and offer more services have a higher potential for 
greater losses for themselves and others in the event of a 
cybersecurity incident. Thus, the benefits arising from robust 
cybersecurity practices increase with the size and number of services 
offered by Covered Broker-Dealers. For example, a cybersecurity 
incident at a large Covered Broker-Dealer that facilitates trade 
executions and/or provides carrying and clearing services carries 
greater risk due to the larger number of services it provides as well 
as its interconnections with other Market Entities. For example, 
carrying broker-dealers may provide services to multiple introducing 
broker-dealers and their customers. Commission staff determined that, 
as of September 2022, carrying broker-dealers have an average of 44 
introducing broker-dealers on behalf of which they carry funds and 
securities,\794\ with a median number of five broker-dealers. 
Furthermore, a carrying broker-dealer may intermediate the connection 
between one introducing broker-dealer and the final carrying broker-
dealer.\795\ As a result, there are potentially many avenues for 
infiltration, from the introducing broker-dealers to the carrying 
broker-dealers. Such Covered Broker-Dealers will not only hold 
customers' personally identifiable information and records, but also 
typically have control over customers' funds and assets. This makes 
them attractive targets for threat actors. In addition, even a brief 
disruption of the services offered by a carrying broker-dealer (e.g., 
from a ransomware attack) could have large, negative downstream 
repercussions on the broker-dealer's customers and other Covered 
Entities (e.g., inability to submit orders during volatile market 
conditions or to access funds and securities). The persons negatively 
impacted could include not only individuals but also institutional 
customers, such as introducing broker-dealers, hedge funds, and family 
offices. In this scenario, the Covered Broker-Dealer could incur major 
losses if it experienced a significant cybersecurity incident. Thus, 
compliance with written cybersecurity policies and procedures, along 
with annual reviews and a written assessment report, likely would have 
substantial benefits for those Covered Broker-Dealers that hold 
customer information, funds, and assets.
---------------------------------------------------------------------------

    \794\ Based on Form Custody, Item 4, as of 2021.
    \795\ Id.
---------------------------------------------------------------------------

    Because Covered Broker-Dealers perform a number of functions in the 
U.S. securities markets and those functions are increasingly performed 
through the use of information systems,

[[Page 20301]]

it is important that those information systems be secure against 
cyberattacks. Covered Broker-Dealers use networks to connect their 
information systems to those of national securities exchanges and 
clearing agencies, and to communicate and transact with other Covered 
Broker-Dealers. Written policies and procedures would strengthen a Covered 
Broker-Dealer's cybersecurity protocols so that it would be more 
difficult for threat actors to disrupt market-making activities in 
securities or otherwise compromise the liquidity of the securities 
markets, an occurrence that could negatively impact the ability of 
investors to liquidate or purchase certain securities at favorable or 
predictable prices or in a timely manner.
    ATSs are trading systems that meet the definition of ``exchange'' 
under federal securities laws but are not required to register as 
national securities exchanges if they comply with the conditions of the 
Regulation ATS exemption, which includes registering as a broker-
dealer. ATSs have become significant venues for orders and non-firm 
trading interest in securities.\796\ ATSs use data feeds, algorithms, 
and connectivity to perform their functions. ATSs rely heavily on 
information systems to perform these functions, including to connect to 
other Market Entities, such as other Covered Broker-Dealers and 
national securities exchanges.
---------------------------------------------------------------------------

    \796\ Exchange Act Rule 3a1-1(a)(2) exempts an ATS from the 
definition of exchange under section 3(a)(1) of the Exchange Act on 
the condition that the ATS complies with Regulation ATS. See 
generally Regulation of NMS Stock Alternative Trading Systems 
Release, 83 FR 38768; Amendments Regarding the Definition of 
``Exchange'' and ATSs Release, 87 FR 15496.
---------------------------------------------------------------------------

    A significant cybersecurity incident that disrupts an ATS could 
negatively impact the ability of investors to liquidate or purchase 
certain securities at favorable or predictable prices or in a timely 
manner to the extent it provides liquidity to the market for those 
securities. Furthermore, the records stored by ATSs on their 
information systems consist of proprietary information about Market 
Entities that use their services, including confidential business 
information (e.g., information about their trading activities). A 
significant cybersecurity incident at an ATS could lead to the improper 
use of this information to harm the Market Entities (e.g., public 
exposure of confidential trading information) or provide the 
unauthorized user with an unfair advantage over other market 
participants (e.g., trading based on confidential business 
information). Comprehensive cybersecurity policies and procedures, 
along with periodic assessments, would fortify broker-dealer ATS 
operations in their efforts to thwart cybersecurity attacks.
    On the other hand, a small Covered Broker-Dealer could experience a 
cybersecurity incident that has significant negative impacts on the 
entity and its customers, such as a disruption to its services or the 
theft of a customer's personal information. These types of incidents 
would have profound negative effects for the small Covered Broker-
Dealer and its customers, but the negative effects would likely be 
insignificant relative to the size of the entire U.S. securities 
markets. In this case, strong cybersecurity policies and procedures 
generally could provide substantial benefits to small Covered Broker-
Dealers themselves and their customers, but likely not to other market 
participants.
    As discussed in the baseline, Covered Broker-Dealers currently are 
subject to Regulation S-P, Regulation S-ID, FINRA rules, and SRO and 
Commission oversight, as well as Regulation ATS applying to broker-
dealer operated ATSs.\797\ In addition, Covered Broker-Dealers that 
operate an ATS and trade certain stocks exceeding specific volume 
thresholds are subject to Regulation SCI.\798\ As discussed above, 
Regulation S-P, Regulation ATS, and Regulation S-ID have requirements 
to establish policies and procedures that address certain cybersecurity 
risks.\799\ Therefore, Covered Broker-Dealers subject to these other 
regulations have existing cybersecurity policies and procedures that 
address certain cybersecurity risks. However, proposed Rule 10 would 
require all Covered Broker-Dealers to establish, maintain, and enforce 
a set of cybersecurity policies and procedures that is broader and more 
comprehensive than is required under the existing requirements of 
Regulation S-P, Regulation S-ID, and Regulation ATS that pertain to 
cybersecurity risk. This could substantially benefit these Covered 
Broker-Dealers and their customers and counterparties as well as other 
Market Entities that provide services to them or transact with them. In 
particular, the failure to protect a particular information system from 
cybersecurity risk can create a vulnerability that a threat actor could 
exploit to access other information systems of the Covered Broker-
Dealer. Therefore, proposed Rule 10--because it would require all 
information systems to be protected by policies and procedures--would 
result in benefits to Covered Broker-Dealers (i.e., enhanced 
cybersecurity resiliency).
---------------------------------------------------------------------------

    \797\ See section IV.C.1.b.i. of this release (discussing as 
part of the baseline the current relevant regulations applicable to 
broker-dealers); see also section II.F. of this release (discussing 
other relevant regulations applicable to Covered Broker-Dealers).
    \798\ Id.
    \799\ See section II.F.1.c. of this release (discussing in more 
detail the existing requirements of Regulation S-P, Regulation ATS, 
and Regulation S-ID to have policies and procedures to address 
certain cybersecurity risks).
---------------------------------------------------------------------------

    Covered Broker-Dealers that are registered as FCMs or swap dealers 
are subject to NFA requirements that relate to proposed Rule 10.\800\ 
These additional requirements may bring those dually-registered Covered 
Broker-Dealers more in line with the requirements of the proposed 
rule.\801\ As a result, the marginal benefit of compliance for them may 
be smaller than for those that are only registered with the Commission.
---------------------------------------------------------------------------

    \800\ See section IV.C.1.d.iii. of this release (discussing as 
part of the baseline current CFTC-related requirements applicable to 
FCMs and swap dealers).
    \801\ See section I.B. of this release (discussing the proposed 
requirements for Covered Entities, including Covered Broker-Dealers, 
with respect to cybersecurity policies and procedures).
---------------------------------------------------------------------------

ii. Costs
    The compliance costs of the policies and procedures requirements of 
proposed Rule 10 for Covered Broker-Dealers may generally be lower, to 
the extent their current policies and procedures are designed to comply 
with Regulation SCI, Regulation S-P, Regulation ATS (if they operate an 
ATS), Regulation S-ID, and FINRA rules and are consistent with certain 
of the requirements of the proposed Rule 10.\802\ However, the 
requirements of proposed Rule 10 are designed to address all of the 
Covered Broker-Dealer's cybersecurity risks; whereas the requirements 
of these other regulations that relate to cybersecurity are more 
narrowly focused. Consequently, the marginal costs associated with 
implementing the cybersecurity policies and procedures required under 
the proposed Rule 10 would depend on the extent to which broker-
dealers' existing cybersecurity protections address cybersecurity risks 
beyond those that are required to be addressed by these other 
regulations.
---------------------------------------------------------------------------

    \802\ See section II.F.1.c. of this release (discussing the 
requirements of proposed Rule 10 and how they relate to Regulation 
S-P, Regulation ATS, and Regulation S-ID).
---------------------------------------------------------------------------

    Covered Broker-Dealers that are dually registered with the CFTC as 
FCMs or swap dealers are subject to

[[Page 20302]]

NFA requirements, as noted above.\803\ These additional requirements 
may make compliance with the proposed rule less burdensome and thus 
less costly, as those NFA requirements are already in place.
---------------------------------------------------------------------------

    \803\ See section IV.C.1.d.iii. of this release (discussing as 
part of the baseline current CFTC-related requirements applicable to 
FCMs and swap dealers).
---------------------------------------------------------------------------

c. Clearing Agencies and National Securities Exchanges
i. Benefits
    Strong cybersecurity protocols at national securities exchanges 
would help maintain their critical function of matching orders of 
buyers and sellers. A cybersecurity incident could prevent an exchange 
from executing trades, therefore preventing members and their customers 
from buying or selling securities at the exchange. Interruptions in 
order flow and execution timing could lead to inefficiencies in order 
matching, possibly resulting in a less desirable execution price. 
Moreover, customer information could be stolen and trading strategies 
could be revealed. Lastly, a cybersecurity breach could be problematic 
for market surveillance staff that monitors the market for illegal 
trading activity. Thus, the policies and procedures requirements of 
proposed Rule 10 could offer significant benefits to national 
securities exchanges and market participants that depend on their 
processing of order flow and the ability of regulators to surveil the 
market.
    Clearing agencies serve an important role in the securities markets 
by ensuring that executed trades are cleared and that the funds and 
securities are transferred to and from the appropriate accounts. A 
cybersecurity incident at a clearing agency could result in delays in 
clearing as well as in the movement of funds and assets. Such an 
incident also could lead to the loss or misappropriation of customer 
information, funds, and assets. Threat actors could also gain access to 
and misappropriate the clearing agency's default fund by, for example, 
obtaining access to the clearing agency's account in which the fund is 
held. Strong cybersecurity policies and procedures would assist 
clearing agencies in protecting the funds and securities in their 
control. This would benefit the clearing agency, its members, and 
market participants that rely on the services of its members.
    As discussed in the baseline, national securities exchanges, 
registered clearing agencies, and certain exempt clearing agencies are 
subject to Regulation SCI.\804\ Regulation SCI has requirements for SCI 
entities to establish policies and procedures that address certain 
cybersecurity risks. The proposed requirements of proposed Rule 10, in 
contrast, apply to all of the Covered Entity's information systems. The 
benefits of the policies and procedures requirements of proposed Rule 
10 would depend on the extent to which the national securities 
exchanges' and clearing agencies' current cybersecurity policies and 
procedures (which include those required by Regulation SCI) are 
consistent with those required under the proposed rule. Major changes 
in cybersecurity policies and procedures could yield large benefits. 
However, the marginal benefit of the proposed rule likely would decline 
the more closely a national securities exchange's or clearing agency's 
cybersecurity policies and procedures are consistent with the 
requirements of proposed Rule 10.
---------------------------------------------------------------------------

    \804\ See section IV.C.1.b.ii. of this release (discussing as 
part of the baseline the relevant regulations applicable to national 
securities exchanges and clearing agencies).
---------------------------------------------------------------------------

    Clearing agencies that are registered as DCOs are subject to 
additional CFTC requirements that may be related to those of proposed 
Rule 10.\805\ As a result, the marginal benefit of proposed Rule 10 may 
be smaller for them than for those that are only registered with the 
Commission.
---------------------------------------------------------------------------

    \805\ See section IV.C.1.d.i. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to DCOs).
---------------------------------------------------------------------------

ii. Costs
    The incremental cost of compliance with the policies and procedures 
requirements of proposed Rule 10 for national exchanges and clearing 
agencies depends on how much their current cybersecurity policies and 
procedures go beyond what is required by Regulation SCI. This is 
because the requirements of proposed Rule 10 are designed to address 
all of the cybersecurity risks faced by a national securities exchange 
or clearing agency; in contrast, the requirements of Regulation SCI 
that relate to cybersecurity are more narrowly focused.\806\ Therefore, 
national securities exchanges and clearing agencies that have policies 
and procedures in place that only address the requirements of 
Regulation SCI will need to make potentially significant changes to 
their cybersecurity policies and procedures in order to comply with the 
requirements of proposed Rule 10. Alternatively, national securities 
exchanges and clearing agencies that currently have comprehensive 
cybersecurity policies and procedures may incur fewer costs to comply 
with proposed Rule 10. Nevertheless, assuming that they do not do so 
already, ensuring that those cybersecurity policies and procedures are 
documented and reviewed on an annual basis as required by the proposal, 
with an accompanying written assessment, would assist national 
securities exchanges and clearing agencies to withstand cybersecurity 
incidents and address them more effectively, thus minimizing the 
negative effects of such occurrences.
---------------------------------------------------------------------------

    \806\ See section II.F.1.c. of this release (discussing the 
requirements of proposed Rule 10 and how they relate to the 
requirements of Regulation SCI).
---------------------------------------------------------------------------

    Clearing agencies that are dually registered with the CFTC as DCOs 
are subject to that agency's systems safeguards rule, as noted 
above.\807\ Complying with the CFTC requirements may make compliance 
with the proposed rule less burdensome and thus less costly, to the 
extent that the registered DCO implements the CFTC requirements on the 
registered clearing agency side of its operations.
---------------------------------------------------------------------------

    \807\ See section IV.C.1.c.i. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to DCOs).
---------------------------------------------------------------------------

    Finally, national securities exchanges and clearing agencies that 
are registered with the Commission but currently are not active would 
incur substantially higher costs relative to their active peers if they 
needed to come into compliance with proposed Rule 10. If they resume 
clearing activities and operations, they may incur significant costs to 
develop, document, implement, maintain, and enforce policies and 
procedures, including cybersecurity policies and procedures, as well as 
establish protocols for written annual reviews with necessary 
modifications and updates.
d. FINRA and the MSRB
i. Benefits
    FINRA is the only national securities association currently 
registered with the Commission. Similarly, the MSRB is the only entity 
(other than the Commission) established by Congress to, among other 
activities, propose and adopt rules with respect to transactions in 
municipal securities.
    FINRA issues cybersecurity-related statements to members that 
discuss best practices for achieving adequate cybersecurity 
protection.\808\ FINRA and MSRB members are also subject to internal 
oversight and external audits. Nevertheless, both FINRA and the

[[Page 20303]]

MSRB store proprietary information about their members, including 
confidential business information, on their respective information 
systems. FINRA stores information about broker-dealers and trades. Some 
information and systems under FINRA's control may belong to other 
organizations where FINRA is simply contracted to perform data 
processing duties. There also may be sensitive information related to 
FINRA's oversight practices that is not made public, such as regulatory 
assessments of various broker-dealers or internal analyses regarding 
its examinations and examination programs. Furthermore, FINRA may keep 
information on cyberattacks on itself and on broker-dealers that, if 
made public, could compromise existing cybersecurity systems. 
Therefore, FINRA and the MSRB themselves require their own 
cybersecurity policies and procedures.
---------------------------------------------------------------------------

    \808\ See FINRA, Cybersecurity, available at https://www.finra.org/rules-guidance/key-topics/cybersecurity#overview.
---------------------------------------------------------------------------

    As discussed in the baseline, FINRA and the MSRB are subject to 
Regulation SCI.\809\ Regulation SCI has requirements to establish 
policies and procedures that address certain cybersecurity risks.\810\ 
Therefore, the benefits of the policies and procedures requirements of 
proposed Rule 10 would depend on the extent to which the FINRA's and 
the MSRB's current cybersecurity policies and procedures (which include 
those required by Regulation SCI) are consistent with those required 
under the proposed rule. This means the marginal benefit of the 
proposed rule may be limited depending on how closely FINRA's and the 
MSRB's cybersecurity policies and procedures are consistent with 
proposed Rule 10. Nevertheless, ensuring that those cybersecurity 
policies and procedures are documented and reviewed on an annual basis, 
with an accompanying written assessment, could assist the two entities 
in avoiding cybersecurity incidents and addressing them more 
effectively, thus minimizing the negative effects of such occurrences.
---------------------------------------------------------------------------

    \809\ See section IV.C.1.b.ii. of this release (discussing as 
part of the baseline the current relevant regulations applicable to 
national securities associations and FINRA).
    \810\ See section II.F.1.c. of this release (discussing in more 
detail the requirements of Regulation SCI).
---------------------------------------------------------------------------

ii. Costs
    As with national securities exchanges and clearing agencies, the 
Commission does not expect that FINRA and the MSRB will incur 
significant costs as a result of complying with the policies and 
procedures requirements of proposed Rule 10 because they are already 
subject to Regulation SCI and, due to their importance in the oversight 
of their members or registrants, as well as the storage 
of trade information and data owned by other parties, there are strong 
incentives for FINRA and the MSRB to invest in comprehensive 
cybersecurity programs.
e. SBS Entities
i. Benefits
    As discussed in the baseline, SBS Entities must comply with section 
15F(j)(2) of the Exchange Act and various Commission rules. SBS 
Entities that are dually registered with the CFTC are subject to that 
agency's rules as well as the rules of the NFA.\811\ The benefits that 
would accrue to SBS Entities depend on the level of cybersecurity 
protection they currently have in place. Policies and procedures that 
are consistent with the policies and procedures requirements of 
proposed Rule 10 may only need moderate updating and adjustment. As a 
result, the marginal benefits likely are small. There would be much 
greater benefits for SBS Entities that must significantly revise their 
current policies and procedures. Further, proposed Rule 10 would 
require that SBS Entities have policies and procedures to respond to 
and recover from cybersecurity incidents, which would assist the SBS 
Entities in minimizing the harm caused by the incident and enhancing 
their ability to recover from it. Annual reviews also would help them 
update their policies and procedures to address emerging threats.
---------------------------------------------------------------------------

    \811\ See section IV.C.1.c.iii. of this release (discussing as 
part of the baseline current relevant regulations applicable to SBS 
Entities).
---------------------------------------------------------------------------

    SBS Entities that are registered as swap dealers are subject to 
additional requirements of the CFTC and NFA that may be related to 
those of proposed Rule 10.\812\ As a result, the marginal benefit of 
compliance for them may be smaller than those that are only registered 
with the Commission.
---------------------------------------------------------------------------

    \812\ See section IV.C.1.c.iii. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to swap dealers).
---------------------------------------------------------------------------

ii. Costs
    Complying with the policies and procedures requirements of proposed 
Rule 10 may not be costly for SBS Entities. SBS Entities must comply 
with section 15F(j)(2) of the Exchange Act and various Commission 
rules. The costs that arise from compliance with proposed Rule 10 
depend on how closely their current documented policies and procedures, 
as well as annual reviews and summary reports, are consistent with the 
proposed rule. SBS Entities that have very similar cybersecurity 
policies and procedures to those that would be required under proposed 
Rule 10 would have small associated costs to come into compliance with 
the rule. SBS Entities that need to make more substantial changes to 
their cybersecurity policies and procedures to comply with the proposed 
rule would incur higher attendant costs. Ultimately, the ability of SBS 
Entities to bear those additional costs depends on the competitive 
landscape of the security-based swap market.
    SBS Entities that are dually registered with the CFTC as swap 
dealers are subject to that agency's requirements, as noted above.\813\ 
These additional requirements may make compliance with the proposed 
rule less burdensome and thus less costly, as the CFTC requirements are 
already in effect and dually registered SBS Entities must comply with 
those regulations.
---------------------------------------------------------------------------

    \813\ See section IV.C.1.c.iii. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to swap dealers).
---------------------------------------------------------------------------

f. SBSDRs
i. Benefits
    SBSDRs collect and maintain security-based swap transaction data so 
that relevant authorities can access and analyze the data from secure, 
central locations, thereby allowing regulators to monitor for potential 
market abuse and risks to financial stability.\814\ SBSDRs also reduce 
operational risk and enhance operational efficiency in the security-
based swap market, such as by maintaining transaction records that help 
counterparties ensure that their records reconcile.\815\
---------------------------------------------------------------------------

    \814\ See SBSDR Adopting Release, 80 FR at 14440 (``[SBSDRs] are 
required to collect and maintain accurate SBS transaction data so 
that relevant authorities can access and analyze the data from 
secure, central locations, thereby putting them in a better position 
to monitor for potential market abuse and risks to financial 
stability.'').
    \815\ See SBSDR Proposing Release at 77307 (stating that ``[t]he 
enhanced transparency provided by an [SBSDR is important to help 
regulators and others monitor the build-up and concentration of risk 
exposures in the [security-based swap] market . . . . In addition, 
[SBSDRs] have the potential to reduce operational risk and enhance 
operational efficiency in the [security-based swap] market'').
---------------------------------------------------------------------------

    The Commission requires SBSDRs to have written documentation 
regarding how they keep such transaction information secure.\816\ If 
the policies and procedures requirements of proposed Rule 10 require 
an SBSDR to do additional development, documentation, implementation, 
and review of its cybersecurity policies and procedures, then the 
benefits that accrue

[[Page 20304]]

from doing so will be large. In this circumstance, compliance with the 
policies and procedures requirements of proposed Rule 10 would bolster 
SBSDRs' cybersecurity resiliency. As a result, SBSDRs would be better 
prepared to identify cybersecurity vulnerabilities and prevent 
significant cybersecurity incidents, thereby safeguarding the security-
based swap trade data that they receive and maintain. Further, proposed 
Rule 10 would require that SBSDRs have policies and procedures to 
respond to and recover from a significant cybersecurity incident, which 
would assist SBSDRs in minimizing the harm caused by the incident and 
enhancing their ability to recover from it. Annual reviews also would 
help them update their policies and procedures to address emerging 
threats.
---------------------------------------------------------------------------

    \816\ See section IV.C.1.b.iv. of this release (discussing as 
part of the baseline the current relevant regulations applicable to 
SBSDRs).
---------------------------------------------------------------------------

    SBSDRs that are dually registered with the CFTC as SDRs must comply 
with that agency's systems safeguards rule, applicable to information 
systems for data under the CFTC's jurisdiction.\817\ These additional 
requirements may bring those dually-registered SBSDRs more in line with 
the requirements of the proposed rule, to the extent that the 
registered entity applies the CFTC's systems safeguard requirements to 
the SBSDR operations. As a result, the marginal benefit of compliance 
for them may be smaller than those that are only registered with the 
Commission.
---------------------------------------------------------------------------

    \817\ See section IV.C.1.d.ii. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to SDRs).
---------------------------------------------------------------------------

ii. Costs
    The costs that arise from compliance with the policies and 
procedures requirements of proposed Rule 10 depend on how closely the 
current documented policies and procedures of SBSDRs are consistent 
with the proposed rule. SBSDRs that have very similar cybersecurity 
policies and procedures to those that would be required under proposed 
Rule 10 would face small costs to amend their cybersecurity policies 
and procedures. SBSDRs that need to make more substantial changes to 
their cybersecurity policies and procedures to comply with the proposed 
rule would realize greater marginal benefits from attaining compliance, 
while incurring higher attendant costs.
    SBSDRs that are dually registered with the CFTC as SDRs are subject 
to that agency's system safeguards rule, as noted above.\818\ These 
additional requirements may make compliance with the proposed rule less 
burdensome and thus less costly, to the extent the registered entity 
applies the CFTC's system safeguard requirements to its SBSDR 
operations.
---------------------------------------------------------------------------

    \818\ See section IV.C.1.d.iii. of this release (discussing as 
part of the baseline the current relevant CFTC regulations 
applicable to swap dealers).
---------------------------------------------------------------------------

g. Transfer Agents
i. Benefits
    The benefits of the policies and procedures requirements of 
proposed Rule 10 likely will differ across transfer agents, as their 
size and the level of their services may vary. Transfer agents, among 
other functions, may: (1) track, record, and maintain on behalf of 
issuers the official record of ownership of each issuer's securities; 
(2) cancel old certificates, issue new ones, and perform other 
processing and recordkeeping functions that facilitate the issuance, 
cancellation, and transfer of those securities; (3) facilitate 
communications between issuers and registered securityholders; and (4) 
make dividend, principal, interest, and other distributions to 
securityholders.\819\ A cybersecurity incident at a transfer agent 
would have varying negative impacts depending on the range of services 
offered by the transfer agent. Nonetheless, for the issuer who depends 
on the transfer agent to maintain the official record of ownership, or 
for securityholders who depend on the transfer agent for distributions, 
an incident at even a small transfer agent with limited services could 
have profound negative implications.
---------------------------------------------------------------------------

    \819\ See section I.A.2.i. of this release (discussing critical 
operations and functions of transfer agents).
---------------------------------------------------------------------------

    In addition, some transfer agents may maintain records and 
information related to securityholders that could include names, 
addresses, phone numbers, email addresses, employers, employment 
history, bank and specific account information, credit card 
information, transaction histories, securities holdings, and other 
detailed and individualized information related to the transfer agents' 
recordkeeping and transaction processing on behalf of issuers. This 
information may make a transfer agent particularly attractive to threat 
actors. Compliance with written cybersecurity policies and procedures 
under proposed Rule 10, along with annual reviews and a written 
assessment report, would likely produce a large benefit for clients and 
investors of transfer agents.
    Preventing successful cyberattacks would keep securities from being 
stolen by threat actors and would ensure that dividends are paid when 
promised. In addition, because transfer agents have information on the 
securityholders' personal information, policies and procedures to 
protect that information from unauthorized access or use would benefit 
the transfer agent and the securityholders. Moreover, if a significant 
cybersecurity incident materializes, transfer agents would have a plan 
to resolve the issue, thus potentially reducing the timeframe and 
damage associated with the incident.
    As discussed in the baseline, transfer agents registered with the 
Commission (but not transfer agents registered with another appropriate 
regulatory agency) are subject to the Regulation S-P Disposal Rule and 
may be subject to Regulation S-ID.\820\ The Regulation S-P Disposal 
Rule and Regulation S-ID require measures that implicate a certain 
cybersecurity risk.\821\ Nonetheless, the policies and procedures 
requirements of proposed Rule 10 would still provide substantial 
benefits to transfer agents. This is because, as discussed above, 
proposed Rule 10 would require all transfer agents to establish, 
maintain, and enforce policies and procedures to address cybersecurity 
risks that are broader and more comprehensive than those policies and 
procedures required by the existing requirements of Regulation S-P or 
Regulation S-ID.
---------------------------------------------------------------------------

    \820\ See section IV.C.1.b.v. of this release (discussing as 
part of the baseline the current relevant regulations applicable to 
transfer agents). Transfer agents that are subsidiaries of bank 
holding companies would incur minimal cost since they are already 
subject to federal banking cybersecurity regulations.
    \821\ See section II.F.1.c. of this release (discussing in more 
detail the existing requirements of the Regulation S-P Disposal Rule 
and Regulation S-ID).
---------------------------------------------------------------------------

ii. Costs
    Transfer agents likely would incur moderate costs in complying with 
the policies and procedures requirements of proposed Rule 10 if their 
current policies and procedures--including those to comply with the 
Regulation S-P Disposal Rule and Regulation S-ID (if either or both 
apply)--would need to be augmented to meet the requirements of proposed 
Rule 10. Transfer agents also would have to do annual reviews and write 
assessment reports. Such costs likely would be passed on to the 
entities that use transfer agents' services. Transfer agents that have 
made the business decision to implement robust cybersecurity policies, 
procedures, and practices would incur lower marginal compliance costs, 
to the degree those policies, procedures, and practices are consistent 
with the requirements of proposed Rule 10.

[[Page 20305]]

h. Request for Comment
    The Commission requests comment on all aspects of the foregoing 
analysis of the benefits and costs of the policies and procedures, 
review and assessment, and report requirements of proposed Rule 10. 
Commenters are requested to provide empirical data in support of any 
arguments or analyses. In addition, the Commission is requesting 
comment on the following matters:
    1. Please discuss which types of Covered Entities have some level 
of cybersecurity in place and which may not. For those that do not, explain why. 
Please describe the level of cybersecurity policies and procedures that 
have been implemented by Covered Entities and compare them to the 
requirements of proposed Rule 10.
    2. Do the benefits and costs associated with Covered Entities 
having written cybersecurity policies and procedures, including 
provisions for written annual reviews and assessments, reports, and 
updates (if necessary) vary by the type of Covered Entity? If so, 
explain how. Are there benefits and costs of the proposals not 
described above? If so, please describe them.
    3. Are the estimated compliance costs (both initially and on an 
ongoing basis) for Covered Entities to adopt cybersecurity policies and 
procedures, along with reviewing them annually and drafting a summary 
report, reasonable? If not, explain why and provide estimates of the 
compliance costs.
    4. How costly would it be for a given type of Covered Entity to 
become compliant with proposed Rule 10? Please explain and provide 
estimates of the costs.
    5. Do Covered Entities typically document their cybersecurity 
policies and procedures? If not, how costly would it be for them to be 
documented?
    6. Please describe practices of Covered Entities with regard to the 
use of service providers in connection with their information systems 
and the information residing on those systems. How many Market Entities 
contract with service providers? What functions are contracted out 
versus completed in house? Are the cybersecurity policies and 
procedures implemented by these service providers comparable to the 
requirements of proposed Rule 10? Please explain. Would it be costly 
contractually to request that a service provider provide compliant 
services, including documented policies and procedures? What are the 
costs of finding a new service provider if one or more could not 
provide services that are compliant with the proposed rule?
    7. How costly would it be to review and update, if necessary, 
cybersecurity policies and procedures at least annually? Would it be 
preferable to conduct the reviews on either a more or less frequent 
basis? Explain why. Would it be less costly to have a third party 
conduct the review and update of a Covered Entity's cybersecurity 
policies and procedures? Please explain.
3. Regulatory Reporting of Cybersecurity Incidents by Covered Entities
    Under proposed Rule 10, Covered Entities would need to provide the 
Commission with immediate written electronic notice of a significant 
cybersecurity incident affecting the Covered Entity and, thereafter, 
report and update information about the significant cybersecurity 
incident by filing Part I of proposed Form SCIR with the Commission 
through the EDGAR system.\822\ The form would elicit information about 
the significant cybersecurity incident and the Covered Entity's efforts 
to respond to, and recover from, the incident. In the case of certain 
Covered Entities, the notice and subsequent reports would need to be 
provided to other regulators.
---------------------------------------------------------------------------

    \822\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

a. Benefits
    The requirements of proposed Rule 10 that Covered Entities provide 
immediate written electronic notice and subsequent reporting about 
significant cybersecurity incidents to the Commission would improve 
the Commission's ability to assess these incidents. These requirements 
also would allow the Commission to understand better the causes and 
impacts of significant cybersecurity incidents and how Covered Entities 
respond to and recover from them. Thus, the notification and reporting 
requirements--through the information they would provide the 
Commission--could be used to understand better how significant 
cybersecurity incidents materialize and, therefore, how Covered 
Entities can better protect themselves from them and, when they occur, 
how Covered Entities can better mitigate their impacts and recover more 
quickly from them. Over time, this database of information could 
provide useful insights into how to minimize more broadly the harm 
caused by significant cybersecurity incidents, which have the 
potential to cause broader disruptions to the U.S. securities markets 
and undermine financial stability.
    A Covered Entity would be required to provide immediate written 
electronic notice to the Commission of a significant cybersecurity 
incident upon having a reasonable basis to conclude that the incident 
has occurred or is occurring.\823\ This timeframe allows for quick 
notification to the Commission and, in some cases, other regulators 
about the significant cybersecurity incident, which--in turn--would 
allow for more timely assessment of the incidents. These incidents, if 
not addressed quickly, could have harmful spillover impacts to other 
Market Entities and participants in the U.S. securities markets.
---------------------------------------------------------------------------

    \823\ See paragraph (c)(1) of proposed Rule 10.
---------------------------------------------------------------------------

    The immediate written electronic notice would need to identify the 
Covered Entity, state that the notice is being given to alert the 
Commission of a significant cybersecurity incident impacting the 
Covered Entity, and provide the name and contact information of an 
employee of the Covered Entity who can provide further details about 
the significant cybersecurity incident.\824\ By not requiring detailed 
information about the significant cybersecurity incident, the Covered 
Entity would be able to provide the notice quickly while it continues 
to assess which information systems have been subject to the 
significant cybersecurity incident and the impact that the incident has 
had on those systems. This would facilitate the Covered Entity's 
ability to alert the Commission and other regulators (if applicable) at 
a very early stage after it has a reasonable basis to conclude that a 
significant cybersecurity incident has occurred or is occurring. This, 
in turn, would allow the Commission and other regulators (if 
applicable) to begin taking steps to assess the significant 
cybersecurity incident at that early stage.
---------------------------------------------------------------------------

    \824\ Id.
---------------------------------------------------------------------------

    This proposed immediate written electronic notification requirement 
is modelled on other notification requirements that apply to broker-
dealers and SBSDs pursuant to other Exchange Act rules. Under these 
existing requirements, broker-dealers and certain SBSDs must provide 
the Commission with same-day written notification if they undergo 
certain adverse events, including falling below their minimum net 
capital requirements or failing to make and keep current required books 
and records.\825\ The objective of these requirements is to provide the 
Commission staff with the opportunity to respond when a broker-

[[Page 20306]]

dealer or SBSD is in financial or operational difficulty.\826\ 
Similarly, the immediate written electronic notification requirement of 
proposed Rule 10 would provide the Commission staff with the 
opportunity to promptly begin to assess the situation when a Covered 
Entity is experiencing a significant cybersecurity incident.
---------------------------------------------------------------------------

    \825\ See 17 CFR 240.17a-11 (notification rule for broker-
dealers); 17 CFR 240.18a-8 (notification rule for SBS Entities).
    \826\ See SBS Entity Recordkeeping and Reporting Proposing 
Release, 79 FR at 25247.
---------------------------------------------------------------------------

    Promptly thereafter (but no later than 48 hours), a Covered Entity 
would be required to report separately more detailed information about 
the significant cybersecurity incident by filing initial, amended and 
final versions of Part I of proposed Form SCIR with the Commission 
through EDGAR.\827\ The Covered Entity also would be required to 
file updated reports and a final report.
---------------------------------------------------------------------------

    \827\ See paragraph (c)(2) of proposed Rule 10. As discussed 
below, Part II of proposed Form SCIR would be used by Covered 
Entities to make public disclosures about the cybersecurity risks 
they face and the significant cybersecurity incidents they 
experienced during the current or previous calendar year. See 
sections II.B.2. and II.B.4. of this release (discussing these 
proposed requirements).
---------------------------------------------------------------------------

    The reporting requirements under proposed Rule 10 would provide the 
Commission and its staff with information to understand better the 
nature and extent of a particular significant cybersecurity incident 
and the efficacy of the Covered Entity's response to mitigate the 
disruption and harm caused by the incident.\828\ It also strengthens 
and expands the Commission's knowledge regarding cybersecurity 
incidents beyond what is already required by current Commission 
regulations. In addition, the reporting would provide the staff with a 
view into the Covered Entity's understanding of the scope and impact of 
the significant cybersecurity incident. All of this information would 
assist the Commission and its staff in assessing the significant 
cybersecurity incident impacting the Covered Entity. It also could 
benefit other Market Entities to the extent the confidential 
information provided by the impacted Covered Entity could be used to 
assist them (without divulging the identity of the impacted Covered 
Entity) in avoiding a similar significant cybersecurity incident or 
succumbing to an attack by the same threat actor that caused the 
significant cybersecurity incident.
---------------------------------------------------------------------------

    \828\ See Line Items 2 through 14 of Part I of proposed Form 
SCIR (eliciting information about the significant cybersecurity 
incident and the Covered Entity's response to the incident).
---------------------------------------------------------------------------

    The information provided to the Commission under the proposed 
reporting requirements also would be used to assess the potential 
cybersecurity risks affecting U.S. securities markets more broadly. 
This information could be used to address future significant 
cybersecurity incidents or address cybersecurity vulnerabilities that 
may be present at other similar Covered Entities. For example, these 
reports could assist the Commission in identifying patterns and trends 
across Covered Entities, including widespread cybersecurity incidents 
affecting multiple Covered Entities at the same time. Further, the 
reports could be used to evaluate the effectiveness of various 
approaches to respond to and recover from different types of 
significant cybersecurity incidents. This could benefit all Market 
Entities, other participants in the U.S. securities markets, and 
ultimately promote the fair, orderly, and efficient operation of the 
U.S. securities markets.
    Requiring Covered Entities to file Part I of proposed Form SCIR in 
EDGAR in a custom XML format would allow for more efficient processing of 
information about significant cybersecurity incidents. It would create 
a comprehensive set of data of all significant cybersecurity incidents 
impacting Covered Entities that is based on these entities responding 
to the same check boxes and questions on the form. This would 
facilitate analysis of the data, including analysis across different 
Covered Entities and significant cybersecurity incidents. Eventually, 
this set of data and the analysis of it by searching and sorting based 
on how different Covered Entities responded to the same questions on 
the form could be used to spot common trending risks and 
vulnerabilities as well as best practices employed by Covered Entities 
to respond to and recover from significant cybersecurity incidents.
    As discussed above, Covered Entities have incentives to not 
disclose information about significant cybersecurity incidents. Such 
incentives constrain the information available about cybersecurity 
threats and thereby inhibit the efficacy of collective (i.e., an 
industry's or a society's) cybersecurity measures.\829\ At the same 
time, complete transparency in this area likely runs the risk of 
facilitating future attacks.\830\ As discussed above, the challenge of 
effective information sharing has long been recognized, and government 
efforts at encouraging such sharing on a voluntary basis have had only 
limited success.\831\ The Commission would not publicly disclose Part I 
of proposed Form SCIR and would keep it confidential to the extent 
permitted by law. This would limit the risks associated with public 
disclosure of vulnerabilities as a result of successful cybersecurity 
incidents. The Commission also may share information with relevant law 
enforcement or national security agencies.
---------------------------------------------------------------------------

    \829\ See section IV.B. of this release (discussing broad 
economic considerations); see, e.g., Lewis and Zheng, Cyber Threat 
Information Sharing (recommending that regulators encourage 
information sharing).
    \830\ Although ``security through obscurity'' as a cybersecurity 
philosophy has long been derided, ``obscurity,'' or more generally 
``deception,'' has been recognized as an important cyber resilience 
technique. See Ron Ross, Victoria Pillitteri, Richard Graubart, 
Deborah Bodeau, and Rosalie McQuaid, Developing Cyber Resilient 
Systems: A Systems Security Engineering Approach, 2 Nat. Inst. of 
Standards and Tech. (Dec. 2021), available at https://doi.org/10.6028/NIST.SP.800-160v2r1. See also Section IV.D.2.b (discussion 
of costs associated with disclosure).
    \831\ See section IV.C.1.e. of this release (discussing 
information sharing).
---------------------------------------------------------------------------

    The aforementioned benefits arise from improved information sharing 
between the affected Covered Entity and the Commission. Delays in 
incident reporting may hinder the utility of Part I of proposed Form 
SCIR because the Commission would not be able to assess the situation 
close to the time of its occurrence or discovery. Thus, the utility of 
such reports, at least initially, may be more limited if they are not 
filed as quickly as proposed.
    Requiring Covered Entities to identify themselves on Part I of 
proposed Form SCIR with a UIC \832\ if they already have a UIC would be 
beneficial because the LEI--which is a Commission-approved UIC--is a 
globally-recognized standard identifier \833\ with reference data that 
is

[[Page 20307]]

available free of charge.\834\ Unlike many identifiers that are 
specific to a particular regulatory authority or jurisdiction, the LEI 
is a permanent, unique global identifier that also contains ``Level 2'' 
parent and (direct/indirect) child entity information. Entity parent-
child relationships are particularly relevant to assessing the risks of 
entities operating in the securities markets, where financial entities' 
interconnectedness and complex group structures could otherwise make 
understanding the scope of potential widespread risks challenging.\835\ 
Additionally, unlike most company registries, all LEI data elements are 
validated annually and subject to a ``quality program [that] scans the 
full [data] repository daily and publishes the results monthly in 
quality reports[,]'' which helps to ensure the accuracy--and 
usefulness--of LEI data as compared to other types of entity 
identifiers that lack such features.\836\
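    The reliability of the LEI as a UIC rests partly on the fact that it is mechanically verifiable: an LEI is 20 characters long, consists of upper-case letters and digits, and its final two characters are check digits computed under ISO 7064 MOD 97-10 (the scheme also used for IBANs). The following added example, which is not code from this release, from the Commission, or from GLEIF, validates the format and check digits of a candidate LEI before it is accepted on a filing. The sample value 549300ABCDEFGHIJKL19 is constructed for illustration and is not an issued identifier.

```python
"""ISO 17442 LEI format and check-digit validation (added example).

Assumptions, not taken from the SEC release: an LEI is 20 upper-case
alphanumeric characters whose last two characters are ISO 7064
MOD 97-10 check digits, so the whole identifier, read as a number with
A=10 ... Z=35, leaves remainder 1 when divided by 97.
"""
import re

_LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _to_numeric(s: str) -> str:
    # ISO 7064 MOD 97-10 letter expansion: A=10, B=11, ..., Z=35; digits pass through.
    return "".join(str(ord(c) - ord("A") + 10) if c.isalpha() else c for c in s)


def _mod97(numeric: str) -> int:
    # Digit-at-a-time remainder, the same way a fixed-width implementation would do it.
    r = 0
    for d in numeric:
        r = (r * 10 + int(d)) % 97
    return r


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix."""
    prefix18 = prefix18.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 upper-case alphanumeric characters")
    # Append "00" as placeholder check digits, then take 98 minus the remainder.
    remainder = _mod97(_to_numeric(prefix18 + "00"))
    return f"{98 - remainder:02d}"


def validate_lei(lei: str) -> tuple[bool, str]:
    """Return (is_valid, reason). Case and surrounding whitespace are normalised first."""
    lei = lei.strip().upper()
    if len(lei) != 20:
        return False, f"length {len(lei)} != 20"
    if not _LEI_RE.match(lei):
        return False, "not 18 alphanumerics followed by 2 digits"
    if _mod97(_to_numeric(lei)) != 1:
        return False, "check digits do not verify (MOD 97-10)"
    return True, "ok"


# Constructed sample (not an issued LEI): an 18-character prefix plus its check digits.
SAMPLE_PREFIX = "549300ABCDEFGHIJKL"
SAMPLE_LEI = SAMPLE_PREFIX + lei_check_digits(SAMPLE_PREFIX)  # -> "549300ABCDEFGHIJKL19"

if __name__ == "__main__":
    # A valid value, a single-character corruption, a truncated value and a lowercase copy.
    for candidate in (SAMPLE_LEI, SAMPLE_LEI[:-1] + "8", SAMPLE_PREFIX, SAMPLE_LEI.lower()):
        print(f"{candidate!r:>26} -> {validate_lei(candidate)}")
```

    The check digits catch single-character corruptions and most transpositions, which is the property that makes the LEI usable as a key for matching incident reports across filings; they do not establish that the entity exists or that the filer is entitled to use that LEI, which is what the annual validation and the Level 2 relationship data described above are for.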
---------------------------------------------------------------------------

    \832\ As mentioned in section II.B.2.b. of this release, the 
instructions of proposed Form SCIR would define UIC to mean an 
identifier that has been issued by an IRSS that has been recognized 
by the Commission pursuant to Rule 903(a) of Regulation SBSR (17 CFR 
242.903(a)).
    \833\ ``The [LEI] is a reference code--like a bar code--used 
across markets and jurisdictions to uniquely identify a legally 
distinct entity[.]'' Office of Financial Research, U.S. Treasury 
Dep't, Legal Entity Identifier--Frequently Asked Questions, 
available at https://www.financialresearch.gov/data/legal-entity-identifier-faqs/. ``The financial crisis underscored the need for a 
global system to identify financial connections, so regulators and 
private sector firms could understand better the true nature of risk 
exposures across the financial system.'' Id. Using the LEI as a UIC 
to facilitate tracking financial entity cybersecurity incidents and 
risks is feasible because ``[t]he Global LEI System was established 
for a large range of potential uses.'' The Legal Entity Identifier 
Regulatory Oversight Committee (``LEIROC''), LEI Uses, available at 
https://www.leiroc.org/lei/uses.htm. The functionality of the LEI is 
such that it could be used to identify and track entities for 
various purposes. For example, the LEI is one of three identifiers 
that firms can use under a December 2022 U.S. Customs & Border 
Protection Pilot for automation program for enhanced tracing in 
international supply chains. See U.S. Customs and Border Protection, 
Announcement of the National Customs Automation Program Test 
Concerning the Submission Through the Automated Commercial 
Environment of Certain Unique Entity Identifiers for the Global 
Business Identifier Evaluative Proof of Concept, 87 FR 74157 (Dec. 
2, 2022), available at https://www.federalregister.gov/documents/2022/12/02/2022-26213/announcement-of-the-national-customs-automation-program-test-concerning-the-submission-through-the.
    \834\ Bank for Int'l Settlements, David Leung, et al., Corporate 
Digital Identity: No Silver Bullet, but a Silver Lining, BIS Paper 
No. 126, at 20 (June 2022), available at https://www.bis.org/publ/bppdf/bispap126.pdf. (``BIS Papers 126'') (stating that ``LEI data 
[is] available free of charge to users in both the public and 
private sector''). The FSOC has stated the LEI ``enables unique and 
transparent identification of legal entities.'' FSOC, 2021 Annual 
Report, at 171 (stating that ``[b]roader adoption of the LEI by 
financial market participants continues to be a Council priority''). 
The FSOC also has stated that the LEI ``facilitate[s] many financial 
stability objectives, including improved risk management in firms 
[and] better assessment of microprudential and macroprudential 
risks[.]'' FSOC, 2022 Annual Report 99 (2022), available at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf. The 
same principles that make the LEI well-suited for allowing 
regulators to track entity exposures to financial market risks 
across jurisdictions and entities should apply in other contexts, 
such as cross-border payments. See FSB, FSB Options to Improve 
Adoption of the LEI, in Particular for Use in Cross-border Payments 
(July 7, 2022), available at https://www.fsb.org/wp-content/uploads/P070722.pdf.
    \835\ FSB Peer Review Report; see also European Systemic Risk 
Board, Francois Laurent, et al., The Benefits of the Legal Entity 
Identifier for Monitoring Systemic Risk, Occasional Paper Series No. 
18, (Sept. 2021) (``The fact that the LEI enables full reporting of 
the group structure in the LEI database is also crucial for risk 
analysis. Indeed, the risk usually stems from the group and not from 
individual entities, and conducting a relevant risk analysis implies 
aggregating exposures at the level of the group.''). For a 
discussion of the cybersecurity implications of the 
interconnectedness of Market Entities' information systems, see 
section I.A.1 of this release.
    \836\ See BIS Papers 126, at 16 (noting that ``[h]istorically, 
corporate identification has mainly come from company registries in 
individual jurisdictions[,]'' with the registries connected to the 
filing of certain documents and the paying of required fees 
necessary to create legal entities). Under company registry regimes, 
each company typically is identified by name and ``a company 
registration number'' that is not standardized across jurisdictions 
and is not part of a harmonized system of corporate identification. 
See id. (stating that ``[w]ith greater globalization of business and 
finance, [the existing company registry system] has become a source 
of inefficiency and risks from the standpoint of financial 
stability, market integrity, and investor protection''). Further, 
``company registries typically do not offer similar types of quality 
programs for the corporate data they provide'' and that such data 
generally is ``declarative--provided by the registrant'' without 
independent verification or validation. See id. at 20.
---------------------------------------------------------------------------

b. Costs
    Covered Entities would incur costs complying with the requirements 
of proposed Rule 10 to provide immediate written electronic notice and 
subsequent reporting about significant cybersecurity incidents to the 
Commission and, in the case of certain Covered Entities, other 
regulators, on Part I of proposed Form SCIR. The immediate notification 
requirement would impose minimal costs given the limited nature of the 
information that would need to be included in the written notice and 
the fact that it would be filed electronically.
    The costs of complying with the requirements to file Part I of 
proposed Form SCIR to report a significant cybersecurity incident would 
be significantly greater than the initial notice, given the amount of 
information that would need to be included in the filing. In addition, 
because Part I of proposed Form SCIR is a regulatory filing, Covered 
Entities likely would incur costs associated with a legal and 
compliance review prior to the form being filed on EDGAR.
    In terms of the costs of filing Part I of Form SCIR on EDGAR, 
several categories of Covered Entities already file forms in EDGAR. 
Specifically, all transfer agents, SBSDs, MSBSPs, and SBSDRs must file 
registration or reporting forms in EDGAR,\837\ and some broker-dealers 
choose to file certain reports on EDGAR rather than filing them in 
paper form. The applicable EDGAR forms for these entities are filed, at 
least in part, in a custom XML. Covered Entities that do not currently 
file registration or reporting forms on EDGAR would have to file a 
notarized Form ID to receive a CIK number and access codes to file on 
EDGAR.\838\ Consequently, the requirement to file Part I of proposed 
Form SCIR in EDGAR using a form-specific XML may impose some compliance 
costs on certain Covered Entities. These Covered Entities would need to 
complete Form ID to obtain the EDGAR-system access codes that enable 
entities to file documents through the EDGAR system. They would have to 
pay a notary to notarize Form ID. The inclusion of a UIC on proposed 
Form SCIR would not impose any marginal costs because a Covered Entity 
would only be required to provide a UIC if it has already obtained 
one.
---------------------------------------------------------------------------

    \837\ SBSDRs received temporary relief from filing through 
EDGAR. See Cross-Border Application of Certain Security-Based Swap 
Requirements, Exchange Act Release No. 87780 (Dec. 18, 2019) [85 FR 
6270, 6348 (Feb. 2, 2020)].
    \838\ See section V of this release (discussing in more detail the 
number of Covered Entities that do not currently file forms in EDGAR 
and the costs that would be associated with an EDGAR-filing 
requirement).
---------------------------------------------------------------------------

    To estimate the costs for Market Entities to research the validity 
of a suspected significant cybersecurity incident and to provide 
immediate written electronic notification to the Commission regarding 
significant cybersecurity incidents that are real or reasonably 
determined to be true, the Commission considered the initial and 
ongoing compliance costs.\839\ The internal annual costs for these 
requirements (which include an initial burden estimate annualized over 
a three year period) are estimated to be $1,648.51 per Market Entity, 
and $6,524,802.58 in total. These costs include a blended rate of $353 
for an assistant general counsel, compliance manager, and systems 
analyst for a total of 4.67 hours. The annual external costs for these 
requirements are estimated to be $1,488 per Market Entity, and 
$5,889,504 in total. This includes the cost of using outside legal 
counsel at a rate of $496 per hour for a total of three hours.
---------------------------------------------------------------------------

    \839\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

    To estimate the costs for Covered Entities to fill out an initial 
Part I of proposed Form SCIR, and file an amended Part I of Form SCIR, 
the Commission considered the initial and ongoing compliance 
costs.\840\ The internal annual costs for these requirements (which 
include an initial burden estimate annualized over a three year period) 
are estimated to be $1,077.50 per Covered Entity, and $2,143,147.50 in 
total. These costs include a blended rate of $431 for an assistant 
general counsel and compliance manager for a total of 2.5 hours. The 
annual external costs for these requirements are estimated to be $992 
per Covered Entity, and $1,973,088 in total. This includes the cost of 
using outside legal counsel at a rate of $496 per hour for a total of 
two hours.
---------------------------------------------------------------------------

    \840\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

[[Page 20308]]

c. Request for Comment
    The Commission requests comment on all aspects of the foregoing 
analysis of the benefits and costs of the requirements to provide 
immediate notification and subsequent reporting of significant 
cybersecurity incidents. Commenters are requested to provide empirical 
data in support of any arguments or analyses. In addition, the 
Commission is requesting comment on the following matters:
    8. Are the estimated compliance costs (both initially and on an 
ongoing basis) for Covered Entities to provide the notification and 
subsequent reports reasonable? If not, explain why and provide 
estimates of the compliance costs.
    9. Are there any other benefits and costs that the confidential 
reporting would provide the Commission? If so, please describe them. 
Please provide views on the costs of reporting significant 
cybersecurity incidents to the Commission relative to the Commission's 
cost estimates.
    10. What are the costs and benefits associated with requiring 
Covered Entities to file Part I of proposed Form SCIR using a 
structured data language? Should the Commission require Covered 
Entities to file Part I of proposed Form SCIR using a structured data 
language, such as a custom XML? Should the Commission require Covered 
Entities to file Part I of proposed Form SCIR using a different 
structured data language than a custom XML, such as Inline XBRL? Why or 
why not?
    11. Are there any Covered Entities that should be exempted from the 
proposed structured data requirements for filing Part I of proposed 
Form SCIR? If so, what particular exemption threshold should the 
Commission use for the structured data requirements and why?
    12. Should Covered Entities be required to file proposed Form SCIR 
with a CIK number? What are the costs and benefits associated with 
requiring Covered Entities to identify themselves on Part I of proposed 
Form SCIR with a CIK number?
    13. Should Covered Entities be required to file Part I of proposed 
Form SCIR with a UIC (i.e., such as an LEI), particularly when some 
Covered Entities do not have a UIC and would have to obtain one? What 
are the benefits associated with requiring Covered Entities with a UIC 
to identify themselves with that UIC?
    14. Would requiring a UIC on Part I of proposed Form SCIR allow the 
Commission to better evaluate cybersecurity threats to Covered Entities 
using data from other regulators and from law enforcement agencies? 
Please explain how.
    15. Are there any Covered Entities for which the proposed 
structured data requirements for Part I of proposed Form SCIR should be 
exempted? If so, what particular exemption threshold or thresholds 
should the Commission use for the structured data requirements under 
the proposed rule amendments, and why?
4. Public Disclosure of Cybersecurity Risks and Significant 
Cybersecurity Incidents
    Under proposed Rule 10, Covered Entities would need to publicly 
disclose summary descriptions of their cybersecurity risks and the 
significant cybersecurity incidents they experienced during the current 
or previous calendar year on Part II of proposed Form SCIR.\841\ The 
form would need to be filed with the Commission through the EDGAR 
system and posted on the Covered Entity's business internet website 
and, in the case of Covered Entities that are carrying or introducing 
broker-dealers, provided to customers at account opening and at least 
annually thereafter.
---------------------------------------------------------------------------

    \841\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

a. Benefits
    As discussed above, there exists an information asymmetry between 
Covered Entities and their customers, counterparties, members, 
registrants, or users.\842\ This information asymmetry, together with 
limitations to private contracting, inhibits the ability of customers, 
counterparties, members, registrants, and users to screen and 
discipline the Covered Entities with whom they do business or from whom 
they obtain services based on the effectiveness of the Covered Entity's 
cybersecurity policies. The public disclosure requirements of proposed 
Rule 10 would help alleviate this information asymmetry, and in so 
doing would enable customers, counterparties, members, registrants, or 
users to better assess the effectiveness of Covered Entities' 
cybersecurity preparations and the cybersecurity risks of doing 
business with any one of them. For example, customers, counterparties, 
members, registrants, or users could use the frequency or nature of 
significant cybersecurity incidents--as disclosed under the proposed 
public disclosure requirement--to infer a Covered Entity's effort 
toward preventing cybersecurity incidents. Likewise, customers, 
counterparties, members, registrants, or users could use the 
descriptions of cybersecurity risks to avoid certain Covered Entities 
with less well-developed cybersecurity procedures.
---------------------------------------------------------------------------

    \842\ See section IV.B. of this release (discussing broad 
economic considerations).
---------------------------------------------------------------------------

    Public disclosures mitigate the information asymmetry. Customers, 
counterparties, members, registrants, or users can use the information 
to understand better the risks of doing business with certain Covered 
Entities. A Covered Entity disclosing that it addresses cybersecurity 
risks in a robust manner and that it has not experienced a significant 
cybersecurity incident or few such incidents could signal to customers, 
counterparties, members, registrants, or users that customer 
information, funds, and assets are safeguarded properly. In contrast, 
disclosures of sub-par cybersecurity practices or a history of 
significant cybersecurity incidents may convince customers, 
counterparties, members, registrants, or users to not do business with 
that Covered Entity.
    In addition to mitigating information asymmetries with stakeholders 
in general, public disclosure would also mitigate a source of 
principal-agent problems in the customer-Covered Entity relationship. 
As discussed above, Covered Entities may have different incentives than 
customers in the area of cybersecurity prevention.\843\ Insofar as 
principals (customers) prefer a higher level of cybersecurity focus by 
agents (Covered Entities), public disclosure would act as an incentive 
for Covered Entities to increase their focus in this area and signal 
their commitment to protecting customers' funds and data.
---------------------------------------------------------------------------

    \843\ See section IV.B. of this release (discussing broad 
economic considerations).
---------------------------------------------------------------------------

    The proposed requirement for Covered Entities to post the required 
disclosures on their websites would help inform, for example, retail 
customers about Covered Broker-Dealers because they are likely to look 
for information about their broker-dealers on the firm's websites. In 
addition, requiring the submission of Part II of proposed Form SCIR in 
a custom XML data language would likely facilitate more effective and 
thorough review, analysis, and comparison of cybersecurity risks and 
significant cybersecurity incidents by the Commission and by Covered 
Entities' existing and prospective customers, counterparties, members, 
registrants, or users.\844\ The public disclosure

[[Page 20309]]

requirement of proposed Rule 10 would expand the knowledge of Market 
Entities, other market participants, the public, the Commission, and 
other regulatory bodies about the cybersecurity risks faced by Covered 
Entities, as well as their past experiences with significant 
cybersecurity incidents, beyond what current Commission regulations 
provide.
---------------------------------------------------------------------------

    \844\ While the Commission would separately receive information 
about significant cybersecurity incidents impacting Covered Entities 
through the filings of Part I of proposed Form SCIR, those filings 
would not include the Covered Entity's summary description of the 
cybersecurity risks that could materially affect the Covered Entity's 
business and operations and how it assesses, prioritizes, and 
addresses those cybersecurity risks, which would be disclosed on Part 
II of proposed Form SCIR.
---------------------------------------------------------------------------

    Requiring Covered Entities to file Part II of proposed Form SCIR 
through the EDGAR system would allow the Commission--as well as 
customers, counterparties, members, and users of Covered Entity 
services--to download the Part II disclosures directly from a central 
location, thus facilitating efficient access, organization, and 
evaluation of the reported disclosures about significant cybersecurity 
incidents. Likewise, because Part II of proposed Form SCIR would be 
structured in SCIR-specific XML, the public disclosures would be 
machine-readable and, therefore, more readily accessible to the public 
and the Commission for comparisons across Covered Entities and time 
periods. With centralized filing in EDGAR in a custom XML, Commission 
staff as well as Covered Entities' customers, counterparties, members, 
registrants, or users (and the Covered Entities themselves) would be 
better able to assemble, analyze, review, and compare a large 
collection of data about reported cybersecurity risks and significant 
cybersecurity incidents, which could facilitate the efficient 
identification of trends in cybersecurity risks and significant 
cybersecurity incidents in the U.S. securities markets.
    Centralized filing of the summary descriptions of the Covered 
Entity's cybersecurity risks and significant cybersecurity incidents on 
Part II of proposed Form SCIR in a structured format on EDGAR would 
enable investors and others--such as other government agencies, 
standard-setting groups, analysts, market data aggregators, and 
financial firms--to more easily and efficiently compare one Covered 
Entity with others in terms of cybersecurity risks and 
incidents. For example, banks assessing potential security-based swap 
counterparties could efficiently aggregate and compare disclosures of 
multiple security-based swap dealers. Similarly, public companies 
deciding which transfer agent to use could efficiently aggregate and 
compare the disclosures of many transfer agents.
    These market participants would also be able to discern broad 
trends in cybersecurity risks and incidents more efficiently due to the 
central filing location and machine-readability of the disclosures. The 
more efficient dissemination of information about trends regarding 
cybersecurity risks and significant cybersecurity incidents could, for 
example, enable Covered Entities to better and more efficiently 
determine if they need to modify, change, or upgrade their 
cybersecurity defense measures in light of those trends. Likewise, more 
efficient assimilation of information about trends in significant 
cybersecurity incidents could enable Covered Entities' customers, 
counterparties, members, or users of their services to more 
efficiently understand and manage their cybersecurity risks. 
Accordingly, centralized EDGAR filing of public cybersecurity 
disclosures in a machine-readable data language could help reduce the 
number of Covered Entities or their customers, counterparties, members, 
or users that suffer harm from cybersecurity breaches, or reduce the 
extent of such harm in the market, thus helping prevent or mitigate 
cybersecurity-related disruptions to the orderly operations of the U.S. 
securities markets.
    Lastly, Covered Entities rely on electronic information, 
communication, and computer systems to perform their functions.\845\ 
Because many Covered Entities play critical roles in the global 
financial system, a cyberattack against Covered Entities without strong 
cybersecurity protocols could lead to more widespread breaches. 
Therefore, the 
centralized, public, structured filing of cybersecurity disclosures 
with Part II of proposed Form SCIR, which would be updated promptly 
upon the occurrence of a new significant cybersecurity incident, would 
increase the efficiency with which new cybersecurity information would 
be assimilated into the market, thereby also likely increasing the 
speed with which Covered Entities could react to potential contagion. 
This increased agility on the part of Covered Entities could reduce 
potential contagion in the U.S. securities markets. Additionally, 
Covered Entities would know that the centralized, public filing of 
information about significant cybersecurity incidents would make 
comparison with their competitors easier, and this could motivate 
Covered Entities to take cybersecurity preparedness and risk management 
more seriously than they might otherwise, either by devoting more 
resources to cybersecurity or by addressing cybersecurity risks in a 
more effective manner. Such an effect could help reduce the number and 
extent of cybersecurity incidents, particularly those that negatively 
impact the U.S. securities markets.
---------------------------------------------------------------------------

    \845\ See section I.A.2. of this release (discussing how Covered 
Entities use information systems).
---------------------------------------------------------------------------

    As with Part I of proposed Form SCIR, the Commission also is 
proposing to require Covered Entities to identify themselves on Part II 
of proposed Form SCIR with a UIC, such as an LEI, if they have obtained 
one, to help facilitate efficient collection and analysis of 
cybersecurity incidents in the financial markets. The addition of UICs 
could facilitate coordinated inter-governmental responses to 
cybersecurity incidents that affect U.S. firms.\846\ Existing 
identifiers that are not UICs are more limited in scope, such as CIK 
numbers, which are Commission-specific identifiers for companies and 
individuals that have filed reports with the Commission. This limits 
their utility in analyzing and comparing significant cybersecurity 
incidents among Covered Entities and non-Commission-regulated financial 
institutions.
---------------------------------------------------------------------------

    \846\ The Commission has recognized the benefits of LEIs in 
other contexts. See Joint Industry Plan; Order Approving the 
National Market System Plan Governing the Consolidated Audit Trail, 
Release No. 34-79318; File No. 4-698 (Nov. 15, 2016), 81 FR 84696, 
84745 (Nov. 23, 2016) (``The Commission believes use of the LEI 
enhances the quality of identifying information for Customers by 
incorporating a global standard identifier increasingly used 
throughout the financial markets.''); Investment Company Reporting 
Modernization, Release Nos. 33-10231; 34-79095; IC-32314; File No. 
S7-08-15 (Oct. 13, 2016), 81 FR 81870, 81877 (Nov. 18, 2016) 
(``Uniform reporting of LEIs by funds [] will help provide a 
consistent means of identification that will facilitate the linkage 
of data reported on Form N-PORT with data from other filings and 
sources that is or will be reported elsewhere as LEIs become more 
widely used by regulators and the financial industry.'').
---------------------------------------------------------------------------

    The markets for different Covered Entities present customers, 
counterparties, members, registrants, or users with a complex, multi-
dimensional choice problem. In choosing a Covered Entity to work with, 
customers, counterparties, members, registrants, or users may consider 
cybersecurity risk exposure (i.e., financial, operational, legal, 
etc.), past significant cybersecurity incidents, reputation, etc. While 
the Commission is not aware of any studies that examine the role 
perceptions of cybersecurity play in this choice problem, the extant 
academic literature suggests that investors focus on salient, headline-
grabbing information, such as large losses of customer information, 
when

[[Page 20310]]

making such choices.\847\ Details regarding significant cybersecurity 
incidents may allow customers, counterparties, members, registrants, or 
users to assess the severity of one incident compared to that of 
another. However, the public disclosures will be generalized (i.e., 
summary descriptions) to a degree such that threat actors cannot take 
advantage of known vulnerabilities. Therefore, to the extent that 
cybersecurity disclosures from Covered Entities are ``boilerplate,'' 
they may be less informative.\848\ Thus, it may be difficult to choose 
among Covered Entities that have experienced similar significant 
cybersecurity incidents.
---------------------------------------------------------------------------

    \847\ See, e.g., Brad M. Barber, Terrance Odean, and Lu Zheng, 
Out of Sight, Out of Mind: The Effects of Expenses on Mutual Fund 
Flows, 78 J. Bus. 2095 (2005) (``Out of Sight, Out of Mind'').
    \848\ However, as discussed above, the process of adopting 
``boilerplate'' language by Covered Entities may itself effect 
improvements in policies and procedures.
---------------------------------------------------------------------------

    Significant cybersecurity incidents--especially those that involve 
loss of data or assets of customers, counterparties, members, 
registrants, or users--are likely to garner attention. Thus, the 
Commission expects that the proposed requirement to disclose 
significant cybersecurity incidents would have a direct effect on the 
choices of customers, counterparties, members, registrants, or users. 
In addition, third parties such as industry analysts--who may be more 
capable of extracting useful information across Covered Entities' 
disclosures--may incorporate it in assessment reports that are 
ultimately provided to customers, counterparties, members, registrants, 
or users. Whether directly or indirectly, Covered Entities with subpar 
cybersecurity policies and procedures--as revealed by a relatively 
large number of significant cybersecurity incidents--could face 
pressure to improve their policies and procedures to reduce such 
incidents.\849\
---------------------------------------------------------------------------

    \849\ This assumes that customers, counterparties, members, 
registrants, or users evaluating the Covered Entities would favor 
those Covered Entities that include language that cites strong 
cybersecurity procedures in their disclosures. Further, the 
Commission assumes that customers, counterparties, members, 
registrants, and users would prefer to do business with Covered 
Entities that have ``superior'' cybersecurity procedures.
---------------------------------------------------------------------------

    The disclosures of significant cybersecurity incidents also should 
benefit a Covered Entity's current customers, counterparties, members, 
registrants, or users if the Covered Entity experiences a significant 
cybersecurity incident by providing notice that, for example, personal 
information, transaction data, securities, or funds may have been 
compromised. While the customers, counterparties, members, registrants, 
or users that are directly impacted may be individually notified of 
significant cybersecurity incidents based on individual state laws and 
Commission rules, thus initiating timely remedial actions, other 
parties may benefit from the disclosures. Specifically, customers, 
counterparties, members, registrants, or users that are not affected by 
a significant cybersecurity incident may take the time to change and 
strengthen passwords, monitor account activity on a more consistent 
basis, and audit their financial statements for discrepancies.
b. Costs
    The requirements to have reasonably designed policies and 
procedures to address cybersecurity risk and to report significant 
cybersecurity incidents to the Commission by filing Part I of proposed 
Form SCIR on EDGAR would--in practice--require the collection of the 
information that also would be used in the proposed public disclosures 
required to be made on Part II of proposed Form SCIR. Therefore, the 
disclosure requirement itself would not impose significant compliance 
costs beyond those already discussed with respect to the requirements 
to have reasonably designed policies and procedures to address 
cybersecurity risk and to report significant cybersecurity incidents to 
the Commission by filing Part I of proposed Form SCIR on EDGAR.\850\ 
Generally, it is expected that a compliance analysis would be needed to 
summarize the cybersecurity risks faced by the Covered Entity and its 
previous significant cybersecurity incidents. In addition, there may be 
internal legal review of the public disclosure, and administrative 
costs would be incurred in posting the disclosure on the Covered 
Entity's website.
---------------------------------------------------------------------------

    \850\ See sections IV.D.2. and IV.D.3. of this release 
(discussing the costs of those requirements).
---------------------------------------------------------------------------

    However, if the action of disclosing summary descriptions of a 
Covered Entity's cybersecurity risks and significant cybersecurity 
incidents encourages the Covered Entity and/or other Covered Entities 
to review their policies and procedures and potentially direct more 
resources to cybersecurity protection, that would be an additional 
cost. Moreover, the disclosures may impose costs due to market 
reactions and exploitable information they may reveal to adverse 
parties.
    Depending on the Covered Entity, reporting many significant 
cybersecurity incidents and, to a lesser extent, reporting greater 
cybersecurity risks and exposure to financial, operational, legal, 
reputational, or other consequences that could materially affect its 
business and operations as a result of a cybersecurity incident 
adversely impacting its information systems may cause the Covered 
Entity to bear costs arising from reactions in the marketplace. That 
is, a Covered Entity may lose 
business or suffer harm to its reputation and brand value.\851\ These 
costs would be borne by the affected Covered Entity even if it made 
reasonable efforts to prevent them. If customers, counterparties, 
members, registrants, or users ``overreact'' \852\ to disclosures of 
significant cybersecurity incidents, Covered Entities may pursue a 
strategy of overinvesting in cybersecurity precautions (to avoid such 
overreactions), resulting in reduced efficiency. The extent of such 
costs likely depends on a number of factors, including the size of a 
Covered Entity relative to others in the same category (e.g., Covered 
Broker-Dealers, national securities exchanges, and clearing agencies), 
the severity and scope of the cybersecurity incident, and the 
availability of substitutes for a given Covered Entity.\853\
---------------------------------------------------------------------------

    \851\ Customers, counterparties, members, registrants, and users 
would be more likely to act in response to realized significant 
cybersecurity incidents than in response to Covered Entities' 
descriptions of their cybersecurity risks and how they address those 
risks.
    \852\ Such overreactions can be the result of overconfidence 
about the precision of the signal. See, e.g., Kent Daniel, David 
Hirshleifer and Avanidhar Subrahmanyam, Investor Psychology and 
Security Market Under- and Overreactions, 53 J. Fin. 1839 (1998); 
see also Out of Sight, Out of Mind.
    \853\ One can differentiate between the smallest and largest 
Covered Broker-Dealer. A large broker-dealer may be more able to 
absorb more costs associated with a cybersecurity incident and 
continue to stay in business than a small broker-dealer. In 
addition, a large broker-dealer could have a more prestigious 
reputation that may persuade customers to continue using it despite 
the cybersecurity event. Or a large broker-dealer could have more 
news about it in the public domain that dilutes bad news about 
cybersecurity incidents, whereas a smaller firm's name may become 
inextricably associated with one significant cybersecurity incident. 
In addition, significant cybersecurity incidents that are crippling 
and affect all of a Covered Entity's customers, counterparties, 
members, registrants, and users would be more costly to its reputation 
than ones that are more localized. Lastly, the cost of lost business 
for a Covered Entity may be muted if there are fewer competitors to 
choose from. For example, there is only one national securities 
association (i.e., FINRA) relative to 353 transfer agents. It 
therefore could be costly in terms of lost business for a transfer 
agent as its customers can transfer their business to one of the 
many others that perform the same services.
---------------------------------------------------------------------------

    The national securities exchanges and clearing agencies that are 
currently registered with the Commission but are not active would not 
incur any costs related to the proposed public disclosure requirement 
if they remain inactive. However, if their operations restart, they 
likely would incur

[[Page 20311]]

moderate costs associated with the disclosure because they may need to 
restart their websites and provide summary descriptions of their 
cybersecurity risks. No significant cybersecurity incidents would need 
to be disclosed initially since they have been dormant for so long. In 
addition, many transfer agents do not have websites. Therefore, those 
transfer agents that do not have websites would incur the cost of 
obtaining a domain name as well as establishing and maintaining a 
website (either by themselves or using a third party) before being able 
to post their public disclosures. Small, independent broker-dealers 
also may not have websites. In a 2015 survey of 13 broker-dealers, 80% 
of respondents stated that they have a web policy or program; however, 
7.6% do not have a web policy or program and 13.3% of the respondents 
were not sure. Furthermore, 47% of respondents reported that less than 
half of their firm's advisors (i.e., registered representatives) 
currently have a website. Interestingly, the survey participants noted 
the value of having a website to establish credibility (80%), generate 
leads (53%), get referrals (40%), qualify and engage prospects (40%) 
and maintain existing client relationships (47%).\854\ The remaining 
Market Entities likely have websites.
---------------------------------------------------------------------------

    \854\ See Broker Dealers and Web Marketing: What You Should Know 
(Dec. 9, 2015), available at https://www.advisorwebsites.com/blog/blog/general/broker-dealers-and-web-marketing-what-you-should-know#:~:text=While%2080%25%20of%20Broker-Dealers%20reps%20we%20polled%20say,to%20build%20and%20maintain%20a%20strong%20web%20presence.
---------------------------------------------------------------------------

    Website costs can be broken into several categories: (1) obtaining 
a domain name ($12 to $15 per year); (2) web hosting ($100 per month 
for premium service); (3) website theme or template (one-time fee of 
$20 to $200 or more); and (4) SSL certificate ($10 to $200 per year).\855\ 
Ongoing website costs could be as high as $1,215 per year to maintain.
---------------------------------------------------------------------------

    \855\ See Jennifer Simonson, Website Hosting Cost Guide 2023, 
Forbes, available at https://www.forbes.com/advisor/business/website-hosting-cost/.
---------------------------------------------------------------------------

    Mandating the disclosure of significant cybersecurity incidents 
entails a tradeoff. While disclosure can inform customers, 
counterparties, members, registrants, and users, disclosure can also 
inform cyber attackers that they have been detected. Also, disclosing 
too much (e.g., the types of systems that were affected and how they 
were compromised) could be used by threat actors to better attack their 
targets, imposing subsequent potential losses on Covered Entities. For 
example, announcing a significant cybersecurity incident naming a 
specific piece of malware and the degree of compromise can provide 
details about the structure of the target's computer systems, the 
security measures employed (or not employed), and potentially suggest 
promising attack vectors for future targets by other would-be 
attackers.
    Under proposed Rule 10, to mitigate these costs and to promote 
compliance with the disclosure requirements, each Covered Entity would 
be required to disclose summary descriptions of their cybersecurity 
risks and significant cybersecurity incidents on Part II of proposed 
Form SCIR.\856\ In the summary description of the significant 
cybersecurity incident, the Covered Entity would need to identify: (1) 
the person or persons affected; (2) the date the incident was 
discovered and whether it is still ongoing; (3) whether any data were 
stolen, altered, or accessed or used for any other unauthorized 
purpose; (4) the effect of the incident on the Covered Entity's 
operations; and (5) whether the Covered Entity, or service provider, 
has remediated or is currently remediating the incident.\857\ Thus, 
Covered Entities generally would not be required to disclose technical 
details about significant cybersecurity incidents that could compromise 
their cybersecurity protections going forward. As before, the costs 
associated with conveying this information to attackers are 
impracticable to estimate.\858\
---------------------------------------------------------------------------

    \856\ See paragraph (d)(1) of proposed Rule 10.
    \857\ See paragraph (d)(1)(ii) of proposed Rule 10.
    \858\ As noted in section IV.B. of this release, firms are 
generally hesitant to provide information about cyberattacks. 
Similarly, cybercriminals are not generally forthcoming with data on 
attacks, their success, or factors that made the attacks possible. 
Consequently, data from which plausible estimates could be made is 
not available.
---------------------------------------------------------------------------

    While registering with the EDGAR system is free, the requirement to 
centrally file Part II of proposed Form SCIR in EDGAR would impose 
incremental costs on Covered Entities that have not previously filed 
documents in EDGAR. More specifically, Covered Entities that have never 
made a filing with the Commission via EDGAR would need to file a 
notarized Form ID, which is used to request the assignment of access 
codes to file on EDGAR. Thus, first-time EDGAR filers would incur 
modest costs associated with filing Form ID.\859\ That said, Covered 
Entities that already file documents in EDGAR would not incur the cost 
of having to register with EDGAR. As discussed earlier, the extent to 
which different categories of Covered Entities are already required to 
file documents in EDGAR varies. For example, SBSDs, MSBSPs, SBSDRs, and 
transfer agents are already required to file some forms in EDGAR.
---------------------------------------------------------------------------

    \859\ Any Covered Entity that has made at least one filing with 
the Commission via EDGAR since 2002 has been entered into the EDGAR 
system by the Commission and will not need to file Form ID to file 
electronically on EDGAR.
---------------------------------------------------------------------------

    Likewise, as mentioned earlier, the Commission approved a UIC--
namely, the LEI--in a previous rulemaking. The Commission could approve 
another standard identifier as a UIC in the future, but currently the 
LEI is the only approved UIC. Covered Entities that already have an LEI 
would not bear any cost to including it on proposed Form SCIR, as they 
would have already paid to obtain and maintain an LEI for some other 
purpose. Covered Entities that do not already have an LEI are not 
required to obtain an LEI in order to file proposed Form SCIR, thus, 
there is no additional cost to those Covered Entities that do not have 
an LEI.
    In addition, a Covered Broker-Dealer would be required to provide 
the written disclosure form to a customer as part of the account 
opening process. Thereafter, the Covered Broker-Dealer would need to 
provide the customer with the written disclosure form annually and when 
it is updated using the same means that the customer elects to receive 
account statements (e.g., by email or through some type of postal 
service). The Commission anticipates that the cost of initial and 
annual reporting will be negligible because the report text can be 
incorporated into other initial disclosures and periodic statements. 
The cost of furnishing updated reports in response to significant 
cybersecurity incidents depends on the degree to which such incidents 
occur and are detected, which cannot reliably be predicted. The 
Commission assumes that the delivery costs are the same regardless of 
the delivery method.
    To estimate the costs for a Covered Entity to file Part II of 
proposed Form SCIR with the Commission through EDGAR, as well as to 
post a copy of the form on its website, the Commission considered the 
initial and ongoing compliance costs.\860\ The internal annual costs 
for these requirements (which include an initial burden estimate 
annualized over a three-year period) are estimated to be 
$1,377.46 per Covered Entity, and $2,739,767.94 in total. These costs 
include a blended rate of $375.33 for an

[[Page 20312]]

assistant general counsel, senior compliance examiner, and compliance 
manager for a total of 3.67 hours. The annual external costs for these 
requirements are estimated to be $1,488 per Covered Entity, and 
$2,959,632 in total. This includes the cost of using outside legal 
counsel at a rate of $496 per hour for a total of three hours.
---------------------------------------------------------------------------

    \860\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

    To estimate the costs for a Covered Broker-Dealer to deliver its 
disclosures to new customers, as well as to deliver disclosures to 
existing customers on an annual basis, the Commission considered the 
initial and ongoing compliance costs.\861\ The internal annual costs 
for these requirements (which include an initial burden estimate 
annualized over a three-year period) are estimated to be 
$3,536.94 per Covered Broker-Dealer, and $5,450,424.54 in total. These 
costs include a rate of $69 per hour for a general clerk for a total of 
51.26 hours. It is estimated that there will be $0 annual external cost 
for this additional disclosure requirement for Covered Broker-Dealers. 
With respect to the additional disclosure fees for broker-dealers, the 
cost covers the clerks employed by the broker-dealers for stuffing 
envelopes and mailing them out. The legal fees associated with drafting 
the disclosure are already tied to the burden of filing the disclosure 
on Part II of proposed Form SCIR in EDGAR and posting the disclosure on 
the broker-dealer's website.
---------------------------------------------------------------------------

    \861\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

c. Request for Comment
    The Commission requests comment on all aspects of the foregoing 
analysis of the benefits and costs of the requirements to provide 
immediate notification and subsequent reporting of significant 
cybersecurity incidents. Commenters are requested to provide empirical 
data in support of any arguments or analyses. In addition, the 
Commission is requesting comment on the following matters:
    16. Please provide views on the benefits and costs associated with 
posting the public disclosures on Covered Entities' websites and 
submitting them to the Commission through EDGAR. Will the general 
nature of the public disclosure be useful to Market Entities as well as 
customers, counterparties, members, participants, and users? Should the 
Commission require Covered Entities to both post cybersecurity risk and 
incident histories on Covered Entity websites and file that information 
on Part II of proposed Form SCIR in EDGAR? Should the Commission exempt 
some subset(s) of Covered Entities from the requirement to file Part II 
of proposed Form SCIR in EDGAR? If so, please explain. Should the 
Commission exempt some subset(s) of Covered Entities from the 
requirement to post cybersecurity risk and incident history information 
on their websites? Explain.
    17. Are the cost estimates associated with posting the public 
disclosure on the Covered Entities' websites, submitting Part II of 
proposed Form SCIR to the Commission through EDGAR, and providing 
disclosures to new and existing customers reasonable? If not, explain 
why. Are there any other benefits and costs of these proposed 
requirements? If so, please describe them.
    18. Are there any other costs and benefits associated with 
requiring Covered Entities to file Part II of proposed Form SCIR using 
a structured data language? If so, please describe them. Should the 
Commission require Covered Entities to file Part II of proposed Form 
SCIR using a structured data language, such as a custom XML? Should the 
Commission require Covered Entities to file Part II of proposed Form 
SCIR using a different structured data language than a custom XML, such 
as Inline XBRL? Why or why not?
    19. Are there any Covered Entities for whom the proposed structured 
data requirements of Part II of proposed Form SCIR should be exempted? 
If so, what particular exemption threshold or thresholds should the 
Commission use for the structured data requirements under the proposed 
rule amendments, and why?
    20. Please provide views on the benefits and costs associated with 
requiring Covered Entities to identify themselves on Part II of 
proposed Form SCIR with both a CIK number and a UIC (such as an LEI)? 
What would be the benefits and costs of requiring Covered Entities 
without a UIC to obtain one in order to file Part II of proposed Form 
SCIR? What, if any, standard identifiers should the Commission require 
Covered Entities to use to identify themselves on Part II of proposed 
Form SCIR?
    21. What would be the benefits and costs of requiring Covered 
Entities to place the required cybersecurity risk and incident history 
disclosures on individual Covered Entity websites and in EDGAR with 
Part II of proposed Form SCIR relative to the alternatives discussed 
below in section IV.F. of this release? Should the Commission instead 
adopt one of the alternatives for the requirements around where Covered 
Entities must place the public cybersecurity disclosures? Specifically, 
the Commission is proposing to require Covered Entities to publish the 
disclosures on their individual firm websites and to file the 
information in EDGAR using Part II of proposed Form SCIR. Should the 
Commission eliminate one, or both, of those requirements?
    22. Are there any Covered Entities for whom the proposed structured 
data requirements for Part II of proposed Form SCIR should be exempted? 
If so, what particular exemption threshold or thresholds should the 
Commission use for the structured data requirements under the proposed 
rule amendments, and why?
5. Record Preservation and Maintenance by Covered Entities
    As discussed above, proposed Rule 10 would require a Covered Entity 
to: (1) establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address cybersecurity risks; 
(2) create written documentation of risk assessments; (3) create 
written documentation of any cybersecurity incident, including its 
response to and recovery from the incident; (4) prepare a written 
report each year describing its annual review of its policies and 
procedures to address cybersecurity risks; (5) provide immediate 
written notice of a significant cybersecurity incident; (6) report a 
significant cybersecurity incident on Part I of proposed Form SCIR; and 
(7) provide a written disclosure containing a summary description of 
its cybersecurity risk and significant cybersecurity incidents on Part 
II of proposed Form SCIR. Consequently, proposed Rule 10 would require 
a Covered Entity to create several different types of records, but it 
would not include its own record preservation and maintenance 
provisions. Instead, these requirements would be imposed through 
amendments, as necessary, to the existing record preservation and 
maintenance rules applicable to the Covered Entities. In particular, 
the Commission is proposing to amend the record preservation and 
maintenance rules for: (1) broker-dealers (i.e., Rule 17a-4); (2) SBS 
Entities (i.e., Rule 18a-6); and (3) transfer agents (i.e., Rule 17ad-
7). The proposed amendments would specify that the Rule 10 Records must 
be retained for three years. In the case of the written policies and 
procedures to address cybersecurity risks, the record would need to be 
maintained until three years after the termination of the use of the 
policies and procedures.
    The existing record maintenance and preservation rule applicable to 
registered clearing agencies, the MSRB, national securities 
associations, and

[[Page 20313]]

national securities exchanges (i.e., Rule 17a-1) requires these 
categories of Covered Entities to keep and preserve at least one copy of 
all documents, including all correspondence, memoranda, papers, books, 
notices, accounts, and other such records as shall be made or received 
by the Covered Entity in the course of its business as such and in the 
conduct of its self-regulatory activity. Under the existing provisions 
of Rule 17a-1, registered clearing agencies, the MSRB, national 
securities associations, and national securities exchanges would be 
required to preserve at least one copy of the Rule 10 Records for at 
least five years, with the first two years in an easily accessible 
place. Similarly, the existing record maintenance and preservation rule 
applicable to SBSDRs (i.e., Rule 13n-7) requires these Market Entities 
to preserve records. And with respect to exempt clearing agencies, the 
Commission is proposing to amend the clearing agency exemption orders 
to add a condition that each exempt clearing agency must retain the 
Rule 10 Records for a period of at least five years after the record is 
made or, in the case of the written policies and procedures to address 
cybersecurity risks, for at least five years after the termination of 
the use of the policies and procedures.
a. Benefits
    There would be a number of benefits to Covered Entities from 
preserving and maintaining the Rule 10 Records. With respect to 
cybersecurity policies and procedures and the written documentation 
concerning risk assessments and any cybersecurity incidents, the 
Covered Entity's records could be reviewed for compliance purposes as 
well as a reference in future self-conducted audits of the Covered 
Entity's cybersecurity system. In addition, the written report each 
year describing the Covered Entity's annual review of its policies and 
procedures could be used to determine if the Covered Entity's 
cybersecurity risk management program is working as expected and to see 
if any changes should be made. Lastly, maintaining records of 
compliance would assist the Commission in its oversight role, 
particularly when conducting examinations of Covered Entities. With 
respect to the immediate written notice of a significant cybersecurity 
incident, as well as any submitted Part I of proposed Form SCIR, the 
records would facilitate examination of Covered Entities for compliance 
with proposed Rule 10.
    Finally, with respect to the public disclosures that Covered 
Entities would make on Part II of proposed Form SCIR, keeping records 
of these forms and submissions would be beneficial to Covered Entities 
for compliance purposes as well as use as a reference when updating the 
public disclosure. For example, a Covered Entity would need to file an 
updated Part II of proposed Form SCIR if the information in the summary 
description of a significant cybersecurity incident included on the 
form is no longer within the look-back period (i.e., the current or 
previous calendar year). However, the retention period for the records 
(e.g., three years in the case of broker-dealers, SBS Entities, and 
transfer agents, or five years in the case of registered clearing 
agencies, the MSRB, national securities associations, national 
securities exchanges, SBSDRs, and certain exempt clearing agencies) 
would require the Covered Entity to maintain a record of that 
particular public disclosure for a longer period of time.
    Benefits also arise due to the Commission's regulation and 
oversight of Covered Entities with respect to their books and 
records.\862\
---------------------------------------------------------------------------

    \862\ The Commission also would retain copies of Parts I and II 
of proposed Form SCIR filed through EDGAR.
---------------------------------------------------------------------------

b. Costs
    The costs associated with preserving the Covered Entity's 
cybersecurity policies and procedures and annual review are likely to 
be small. The cost would result from the requirement to preserve the 
Rule 10 Records for either three or five years. Given that the 
incremental volume of records that each Covered Entity would be 
required to retain would be relatively small, the costs should be 
minimal. Moreover, Covered Entities subject to other record retention 
requirements likely already have a system in place to maintain those 
records. Therefore, adding the records associated with proposed Rule 10 
likely would be a small burden.
    To estimate the costs associated for a Covered Entity to comply 
with its recordkeeping maintenance and preservation requirement, the 
Commission considered the initial and ongoing compliance costs.\863\ 
The internal annual cost for this requirement is estimated to be $441 
per Covered Entity, and $877,149 in total. These costs include a 
blended rate of $73.50 for a general clerk and compliance clerk for a 
total of 6 hours. It is estimated that there will be $0 annual external 
cost for the recordkeeping maintenance and preservation requirement.
---------------------------------------------------------------------------

    \863\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

c. Request for Comment
    The Commission requests comment on all aspects of the foregoing 
analysis of the benefits and costs of the proposed record preservation 
and maintenance requirements. Commenters are requested to provide 
empirical data in support of any arguments or analyses. In addition, 
the Commission is requesting comment on the following matter:
    23. Are there any other benefits and costs associated with the 
requirements to preserve the Rule 10 Records? If so, please describe 
them.
6. Policies and Procedures, Annual Review, Immediate Notification of 
Significant Cybersecurity Incidents, and Record Preservation 
Requirements for Non-Covered Broker-Dealers
    As discussed earlier, proposed Rule 10 would require Non-Covered 
Broker-Dealers to establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address their cybersecurity 
risks taking into account the size, business, and operations of the 
firm.\864\ The proposed rule also would require Non-Covered Broker-
Dealers to review the design and effectiveness of their cybersecurity 
policies and procedures annually, including whether the policies and 
procedures reflect changes in cybersecurity risk over the time period 
covered by the review. Furthermore, Non-Covered Broker-Dealers would be 
required to provide the Commission and their examining authority with 
immediate written electronic notice of the occurrence of a significant 
cybersecurity incident.\865\ The Commission also is proposing to amend 
the record preservation and maintenance rule for broker-dealers (Rule 
17a-4) to specifically require Non-Covered Broker-Dealers to preserve 
certain records in connection with Rule 10.
---------------------------------------------------------------------------

    \864\ See section II.C.1. of this release (discussing in more 
detail the proposed policies and procedures, annual review, and 
record preservation requirements for Non-Covered Broker-Dealers).
    \865\ The Commission is not proposing that Non-Covered Broker 
Dealers be subject to the requirements to file Parts I and II of 
proposed Form SCIR and post copies of the most recently filed Part 
II of proposed Form SCIR on their websites and provide copies of 
that filing to their customers.
---------------------------------------------------------------------------

a. Benefits
    The requirement under proposed Rule 10 for Non-Covered Broker-
Dealers to establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address their cybersecurity 
risks would generally

[[Page 20314]]

improve cybersecurity preparedness of Non-Covered Broker-Dealers--and 
hence reduce their clients' exposure to cybersecurity incidents. This 
is because, in establishing and maintaining a set of cybersecurity 
policies and procedures in a written format, a Non-Covered Broker-
Dealer can evaluate whether its cybersecurity policies and procedures 
continue to work as designed and whether changes are needed to assure 
their continued effectiveness. In addition, by permitting Non-Covered 
Broker-Dealers to take into account the size, business, and 
operations of the firm when designing their written policies and 
procedures, Non-Covered Broker-Dealers can more efficiently utilize 
their resources. Moreover, by requiring Non-Covered Broker-Dealers to 
establish reasonably designed cybersecurity policies and procedures, 
the Commission would be better able to understand the protections that 
these broker-dealers put in place to address cybersecurity risk. During 
an examination, the Commission can assess the adequacy and completeness 
of a Non-Covered Broker-Dealer's cybersecurity policies and procedures. 
Documenting a Non-Covered Broker-Dealer's cybersecurity policies and 
procedures in a written format also would aid the Commission in its 
review and oversight.
    Due to the varying sizes and operations of Non-Covered Broker-
Dealers, the benefits that accrue from the cybersecurity policies and 
procedures requirement likely differ across entities. Because Non-
Covered Broker-Dealers are generally smaller and have fewer assets and 
interconnections with other Market Entities than Covered Broker-
Dealers, there is less of a risk that a significant cybersecurity 
incident at a Non-Covered Broker-Dealer could provide the threat actor 
with access to other Market Entities. However, even though a Non-
Covered Broker-Dealer may not pose a significant overall risk to the 
U.S. securities markets, a significant cybersecurity event at a Non-
Covered Broker-Dealer could have profound negative effects if a threat 
actor is able to misappropriate customers' confidential financial 
information. Consequently, greater cybersecurity investment by a Non-
Covered Broker-Dealer likely would lead to significant benefits for 
itself and its customers.
    Non-Covered Broker-Dealers may already have implemented 
cybersecurity policies and procedures. The marginal benefits of the 
proposed rule would be mitigated to the extent that these existing 
policies and procedures are consistent with the proposed rule's 
requirements. However, existing policies and procedures that are 
already consistent with the proposed rule would facilitate Non-Covered 
Broker-Dealers in conducting annual reviews, assessing the design and 
effectiveness of their cybersecurity policies and procedures, and 
making necessary adjustments.
    The primary benefit of reviewing a Non-Covered Broker-Dealer's 
cybersecurity policies and procedures on an annual basis is that it 
would help to 
ensure that they are working as designed, that they accurately reflect 
the firm's cybersecurity practices, and that they reflect changes and 
developments in the firm's cybersecurity risk over the time period 
covered by the review. The documented policies and procedures would 
serve as a benchmark when conducting the annual review. The Non-Covered 
Broker-Dealer would be required, for compliance purposes and future 
reference, to make a written record that documents the steps taken in 
performing the annual review and the conclusions of the annual review.
    Cybersecurity threats constantly evolve, and threat actors 
consistently identify new ways to infiltrate information systems. An 
annual review requirement would ensure that Non-Covered Broker-Dealers 
conduct a regular assessment and undertake updates to prevent policies 
and procedures from becoming stale or ineffective, in light of the 
dynamism of cybersecurity threats.
    The primary benefit of requiring Non-Covered Broker-Dealers to 
retain their written cybersecurity policies and procedures as well as a 
record of the annual reviews, is to assist the Commission in its 
oversight function. In reviewing their records, Non-Covered Broker-
Dealers may see trends in their own cybersecurity risks, which may 
serve as an impetus to make adjustments to their cybersecurity policies 
and procedures. Furthermore, Proposed Rule 10 would expand, beyond 
current Commission regulations, the scope of Non-Covered Broker-Dealers' 
cybersecurity policies and procedures, which would need to address all 
cybersecurity risks that may affect their information systems and the 
funds and securities, as well as the personal, confidential, and 
proprietary information, that may be stored on those systems.
    As noted above, Non-Covered Broker-Dealers would be required to 
give the Commission immediate written electronic notice of a 
significant cybersecurity incident upon having a reasonable basis to 
conclude that the significant cybersecurity incident has occurred or is 
occurring. Compared to the suite of proposed requirements for Covered 
Entities, including filing Parts I and II of proposed Form SCIR and 
publicly disclosing Part II (which would contain summary descriptions 
of the Covered Entity's cybersecurity risks and significant 
cybersecurity incidents that occurred in current and previous calendar 
years), the proposed requirement to provide immediate written 
electronic notice of significant cybersecurity incidents is relatively 
small but can yield significant benefits. Most notably, such immediate 
notifications would make Commission staff aware of significant 
cybersecurity incidents across all broker-dealers and not just at 
Covered Broker-Dealers, thus significantly increasing its oversight 
powers in the broker-dealer space with respect to cybersecurity 
incidents. Trends that impact Non-Covered Broker-Dealers, such as 
through malware or a particular type of software, may be detected by 
staff, which can then inform other Market Entities of emerging risks. 
This is particularly important due to the interconnected nature of the 
U.S. securities industry. Breaches that occur at Non-Covered Broker-
Dealers may spread to larger firms, such as Covered Entities, that 
could cause more widespread financial disruptions. Furthermore, we 
anticipate that the burden on Non-Covered Broker-Dealers of furnishing 
immediate written notification of a significant cybersecurity incident 
would be minimal.\866\
---------------------------------------------------------------------------

    \866\ See section IV.D.6.b. of this release.
---------------------------------------------------------------------------

b. Costs
    The costs associated with proposed Rule 10 for Non-Covered Broker-
Dealers with respect to the written cybersecurity policies and 
procedures requirements would primarily result from establishing 
written cybersecurity policies and procedures that are reasonably 
designed. Such costs may be passed on to the Non-Covered Broker-
Dealers' customers, either in part or in full.
    Many Non-Covered Broker-Dealers currently have cybersecurity 
policies and procedures in place; to the extent a Non-Covered Broker-
Dealer's existing policies and procedures are consistent with the 
requirements of the proposed rule, those Non-Covered Broker-Dealers 
would have limited need to update those policies and procedures, thus 
mitigating the costs of the proposal. Non-Covered Broker-Dealers may be 
subject to Regulation S-P, Regulation S-ID, and state regulations. In 
those particular instances, they may have already implemented policies 
and procedures that are consistent with the requirements of the 
proposed Rule 10,

[[Page 20315]]

which would mitigate some of the compliance costs associated with the 
proposed policies and procedures requirements.
    The cost of complying with the proposed annual review requirement 
along with the accompanying written review and conclusion would depend 
on the size, business, and operations of the Non-Covered Broker-Dealer. 
A Non-Covered Broker-Dealer with simpler operations likely would incur 
lower annual review and modification costs than firms with larger 
operations. Furthermore, a Non-Covered Broker-Dealer may choose to hire 
a third-party for assistance or consultation regarding the completion 
of a written annual review and conclusion. This cost, in those 
situations, would depend on the services requested and the fees that 
are charged by the third-parties and consultants. Such costs could be 
passed along to the Non-Covered Broker-Dealer's customers depending on 
the competitive nature of the Non-Covered Broker-Dealer's market and 
its business model.
    In either case, Non-Covered Broker-Dealers could tailor their 
policies and procedures to their cybersecurity risks, taking into 
account their size, business, and operations. This offers Non-Covered 
Broker-Dealers the flexibility to implement cybersecurity policies and 
procedures based on the sophistication and complexity of their 
information systems. Of course, the cost of cybersecurity systems and 
modifications to cybersecurity policies and procedures may be higher as 
the size, business, and operation of a Non-Covered Broker-Dealer 
increases and becomes more complex.
    The costs associated with giving the Commission immediate written 
electronic notice of a significant cybersecurity incident are likely to 
be relatively similar to, or possibly somewhat larger than, those 
incurred by Covered Broker-Dealers. As noted previously, the cost of 
immediate notification consists of notifying the Commission of a 
significant cybersecurity incident upon having a reasonable basis to 
conclude it has occurred or is occurring, as well as researching the 
details of the incident in question. Non-Covered Broker-Dealers may 
be able to make the same determination and notify the Commission in the 
same amount of time as their Covered Broker-Dealer counterparts. 
However, smaller broker-dealers may not have the staffing or 
information technology expertise to make a reasonable decision about a 
suspected significant cybersecurity event as quickly as a Covered 
Broker-Dealer that may have in-house staff dedicated to this function, 
thus increasing the overall immediate notification cost. On the other 
hand, smaller broker-dealers could instead contract with third parties 
for cybersecurity functions that could identify plausible significant 
cybersecurity attacks in the same amount of time as Covered Broker-
Dealers. Unlike Covered Broker-Dealers, Non-Covered Broker-Dealers would 
not have to provide any detail beyond the immediate written 
notification. Additional information regarding significant 
cybersecurity incidents would not have to be provided to the Commission 
on a confidential basis through the filing of Part I of proposed Form 
SCIR, and a summary of past incidents would not have to be publicly 
disclosed on their websites or filed with the Commission.
    To estimate the costs associated with the proposed policies and 
procedures requirements and annual review requirements, the Commission 
considered the initial and ongoing compliance costs.\867\ The internal 
annual costs for these requirements (which include an initial burden 
estimate annualized over a three year period) are estimated to be 
$9,702 per Non-Covered Broker-Dealer, and $19,103,238 in total. These 
costs include a blended rate of $462 for a compliance attorney and 
assistant general counsel for a total of 21 hours. The annual external 
costs for adopting and implementing the policies and procedures, as 
well as the annual review of the policies and procedures are estimated 
to be $2,480 per Non-Covered Broker-Dealer, and $4,883,120 in total. 
This includes the cost of using outside legal counsel at a rate of $496 
per hour for a total of five hours.
---------------------------------------------------------------------------

    \867\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

    The costs for a Non-Covered Broker-Dealer to research a 
suspected cybersecurity incident and provide immediate written 
notification to the Commission were combined earlier with those costs 
for Covered Entities.\868\ Broken out solely for Non-Covered Broker-
Dealers, the Commission considered the initial and ongoing compliance 
costs. The internal annual costs for these requirements (which include 
an initial burden estimate annualized over a three year period) are 
estimated to be $1,648.51 per Non-Covered Broker-Dealer, and $3,245,916 
in total. These costs include a blended rate of $353 for an assistant 
general counsel, compliance manager, and systems analyst for a total of 
4.67 hours. The annual external costs for these requirements are 
estimated to be $1,488 per Non-Covered Broker-Dealer, and $2,929,872 in 
total. This includes the cost of using outside legal counsel at a rate 
of $496 per hour for a total of three hours.
---------------------------------------------------------------------------

    \868\ See section IV.D.3.b. of this release (discussing the cost 
of immediate notification).
---------------------------------------------------------------------------

    Pursuant to proposed Rule 10, a Non-Covered Broker-Dealer would be 
required to: (1) establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address the cybersecurity 
risks of the firm; (2) make a written record that documents its annual 
review; and (3) provide immediate electronic written notice to the 
Commission of a significant cybersecurity incident upon having a 
reasonable basis to conclude that the significant cybersecurity 
incident has occurred or is occurring. The additional cost of the 
proposed amendments to Rule 17a-4 of preserving and maintaining these 
documents for three years, whether in paper or digital form, is likely 
minimal.
    To estimate the costs for a Non-Covered Broker-Dealer to 
comply with its recordkeeping maintenance and preservation requirement, 
the Commission considered the initial and ongoing compliance 
costs.\869\ The internal annual cost for this requirement is estimated 
to be $220.50 per Non-Covered Broker-Dealer, and $434,164.50 in total. 
These costs include a blended rate of $73.50 for a general clerk and 
compliance clerk for a total of three hours. It is estimated that there 
will be $0 annual external cost for the recordkeeping maintenance and 
preservation requirement.
---------------------------------------------------------------------------

    \869\ See section V of this release (discussing these costs in 
more detail).
---------------------------------------------------------------------------

c. Request for Comment
    The Commission requests comment on all aspects of the foregoing 
analysis of the benefits and costs of the proposed requirements for 
Non-Covered Broker-Dealers. Commenters are requested to provide 
empirical data in support of any arguments or analyses. In addition, 
the Commission is requesting comment on the following matters:
    24. What level of cybersecurity policies and procedures have Non-
Covered Broker-Dealers implemented? For example, would they meet the 
cybersecurity policies and procedures requirements of the proposed 
rule, thus making the compliance cost relatively low? Are those 
policies and procedures documented?
    25. Are there any other benefits and costs for a Non-Covered 
Broker-Dealer

[[Page 20316]]

in establishing, maintaining, and enforcing written policies and 
procedures under proposed Rule 10? If so, please describe them.
    26. Are the estimated costs of compliance for Non-Covered Broker-
Dealers to establish, maintain, and enforce written cybersecurity 
policies and procedures that comply with the proposed rule reasonable? 
If not, why not?
    27. Would Non-Covered Broker-Dealers consult with a third party or 
hire a consultant with cybersecurity expertise in order to establish 
the cybersecurity policies and procedures under proposed Rule 10?
    28. Are there quantifiable benefits to complying with the 
cybersecurity policies and procedures requirements of the proposed 
rule? If so, please describe them. Are there quantifiable costs for 
Non-Covered Broker-Dealers to review their cybersecurity policies 
annually that are different than those discussed above? If so, describe 
them.
    29. Are there any other benefits in reviewing and updating Non-
Covered Broker-Dealers' cybersecurity policies and procedures on an 
annual basis? If so, please describe them.
    30. Is the estimated cost to review Non-Covered Broker-Dealers' 
cybersecurity policies and procedures reasonable? If not, why not?
    31. Would it be more or less costly to outsource the responsibility 
of an annual review of cybersecurity policies and procedures to a third 
party?
7. Substituted Compliance for Non-U.S. SBS Entities
    Commission Rule 3a71-6 states that the Commission may, 
conditionally or unconditionally, by order, make a determination with 
respect to a foreign financial regulatory system that compliance with 
specified requirements under such foreign financial regulatory system 
by a registered SBS Entity or class thereof, may satisfy certain 
requirements that would otherwise apply to such an SBS Entity (or class 
thereof). The Commission may make such substituted compliance 
determinations to permit SBS Entities that are not U.S. persons (as 
defined in 17 CFR 240.3a71-3(a)(4)), but not SBS Entities that are U.S. 
persons, to satisfy the eligible requirements by complying with 
comparable foreign requirements.\870\ The Commission is proposing to 
amend Rule 3a71-6 to permit eligible applicants \871\ to seek a 
Commission determination with respect to the cybersecurity requirements 
of proposed Rule 10 and Form SCIR as applicable to SBS Entities that 
are not U.S. persons.\872\ Additionally, Rule 3a71-6 currently permits 
eligible applicants to seek a substituted compliance determination from 
the Commission with regard to the requirements of Rule 18a-6, including 
the proposed amendments to Rule 18a-6 if adopted.\873\
---------------------------------------------------------------------------

    \870\ See 17 CFR 240.3a71-6(d).
    \871\ See 17 CFR 240.3a71-6(c).
    \872\ See section II.D.3.
    \873\ See paragraph (d)(6) of Rule 3a71-6.
---------------------------------------------------------------------------

a. Benefits
    The Commission is proposing amendments to Rule 3a71-6 to make 
substituted compliance available to eligible SBS Entities that are not 
U.S. persons, if the Commission determines that compliance with 
specified requirements under a foreign financial regulatory system by a 
registered SBS Entity, or class thereof, satisfies the corresponding 
requirements of proposed Rule 10 and Form SCIR. Other regulatory 
regimes may achieve regulatory outcomes that are comparable to the 
Commission's proposed cybersecurity risk management requirements. 
Allowing for the possibility of substituted compliance may avoid 
regulatory duplication and conflict that may increase entities' 
compliance burdens without an analogous increase in benefits. The 
availability of substituted compliance could decrease the compliance 
burden for non-U.S. SBS Entities, in particular as it pertains to the 
establishment, maintenance, and enforcement of cybersecurity policies 
and procedures, notification and reporting to regulators, disclosure of 
cybersecurity risks and incidents, and record preservation. Allowing 
for the possibility of substituted compliance may help achieve the 
benefits of proposed Rule 10, Form SCIR, and the proposed amendments to 
Rule 18a-6 in a manner that avoids the costs that SBS Entities that are 
not U.S. persons would have to bear due to regulatory duplication or 
conflict.
    Further, substituted compliance may have broader market 
implications, namely greater activity by foreign SBSDs in the U.S. 
market, expanded access by both U.S. and foreign SBS Entities to global 
liquidity, and reduced possibility of liquidity fragmentation along 
jurisdictional lines. The availability of substituted compliance for 
non-U.S. SBS Entities also could promote market efficiency, while 
enhancing competition in U.S. markets. Greater participation and access 
to liquidity is likely to improve efficiencies related to hedging and 
risk sharing while simultaneously increasing competition between 
domestic and foreign SBS Entities.
b. Costs
    The Commission believes that the availability of substituted 
compliance for proposed Rule 10, Form SCIR, and the proposed amendments 
to Rule 18a-6 will not substantially alter the benefits intended by 
those requirements. In particular, it is expected that the availability 
of substituted compliance will not detract from the risk management 
benefits that stem from implementing proposed Rule 10, Form SCIR, and 
the proposed amendments to Rule 18a-6.
    To the extent that substituted compliance reduces duplicative 
compliance costs, non-U.S. SBS Entities may incur lower overall costs 
associated with cybersecurity preparedness than they would otherwise 
incur without the option of substituted compliance availability, either 
because a non-U.S. SBS Entity may have already implemented foreign 
regulatory requirements which have been deemed comparable by the 
Commission, or because security-based swap counterparties eligible for 
substituted compliance do not need to duplicate compliance with two 
sets of comparable requirements.
    A substituted compliance request can be made either by a foreign 
regulatory jurisdiction on behalf of its market participants, or by the 
registered market participant itself.\874\ The decision to request 
substituted compliance is voluntary, and therefore, to the extent that 
requests are made by individual market participants, such participants 
would request substituted compliance only if compliance with foreign 
regulatory requirements was less costly, in their own assessment, than 
compliance with both the foreign regulatory regime and the relevant 
Title VII requirements, including the requirements of proposed Rule 10, 
Form SCIR, and the proposed amendments to Rule 18a-6. Even after a 
substituted compliance determination is made, market participants would 
only choose substituted compliance if the benefits that they expect to 
receive exceed the costs that they expect to bear for doing so.
---------------------------------------------------------------------------

    \874\ See 17 CFR 240.3a71-6(c).
---------------------------------------------------------------------------

E. Effects on Efficiency, Competition, and Capital Formation

    As discussed in the foregoing sections, market imperfections could 
lead to underinvestment in cybersecurity by Market Entities, and 
information asymmetry could contribute

[[Page 20317]]

to a market-wide inefficient provision of cybersecurity defenses. The 
proposed rule aims to mitigate the inefficiencies resulting from these 
imperfections by: (1) imposing mandates for cybersecurity policies and 
procedures that could reduce cybersecurity underinvestment; (2) 
creating a reporting framework that could improve information sharing 
and, in turn, cybersecurity defense investment and protection; and (3) 
providing public disclosure to inform Covered Entities' customers, 
counterparties, members, registrants, or users about the Covered 
Entities' cybersecurity efforts and experiences, thus potentially 
reducing information asymmetry.\875\ While the proposed rule has the 
potential to mitigate inefficiencies resulting from market 
imperfections, the scale of the overall effect would depend on numerous 
factors, including the state of existing cybersecurity 
preparations,\876\ the degree to which the proposed provisions induce 
increases to these preparations, the effectiveness of additional 
preparations at reducing cybersecurity risks,\877\ the degree to which 
customers, counterparties, members, registrants, and users value 
additional cybersecurity preparations,\878\ the degree of information 
asymmetry and bargaining power between customers, counterparties, 
members, registrants, and users vis-à-vis Market Entities,\879\ 
the bargaining power of Market Entities vis-à-vis service 
providers,\880\ service providers' willingness to provide bespoke 
contractual provisions to affected Market Entities,\881\ the 
informational utility of the proposed disclosures, the scale of the 
negative externalities on the broader financial system,\882\ the 
effectiveness of existing information sharing arrangements, and the 
informational utility of the required regulatory reports (as well as 
the Commission's ability to make use of them).\883\
---------------------------------------------------------------------------

    \875\ See sections IV.B. and IV.D. of this release (discussing 
the broad economic considerations and benefits and costs of the 
proposals, respectively).
    \876\ See section IV.C.1. of this release. Here, the Commission 
is concerned about the degree to which Market Entities' state of 
cybersecurity preparations diverge from socially optimal levels.
    \877\ Formally, the marginal product of the proposed policies 
and procedures in the production of cybersecurity defenses.
    \878\ Formally, customers', counterparties', members', 
registrants', and users' utility functions--specifically the 
marginal utilities of Covered Entities' and Non-Covered Broker-
Dealers' cybersecurity policies and procedures.
    \879\ In other words, the degree to which customers, 
counterparties, members, registrants, or users can affect the 
policies of Market Entities. Generally, the Commission expects that 
customers, counterparties, members, registrants, or users may be 
smaller than the affected Market Entity with which they conduct 
business and thus be subject to asymmetry and have limited ability 
to affect the policies of the Market Entity. However, that may not 
always be the case. For example, for customers of broker-dealers, 
the situation is likely to involve more heterogeneity, with some 
parties (e.g., small retail clients) wielding very little power over 
the broker-dealer's policies while others (e.g., large institutional 
investors) wield considerable power.
    \880\ In certain cases, a Covered Entity may determine that a 
competing service provider can be used as a bargaining chip in the 
renegotiation of existing service agreements, potentially imposing 
substantial contracting costs on the parties, which would eventually 
be passed on to the Covered Entities' customers, counterparties, 
members, participants, or users.
    \881\ Id.
    \882\ See sections IV.D.2.a. and IV.D.2.b. of this release.
    \883\ See section IV.D.3. of this release.
---------------------------------------------------------------------------

    However, since the proposed cybersecurity policies and procedures 
and related annual assessment are intended to prevent cybersecurity 
incidents at Market Entities that would otherwise cause financial loss 
and operational failure, compliance with the proposed rule likely would 
result in a safer environment to engage in securities transactions that 
protects the efficiency with which markets operate. Specifically, the 
proposed requirements are intended to protect the efficiency of the 
securities markets through the prevention of cybersecurity incidents 
that can adversely impact Market Entities and that, in turn, can 
interrupt the normal operations of U.S. securities markets and disrupt 
the efficient flow of information and capital.
    The additional requirements applicable to Covered Entities (namely, 
the specific elements of the cybersecurity policies and procedures, the 
reporting to the Commission of any significant cybersecurity incident 
through Part I of proposed Form SCIR, and the disclosure of 
cybersecurity risks and significant cybersecurity incidents) would also 
allow for greater information sharing and would reduce the risk of 
underinvestment in cybersecurity across the securities industry. For 
example, confidential reporting to the Commission through Part I of 
proposed Form SCIR would provide regulators with the opportunity to 
promptly begin to assess the situation when a Covered Entity is 
experiencing a significant cybersecurity incident and begin to evaluate 
potential impacts on the market. In addition, public disclosures by 
Covered Entities through Part II of proposed Form SCIR and website 
postings would allow their customers, counterparties, members, 
registrants, and users to manage risk and choose with whom to do 
business, potentially allocating their resources to Covered Entities 
with greater cybersecurity preparedness. In addition, the sharing of 
information through public disclosures could assist in the development 
and implementation of cybersecurity policies and procedures, 
particularly by smaller and less sophisticated Market Entities which 
likely have fewer resources to develop robust cybersecurity protocols. 
Such information may be useful to them in choosing one option over 
another, potentially allowing those smaller and less sophisticated 
Market Entities to develop their cybersecurity protection in the most 
cost-effective way possible.
    Because the proposed rule would likely have differential effects on 
Market Entities along a number of dimensions, its overall effect on 
competition among Market Entities may be difficult to predict in 
certain instances. For example, smaller Market Entities, such as Non-
Covered Broker-Dealers and certain transfer agents, are likely to face 
disproportionately higher costs relative to revenues resulting from the 
proposed rule.\884\ With respect to broker-dealers, the Commission has 
endeavored to provide Non-Covered Broker-Dealers with a more limited 
and flexible set of requirements that better suits their business 
models and would therefore be less onerous. Still, a number of small 
broker-dealers would be subject to the proposed rule as Covered 
Entities, which could tilt the competitive playing field in favor of 
their larger Covered Broker-Dealer counterparts.\885\ In addition, all 
transfer agents would be Covered Entities under the proposed rule, 
regardless of their size, so the same concern is present.
---------------------------------------------------------------------------

    \884\ See section IV.B. of this release.
    \885\ See section VI.C. of this release (noting that certain 
small broker-dealers would meet the definition of ``covered entity'' 
for purposes of the proposed rule).
---------------------------------------------------------------------------

    On the other hand, if customers, counterparties, members, 
registrants, or users believe that the proposed rule effectively 
induces the appropriate level of cybersecurity effort among Market 
Entities, smaller Market Entities would likely benefit the most from 
this improved perception, as they would then be presumed to have 
sufficient cybersecurity policies and procedures in place rather than 
inadequate cybersecurity protections. Similar differential effects can 
occur within a particular group of Market Entities and service 
providers that are more (or less) focused on their cybersecurity.
    With respect to competition among Covered Entities' service 
providers, the overall effect of the proposed rule and amendments is 
similarly ambiguous. It is likely that requiring affected Covered

[[Page 20318]]

Entities to request oversight of service providers' cybersecurity 
practices pursuant to a written contract would lead some service 
providers to cease offering services to affected Covered Entities.\886\ 
The additional regulation could serve as a barrier to entry to new 
service providers and could disproportionately affect would-be Market 
Entities.
---------------------------------------------------------------------------

    \886\ See section I.A.1. of this release.
---------------------------------------------------------------------------

    In terms of capital formation, the proposed rule would have second-
order effects, namely through a safer financial marketplace. As noted 
above, FSOC states that a destabilizing cybersecurity incident could 
potentially threaten the stability of the U.S. financial system by 
causing, among other things, a loss of confidence among a broad set of 
market participants, which could cause participants to question the 
safety or liquidity of their assets or transactions, and lead to 
significant withdrawal of assets or activity.\887\ The Market Entities 
covered by this rule play important roles in capital formation through 
the various services they provide.\888\ Due to their interconnected 
systems, a significant cybersecurity incident affecting Market Entities 
could have a cascading effect across the U.S. financial system with a 
significant impact on investor confidence, resulting in withdrawal of 
assets and impairment of capital formation.
---------------------------------------------------------------------------

    \887\ See FSOC 2021 Annual Report.
    \888\ See sections I.A.1. and II.A.1. of this release.
---------------------------------------------------------------------------

    The proposed rule provides the backbone for having sufficient 
cybersecurity measures in place to protect customer information, funds, 
and securities. Moreover, proposed provisions likely would lead to 
increased efficiency in the market, thus resulting in improved capital 
formation.\889\ With a more predictable investment environment due to 
improved cybersecurity implementation by Market Entities and service 
providers, capital formation through the demand for securities 
offerings will be less prone to interruptions.
---------------------------------------------------------------------------

    \889\ The proposed provisions do not implicate channels 
typically associated with capital formation (e.g., taxation policy, 
financial innovation, capital controls, intellectual property, rule-
of-law, and diversification). Thus, the proposed rule is likely to 
have only indirect, second order effects on capital formation 
arising from any improvements to economic efficiency. Qualitatively, 
these effects are expected to be small.
---------------------------------------------------------------------------

    As part of the analysis on competition, efficiency, and capital 
formation, the Commission requests comment from all parties, 
particularly the Market Entities that would be affected by this 
proposed rule:
    a. Do firms within the Covered Entity and Non-Covered Broker-Dealer 
groups compare their cybersecurity safety measures among themselves or 
among firms of a particular type within a group (e.g., national 
securities exchanges only or transfer agents only)? Does one entity's 
level of cybersecurity protection incentivize competing entities to 
improve their cybersecurity policies and procedures? Is it possible 
that an entity with subpar cybersecurity protocols may be forced to 
exit the market, either because of business migrating to its 
competitors or because of the sheer number of cybersecurity incidents 
at that entity?
    b. Would better cybersecurity policies and procedures, especially 
those that are reviewed and updated, provide more stability in the 
securities markets that encourages additional investment?
    c. Would public disclosures of cybersecurity risks and significant 
cybersecurity incidents during the current or previous calendar year 
encourage investment in cybersecurity protections that later provide 
more stability in the market, thus encouraging capital formation?
    d. Does the Commission's knowledge of cybersecurity incidents as 
well as of the policy and procedures at Market Entities lead to a 
calming effect on the market through oversight and compliance with the 
proposed rule, which would then foster greater capital formation?

F. Reasonable Alternatives

1. Alternatives to the Policies and Procedures Requirements of Proposed 
Rule 10
a. Require Only Disclosure of Cybersecurity Policies and Procedures 
Without Prescribing Specific Elements
    Rather than requiring Covered Entities to adopt cybersecurity 
policies and procedures with specific enumerated elements, the 
Commission considered requiring Covered Entities to only provide 
explanations or summaries of their cybersecurity practices to their 
customers, counterparties, members, registrants, or users. In this 
alternative scenario, each Covered Entity would provide a disclosure 
containing a general overview of its existing cybersecurity policies 
and procedures, rather than be required to establish cybersecurity 
policies and procedures pursuant to the requirements of paragraph (b) 
of proposed Rule 10. Under this alternative, the general disclosure 
about the Covered Entity's cybersecurity policies and procedures would 
be publicly available to its customers, counterparties, members, 
registrants, and users, but it would not reveal specific details of the 
Covered Entity's policies and procedures. Further, under this 
alternative, detailed and comprehensive information about the Covered 
Entity's cybersecurity risks and protocols--including the policies and 
procedures themselves--would remain internal to the Covered Entity. The 
only other organizations that would be able to review or examine this 
more detailed information would be the Commission, FINRA, the MSRB (to 
the extent applicable), and other regulators with authority to examine 
this information in the course of their oversight activities.
    This alternative approach would create weaker incentives for 
Covered Entities to address potential underspending on cybersecurity 
measures, as it would rely, in part, on customers', counterparties', 
members', registrants', or users' (or third parties' providing analyses 
to those customers, counterparties, members, registrants, or users) 
\890\ ability to assess the effectiveness of Covered Entities' 
cybersecurity practices from the Covered Entities' public disclosures. 
Further, any benefits to be gained by requiring public disclosure of a 
Covered Entity's cybersecurity policies and procedures can also be 
realized through the proposed rule's public disclosure requirement. In 
particular, proposed Rule 10 would require each Covered Entity to 
provide a summary description of the cybersecurity risks that could 
materially affect its business and operations and how the Covered 
Entity assesses, prioritizes, and addresses those cybersecurity risks. 
In addition, each Covered Entity would need to disclose a summary 
description of each significant cybersecurity incident that occurred 
during the current or previous calendar year, if applicable. This 
disclosure would serve as another way for market participants to 
evaluate the Covered Entity's cybersecurity risks and vulnerabilities 
apart from the general disclosure of its cybersecurity risks. As 
mentioned above, this information could be useful to the Covered 
Entity's customers, counterparties, members, registrants, or users to 
manage their own cybersecurity risks and, to the extent they have 
choice, select a Covered Entity with whom to transact or otherwise 
conduct business.\891\
---------------------------------------------------------------------------

    \890\ See section IV.D.1.a. of this release.
    \891\ Furthermore, third-party financial service firms could 
conduct studies on cybersecurity preparedness at Market Entities, 
such as certain entities not being in line with industry practices 
or standards, which also could inform the choices of customers, 
counterparties, members, registrants, or users.
---------------------------------------------------------------------------

    Given the cybersecurity risks of disclosing detailed explanations 
of

[[Page 20319]]

cybersecurity practices (which would necessarily be disclosed if the 
Covered Entity would be required to disclose its existing cybersecurity 
policies and procedures),\892\ it is likely that requiring such 
disclosure would result in the Covered Entity including only general 
language in its disclosure and providing few, if any, specific details 
that could be used by threat actors to take advantage of weak links in 
a Covered Entity's cybersecurity preparedness. Consequently, this 
alternative ``disclosure-only'' regime for cybersecurity policies and 
procedures would be unlikely to provide enough information and detail 
to differentiate one Covered Entity's cybersecurity policies and 
procedures from another's, thus maintaining information asymmetry 
between the Covered Entity and other market participants. If 
information asymmetry were maintained, it is unlikely 
that meaningful change could be effected in the Covered Entities' 
cybersecurity practices through market pressure or Commission oversight 
over the Covered Entity's policies and procedures.\893\ Furthermore, 
not requiring specific enumerated elements in cybersecurity policies 
and procedures would likely result in less uniform cybersecurity 
preparedness across Covered Entities, leaving market participants with 
inconsistent information about the robustness of Covered Entities' 
cybersecurity practices. However, if Market Entities believed that 
providing more detailed information would give them a competitive 
advantage, they would do so.
---------------------------------------------------------------------------

    \892\ See section IV.D.2.b. of this release (discussing 
tradeoffs of cybersecurity disclosure).
    \893\ Here, changes in cybersecurity practices would depend 
entirely on market discipline exerted by relatively uninformed 
market participants.
---------------------------------------------------------------------------

    On the other hand, the costs associated with this alternative 
likely would be minimal relative to those associated with the proposed 
requirements regarding written policies and procedures, as Covered 
Entities would be unlikely to face pressure to adjust their existing 
cybersecurity policies and procedures as long as they do not experience 
any significant cybersecurity incidents. However, if a Covered Entity 
does experience a significant cybersecurity incident, it may force the 
Covered Entity to revise its existing cybersecurity policies and 
procedures and consequently revise its disclosures to other market 
participants concerning its cybersecurity policies and procedures. It 
is also conceivable that being required to make public disclosures 
regarding its cybersecurity policies and procedures or undergoing 
third-party market analyses that aggregate these types of disclosures 
(and may focus on, for example, the Covered Entity's lack of conformity 
with industry practices and standards) may provide the impetus for a 
Covered Entity to make its cybersecurity policies and procedures more 
robust.
b. Limiting the Scope of the Proposed Cybersecurity Policies and 
Procedures With Respect to Third-Party Service Providers
    The Commission also considered limiting the scope of the proposed 
requirement that the Covered Entity's policies and procedures require 
oversight of service providers that receive, maintain, or process the 
Covered Entity's information, or are otherwise permitted to access the 
Covered Entity's information systems and the information residing on 
those systems, pursuant to a written contract between the Covered 
Entity and the service provider.\894\ Specifically, the Commission 
considered narrowing the scope of service providers in the enumerated 
categories discussed above \895\ and requiring a periodic review and 
assessment of the pared-down list of service providers' cybersecurity 
policies and procedures rather than applying the Service Provider 
Oversight Requirement to each service provider that receives, maintains, 
or processes the Covered Entity's information, or is otherwise 
permitted to access the Covered Entity's information systems and the 
information residing on those systems. The types of service providers 
that would still be covered by the written contract requirement would 
be those that provide cybersecurity-related services as well as 
business-critical services that are necessary for a Covered Entity to 
operate its core functions. The Commission further considered requiring 
service providers that receive, maintain, or process the Covered 
Entity's information, or are otherwise permitted to access the Covered 
Entity's information systems and the information residing on those 
systems to provide security certifications in lieu of the written 
contract requirement.
---------------------------------------------------------------------------

    \894\ See paragraph (b)(1)(iii)(B) of proposed Rule 10 (setting 
forth the Service Provider Oversight Requirement).
    \895\ See section IV.C.2.h. of this release.
---------------------------------------------------------------------------

    Narrowing the scope of the types of service providers affected by 
the proposal could lower costs for Covered Entities, especially smaller 
Covered Entities that rely on generic contracts with service providers 
(because they have less negotiating power with their service providers) 
and would have difficulty effecting changes in contractual terms with 
such service providers.\896\ However, in the current technological 
context in which businesses increasingly rely on third-party ``cloud 
services'' that effectively place business data out of the business' 
immediate control, the cybersecurity risk exposure of Covered Entities 
is unlikely to be limited to (or even concentrated in) certain named 
service providers. Narrowing the scope of service providers likely 
would lead to lower costs only insofar as it reduces the effectiveness of 
the regulation. A related basis to reject this alternative is the 
signaling effect that it sends to threat actors. By excluding certain 
categories of service providers, the Commission could be providing 
information to threat actors about which service providers would be 
easiest to attack, as that universe of excluded vendors may have 
policies and procedures inferior to those of vendors that are 
covered by the proposed rule.
---------------------------------------------------------------------------

    \896\ See section IV.D.1.b. of this release (discussing service 
providers).
---------------------------------------------------------------------------

    Alternatively, maintaining the proposed scope but only requiring a 
standard, recognized, certification in lieu of a written contract could 
also lead to cost savings for Covered Entities, particularly if the 
certification is completed in-house or if a particular entity has many 
service contracts with different third parties that specify they are in 
compliance with the certification.\897\ However, the Commission 
preliminarily believes that it would be difficult to prescribe a set of 
characteristics for such a ``standard'' certification that would 
sufficiently address the varied types of Covered Entities and their 
respective service providers.\898\ Another difficulty may be that if a 
single third-party entity is used for the certification, that entity 
would have to be well-versed in all contracted services in order to 
accurately assess them for compliance. In contrast, individualized 
contracts with each

[[Page 20320]]

service provider likely would ensure better compliance with the intent 
of the proposed rule as those third-party providers specialize in the 
services that they offer.
---------------------------------------------------------------------------

    \897\ Service providers may currently be providing 
certifications as part of a registrant's policies and procedures. 
See also section II.B.1.g. of this release (seeking comment on 
alternative approaches to the Service Provider Oversight 
Requirement, including whether this cybersecurity risk could be 
addressed through policies and procedures to obtain written 
assurances or certifications from service providers that the service 
provider manages cybersecurity risk in a manner that would be 
consistent with how the Covered Entity would need to manage this 
risk under paragraph (b) of proposed Rule 10).
    \898\ See section IV.C.3. of this release (discussing the variety 
of affected registrants); see also section IV.F.1. of this release 
(discussing the limitations of uniform prescriptive requirements).
---------------------------------------------------------------------------

c. Require Specific Standardized Elements for Addressing Cybersecurity 
Risks of Covered Entities
    The Commission considered including more standardized elements 
that would need to be included in a Covered Entity's cybersecurity 
policies and procedures. For example, Covered Entities could be 
required to implement particular controls (e.g., specific encryption 
protocols, network architecture, or authentication procedures) that are 
designed to address each general element of the required cybersecurity 
policies and procedures. Given the considerable diversity in the size, 
focus, and technical sophistication of affected Covered Entities,\899\ 
any specific requirements likely would result in some Covered Entities 
needing to substantially alter their cybersecurity policies and 
procedures.
---------------------------------------------------------------------------

    \899\ See section IV.C.3. of this release.
---------------------------------------------------------------------------

    The potential benefit of such an approach would be to provide 
assurance that Covered Entities have implemented certain specific 
cybersecurity practices. But this approach would also entail 
considerably higher costs, as many Covered Entities would need to 
adjust their existing practices to something else that is more costly 
than potential alternatives that could provide the same level 
of protection. In addition, considering the variety of Covered Entities 
registered with the Commission, it would be exceedingly difficult for 
the Commission to devise specific requirements that are appropriately 
suited for all Covered Entities: a uniform set of requirements would 
certainly be both over- and under-inclusive, while providing varied 
requirements based on the circumstances of each Covered Entity would be 
complex and impractical. For example, standardized requirements that 
ensure reasonably designed cybersecurity policies and procedures for 
the largest, most sophisticated and active Covered Entities would 
likely be overly burdensome for smaller and less sophisticated Covered 
Entities with more limited cybersecurity risk exposures. Conversely, if 
these standardized requirements were tailored to smaller Covered 
Entities with more limited operations or cybersecurity risks, such 
requirements likely would be inadequate in addressing larger Covered 
Entities' cybersecurity risks. As a result, instituting blanket 
requirements likely would not provide the most efficient and cost-
effective way of instituting appropriate cybersecurity policies and 
procedures.
    An important cost associated with this approach is the burden and 
complexity of prescribing detailed technical requirements tailored to 
the broad variety of Covered Entities that would be subject to proposed 
Rule 10. More broadly, imposing standardized requirements would 
effectively place the Commission in the role of dictating details 
related to the information technology practices of Covered Entities 
without the benefit of the Covered Entities' knowledge of their own 
particular circumstances. Moreover, given the complex and constantly 
evolving cybersecurity landscape, detailed regulatory requirements for 
cybersecurity practices would likely limit Covered Entities' ability to 
adapt quickly to changes in the cybersecurity landscape.\900\
---------------------------------------------------------------------------

    \900\ If, as in the previous example, the Commission were to 
require Covered Entities to adopt a specific encryption algorithm, 
future discovery of vulnerabilities in that algorithm would prevent 
registrants from fully mitigating the vulnerability (i.e., switching 
to improved algorithms) in the absence of Commission action.
---------------------------------------------------------------------------

d. Require Audits of Internal Controls Regarding Cybersecurity
    Instead of requiring all Market Entities to establish, maintain, 
and enforce cybersecurity policies and procedures, the Commission 
considered requiring these entities to obtain audits of the 
effectiveness of their existing cybersecurity controls--for example, 
obtaining third-party audits with respect to their cybersecurity 
practices. This approach would not require Market Entities to 
establish, maintain, and enforce written policies and procedures that 
are reasonably designed to address their cybersecurity risks as 
proposed, but instead would require Market Entities to engage an 
independent, qualified third party to assess their cybersecurity 
controls and prepare a report describing its assessment and any 
potential deficiencies.
    Under this alternative, an independent third party (e.g., an 
auditing firm) would certify to the effectiveness of the Market 
Entities' cybersecurity practices. If the firms providing such 
certifications have sufficient reputational motives to issue credible 
assessments,\901\ and if the scope of such certifications is not overly 
circumscribed,\902\ it is likely that Market Entities' cybersecurity 
practices would end up being more robust under this alternative than 
under the current proposal. By providing certification of a Market 
Entity's cybersecurity practices, a firm would--in effect--be lending 
its reputation to the Market Entity. Because ``lenders'' are naturally 
most sensitive to downside risks (here, loss of reputation, lawsuits, 
damages, and regulatory enforcement actions), one would expect them to 
avoid ``lending'' to Market Entities with cybersecurity practices whose 
effectiveness is questionable.\903\
---------------------------------------------------------------------------

    \901\ This would be the case if there was sufficient market 
pressure or regulatory requirements to obtain certification from 
``reputable'' third-parties with business models premised on 
operating as a going-concern and maintaining a reputation for 
honesty.
    \902\ In this alternative, it is assumed that certification 
would not be limited to only evaluating whether a Market Entity's 
stated policies and procedures are reasonably designed, but rather 
also would include an assessment of whether the policies and 
procedures are actually implemented in an effective manner.
    \903\ Under the proposal it is the Market Entity itself that 
effectively ``certifies'' its own cybersecurity policies and 
procedures. Like the third-party auditor, the Market Entity faces 
down-side risks from ``certifying'' inadequate cybersecurity 
practices (i.e., Commission enforcement actions). However, unlike 
the auditor, the Market Entity also realizes the potential up-side: 
cost savings through reduced cybersecurity expenditures.
---------------------------------------------------------------------------

    While certification by industry-approved third parties could lead 
to more robust cybersecurity practices, the costs of such an approach 
would likely be considerably higher. Because of the aforementioned 
sensitivity to downside risk, firms would likely be hesitant to provide 
cybersecurity certifications without a thorough understanding of a 
Market Entity's systems and practices. In many cases, developing such 
an understanding would involve considerable effort, particularly for 
certain larger and more sophisticated Covered Entities.\904\ In 
addition, there may be a need for a consensus as to what protocols 
constitute industry standards in which certifying third parties would 
need to stay proficient. Finally, while such a scenario is somewhat 
similar to the Service Provider Oversight Requirement, this alternative 
does not allow for immediate repercussions or remediation if the third 
party finds deficiencies in the Covered Entity's cybersecurity policies 
and procedures. The Commission would need to have a copy of the report 
and audit the Market Entity to ensure that Market Entity subsequently 
resolved the problem(s). This leads to an inefficient method of 
implementing reasonably

[[Page 20321]]

designed cybersecurity policies and procedures.
---------------------------------------------------------------------------

    \904\ It would be difficult for an auditor to provide a credible 
assessment of the effectiveness of the Market Entity's cybersecurity 
practices without first understanding the myriad of systems involved 
and how those practices are implemented. Presumably, a Market Entity 
would not bear these costs as it is likely to possess such an 
understanding.
---------------------------------------------------------------------------

e. Bifurcate Non-Broker-Dealer Market Entities Into Covered Entities 
and Non-Covered Entities
    The Commission considered bifurcating other categories of Market 
Entities into Covered Entities and Non-Covered Entities (in addition to 
broker-dealers) based on certain characteristics of the firm such that 
the Non-Covered Entities would not be required to include certain 
elements in their cybersecurity risk management policies and 
procedures. For example, the Commission considered defining as Non-
Covered Entities Market Entities with assets below a certain threshold 
or with only a limited number of customers, counterparties, members, 
registrants, or users. This approach also could be scaled based on a 
Covered Entity's size, business, or another criterion, similar to the 
proposed distinction between Covered Broker-Dealers and Non-Covered 
Broker-Dealers. However, as discussed above, cybersecurity risks are 
likely to be unique to each Covered Entity primarily because Covered 
Entities vary drastically based on their size, business, and the 
services they provide. It would be difficult to come up with one 
characteristic that is common to all Covered Entities such that each of 
them can be broken out into separate groups. For example, it would 
be difficult to differentiate between transfer agents the same way one 
could distinguish between large and small clearing agencies or even 
harder, national securities associations. The only effective way to 
differentiate firms within a given Covered Entity category is to choose a 
characteristic that is sensible for the type of Covered Entity.\905\
---------------------------------------------------------------------------

    \905\ For additional detail on the importance of each of the 
proposed Covered Entity's role in the U.S. securities markets, see 
section I.A.2. of this release (discussing critical operations of 
each Market Entity). See also section II.A.1. of this release 
(discussing why it would not be appropriate to exclude small 
transfer agents and certain small broker-dealers from the definition 
of Covered Entity).
---------------------------------------------------------------------------

    Finally, as discussed earlier, in determining which Market Entities 
should be Covered Entities and which should be Non-Covered Entities, 
the Commission considered: (1) how the category of Market Entity 
supports the fair, orderly, and efficient operation of the U.S. 
securities markets and the consequences if that type of Market Entity's 
critical functions were disrupted or degraded by a significant 
cybersecurity incident; (2) the harm that could befall investors, 
including retail investors, if that category of Market Entity's 
functions were disrupted or degraded by a significant cybersecurity 
incident; (3) the extent to which the category of Market Entity poses 
cybersecurity risk to other Market Entities through information system 
connections, including the number of connections; (4) the extent to 
which the category of Market Entity would be an attractive target for 
threat actors; and (5) the personal, confidential, and proprietary 
business information about the category of Market Entity and other 
persons (e.g., investors) stored on the Market Entity's information 
systems and the harm that could be caused if that information were 
accessed or used by threat actors through a cybersecurity breach.\906\ 
However, the Commission seeks comment on this topic, particularly if 
certain proposed Covered Entities should be Non-Covered Entities with 
attendant reduced requirements.\907\
---------------------------------------------------------------------------

    \906\ See section II.A.1. of this release.
    \907\ See section II.A.10. of this release.
---------------------------------------------------------------------------

f. Administration and Oversight of Cybersecurity Policies and 
Procedures of Covered Entities
    The Commission considered various alternative requirements with 
respect to administration and oversight of Covered Entities' 
cybersecurity policies and procedures, such as requiring them to 
designate a CISO (or another individual that serves in a similar 
capacity) or requiring the boards of directors (to the extent 
applicable), to oversee directly a Covered Entity's cybersecurity 
policies and procedures. There is a broad spectrum of potential 
approaches to this alternative, ranging from the largely nominal (e.g., 
requiring Covered Entities simply to designate someone to be a CISO) to 
the stringent (e.g., requiring a highly-qualified CISO to attest to the 
effectiveness of the Covered Entities' policies).
    Stringent requirements, such as requiring an attestation from a 
highly qualified CISO as to the effectiveness of a Covered Entity's 
cybersecurity practices in specific enumerated areas, could be quite 
effective. Expert practitioners in cybersecurity are in high demand and 
command high salaries.\908\ Thus, such an approach would impose 
substantial ongoing costs on Covered Entities who do not already have 
appropriately qualified individuals on staff. This burden would be 
disproportionately borne by smaller Covered Entities, such as small 
Covered Broker-Dealers or small transfer agents, for whom keeping a 
dedicated CISO on staff would be cost prohibitive. Allowing Covered 
Entities to employ part-time CISOs would mitigate this cost burden, but 
such requirements would likely create a de facto audit regime. Such an 
audit regime would certainly be more effective if explicitly designed 
to function as such.\909\
---------------------------------------------------------------------------

    \908\ A recent survey reports CISO median total compensation of 
$668,903 for CISOs at companies with revenues of $5 billion or less. 
See Matt Aiello and Scott Thompson, 2020 North American Chief 
Information Security Officer (CISO) Compensation Survey (2020), 
available at https://www.heidrick.com/-/media/heidrickcom/publications-and-reports/2020-north-american-chief-information-security-officer-ciso-compensation-survey.pdf.
    \909\ In designing an effective audit regime, aligning 
incentives of auditors to provide credible assessments is a central 
concern. In the context of audit regimes, barriers to entry and the 
reputation motives of auditing firms help align incentives. It 
would be considerably more difficult to obtain similar incentive 
alignment with itinerant part-time CISOs. See section IV.F.1.e. of 
this release (describing the audit regime alternative).
---------------------------------------------------------------------------

2. Alternatives to the Requirements of Proposed Form SCIR and Related 
Notification and Disclosure Requirements of Proposed Rule 10
a. Public Disclosure of Part I of Proposed Form SCIR
    The Commission considered requiring the public disclosure of Part I 
of proposed Form SCIR. Making Part I of proposed Form SCIR filings 
public would increase the knowledge of a Covered Entity's customers, 
counterparties, members, registrants, or users about significant 
cybersecurity incidents impacting the Covered Entity and thus improve 
their ability to draw inferences about a Covered Entity's level of 
cybersecurity preparations. At the same time, doing so could assist 
would-be threat actors, who may gain additional insight into the 
vulnerabilities of a Covered Entity's system. As discussed above, 
releasing too much detail about a significant cybersecurity incident 
could further compromise cybersecurity of the victim, especially in the 
short term.\910\ Given these risks, requiring public disclosure of Part 
I of proposed Form SCIR filings would likely have the effect of 
incentivizing Covered Entities to significantly reduce the detail 
provided in these filings. As a result, the information set of 
customers, counterparties, members, registrants, users, and would-be 
attackers would remain largely unchanged (vis-à-vis the 
proposal), while the ability of the Commission to facilitate 
information sharing and to coordinate responses aimed at reducing 
overall risks to the financial system would be diminished.
---------------------------------------------------------------------------

    \910\ See section IV.B. of this release.
---------------------------------------------------------------------------

[[Page 20322]]

b. Modify the Standard Identifier Requirements for Proposed Form SCIR
    In addition to proposing to require Covered Entities to identify 
themselves on Parts I and II of proposed Form SCIR with CIK numbers, 
the proposed rule requests that Covered Entities with a UIC--such as an 
LEI--include that identifier, if available, on both parts of proposed 
Form SCIR. Those Covered Entities that do not have a UIC may file 
either part of proposed Form SCIR without a UIC; they are not required 
to obtain a UIC prior to filing proposed Form SCIR.
    The Commission considered modifying the requirement that Covered 
Entities identify themselves on proposed Form SCIR with CIK numbers and 
UICs (if they have UICs). For example, the Commission could eliminate 
the requirement that Covered Entities identify themselves on the forms 
with a standard identifier, or the Commission could allow Covered 
Entities to select a different standard identifier (or identifiers) 
other than CIK numbers or UICs (if available). Alternatively, the 
Commission could require the use of only one proposed standard 
identifier--either CIK numbers, UICs (which would require Covered 
Entities to obtain a UIC--such as an LEI--if they do not have 
one),\911\ or some other standard identifier. CIK numbers are 
necessary to file in EDGAR and, as discussed earlier, the Commission 
anticipates that significant benefits would flow from requiring Parts I 
and II of proposed Form SCIR to be filed centrally in EDGAR using a 
structured data language. Accordingly, the Commission's proposal would 
require Covered Entities to identify themselves on the forms with CIK 
numbers. One limitation of CIK numbers, however, is that they are a 
Commission-specific identifier, which limits their utility for 
aggregating, analyzing, and comparing financial market data involving 
market participants that are not Commission registrants and EDGAR 
filers.
---------------------------------------------------------------------------

    \911\ Further, the Commission recognizes that some Covered 
Entities may not have LEIs, which means that those Covered Entities 
would have to register with a Local Operating Unit (``LOU'') of the 
Global LEI System and pay fees initially and annually to obtain and 
renew the LEI. See LEIROC, How To Obtain an LEI, available at 
https://www.leiroc.org/lei/how.htm. A list of LOUs accredited by 
GLEIF can be found at https://www.gleif.org/en/about-lei/get-an-lei-find-lei-issuing-organizations. Currently, U.S. entities may obtain 
an LEI for a one-time fee of $65 and an annual renewal fee of $50. 
See Bloomberg Finance L.P., Fees, Payments & Taxes (2022), available 
at https://lei.bloomberg.com/docs/faq#what-fees-are-involved.
---------------------------------------------------------------------------

    While the proposed rule does not require the inclusion of UICs on 
proposed Form SCIR for those Covered Entities that do not have a UIC, 
the Commission notes that the use of UICs would be beneficial because 
the LEI, as a Commission-approved UIC, is a low-cost, globally-utilized 
financial institution identifier that is available even to firms that 
are not EDGAR filers or Commission registrants. For that reason, the 
Commission considered proposing to require that every Covered Entity 
that would need to file Part I or II of proposed Form SCIR identify 
itself with a UIC. There is benefit to including a UIC on proposed 
Form SCIR. Among the alternative entity identifier policy 
choices considered, requiring Covered Entities to identify themselves 
on Parts I and II of proposed Form SCIR with a UIC is superior to other 
alternatives, such as not requiring an entity identifier on proposed 
Form SCIR or requiring only CIK numbers. Specifically, the mandatory 
inclusion of a UIC on (Parts I and II of) proposed Form SCIR could 
allow for greater inter-governmental and international coordination of 
responses to cybersecurity incidents affecting financial institutions 
globally because the LEI is a globally-utilized digital identifier that 
is not specific to the Commission. Other regulatory entities and 
bodies, including the CFTC, Alberta Securities Commission (Canada), 
European Markets and Securities Authority, and Monetary Authority of 
Singapore, require the use of an LEI.\912\ Another benefit of the LEI 
is that the legal entity's identity is verified by a third party upon 
issuance of the LEI and upon annual renewal of the LEI. Additionally, 
LEIs contain ``Level 2'' information about the linkages between the 
entities being identified and their various parents and subsidiaries, 
which is particularly beneficial considering that some financial firms 
and Commission registrants have complex, interlocking relationships 
with affiliates and subsidiaries that can be different types of 
Commission-regulated firms.
---------------------------------------------------------------------------

    \912\ In addition, the FSB has stated that ``[t]he use of the 
LEI in regulatory reporting can significantly improve the ability of 
the public sector to understand and identify the build-up of risk 
across multiple jurisdictions and across complex global financial 
processes.'' FSB Peer Review Report.
---------------------------------------------------------------------------

    A UIC requirement for Parts I and II of proposed Form SCIR would 
not impose additional costs on those Covered Entities that already have 
an LEI. For those Covered Entities that do not have an LEI, they would 
need to obtain one before filing either part of proposed Form SCIR. An 
LEI can be obtained for a $65 initial cost and a $50 per year renewal 
cost.\913\ There also are administrative costs associated with filling 
out the paperwork to obtain the LEI as well as to process payments for 
the initial issuance of an LEI and its maintenance. The Commission 
expects that this cost would be small relative to the benefit that 
could be reaped if a significant cybersecurity incident were to occur 
that impacted financial institutions across multiple domestic and 
international jurisdictions.
    After considering the benefits and costs of requiring the LEI as an 
identifier for all Covered Entities via a UIC requirement, the 
Commission is proposing to require Covered Entities to identify 
themselves with a UIC on proposed Form SCIR only if they already have a 
UIC so as to minimize the burden on Covered Entities and because 
multiple other Commission disclosure forms also only require 
registrants to identify themselves with UICs if they already have 
UICs.\914\ In conclusion, requiring Covered Entities to identify 
themselves on both parts of proposed Form SCIR with a CIK and with a 
UIC (i.e., the LEI) if they already have a UIC is consistent with the 
existing regulatory framework.
---------------------------------------------------------------------------

    \914\ Covered Entities that do not have an LEI may obtain one if 
they so choose.
---------------------------------------------------------------------------

    Although CIK numbers and UICs (such as in the form of LEIs) are the 
primary two entity standard identifiers used in Commission regulations, 
the Commission could instead propose to require Covered Entities to 
identify themselves with an alternative entity identifier other than 
CIK numbers and UICs for the proposed rule. For the reasons stated 
above, there are benefits from the use of CIK numbers (i.e., CIK 
numbers enable EDGAR filing, which facilitates aggregation and analysis 
of the information) and LEIs (i.e., the LEI is an affordable, 
international standard identifier that facilitates information 
sharing). Accordingly, the Commission decided against proposing to 
require the use of another standard entity identifier for the purposes 
of this proposal.
c. Require Only One Location for the Public Disclosures
    Rather than requiring Covered Entities to publicly disclose their 
cybersecurity risks and significant cybersecurity incidents during the 
current or previous calendar year both on their websites and also file 
that information centrally on Part II of proposed Form SCIR in EDGAR, 
the Commission considered requiring that Covered Entities provide the 
public disclosures on their websites only.
    Requiring Covered Entities to place the cybersecurity disclosures 
only on their websites could provide modest,

[[Page 20323]]

incremental reductions in the burdens associated with providing those 
disclosures both on Covered Entity websites and through filing Part II 
of proposed Form SCIR with the Commission. Additionally, the websites 
of Covered Entities might be the natural place for their customers, 
counterparties, members, registrants, or users to look for information 
about the Covered Entity. Alternatively, requiring Covered Entities to 
place their cybersecurity disclosures (Part II of Form SCIR) only in 
EDGAR in a structured data language also could provide modest, 
incremental reductions in the burdens associated with placing those 
disclosures on their websites.
    Accordingly, the Commission is proposing to require Covered 
Entities to provide the information both on their websites and in EDGAR 
on Part II of proposed Form SCIR.\915\ Publication on Covered Entity 
websites is advantageous because that is where many Covered Entities' 
customers, counterparties, members, registrants, or users will look for 
information about their financial intermediaries. Centralized filing of 
structured public disclosures of cybersecurity risks and significant 
cybersecurity incidents during the current or previous calendar year in 
EDGAR by Covered Entities would enable customers, counterparties, 
members, registrants, and users, as well as financial analysts--and 
even the Covered Entities themselves--to more efficiently discern broad 
trends in cybersecurity risks and incidents, which would enable Covered 
Entities and other market participants to more efficiently determine if 
they need to modify, change, or upgrade their cybersecurity defense 
measures in light of those trends. Accordingly, the Commission is 
proposing to require Covered Entities to publish the required 
cybersecurity disclosures on their websites and provide the information 
in Part II of proposed Form SCIR, which would be filed in EDGAR using a 
custom XML.
---------------------------------------------------------------------------

    \915\ The Commission is seeking comment on this topic. See 
section II.B.3.c. of this release.
---------------------------------------------------------------------------

d. Modify the Location of the EDGAR-Filed Public Cybersecurity 
Disclosures for Some Covered Entities
    Rather than requiring Covered Entities to provide the public 
cybersecurity disclosures in EDGAR using Part II of proposed Form SCIR, 
the Commission considered requiring Covered Entities that currently are 
required to file forms in EDGAR to provide the disclosures in 
structured attachments to existing EDGAR-filed forms. Currently, only 
SBS Entities and transfer agents are required to file EDGAR forms. 
SBSDs and MSBSPs must file in EDGAR registration applications on Form 
SBSE, SBSE-A, or SBSE-BD, amendments to those Forms if the information 
in them is or has become inaccurate, and certifications on Form SBSE-
C.\916\ As discussed above, Commission regulations require SBSDRs to 
file Form SDR in EDGAR but the Commission temporarily relieved SBSDRs 
of the EDGAR-filing requirement. Transfer agents file Forms TA-1, TA-2, 
and TA-W in EDGAR in a custom XML.\917\ The Commission considered 
permitting those types of Covered Entities that are not currently 
subject to an EDGAR-filing requirement to file the cybersecurity 
disclosures only on their individual firm websites (without needing to 
also file the disclosures in EDGAR). Therefore, rather than requiring 
all Covered Entities to file the cybersecurity disclosures using Part 
II of proposed Form SCIR, the Commission could require Covered Entities 
that are SBS Entities or transfer agents to provide the same 
information as structured attachments to Form SBSE (for SBS Entities) 
and Form TA-1 (for transfer agents). Likewise, the Commission could 
require SBSDRs to file the cybersecurity disclosures as attachments to 
Form SDR once the Commission's temporary relief from the EDGAR-filing 
requirement expires.
---------------------------------------------------------------------------

    \916\ See Instruction A.2 to Form SBSE, Instruction A.2 to Form 
SBSE-A, Instruction A.3 to Form SBSE-BD, and Instruction A.2 to Form 
SBSE-C.
    \917\ See Commission, Electronic Filing of Transfer Agent Forms 
(Nov. 14, 2007), available at https://www.sec.gov/info/edgar/ednews/ta-filing.htm.
---------------------------------------------------------------------------

    Requiring all Covered Entities to provide the disclosures on a 
single, uniform form would likely be simpler (because the information 
would be in one location)--and thereby more efficient--for the 
Commission, Covered Entities, and others who might seek the information 
in the cybersecurity disclosures (including Covered Entities' users, 
members, customers, or counterparties) than putting the cybersecurity 
disclosures in attachments on disparate forms and (for those firms not 
subject to EDGAR-filing requirements) on individual Covered Entity 
websites.
e. Modify the Structured Data Requirement for the Public Cybersecurity 
Disclosures
    Rather than requiring Covered Entities to file Part II of proposed 
Form SCIR in EDGAR using a custom XML, the Commission could either 
eliminate the structured data language requirement for some or all 
Covered Entities or require the use of a different structured data 
language, such as Inline XBRL.\918\ For example, the Commission could 
eliminate the requirement that Covered Entities file Part II of 
proposed Form SCIR in a custom XML or in any structured data language. 
By eliminating the structured data requirement, the Commission would 
allow Covered Entities to submit the new cybersecurity disclosures in 
unstructured HTML or ASCII, thereby avoiding the need to put the 
information for Part II of proposed Form SCIR into a fillable web form 
that EDGAR would use to generate the custom XML filing, or instead file 
Part II of proposed Form SCIR directly in custom XML using the XML 
schema for proposed Form SCIR, as published on the Commission's 
website.
---------------------------------------------------------------------------

    \918\ XBRL is a structured data language that is specifically 
designed to handle business-related information, including financial 
information, entity descriptions, corporate actions, ledgers and 
sub-ledgers, and other summary and ledger-level information. By 
comparison, Inline XBRL is a structured data language that embeds 
XBRL data directly into an HTML document, enabling a single document 
to provide both human-readable and structured machine-readable data.
---------------------------------------------------------------------------

    Another option is that the Commission could remove the structured 
data filing requirement for some subset of Covered Entities. For 
example, the Commission could instead require only certain types of 
Covered Entities, such as national securities exchanges or SBS 
Entities, to file Part II of proposed Form SCIR in a custom XML. 
Alternatively, the Commission could require the use of a structured 
data language only for those Covered Entities that exceeded some 
threshold, be it assets or trading volumes, depending on the type of 
Covered Entity in question. Eliminating the requirement that Part II of 
proposed Form SCIR be filed in a structured data language, however, 
would reduce the benefits of the proposed rule because the use of a 
structured data language would make the information contained in Part 
II of proposed Form SCIR easier and more efficient for Commission 
staff--as well as the Covered Entity's customers, counterparties, 
members, registrants, or users--to assemble, review, and analyze. 
Financial analysts at third-party information providers also could use 
the public disclosures to produce analyses and reports that market 
participants may find useful.
    The Commission could require Covered Entities to file Part II of 
proposed Form SCIR in Inline XBRL rather than in custom XML on the 
grounds that Inline XBRL is an internationally-recognized freely 
available industry standard for reporting business-related information 
and a data

[[Page 20324]]

language that allows EDGAR filers to prepare single documents that are 
both human-readable and machine-readable, particularly in connection 
with forms containing publicly-available registrant financial 
statements. The Commission believes that the use of a form-specific XML 
would be appropriate here given the relative simplicity of Part II of 
proposed Form SCIR disclosures and the ability for EDGAR to provide 
fillable web forms for entities to comply with their custom XML 
requirements, leading to a lower burden of compliance for Covered 
Entities without Inline XBRL experience.
3. General Request for Comment
    The Commission requests comment on the benefits and costs 
associated with the alternatives outlined above.

V. Paperwork Reduction Act Analysis

    Certain provisions of the proposed rule, form, and rule amendments 
in this release would contain a new ``collection of information'' 
within the meaning of the Paperwork Reduction Act of 1995 
(``PRA'').\919\ The Commission is submitting the proposed rule 
amendments and proposed new rules to the Office of Management and 
Budget (``OMB'') for review and approval in accordance with the PRA and 
its implementing regulations.\920\ An agency may not conduct or 
sponsor, and a person is not required to respond to a collection of 
information unless it displays a currently valid OMB control 
number.\921\ The titles for the collections of information are:
---------------------------------------------------------------------------

    \919\ See 44 U.S.C. 3501 et seq.
    \920\ See 44 U.S.C. 3507; 5 CFR 1320.11.
    \921\ See 5 CFR 1320.11(l).
---------------------------------------------------------------------------

    (1) Rule 10;
    (2) Form SCIR;
    (3) Rule 17a-4--Records to be preserved by certain exchange 
members, brokers and dealers (OMB control number 3235-0279);
    (4) Rule 17ad-7--Record retention (OMB control number 3235-0291);
    (5) Rule 18a-6--Records to be preserved by certain security-based 
swap dealers and major security-based swap participants (OMB control 
number 3235-0751); and
    (6) Rule 3a71-6--Substituted Compliance for Foreign Security-Based 
Swap Entities (OMB control number 3235-0715).
    The burden estimates contained in this section do not include any 
other possible costs or economic effects beyond the burdens required to 
be calculated for PRA purposes.

A. Summary of Collections of Information

1. Proposed Rule 10
    Proposed Rule 10 would require all Market Entities (Covered 
Entities and non-Covered Entities) to establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
their cybersecurity risks.\922\ All Market Entities also, at least 
annually, would be required to review and assess the design and 
effectiveness of their cybersecurity policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review.\923\ They also would 
be required to prepare a report (in the case of Covered Entities) and a 
record (in the case of non-Covered Entities) with respect to the annual 
review.\924\ Finally, all Market Entities would need to give the 
Commission immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the significant cybersecurity incident has occurred or is 
occurring.\925\
---------------------------------------------------------------------------

    \922\ See paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Market Entities that meet the 
definition of ``covered entity''); paragraph (e)(1) of proposed Rule 
10. See also Sections II.B.1 and II.C. of this release (discussing 
these proposed requirements in more detail).
    \923\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10. See also Sections II.B.1.f. and II.C. of this 
release (discussing these proposed requirements in more detail).
    \924\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1) 
of proposed Rule 10. See also Sections II.B.1.f. and II.C. of this 
release (discussing these proposed requirements in more detail).
    \925\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2) 
of proposed Rule 10. See also sections II.B.2.a. and II.C. of this 
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Market Entities that meet the definition of ``covered entity'' 
would be subject to certain additional requirements under proposed Rule 
10.\926\ First, their cybersecurity risk management policies and 
procedures would need to include the following elements:
---------------------------------------------------------------------------

    \926\ See paragraph (b) through (d) of proposed Rule 10 (setting 
forth the requirements for Market Entities that meet the definition 
of ``covered entity''); paragraph (e) of proposed Rule 10 (setting 
forth the requirements for Market Entities that do not meet the 
definition of ``covered entity'').
---------------------------------------------------------------------------

    • Periodic assessments of cybersecurity risks associated 
with the Covered Entity's information systems and written documentation 
of the risk assessments;
    • Controls designed to minimize user-related risks and 
prevent unauthorized access to the Covered Entity's information 
systems;
    • Measures designed to monitor the Covered Entity's 
information systems and protect the Covered Entity's information from 
unauthorized access or use, and oversight of service providers that 
receive, maintain, or process information, or are otherwise permitted 
to access the Covered Entity's information systems;
    • Measures to detect, mitigate, and remediate any 
cybersecurity threats and vulnerabilities with respect to the Covered 
Entity's information systems; and
    • Measures to detect, respond to, and recover from a 
cybersecurity incident and written documentation of any cybersecurity 
incident and the response to and recovery from the incident.\927\
---------------------------------------------------------------------------

    \927\ See sections II.B.1.a. through II.B.1.e. of this release 
(discussing these proposed requirements in more detail). In the case 
of non-Covered Entities, as discussed in more detail below in 
Section II.C. of this release, the design of the cybersecurity risk 
management policies and procedures would need to take into account 
the size, business, and operations of the broker-dealer. See 
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------

    Second, Covered Entities--in addition to providing the Commission 
with immediate written electronic notice of a significant cybersecurity 
incident--would need to report and update information about the 
significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission through the EDGAR system.\928\ The form would 
elicit information about the significant cybersecurity incident and the 
Covered Entity's efforts to respond to, and recover from, the incident.
---------------------------------------------------------------------------

    \928\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Third, Covered Entities would need to publicly disclose summary 
descriptions of their cybersecurity risks and the significant 
cybersecurity incidents they experienced during the current or previous 
calendar year on Part II of proposed Form SCIR.\929\ The form would 
need to be filed with the Commission through the EDGAR system and 
posted on the Covered Entity's business internet website and, in the 
case of Covered Entities that are carrying or introducing broker-
dealers, provided to customers at account opening and annually 
thereafter.
---------------------------------------------------------------------------

    \929\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Covered Entities and Non-Covered Entities would need to preserve 
certain records relating to the requirements of proposed Rule 10 in 
accordance with amended or existing recordkeeping requirements 
applicable to them or, in the case of exempt clearing agencies,

[[Page 20325]]

pursuant to conditions in relevant exemption orders.\930\
---------------------------------------------------------------------------

    \930\ See sections II.B.5. and II.C. of this release (discussing 
these proposed requirements in more detail).
---------------------------------------------------------------------------

2. Form SCIR
    Proposed Rule 10 would require Covered Entities to: (1) report and 
update information about a significant cybersecurity incident; \931\ 
and (2) publicly disclose summary descriptions of their cybersecurity 
risks and the significant cybersecurity incidents they experienced 
during the current or previous calendar year.\932\ Parts I and II of 
proposed Form SCIR would be used by Covered Entities, respectively, to 
report and update information about a significant cybersecurity 
incident and publicly disclose summary descriptions of their 
cybersecurity risks and the significant cybersecurity incidents they 
experienced during the current or previous calendar year.
---------------------------------------------------------------------------

    \931\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
    \932\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

3. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
    Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers, 
transfer agents, and SBS Entities, respectively--would be amended to 
establish preservation and maintenance requirements for the written 
policies and procedures, annual reports, Parts I and II of proposed 
Form SCIR, and records required to be made pursuant to proposed Rule 10 
(i.e., the Rule 10 Records).\933\ The proposed amendments would specify 
that the Rule 10 Records must be retained for three years. In the case 
of the written policies and procedures to address cybersecurity risks, 
the record would need to be maintained until three years after the 
termination of the use of the policies and procedures. In addition, 
orders exempting certain clearing agencies from registering with the 
Commission would be amended to establish preservation and maintenance 
requirements for the Rule 10 Records that would apply to the exempt 
clearing agencies subject to those orders.\934\ The amendments to the 
orders would provide that the records need to be retained for five 
years (consistent with Rules 13n-7 and 17a-1).\935\ In the case of the 
written policies and procedures to address cybersecurity risks, the 
record would need to be maintained until five years after the 
termination of the use of the policies and procedures.
---------------------------------------------------------------------------

    \933\ See sections II.B.5. and II.C. of this release (discussing 
these proposed amendments in more detail). Rule 17a-4 sets forth 
record preservation and maintenance requirements for broker-dealers, 
Rule 17ad-7 sets forth record preservation and maintenance 
requirements for transfer agents, and Rule 18a-6 sets forth record 
preservation and maintenance requirements for SBS Entities.
    \934\ See section II.B.5. of this release (discussing these 
proposed amendments in more detail).
    \935\ For the reasons discussed in section II.B.5.a. of this 
release, the proposal would not amend Rules 13n-7 or 17a-1. As 
explained in that section of the release, the existing requirements 
of Rule 13n-7 (which applies to SBSDRs) and Rule 17a-1 (which 
applies to registered clearing agencies, the MSRB, national 
securities associations, and national securities exchanges) will 
require these Market Entities to retain the Rule 10 Records for five 
years and, in the case of the written policies and procedures, for 
five years after the termination of the use of the policies and 
procedures.
---------------------------------------------------------------------------

4. Substituted Compliance (Rule 3a71-6)
    Paragraph (d)(1) of Rule 3a71-6 would be amended to add proposed 
Rule 10 and Form SCIR to the list of Commission requirements eligible 
for a substituted compliance determination.\936\ If adopted, this 
amendment together with existing paragraph (d)(6) of Rule 3a71-6 would 
permit eligible SBS Entities to file an application requesting that the 
Commission make a determination that compliance with specified 
requirements under a foreign regulatory system may satisfy the 
requirements of proposed Rule 10, Form SCIR, and the related record 
preservation requirements. As provided by Exchange Act Rule 0-13,\937\ 
which the Commission adopted in 2014,\938\ applications for substituted 
compliance determinations must be accompanied by supporting 
documentation necessary for the Commission to make the determination, 
including information regarding applicable requirements established by 
the foreign financial regulatory authority or authorities, as well as 
the methods used by the foreign financial regulatory authority or 
authorities to monitor and enforce compliance; applications should cite 
to and discuss applicable precedent.\939\
---------------------------------------------------------------------------

    \936\ See section II.D. of this release (discussing these 
proposed amendments in more detail).
    \937\ 17 CFR 240.0-13.
    \938\ See SBS Entity Definitions Adopting Release, 79 FR at 
47357-59.
    \939\ See 17 CFR 240.0-13(e). In adopting Rule 0-13, the 
Commission noted that because Rule 0-13 was a procedural rule that 
did not provide any substituted compliance rights, ``collections of 
information arising from substituted compliance requests, including 
associated control numbers, [would] be addressed in connection with 
any applicable substantive rulemakings that provide for substituted 
compliance.'' See SBS Entity Definitions Adopting Release, 79 FR at 
47366 n.778.
---------------------------------------------------------------------------

B. Proposed Use of Information

    The proposed requirements to have written policies and procedures 
to address cybersecurity risks, to document risk assessments and 
significant cybersecurity incidents, to create a report or record of 
the annual review of the policies and procedures, to provide immediate 
notification and subsequent reporting of significant cybersecurity 
incidents, to publicly disclose summary descriptions of cybersecurity 
risks and significant cybersecurity incidents, and to preserve the 
written policies and procedures, reports, and records would constitute 
collection of information requirements under the PRA. Collectively, 
these collections of information are designed to address cybersecurity 
risk and the threat it poses to Market Entities and the U.S. securities 
markets.
    Market Entities would use the written policies and procedures, the 
records required to be made pursuant to those policies and procedures, 
and the report or record of the annual review of the policies and 
procedures to address the specific cybersecurity risks to which they 
are exposed. The Commission could use the written policies and 
procedures, reports, and records to review Market Entities' compliance 
with proposed Rule 10.
    Market Entities would use the immediate written electronic 
notifications to notify the Commission (and, in some cases, other 
regulators) about significant cybersecurity incidents they experience 
pursuant to proposed Rule 10. The Commission could use the immediate 
written electronic notification to promptly begin to assess the 
situation by, for example and when warranted, assessing the Market 
Entity's operating status and engaging in discussions with the Market 
Entity to better understand what steps it is taking to protect its 
customers, counterparties, members, registrants, or users.
    Covered Entities would use Part I of proposed Form SCIR to report 
to the Commission (and, in some cases, other regulators) significant 
cybersecurity incidents they experienced pursuant to proposed Rule 10. 
The Commission could use the reports of significant cybersecurity 
incidents filed using Part I of proposed Form SCIR to understand better 
the nature and extent of a particular significant cybersecurity 
incident and the efficacy of the Covered Entity's response to mitigate 
the disruption and harm caused by the incident. The Commission staff 
could use the reports to focus on the Covered Entity's operating status 
and to facilitate their outreach to, and discussions with,

[[Page 20326]]

personnel at the Covered Entity who are addressing the significant 
cybersecurity incident. In addition, the reporting would provide the 
staff with a view into the Covered Entity's understanding of the scope 
and impact of the significant cybersecurity incident. All of this 
information would be used by the Commission and its staff in assessing 
the significant cybersecurity incident impacting the Covered Entity. 
Further, the Commission would use the database of reports to assess 
the potential cybersecurity risks affecting U.S. securities markets 
more broadly. This information could be used to address future 
significant cybersecurity incidents. For example, these reports could 
assist the Commission in identifying patterns and trends across Covered 
Entities, including widespread cybersecurity incidents affecting 
multiple Covered Entities at the same time. Further, the reports could 
be used to evaluate the effectiveness of various approaches to respond 
to and recover from a significant cybersecurity incident.
    Covered Entities would use Part II of proposed Form SCIR to 
publicly disclose summary descriptions of their cybersecurity risks and 
the significant cybersecurity incidents they experienced during the 
current or previous calendar year pursuant to proposed Rule 10. These 
disclosures would be used to provide greater transparency to customers, 
counterparties, registrants, or members of the Covered Entity, or to 
users of its services, about the Covered Entity's cybersecurity risk 
profile. This information could be used by these persons to manage 
their own cybersecurity risk and, to the extent they have choice, 
select a Covered Entity with whom to transact or otherwise conduct 
business. In addition, because the reports would be filed through 
EDGAR, Covered Entities' customers, counterparties, members, 
registrants, or users would be able to run search queries to compare 
the disclosures of multiple Covered Entities. This would make it easier 
for Commission staff and others to assess the cybersecurity risk 
profiles of different types of Covered Entities and could facilitate 
trend analysis by members of the public of significant cybersecurity 
incidents.
    Under the proposed amendment to Rule 3a71-6, the Commission would 
use the information collected to evaluate requests for substituted 
compliance with respect to proposed Rule 10, Form SCIR, and the related 
record preservation requirements applicable to SBS Entities. Consistent 
with Exchange Act Rule 0-13(h),\940\ the Commission would publish in 
the Federal Register a notice that a complete application had been 
submitted, and provide the public the opportunity to submit to the 
Commission any information that relates to the Commission action 
requested in the application, subject to appropriate requests for 
confidential treatment being submitted pursuant to any applicable 
provisions governing confidentiality under the Exchange Act.\941\
---------------------------------------------------------------------------

    \940\ 17 CFR 240.0-13(h).
    \941\ See section V.F of this release.
---------------------------------------------------------------------------

C. Respondents

    The following table summarizes the estimated number of respondents 
that would be subject to the proposed Rule 10, Form SCIR, and 
recordkeeping burdens.

------------------------------------------------------------------------
                   Type of registrant                         Number
------------------------------------------------------------------------
Covered Broker-Dealers..................................           1,541
Non-Covered Broker-Dealers..............................           1,969
Clearing agencies and exempt clearing agencies..........              16
MSRB....................................................               1
National securities exchanges...........................              24
National securities associations........................               1
SBS Entities............................................              50
SBSDRs..................................................               3
Transfer agents.........................................             353
                                                         ---------------
    Total Covered Entities..............................           1,989
    Total Non-Covered Broker-Dealers....................           1,969
    Total Respondents...................................           3,958
------------------------------------------------------------------------

    The respondents subject to these collection of information 
requirements include the following:
1. Broker-Dealers
    Each broker-dealer registered with the Commission would be subject 
to proposed Rule 10 as either a Covered Entity or a Non-Covered Broker-
Dealer. As of September 30, 2022, there were 3,510 broker-dealers 
registered with the Commission.\942\ The Commission estimates that 
1,541 of these broker-dealers would be Covered Entities under the 
proposed rule because they fit within one or more of the following 
categories: carrying broker-dealer; broker-dealer that introduces 
customer accounts to a carrying broker-dealer on a fully disclosed 
basis; broker-dealer with regulatory capital equal to or exceeding $50 
million; broker-dealer with total assets equal to or exceeding $1 
billion; broker-dealer that operates as a market maker under the 
securities laws; or a broker-dealer that operates as an ATS.\943\ The 
Commission estimates that 1,969 broker-dealers (i.e., the remaining 
broker-dealers registered with the Commission) would be Non-Covered 
Broker-Dealers for purposes of the rules.
---------------------------------------------------------------------------

    \942\ This estimate is derived from broker-dealer FOCUS filings 
and ATS Form ATS-R quarterly reports as of September 30, 2022.
    \943\ Id.
---------------------------------------------------------------------------

2. Clearing Agencies
    With regard to clearing agencies, respondents under these rules 
are: (1) nine registered clearing agencies; \944\ and (2) five exempt 
clearing agencies.\945\ The Commission estimates for purposes of the 
PRA that two additional entities may seek to register as a clearing 
agency in the next three years, and so for purposes of this proposal 
the Commission has assumed sixteen total

[[Page 20327]]

clearing agency and exempt clearing agency respondents.
---------------------------------------------------------------------------

    \944\ The registered and active clearing agencies are: (1) DTC; 
(2) FICC; (3) NSCC; (4) ICC; (5) ICEEU; (6) the Options Clearing 
Corp.; and (7) LCH SA. The clearing agencies that are registered 
with the Commission but conduct no clearance or settlement 
operations are: (1) BSECC; and (2) SCCP.
    \945\ The exempt clearing agencies that provide matching 
services are: (1) DTCC ITP Matching U.S. LLC; (2) Bloomberg STP LLC; 
(3) SS&C Technologies, Inc.; (4) Euroclear Bank SA/NV; and (5) 
Clearstream Banking, S.A.
---------------------------------------------------------------------------

3. The MSRB
    The sole respondent to the proposed collection of information for 
the MSRB is the MSRB itself.
4. National Securities Exchanges and National Securities Associations
    The respondents to the proposed collections of information for 
national securities exchanges and national securities associations 
would be the 24 national securities exchanges currently registered with 
the Commission under section 6 of the Exchange Act,\946\ and the one 
national securities association currently registered with the 
Commission under section 15A of the Exchange Act.\947\
---------------------------------------------------------------------------

    \946\ See 15 U.S.C. 78f. The national securities exchanges 
registered with the Commission are: (1) BOX Options Exchange LLC; 
(2) Cboe BZX Exchange, Inc.; (3) Cboe BYX Exchange, Inc.; (4) Cboe 
C2 Exchange, Inc.; (5) Cboe EDGA Exchange, Inc.; (6) Cboe EDGX, 
Inc.; (7) Cboe Exchange, Inc.; (8) Investors Exchange Inc.; (9) 
Long-Term Stock Exchange, Inc.; (10) MEMX, LLC; (11) Miami 
International Securities Exchange LLC; (12) MIAX PEARL, LLC; (13) 
MIAX Emerald, LLC; (14) NASDAQ BX, Inc.; (15) NASDAQ GEMX, LLC; (16) 
NASDAQ ISE, LLC; (17) NASDAQ MRX, LLC; (18) NASDAQ PHLX LLC; (19) 
The NASDAQ Stock Market LLC; (20) New York Stock Exchange LLC; (21) 
NYSE MKT LLC; (22) NYSE Arca, Inc.; (23) NYSE Chicago Stock 
Exchange, Inc.; and (24) NYSE National, Inc.
    \947\ See 15 U.S.C. 78o-3. The one national securities 
association registered with the Commission is FINRA.
---------------------------------------------------------------------------

5. SBS Entities
    As of January 4, 2023, 50 SBSDs have registered with the 
Commission, while no MSBSPs have registered with the Commission.\948\ 
Of the 50 SBSDs that have registered with the Commission, 7 entities 
are also broker-dealers.\949\
---------------------------------------------------------------------------

    \948\ See List of Registered Security-Based Swap Dealers and 
Major Security-Based Swap Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.
    \949\ A Covered Entity that is both a broker-dealer and an SBS 
Entity (which includes all seven of these broker-dealers) will have 
burdens with respect to the proposed rule, Form SCIR, and 
recordkeeping amendments as they apply to both its broker-dealer 
business and its security-based swap business. Therefore, such 
``dual-hatted'' entities will be counted as both Covered Entities 
that are broker-dealers and as SBS Entities for purposes of the PRA.
---------------------------------------------------------------------------

    Requests for a substituted compliance determination under Rule 
3a71-6 with respect to the proposed Rule 10, Form SCIR, and the related 
record preservation requirements may be filed by foreign financial 
authorities, or by non-U.S. SBSDs or MSBSPs. The Commission had 
previously estimated that there may be approximately 22 non-U.S. 
entities that may potentially register as SBSDs, out of approximately 
50 total entities that may register as SBSDs.\950\ Potentially all non-
U.S. SBSDs, or some subset thereof, may seek to rely on a substituted 
compliance determination in connection with the proposed cybersecurity 
risk management requirements.\951\ However, the Commission had expected 
that the great majority of substituted compliance applications would be 
submitted by foreign authorities \952\ given their expertise in 
connection with the relevant substantive requirements, and in 
connection with their supervisory and enforcement oversight with regard 
to SBSDs and their activities.\953\ The Commission expected that very 
few substituted compliance requests would come from SBS Entities.\954\ 
For purposes of PRA assessments, the Commission estimated that three 
SBS Entities would submit such applications.\955\ Although, as of 
January 4, 2023, 30 entities had identified themselves as a nonresident 
SBSD in their application for registration with the Commission,\956\ 
the Commission has issued only one order in response to a request for 
substituted compliance from potential registrants.\957\ The Commission 
continues to believe that its estimate that three such entities will 
submit applications remains appropriate for purposes of this PRA 
assessment because applicants may file additional requests.
---------------------------------------------------------------------------

    \950\ See Proposed Rule Amendments and Guidance Addressing 
Cross-Border Application of Certain Security-Based Swap 
Requirements, Exchange Act Release No. 85823 (May 10, 2019), 84 FR 
24206, 24253 (May 24, 2019). See also Security-Based Swap 
Transactions Connected With a Non-U.S. Person's Dealing Activity 
That Are Arranged, Negotiated, or Executed by Personnel Located in a 
U.S. Branch or Office or in a U.S. Branch or Office of an Agent; 
Security-Based Swap Dealer De Minimis Exception, Exchange Act 
Release No. 77104 (Feb. 10, 2016), 81 FR 8597, 8605 (Feb. 19, 2016) 
(``SBS Entity U.S. Activity Adopting Release''); Business Conduct 
Standards Adopting Release, 81 FR at 30090, 30105; SBS Entity 
Recordkeeping and Reporting Release, 84 FR at 68607-09; and Capital, 
Margin, and Segregation Requirements Adopting Release, 84 FR at 
43960-61.
    \951\ Consistent with prior estimates, the Commission further 
believes that there may be up to five MSBSPs. See Registration Process 
for Security-Based Swap Dealers and Major Security-Based Swap 
Participants, Exchange Act Release No. 75611 (Aug. 5, 2015), 80 FR 
48963, 48990 (Aug. 14, 2015) (``SBS Entity Registration Adopting 
Release''); see also SBS Entity Business Conduct Standards Adopting 
Release, 81 FR at 30089, 30099. It is possible that some subset of 
those entities will be non-U.S. MSBSPs that will seek to rely on 
substituted compliance in connection with proposed Rule 10, Form 
SCIR, and the related record preservation requirements.
    \952\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6389. See also SBS Entity Business Conduct Standards Adopting 
Release, 81 FR at 30097; SBS Entity Trade Acknowledgement and 
Verification Adopting Release, 81 FR at 39832.
    \953\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6384. See also SBS Entity Business Conduct Standards Adopting 
Release, 81 FR at 30090; SBS Entity Trade Acknowledgement and 
Verification Adopting Release, 81 FR at 39832.
    \954\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6389. See also SBS Entity Business Conduct Standards Adopting 
Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity 
Trade Acknowledgement and Verification Adopting Release, 81 FR at 
39832.
    \955\ Id. See also SBS Entity Recordkeeping and Reporting 
Adopting Release, 84 FR at 68609; Capital, Margin, and Segregation 
Requirements Adopting Release, 84 FR at 43967.
    \956\ No entity has registered as an MSBSP. See List of 
Registered Security-Based Swap Dealers and Major Security-Based Swap 
Participants, available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants (providing the list of registered 
SBSDs and MSBSPs that was updated as of January 4, 2023).
    \957\ See Order Granting Conditional Substituted Compliance in 
Connection With Certain Requirements Applicable to Non-U.S. 
Security-Based Swap Dealers Subject to Regulation in the Swiss 
Confederation, Exchange Act Release No. 93284 (Oct. 8, 2021), 86 FR 
57455 (Oct. 15, 2021) (File No. S7-07-21). The Commission's other 
substituted compliance orders have been in response to requests from 
foreign authorities; see https://www.sec.gov/tm/Jurisdiction-Specific-Apps-Orders-and-MOU.
---------------------------------------------------------------------------

6. SBSDRs
    Two SBSDRs are currently registered with the Commission.\958\ The 
Commission estimates for purposes of the PRA that one additional entity 
may seek to register as an SBSDR in the next three years, and so for 
purposes of this proposal the Commission has assumed three SBSDR 
respondents.
---------------------------------------------------------------------------

    \958\ The Commission approved the registration of two SBSDRs in 
2021. The two registered SBSDRs are: (1) DTCC Data Repository 
(U.S.), LLC; and (2) ICE Trade Vault, LLC.
---------------------------------------------------------------------------

7. Transfer Agents
    The proposed rule would apply to every transfer agent as defined in 
section 3(a)(25) of the Exchange Act that is registered or required to 
be registered with an appropriate regulatory agency as defined in 
section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there 
were 353 transfer agents that were either registered with the 
Commission through Form TA-1 or registered with other appropriate 
regulatory agencies.

D. Total Initial and Annual Reporting Burdens

    As stated above, each requirement to disclose information, offer to 
provide information, or adopt policies and procedures constitutes a 
collection of information requirement under the PRA. The Commission 
discusses below the collection of information burdens associated with 
the proposed rule and rule amendment.
1. Proposed Rule 10
    The Commission has made certain estimates of the burdens associated 
with

[[Page 20328]]

the policies and procedures and review and report of the review 
requirements of proposed Rule 10 applicable to Covered Entities solely 
for the purpose of this PRA analysis.\959\ Table 1 below summarizes the 
initial and ongoing annual burden and cost estimates associated with 
the policies and procedures and review and report of the review 
requirements.
---------------------------------------------------------------------------

    \959\ These requirements are discussed in section II.B.1. of 
this release.

       Table 1--Rule 10 PRA Estimates--Cybersecurity Policies and Procedures and Review and Report of the Review Requirements for Covered Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      Internal     Internal annual
                                                   initial burden    burden hours              Wage rate \2\             Internal time   Annual external
                                                       hours             \1\                                                 costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies and                         50        \4\ 21.67  $462 (blended rate for compliance        $10,011.54       \5\ $1,488
 procedures \3\.                                                                     attorney and assistant general
                                                                                     counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual review of policies and procedures and                    0           \6\ 10  $462 (blended rate for compliance             4,620        \7\ 1,984
 report of review.                                                                   attorney and assistant general
                                                                                     counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per Covered Entity..  ...............            31.67  ..................................        14,631.54            3,472
Number of Covered Entities......................  ...............          x 1,989  ..................................          x 1,989          x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual aggregate burden...........  ...............        62,991.63  ..................................    29,102,133.06        6,905,808
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a 3-year period.
\2\ The Commission's estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry
  and Financial Markets Association's Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 (``SIFMA Wage Report'').
  The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
\3\ These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating existing policies and procedures with
  respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
\4\ Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 21.67 hours is based on
  the following calculation: ((50 initial hours/3) + 5 additional ongoing burden hours) = 21.67 hours.
\5\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
  variety of sources including general information websites, and adjustments for inflation.
\6\ The Commission estimates 10 additional ongoing burden hours.
\7\ This estimated burden is based on the estimated wage rate of $496/hour, for 4 hours, for outside legal services. See note 5 (regarding wage rates
  with respect to external cost estimates).

    The Commission has made certain estimates of the burdens associated 
with the policies and procedures and review and record of the review 
requirements of proposed Rule 10 applicable to Non-Covered Broker-
Dealers solely for the purpose of this PRA analysis.\960\ Table 2 below 
summarizes the initial and ongoing annual burden and cost estimates 
associated with the proposed rule's policies and procedures and review 
and record of the review requirements for Non-Covered Broker-Dealers.
---------------------------------------------------------------------------

    \960\ These requirements are discussed in section II.C. of this 
release.

  Table 2--Rule 10 PRA Estimates--Cybersecurity Policies and Procedures and Review and Record of the Review Requirements for Non-Covered Broker-Dealers
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      Internal     Internal annual
                                                   initial burden    burden hours              Wage rate \2\             Internal time   Annual external
                                                       hours             \1\                                                 costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies and                         30           \4\ 15  $462 (blended rate for compliance            $6,930       \5\ $1,488
 procedures \3\.                                                                     attorney and assistant general
                                                                                     counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual review of policies and procedures and                    0            \6\ 6  $462 (blended rate for compliance             2,772          \7\ 992
 report of review.                                                                   attorney and assistant general
                                                                                     counsel).
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per Non-Covered       ...............               21  ..................................            9,702            2,480
     Broker-Dealer.
Number of Non-Covered Broker-Dealers............  ...............          x 1,969  ..................................          x 1,969          x 1,969
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual aggregate burden...........  ...............           41,349  ..................................       19,103,238        4,883,120
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a 3-year period.
\2\ The Commission's estimates of the relevant wage rates are based on salary information for the securities industry compiled by Securities Industry
  and Financial Markets Association's Office Salaries in the Securities Industry 2013, as modified by Commission staff for 2022 (``SIFMA Wage Report'').
  The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
\3\ These estimates are based on an average. Some firms may have a lower burden in the case they will be evaluating existing policies and procedures with
  respect to any cybersecurity risks and/or incidents, while other firms may be creating new cybersecurity policies and procedures altogether.
\4\ Includes initial burden estimates annualized over a three-year period, plus 5 ongoing annual burden hours. The estimate of 15 hours is based on the
  following calculation: ((30 initial hours/3) + 5 additional ongoing burden hours) = 15 hours.
\5\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
  variety of sources including general information websites, and adjustments for inflation.
\6\ The Commission estimates 6 additional ongoing burden hours.
\7\ This estimated burden is based on the estimated wage rate of $496/hour, for 2 hours, for outside legal services. See note 5 (regarding wage rates
  with respect to external cost estimates).


[[Page 20329]]

    The Commission has made certain estimates of the burdens associated 
with the notification requirement of proposed Rule 10 applicable to 
Market Entities solely for the purpose of this PRA analysis.\961\ Table 
3 below summarizes the initial and ongoing annual burden and cost 
estimates associated with the proposed rule's notification requirements 
for Market Entities.
---------------------------------------------------------------------------

    \961\ This requirement is discussed in section II.B.2.a. of this 
release.

                                      Table 3--Rule 10 PRA Estimates--Notification Requirements for Market Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Internal
                                               initial burden  Internal annual                    Wage rate              Internal time   Annual external
                                                   hours         burden hours                                                costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Making a determination of significant                       5         \1\ 4.67     x   $353 (blended rate for                 $1,648.51       \2\ $1,488
 cybersecurity incident and immediate notice                                            assistant general counsel,
 to the Commission.                                                                     compliance manager and systems
                                                                                        analyst).
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per Market        ...............             4.67         ...............................         1,648.51            1,488
     Entity.
Number of Market Entities...................  ...............          x 3,958         ...............................          x 3,958          x 3,958
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new aggregate annual burden.......  ...............        18,483.86         ...............................     6,524,802.58        5,889,504
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 3 ongoing annual burden hours. The estimate of 4.67 hours is based on
  the following calculation: ((5 initial hours/3) + 3 additional ongoing burden hours) = 4.67 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
  variety of sources including general information websites, and adjustments for inflation.

    The Commission has made certain estimates of the burdens associated 
with the requirement of proposed Rule 10 that Covered Broker-Dealers 
provide to their customers the disclosures that would need to be made 
on Part II of proposed Form SCIR, solely for the purpose of this PRA 
analysis.\962\ Table 4 below summarizes the initial and ongoing annual 
burden and cost estimates associated with the requirement of proposed 
Rule 10 that Covered Broker-Dealers provide to their customers the 
disclosures that would need to be made on Part II of proposed Form 
SCIR.
---------------------------------------------------------------------------

    \962\ These requirements are discussed in section II.B.3.b. of 
this release.

                     Table 4--Rule 10 PRA Estimates--Additional Disclosure Requirements for Broker-Dealers That Are Covered Entities
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Internal
                                               initial burden  Internal annual                    Wage rate              Internal time   Annual external
                                                   hours         burden hours                                                costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               PROPOSED RULE 10 ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Delivery of disclosures to new customers....         \1\ 6.68             6.68     x   $69 (general clerk)............          $460.92               $0
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual delivery of disclosures to existing          \2\ 44.48            44.48         $69 (general clerk)............         3,076.02                0
 customers.
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per broker-       ...............            51.26         ...............................         3,536.94  ...............
     dealer Covered Entities.
Number of broker-dealer Covered Entities....  ...............          x 1,541         ...............................          x 1,541  ...............
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new aggregate annual burden.......  ...............        78,991.66         ...............................     5,450,424.54  ...............
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ The Commission estimates that a broker-dealer that is a Covered Entity will require no more than 0.02 hours to send the broker-dealer's required
  disclosures to each new customer, or an annual burden of 6.68 hours per broker-dealer. (0.02 hours per customer x 334 median number of new customers
  per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 6.68 hours per broker-dealer.) The Commission notes that the
  burden for preparing disclosures to customers is already incorporated into a separate burden estimate under other broker-dealer rules promulgated by
  the Commission (e.g., 17 CFR 240.17a-3) and FINRA rules. The Commission expects that broker-dealers subject to this new disclosure requirement will
  make their delivery of disclosures to new customers as part of an email or mailing they already send to new customers; therefore, the Commission
  estimates that the additional burden will be adding a few pages to the email attachment or mailing.
\2\ The Commission estimates that, with a bulk mailing or email, a broker-dealer that is a Covered Entity will require no more than 0.02 hours to send
  the broker-dealer's required disclosures to each existing customer, or an annual burden of 44.58 hours per broker-dealer. (0.02 hours per customer x
  2,229 median number of customers per broker-dealer based on FOCUS Schedule I data as of December 31, 2022 = approximately 44.58 hours per broker-
  dealer.) The Commission notes that the burden for preparing disclosures to customers is already incorporated into a separate burden estimate under
  other broker-dealer rules promulgated by the Commission (e.g., 17 CFR 240.17a-3) and FINRA rules. The Commission expects that broker-dealers subject
  to this new disclosure requirement will make their annual delivery to existing customers as part of an email or mailing of an account statement they
  already send to customers; therefore, the Commission estimates that the additional burden will be adding a few pages to the email attachment or
  mailing.

2. Form SCIR
    The Commission has made certain estimates of the burdens associated 
with filing the initial and amended Part I of Form SCIR under proposed 
Rule 10 applicable to Covered Entities solely for the purpose of this 
PRA analysis.\963\ Table 5 below summarizes the initial and ongoing 
annual burden and cost estimates associated with filing proposed Form 
SCIR.
---------------------------------------------------------------------------

    \963\ These requirements are discussed in sections II.B.2. and 
II.B.4. of this release.

[[Page 20330]]



                                                       Table 5--Part I of Form SCIR PRA Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Internal
                                               initial burden  Internal annual                    Wage rate              Internal time   Annual external
                                                   hours         burden hours                                                costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                         PROPOSED PART I OF FORM SCIR ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Filling out initial Part I of Form SCIR.....                3          \1\ 1.5         $431 (blended rate for                   $646.50         \2\ $496
                                                                                        assistant general counsel,
                                                                                        compliance manager).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Filing an amended Part I of SCIR............                1                1         $431 (blended rate for                       431          \3\ 496
                                                                                        assistant general counsel,
                                                                                        compliance manager).
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per Covered       ...............              2.5         ...............................          1077.50              992
     Entity.
Number of Covered Entities..................  ...............          x 1,989         ...............................          x 1,989          x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new aggregate annual burden.......  ...............          4,972.5         ...............................      2,143,147.5        1,973,088
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 0.5 ongoing annual burden hours. The estimate of 1.5 hours is based on
  the following calculation: ((3 initial hours/3) + 0.5 additional ongoing burden hours) = 1.5 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
  variety of sources including general information websites, and adjustments for inflation.
\3\ This estimated burden is based on the estimated wage rate of $496/hour, for 1 hour, for outside legal services.

    The Commission has made certain estimates of the burdens associated 
with filing the Part II of Form SCIR under proposed Rule 10 applicable 
to Covered Entities solely for the purpose of this PRA analysis.\964\ 
Table 6 below summarizes the initial and ongoing annual burden and cost 
estimates associated with the proposed rule's disclosure requirements 
for Covered Entities.
---------------------------------------------------------------------------

    \964\ These requirements are discussed in sections II.B.3. and 
II.B.4. of this release.

                                                       Table 6--Part II of Form SCIR PRA Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Internal
                                               initial burden  Internal annual                    Wage rate              Internal time   Annual external
                                                   hours         burden hours                                                costs         cost burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                         PROPOSED PART II OF FORM SCIR ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Disclosure of significant cybersecurity                     5         \1\ 3.67     x   $375.33 per hour (blended rate         $1,377.46       \2\ $1,488
 incidents and cybersecurity risks on Part                                              for assistant general counsel,
 II of Form SCIR and posting form on website.                                           senior compliance examiner and
                                                                                        compliance manager) \3\.
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new annual burden per Covered       ...............             3.67         ...............................         1,377.46            1,488
     Entity.
Number of Covered Entities..................  ...............          x 1,989         ...............................          x 1,989          x 1,989
--------------------------------------------------------------------------------------------------------------------------------------------------------
    Total new aggregate annual burden.......  ...............         7,299.63         ...............................     2,739,767.94        2,959,632
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a three-year period, plus 2 ongoing annual burden hours. The estimate of 3 hours is based on the
  following calculation: ((5 initial hours/3) + 2 additional ongoing burden hours) = 3.67 hours.
\2\ This estimated burden is based on the estimated wage rate of $496/hour, for 3 hours, for outside legal services.
The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, take into account staff experience, a
  variety of sources including general information websites, and adjustments for inflation.
\3\ The $375.33 wage rate reflects current estimates from the SIFMA Wage Report of the blended hourly rate for an assistant general counsel ($518),
  senior compliance examiner ($264) and a compliance manager ($344). ($518 + $264 + $344)/3 = $375.33.

    In addition, the requirement to file Form SCIR in EDGAR using a 
form-specific XML may impose some compliance costs. Covered Entities 
that are not otherwise required to file in EDGAR--for example, clearing 
agencies, the MSRB, national securities associations, and national 
securities exchanges, as well as any broker-dealer Covered Entities 
that choose not to file Form X-17A-5 Part III or Form 17-H through the 
EDGAR system--would need to complete Form ID to obtain the EDGAR-system 
access codes that enable entities to file documents through the EDGAR 
system.\965\ The Commission estimates that each filer that currently 
does not have access to EDGAR would incur an initial, one-time burden 
of 0.30 hours to complete and submit a Form ID.\966\ Therefore, the 
Commission believes the one-time industrywide reporting burden 
associated with the proposed requirements to file on
---------------------------------------------------------------------------

    \965\ Form ID (OMB control number 3235-0328) must be completed 
and filed with the Commission by all individuals, companies, and 
other organizations who seek access to file electronically on EDGAR. 
Accordingly, a filer that does not already have access to EDGAR must 
submit a Form ID, along with the notarized signature of an 
authorized individual, to obtain an EDGAR identification number and 
access codes to file on EDGAR. The Commission currently estimates 
that Form ID would take 0.30 hours to prepare, resulting in an 
annual industry-wide burden of 17,199 hours. See Supporting 
Statement for the Paperwork Reduction Act Information Collection 
Submission for Form ID (Dec. 20, 2021), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202112-3235-003.
    \966\ The Commission does not estimate a burden for SBS Entities 
since these firms have already filed Form ID so they can file Form 
SBSE on EDGAR. Similarly, the Commission does not estimate a burden 
for transfer agents since these firms already file their annual 
report on Form TA-2 on EDGAR.

---------------------------------------------------------------------------

[[Page 20331]]

EDGAR is 4.8 hours for clearing agencies,\967\ 0.30 hours for the 
MSRB,\968\ 7.5 hours for national securities exchanges and 
associations,\969\ 0.9 hours for SBSDRs,\970\ and 242.4 hours for 
Covered Broker-Dealers not already filing their annual audits on 
EDGAR.\971\ In addition, with respect to the requirement to file Form 
SCIR using custom XML (with which a Covered Entity would be able to 
comply by inputting its disclosures into a fillable web form), the 
Commission estimates that each Covered Entity would incur an internal 
burden of 0.5 hours per filing.\972\ Accordingly, the Commission 
estimates that Covered Entities will collectively have an ongoing 
burden of 994.5 hours \973\ with respect to filing Form SCIR in custom 
XML.
---------------------------------------------------------------------------

    \967\ 0.30 hours x 16 clearing agencies = 4.8 hours.
    \968\ 0.30 hours x 1 MSRB = 0.30 hours.
    \969\ 0.30 hours x (24 national securities exchanges and 1 
national securities association) = 7.5 hours.
    \970\ 0.30 hours x 3 SBSDRs = 0.9 hours.
    \971\ 0.30 hours x 808 Covered Broker-Dealers not already filing 
on EDGAR = 242.4 hours.
    \972\ This estimate would mirror the Commission's internal 
burden hour estimate for a proposed custom XML requirement for 
Schedules 13D and 13G. See Modernization of Beneficial Ownership 
Reporting Release.
    \973\ 1,989 Covered Entities x .5 hours = 994.5 hours.
---------------------------------------------------------------------------

3. Rules 17a-4, 17ad-7, 18a-6, and Clearing Agency Exemption Orders 
(and Existing Rules 13n-7 and 17a-1)
    The Commission has made certain estimates of the burdens associated 
with the proposed record preservation requirements solely for the 
purpose of this PRA analysis.\974\ Table 7 below summarizes the initial 
and ongoing annual burden and cost estimates associated with the 
additional recordkeeping requirements.
---------------------------------------------------------------------------

    \974\ These requirements are discussed in sections II.B.5.a. and 
II.C. of this release.
    \975\ Given the general nature of the recordkeeping requirements 
for national securities exchanges, national securities associations, 
registered clearing agencies, and the MSRB under Rule 17a-1 (OMB 
control number 3235-0208, Recordkeeping Rule for National Securities 
Exchanges, National Securities Associations, Registered Clearing 
Agencies, and the Municipal Securities Rulemaking Board) and for 
SBSDRs under Rule 13n-7 (OMB control number 3235-0719, Security-
Based Swap Data Repository Registration, Duties, and Core Principles 
and Form SDR), it is anticipated that the new recordkeeping 
requirements proposed in this release would result in a one-time 
nominal increase in burden per entity that would effectively be 
encompassed by the existing burden estimates associated with these 
existing rules as described in those collections of information. 
Below, the Commission solicits comment regarding all of the PRA 
estimates discussed in this release.

   Table 7--PRA Estimates--Proposed Amendments to Rules 17a-4, 18a-6, and 17ad-7 and Clearing Agency Exemption
                                Orders (and Existing Rules 17a-1 and 13n-7) \975\
----------------------------------------------------------------------------------------------------------------
                                                                                                      Annual
                                   Internal annual              Wage rate        Internal time    external  cost
                                     hour burden                                     costs            burden
----------------------------------------------------------------------------------------------------------------
                                  PROPOSED ESTIMATES FOR RECORDKEEPING BURDENS
----------------------------------------------------------------------------------------------------------------
Retention of cybersecurity       1.................     x   $73.5............              $73.5              $0
 policies and procedures.                                   (blended rate for
                                                             general clerk
                                                             and compliance
                                                             clerk).
    Total burden per Covered     1.................                                         73.5               0
     Entity or Non-Covered
     Broker-Dealer.
    Total number of affected     x 3,918...........                                      x 3,918               0
     entities.
        Sub-total burden.......  3,918 hours.......                                      287,973               0
Retention of written report      1.................     x   73.5.............               73.5               0
 documenting annual review.                                 (blended rate for
                                                             general clerk
                                                             and compliance
                                                             clerk).
Total annual burden per Covered  1.................                                         73.5               0
 Entity or Non-Covered Broker-
 Dealer.
    Total number of affected     x 3,918...........                                      x 3,918               0
     entities.
        Sub-total burden.......  3,918 hours.......                                      287,973               0
Retention of copy of any Form    1.................     x   73.5.............               73.5               0
 SCIR or immediate notice to                                (blended rate for
 the Commission.                                             general clerk
                                                             and compliance
                                                             clerk).
    Total annual burden per      1.................                                         73.5               0
     Covered Entity or Non-
     Covered Broker-Dealer.
    Total number of affected     x 3,918...........                                      x 3,918               0
     entities.
        Sub-total burden.......  3,918 hours.......                                      287,973               0
Retention of records             1.................     x   73.5.............               73.5               0
 documenting a cybersecurity                                (blended rate for
 incident.                                                   general clerk
                                                             and compliance
                                                             clerk).
    Total annual burden per      1.................                                         73.5               0
     Covered Entity.
    Total number of affected     x 1,949...........                                      x 1,949               0
     Covered Entities.
        Sub-total burden.......  1,949 hours.......                                   143,251.50               0
Retention of records             1.................     x   73.5.............               73.5               0
 documenting a Covered Entity's                             (blended rate for
 cybersecurity risk assessment.                              general clerk
                                                             and compliance
                                                             clerk).
    Total annual burden per      1.................                                         73.5               0
     Covered Entity.
    Total number of affected     x 1,949...........                                      x 1,949               0
     Covered Entities.
        Sub-total burden.......  1,949 hours.......                                   143,251.50               0
Retention of copy of any public  1.................     x   73.5.............               73.5               0
 disclosures.                                               (blended rate for
                                                             general clerk
                                                             and compliance
                                                             clerk).
    Total annual burden per      1.................                                         73.5               0
     Covered Entity.
    Total number of affected     x 1,949...........                                      x 1,949               0
     Covered Entities.
        Sub-total burden.......  1,949 hours.......                                   143,251.50               0

[[Page 20332]]

 
        Total annual aggregate   17,601 hours......                                  1,293,673.5               0
         burden of
         recordkeeping
         obligations.
----------------------------------------------------------------------------------------------------------------

4. Substituted Compliance--Rule 3a71-6
    Rule 3a71-6 would require submission of certain information to the 
Commission to the extent SBS Entities elect to request a substituted 
compliance determination with respect to proposed Rule 10, Form SCIR, 
and the related record preservation requirements. Consistent with 
Exchange Act Rule 0-13, such applications must be accompanied by 
supporting documentation necessary for the Commission to make the 
determination, including information regarding applicable foreign 
requirements, and the methods used by foreign authorities to monitor 
and enforce compliance. If Rule 3a71-6 is amended as proposed, the 
Commission expects that the majority of such requests will be made 
during the first year following the effective date.
    The Commission expects that the great majority of substituted 
compliance applications will be submitted by foreign authorities, and 
that very few substituted compliance requests will come from SBS 
Entities. For purposes of this assessment, the Commission estimates 
that three such SBS Entities will submit such an application.\976\
---------------------------------------------------------------------------

    \976\ See SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6389. See also SBS Entity Business Conduct Standards Adopting 
Release, 81 FR at 30097, n.1582 and accompanying text; SBS Entity 
Trade Acknowledgement and Verification Adopting Release, 81 FR at 
39832; SBS Entity Recordkeeping and Reporting Adopting Release, 84 
FR at 68609; Capital, Margin, and Segregation Requirements Adopting 
Release, 84 FR at 43967.
---------------------------------------------------------------------------

    The Commission has previously estimated that the paperwork burden 
associated with filing a request for a substituted compliance 
determination related to existing business conduct, supervision, chief 
compliance officer, and trade acknowledgement and verification 
requirements described in Rule 3a71-6(d)(1)-(3) was approximately 80 
hours of in-house counsel time, plus $84,000 \977\ for the services of 
outside professionals, and the paperwork burden estimate associated 
with making a request for a substituted compliance determination 
related to the existing recordkeeping and reporting requirements 
described in Rule 3a71-6(d)(6) was approximately 80 hours of in-house 
counsel time, plus $84,000 \978\ for the services of outside 
professionals.\979\ To the extent that an SBS Entity files a request 
for a substituted compliance determination in connection with Rule 10, 
Form SCIR, the related record preservation requirements, and 
requirements currently identified in Rule 3a71-6(d) as eligible for 
substituted compliance determinations, the Commission believes that the 
paperwork burden associated with the request would be greater than that 
associated with a narrower request due to the need for more information 
regarding the comparability of the relevant rules and the adequacy of 
the associated supervision and enforcement practices. However, the 
Commission believes that its prior paperwork burden estimate is 
sufficient to cover a combined substituted compliance request that also 
seeks a determination in connection with Rule 10, Form SCIR, and the 
related record preservation requirements.\980\
---------------------------------------------------------------------------

    \977\ Based on 200 hours of outside time x $420 per hour. This 
estimated burden also includes the burden associated with making a 
request for a substituted compliance determination related to the 
portfolio reconciliation, portfolio compression, and trading 
relationship documentation requirements described in Rule 3a71-
6(d)(7); see SBS Entity Risk Mitigation Adopting Release, 85 FR at 
6389.
    \978\ Based on 200 hours of outside time x $420 per hour.
    \979\ See Supporting Statement for the Paperwork Reduction Act 
Information Collection Submission for Exchange Act Rule 3a71-6 (June 
10, 2021), available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202106-3235-008.
    \980\ Although applicants may file requests for substituted 
compliance determinations related to multiple eligible requirements, 
applicants may instead file requests for substituted compliance 
determinations related to individual eligible requirements. As such, 
the Commission's estimates reflect the total paperwork burden of 
requests filed by (i) applicants that would be seeking a substituted 
compliance determination related to Rule 10, Form SCIR, and the 
related record preservation requirements combined with a request for 
a substituted compliance determination related to other eligible 
requirements, and (ii) applicants that previously filed requests for 
substituted compliance determinations related to other eligible 
requirements and would be seeking an additional substituted 
compliance determination in connection with Rule 10, Form SCIR, and 
the related record preservation requirements.
---------------------------------------------------------------------------

    Nevertheless, the Commission is revising its estimate of the hourly 
rate for outside professionals to $496, consistent with the other 
paperwork burden estimates in this release. Therefore, the Commission 
estimates that the total paperwork burden incurred by entities 
associated with preparing and submitting a request for a substituted 
compliance determination in connection with the proposed cybersecurity 
risk management requirements applicable to SBS Entities would be 
reflected in the estimated burden of a request for a substituted 
compliance determination related to the business conduct, supervision, 
chief compliance officer, trade acknowledgement and verification, and 
the portfolio reconciliation, portfolio compression, and trading 
relationship documentation requirements described in Rule 3a71-6(d)(1)-
(3) and (7) of approximately 80 hours of in-house counsel time, plus 
$99,200 for the services of outside professionals,\981\ and the 
paperwork burden associated with making a request for a substituted 
compliance determination related to the recordkeeping and reporting 
requirements described in Rule 3a71-6(d)(6) of approximately 80 hours 
of in-house counsel time, plus $99,200 for the services of outside 
professionals.\982\ This estimate results in an aggregate total one-
time paperwork burden associated with preparing and submitting requests 
for substituted compliance determinations relating to the requirements 
described in Rule 3a71-6(d)(1) through (3), (6) and (7), including the 
proposed cybersecurity risk management requirements, of approximately 
480 internal hours,\983\ plus $595,200 for the services of outside 
professionals \984\ for all three requests.
---------------------------------------------------------------------------

    \981\ Based on 200 hours of outside time x $496 per hour.
    \982\ Based on 200 hours of outside time x $496 per hour.
    \983\ (80 hours related to Rule 3a71-6(d)(1) through (3), (7) 
plus 80 hours related to Rule 3a71-6(d)(6)) * 3 requests.
    \984\ ($99,200 related to Rule 3a71-6(d)(1) through (3), (7) 
plus $99,200 related to Rule 3a71-6(d)(6)) * 3 requests.
---------------------------------------------------------------------------

E. Collection of Information is Mandatory

    The collections of information pursuant to proposed Rule 10, Form 
SCIR, and the relevant recordkeeping

[[Page 20333]]

rules are mandatory, as applicable, for Market Entities. With respect 
to Rule 3a71-6, the application for substituted compliance is mandatory 
for all foreign financial regulatory authorities or SBS Entities that 
seek a substituted compliance determination.

F. Confidentiality of Responses to Collection of Information

    The Commission expects to receive confidential information in 
connection with the collections of information. A Market Entity can 
request confidential treatment of the information.\985\ If such 
confidential treatment request is made, the Commission anticipates that 
it will keep the information confidential subject to applicable 
law.\986\
---------------------------------------------------------------------------

    \985\ See 17 CFR 200.83. Information regarding requests for 
confidential treatment of information submitted to the Commission is 
available on the Commission's website at https://www.sec.gov/foia/howfo2.htm#privacy.
    \986\ See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing 
the public availability of information obtained by the Commission).
---------------------------------------------------------------------------

    With regard to Rule 3a71-6, the Commission generally will make 
requests for a substituted compliance determination public, including 
supporting documentation provided by the requesting party, subject to 
requests for confidential treatment being submitted pursuant to any 
applicable provisions governing confidentiality under the Exchange 
Act.\987\ If confidential treatment is granted, the Commission would 
keep such information confidential, subject to the provisions of 
applicable law.\988\
---------------------------------------------------------------------------

    \987\ See, e.g., 17 CFR 200.83; 17 CFR 240.24b-2; see also SBS 
Entity Definitions Adopting Release, 79 FR at 47359.
    \988\ See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing 
the public availability of information obtained by the Commission).
---------------------------------------------------------------------------

G. Retention Period for Recordkeeping Requirements

    Rule 17a-4, as proposed to be amended, specifies the required 
retention periods for records required to be made and preserved by a 
broker-dealer, whether electronically or otherwise.\989\ Rule 17ad-7, 
as proposed to be amended, specifies the required retention periods for 
records required to be made and preserved by transfer agents, whether 
electronically or otherwise.\990\ Rule 18a-6, as proposed to be 
amended, specifies the required retention periods for records required 
to be made and preserved by SBSDs or MSBSPs, whether electronically or 
otherwise.\991\ All records required of certain of the Market Entities 
pursuant to the proposed rule amendments must be retained for three 
years.\992\ Existing Rule 17a-1 specifies the required retention 
periods for records required to be made and preserved by national 
securities exchanges, national securities associations, registered 
clearing agencies, and the MSRB, whether electronically or 
otherwise.\993\ Under the existing provisions of Rule 17a-1, registered 
clearing agencies, the MSRB, national securities associations, and 
national securities exchanges would be required to preserve at least 
one copy of the Rule 10 Records for at least five years, the first two 
years in an easily accessible place. Existing Rule 13n-7, which is not 
proposed to be amended, specifies the required retention periods for 
records required to be made and preserved by SBSDRs, whether 
electronically or otherwise.\994\ Rule 13n-7 provides that the SBSDR 
must keep the documents for a period of not less than five years, the 
first two years in a place that is immediately available to 
representatives of the Commission for inspection and examination.\995\ 
Finally, exempt clearing agencies are generally subject to conditions 
that mirror certain of the recordkeeping requirements in Rule 17a-
1.\996\ Nonetheless, the Commission is proposing to amend the clearing 
agency exemption orders to add a condition that each exempt clearing 
agency must retain the Rule 10 Records for a period of at least five 
years after the record is made or, in the case of the written policies 
and procedures to address cybersecurity risks, for at least five years 
after the termination of the use of the policies and procedures.
---------------------------------------------------------------------------

    \989\ See Rule 17a-4, as proposed to be amended.
    \990\ See Rule 17ad-7, as proposed to be amended.
    \991\ See Rule 18a-6, as proposed to be amended.
    \992\ See Rules 17a-4, 17ad-7, and 18a-6, as proposed to be 
amended.
    \993\ See Rule 17a-1.
    \994\ See Rule 13n-7.
    \995\ See paragraph (b)(2) of Rule 13n-7.
    \996\ See, e.g., BSTP SS&C Order, 80 FR at 75411 (conditioning 
BSTP's exemption by requiring BSTP to, among other things, preserve 
a copy or record of all trade details, allocation instructions, 
central trade matching results, reports and notices sent to 
customers, service agreements, reports regarding affirmation rates 
that are sent to the Commission or its designee, and any complaint 
received from a customer, all of which pertain to the operation of 
its matching service and ETC service. BSTP shall retain these 
records for a period of not less than five years, the first two 
years in an easily accessible place).
---------------------------------------------------------------------------

H. Request for Comment

    Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits 
comment on the proposed collections of information in order to:
    • Evaluate whether the proposed collections of information 
are necessary for the proper performance of the functions of the 
Commission, including whether the information would have practical 
utility;
    • Evaluate the accuracy of the Commission's estimates of the 
burden of the proposed collections of information;
    • Determine whether there are ways to enhance the quality, 
utility, and clarity of the information to be collected; and
    • Evaluate whether there are ways to minimize the burden of 
the collection of information on those who respond, including through 
the use of automated collection techniques or other forms of 
information technology.
    Persons submitting comments on the collection of information 
requirements should direct them to the Office of Management and Budget, 
Attention: Desk Officer for the Securities and Exchange Commission, 
Office of Information and Regulatory Affairs, Washington, DC 20503, and 
should also send a copy of their comments to Vanessa A. Countryman, 
Secretary, Securities and Exchange Commission, 100 F Street NE, 
Washington, DC 20549-1090, with reference to File Number S7-06-23. 
Requests for materials submitted to OMB by the Commission with regard 
to this collection of information should be in writing, with reference 
to File Number S7-06-23 and be submitted to the Securities and Exchange 
Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC 
20549-2736. As OMB is required to make a decision concerning the 
collections of information between 30 and 60 days after publication, a 
comment to OMB is best assured of having its full effect if OMB 
receives it within 30 days of publication.

VI. Initial Regulatory Flexibility Act Analysis

    The RFA requires the Commission, in promulgating rules, to consider 
the impact of those rules on small entities.\997\ Section 603(a) of the 
Administrative Procedure Act,\998\ as amended by the RFA, generally 
requires the Commission to undertake a regulatory flexibility analysis 
of all proposed rules to determine the impact of such rulemaking on 
``small entities.'' \999\ Section 605(b) of the RFA states that this 
requirement shall not apply to any proposed rule which, if adopted, 
would not have a significant

[[Page 20334]]

economic impact on a substantial number of small entities.\1000\
---------------------------------------------------------------------------

    \997\ See 5 U.S.C. 601 et seq.
    \998\ 5 U.S.C. 603(a).
    \999\ Section 601(b) of the RFA permits agencies to formulate 
their own definitions of ``small entities.'' See 5 U.S.C. 601(b). 
The Commission has adopted definitions for the term ``small entity'' 
for the purposes of rulemaking in accordance with the RFA. These 
definitions, as relevant to this proposed rulemaking, are set forth 
in Rule 0-10.
    \1000\ See 5 U.S.C. 605(b).
---------------------------------------------------------------------------

    The Commission has prepared the following Initial Regulatory 
Flexibility Analysis (``IRFA'') in accordance with section 3(a) of the 
RFA.\1001\ It relates to: (1) proposed Rule 10 under the Exchange Act; 
(2) proposed Form SCIR; and (3) proposed amendments to Rules 17a-4, 
17ad-7, and 18a-6 under the Exchange Act.\1002\
---------------------------------------------------------------------------

    \1001\ 5 U.S.C. 603(a).
    \1002\ The Commission is also certifying that the amendments to 
Rule 3a71-6 will not have a significant economic impact on a 
substantial number of small entities for purposes of the RFA. See 
section VI.C.5. of this release.
---------------------------------------------------------------------------

A. Reasons for, and Objectives of, Proposed Action

    The reasons for, and objectives of, the proposed rule and rule 
amendments are discussed above.\1003\
---------------------------------------------------------------------------

    \1003\ See sections I and II of this release.
---------------------------------------------------------------------------

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    Proposed Rule 10 would require all Market Entities (Covered 
Entities and non-Covered Entities) to establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
their cybersecurity risks.\1004\ All Market Entities also, at least 
annually, would be required to review and assess the design and 
effectiveness of their cybersecurity policies and procedures, including 
whether the policies and procedures reflect changes in cybersecurity 
risk over the time period covered by the review.\1005\ They also would 
be required to prepare a report (in the case of Covered Entities) and a 
record (in the case of non-Covered Entities) with respect to the annual 
review.\1006\ Finally, all Market Entities would need to give the 
Commission immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the significant cybersecurity incident has occurred or is 
occurring.\1007\
---------------------------------------------------------------------------

    \1004\ See paragraphs (b) through (d) of proposed Rule 10 
(setting forth the requirements for Market Entities that meet the 
definition of ``covered entity''); paragraph (e)(1) of proposed Rule 
10. See also sections II.B.1 and II.C. of this release (discussing 
these proposed requirements in more detail).
    \1005\ See paragraph (b)(2) of proposed Rule 10; paragraph 
(e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of 
this release (discussing these proposed requirements in more 
detail).
    \1006\ See paragraph (b)(2) of proposed Rule 10; paragraph 
(e)(1) of proposed Rule 10. See also sections II.B.1.f. and II.C. of 
this release (discussing these proposed requirements in more 
detail).
    \1007\ See paragraph (c)(1) of proposed Rule 10; paragraph 
(e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of 
this release (discussing these proposed requirements in more 
detail).
---------------------------------------------------------------------------

    Market Entities that meet the definition of ``covered entity'' 
would be subject to certain additional requirements under proposed Rule 
10.\1008\ First, their cybersecurity risk management policies and 
procedures would need to include the following elements:
---------------------------------------------------------------------------

    \1008\ See paragraph (b) through (d) of proposed Rule 10 
(setting forth the requirements for Market Entities that meet the 
definition of ``covered entity''); paragraph (e) of proposed Rule 10 
(setting forth the requirements for Market Entities that do not meet 
the definition of ``covered entity'').
---------------------------------------------------------------------------

    • Periodic assessments of cybersecurity risks associated 
with the Covered Entity's information systems and written documentation 
of the risk assessments;
    • Controls designed to minimize user-related risks and 
prevent unauthorized access to the Covered Entity's information 
systems;
    • Measures designed to monitor the Covered Entity's 
information systems and protect the Covered Entity's information from 
unauthorized access or use, and oversight of service providers that 
receive, maintain, or process information, or are otherwise permitted 
to access the Covered Entity's information systems;
    • Measures to detect, mitigate, and remediate any 
cybersecurity threats and vulnerabilities with respect to the Covered 
Entity's information systems; and
    • Measures to detect, respond to, and recover from a 
cybersecurity incident and written documentation of any cybersecurity 
incident and the response to and recovery from the incident.\1009\
---------------------------------------------------------------------------

    \1009\ See sections II.B.1.a. through II.B.1.e. of this release 
(discussing these proposed requirements in more detail). In the case 
of non-Covered Entities, as discussed in more detail below in 
section II.C. of this release, the design of the cybersecurity risk 
management policies and procedures would need to take into account 
the size, business, and operations of the broker-dealer. See 
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------

    Second, Covered Entities--in addition to providing the Commission 
with immediate written electronic notice of a significant cybersecurity 
incident--would need to report and update information about the 
significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission through the EDGAR system.\1010\ The form would 
elicit information about the significant cybersecurity incident and the 
Covered Entity's efforts to respond to, and recover from, the incident.
---------------------------------------------------------------------------

    \1010\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Third, Covered Entities would need to publicly disclose summary 
descriptions of their cybersecurity risks and the significant 
cybersecurity incidents they experienced during the current or previous 
calendar year on Part II of proposed Form SCIR.\1011\ The form would 
need to be filed with the Commission through the EDGAR system and 
posted on the Covered Entity's business internet website and, in the 
case of Covered Entities that are carrying or introducing broker-
dealers, provided to customers at account opening and annually 
thereafter.
---------------------------------------------------------------------------

    \1011\ See sections II.B.3. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Covered Entities and Non-Covered Entities would need to preserve 
certain records relating to the requirements of proposed Rule 10 in 
accordance with amended or existing recordkeeping requirements 
applicable to them or, in the case of exempt clearing agencies, 
pursuant to conditions in relevant exemption orders.\1012\
---------------------------------------------------------------------------

    \1012\ See sections II.B.5. and II.C. of this release 
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------

    Collectively, these requirements are designed to address 
cybersecurity risk and the threat it poses to Market Entities and the 
U.S. securities markets. The written policies and procedures, the 
records required to be made pursuant to those policies and procedures, 
and the report or record of the annual review of the policies and 
procedures would address the specific cybersecurity risks to which 
Market Entities are exposed. The Commission could use these written 
policies and procedures, reports, and records to review Market 
Entities' compliance with proposed Rule 10.
    The Commission could use the immediate written electronic 
notification of significant cybersecurity incidents to promptly begin 
to assess the situation by, for example, when warranted, assessing the 
Market Entity's operating status and engaging in discussions with the 
Market Entity to understand better what steps it is taking to protect 
its customers, counterparties, members, registrants, or users. The 
Commission could use the subsequent reports about the significant 
cybersecurity incident filed by Covered Entities using Part I of 
proposed Form SCIR to understand better the nature and extent of a 
particular significant cybersecurity incident and the efficacy of the 
Covered Entity's response to mitigate the disruption and harm caused by 
the incident. The Commission staff could use the reports to focus on 
the Covered Entity's operating status and to facilitate their outreach 
to, and discussions with, personnel at the Covered Entity who are 
addressing the significant cybersecurity incident. In

[[Page 20335]]

addition, the reporting would provide the staff with a view into the 
Covered Entity's understanding of the scope and impact of the 
significant cybersecurity incident. All of this information could be 
used by the Commission and its staff in assessing the significant 
cybersecurity incident impacting the Covered Entity. Further, the 
Commission could use the database of reports to assess the potential 
cybersecurity risks affecting U.S. securities markets more broadly. 
This information could be used to address future significant 
cybersecurity incidents. For example, these reports could assist the 
Commission in identifying patterns and trends across Covered Entities, 
including widespread cybersecurity incidents affecting multiple Covered 
Entities at the same time. Further, the reports could be used to 
evaluate the effectiveness of various approaches to respond to and 
recover from a significant cybersecurity incident.
    The disclosures by Covered Entities on Part II of proposed Form 
SCIR would be used to provide greater transparency to customers, 
counterparties, registrants, or members of the Covered Entity, or to 
users of its services, about the Covered Entity's cybersecurity risk 
profile. This information could be used by these persons to manage 
their own cybersecurity risk and, to the extent they have a choice, 
select a Covered Entity with whom to transact or otherwise conduct 
business. In addition, because the reports would be filed through 
EDGAR, Covered Entities' customers, counterparties, members, 
registrants, or users would be able to run search queries to compare 
the disclosures of multiple Covered Entities. This would make it easier 
for Commission staff and others to assess the cybersecurity risk 
profiles of different types of Covered Entities and could facilitate 
trend analysis by members of the public of significant cybersecurity 
incidents.
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
    Rules 17a-4, 17ad-7, and 18a-6--which apply to broker-dealers, 
transfer agents, and SBS Entities, respectively--would be amended to 
establish preservation and maintenance requirements for the written 
policies and procedures, annual reports, Parts I and II of proposed 
Form SCIR, and records required to be made pursuant to proposed Rule 10 
(i.e., the Rule 10 Records).\1013\ The proposed amendments would 
specify that the Rule 10 Records must be retained for three years. In 
the case of the written policies and procedures to address 
cybersecurity risks, the record would need to be maintained until three 
years after the termination of the use of the policies and 
procedures.\1014\ In addition, orders exempting certain clearing 
agencies from registering with the Commission would be amended to 
establish preservation and maintenance requirements for the Rule 10 
Records that would apply to the exempt clearing agencies subject to 
those orders.\1015\ The amendments would provide that the records need 
to be retained for five years (consistent with Rules 13n-7 and 17a-
1).\1016\ In the case of the written policies and procedures to address 
cybersecurity risks, the record would need to be maintained until five 
years after the termination of the use of the policies and procedures. 
The preservation of these records would make them available for 
examination by the Commission and other regulators.
---------------------------------------------------------------------------

    \1013\ See sections II.B.5. and II.C. of this release 
(discussing these proposed amendments in more detail). Rule 17a-4 
sets forth record preservation and maintenance requirements for 
broker-dealers, Rule 17ad-7 sets forth record preservation and 
maintenance requirements for transfer agents, and Rule 18a-6 sets 
forth record preservation and maintenance requirements for SBS 
Entities.
    \1014\ See proposed amendments to Rule 17a-4.
    \1015\ See section II.B.5. of this release (discussing these 
proposed amendments in more detail).
    \1016\ For the reasons discussed in section II.B.5.a. of this 
release, the proposal would not amend Rules 13n-7 or 17a-1. As 
explained in that section of the release, the existing requirements 
of Rule 13n-7 (which applies to SBSDRs) and Rule 17a-1 (which 
applies to registered clearing agencies, the MSRB, national 
securities associations, and national securities exchanges) will 
require these Market Entities to retain the Rule 10 Records for five 
years and, in the case of the written policies and procedures, for 
five years after the termination of the use of the policies and 
procedures.
---------------------------------------------------------------------------

B. Legal Basis

    The Commission is proposing Rule 10 and Form SCIR under the 
Exchange Act, as well as amendments to Rules 17a-4, 17ad-7, and 18a-6 
under the Exchange Act, under the following authorities under the 
Exchange Act: (1) Sections 15, 17, and 23 for broker-dealers (15 U.S.C. 
78o, 78q, and 78w); (2) Sections 17, 17A, and 23 for clearing agencies 
(15 U.S.C. 78q, 78q-1, and 78w(a)(1)); (3) Sections 15B, 17, and 23 for 
the MSRB (15 U.S.C. 78o-4, 78q(a), and 78w); (4) Sections 6(b), 11A, 
15A, 17, and 23 for national securities exchanges and national 
securities associations (15 U.S.C. 78f, 78k-1, 78o-3, and 78w); (5) 
Sections 15F, 23, and 30(c) for SBS Entities (15 U.S.C. 78o-10, 78w, 
and 78dd(c)); (6) Sections 13 and 23 for SBSDRs (15 U.S.C. 78m and 
78w); and (7) Sections 17a, 17A, and 23 for transfer agents (15 U.S.C. 
78q, 78q-1, and 78w).

C. Small Entities Subject to Proposed Rule, Form SCIR, and 
Recordkeeping Rule Amendments

    As discussed above, the Commission estimates that a total of 
approximately 1,989 Covered Entities (consisting of 1,541 broker-
dealers, 16 clearing agencies, the MSRB, 25 total national securities 
exchanges and national securities associations, 50 SBS Entities, 3 
SBSDRs, and 353 transfer agents) and 1,969 Non-Covered Broker-Dealers 
would be subject to the new cybersecurity requirements and related 
recordkeeping requirements as a result of: (1) proposed Rule 10 under 
the Exchange Act; (2) proposed Form SCIR; and (3) proposed amendments 
to Rules 17a-4, 17ad-7, and 18a-6 under the Exchange Act. The number of 
these firms that may be considered ``small entities'' is discussed 
below.
1. Broker-Dealers
    For purposes of Commission rulemaking, a small entity includes, 
when used with reference to a broker-dealer, a broker-dealer that: (1) 
had total capital (net worth plus subordinated liabilities) of less 
than $500,000 on the date in the prior fiscal year as of which its 
audited financial statements were prepared pursuant to Rule 17a-5(d) 
under the Exchange Act, or, if not required to file such statements, a 
broker-dealer with total capital (net worth plus subordinated 
liabilities) of less than $500,000 on the last day of the preceding 
fiscal year (or in the time that it has been in business, if shorter); 
and (2) is not affiliated with any person (other than a natural person) 
that is not a small business or small organization.\1017\
---------------------------------------------------------------------------

    \1017\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------

    Based on FOCUS Report data, the Commission estimates that, as of 
September 30, 2022, there were approximately 764 broker-dealers in 
total (195 broker-dealers that are Covered Entities and 569 broker-
dealers that are Non-Covered Broker-Dealers) that might be deemed small 
entities for purposes of this analysis.
2. Clearing Agencies
    For the purposes of Commission rulemaking, a small entity includes, 
when used with reference to a clearing agency, a clearing agency that: 
(1) compared, cleared, and settled less than $500 million in securities 
transactions during the preceding fiscal year; (2) had less than $200 
million of funds and securities in its custody or control at all times 
during the preceding fiscal year (or at any time that it has been in 
business, if shorter); and (3) is not

[[Page 20336]]

affiliated with any person (other than a natural person) that is not a 
small business or small organization.\1018\
---------------------------------------------------------------------------

    \1018\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the clearing 
agencies currently registered with the Commission, the Commission 
preliminarily believes that such entities exceed the thresholds 
defining ``small entities'' set out above. While other clearing 
agencies may emerge and seek to register as clearing agencies, the 
Commission preliminarily does not believe that any such entities would 
be ``small entities'' as defined in Exchange Act Rule 0-10. 
Consequently, the Commission certifies that the proposed rule and form 
would not, if adopted, have a significant economic impact on a 
substantial number of small entities.
3. The MSRB
    The Commission's rules do not define ``small business'' or ``small 
organization'' for purposes of entities like the MSRB. The MSRB does 
not fit into one of the categories listed under the Commission rule 
that provides guidelines for a defined group of entities to qualify as 
a small entity for purposes of Commission rulemaking under the 
RFA.\1019\ The RFA, in turn, refers to the Small Business Administration 
(``SBA'') in providing that the term ``small business'' is defined as 
having the same meaning as the term ``small business concern'' under 
section 3 of the Small Business Act.\1020\ The SBA provides a 
comprehensive list of categories with accompanying size standards that 
outline how large a business concern can be and still qualify as a 
small business.\1021\ The industry categorization that appears to best 
fit the MSRB under the SBA table is Professional Organization. The SBA 
defines a Professional Organization as an entity having average annual 
receipts of less than $15 million. In its 2021 Annual Report, the MSRB 
reported total revenue exceeding $35 million for 
fiscal year 2021.\1022\ The Report also stated that the organization's 
total revenue for fiscal year 2020 exceeded $47 million.\1023\ The 
Commission is using the SBA's definition of small business to define 
the MSRB for purposes of the RFA and has concluded that the MSRB is not 
a ``small entity.'' Consequently, the Commission certifies that the 
proposed rule and form would not, if adopted, have a significant 
economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \1019\ See Rule 0-10.
    \1020\ See 5 U.S.C. 601(3).
    \1021\ See 13 CFR 121.201. See also SBA, Table of Small Business 
Size Standards Matched to North American Industry Classification 
System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business 
size standards within 13 CFR 121.201).
    \1022\ See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB-2021-Annual-Report.ashx.
    \1023\ Id.
---------------------------------------------------------------------------

4. National Securities Exchanges and National Securities Associations
    For the purposes of Commission rulemaking, and with respect to the 
national securities exchanges, the Commission has defined a ``small 
entity'' as an exchange that has been exempt from the reporting 
requirements of Rule 601 of Regulation NMS and is not affiliated with 
any person (other than a natural person) that is not a small business 
or small organization.\1024\ None of the national securities exchanges 
registered under section 6 of the Exchange Act that would be subject to 
the proposed rule and form is a ``small entity'' for purposes of the 
RFA.
---------------------------------------------------------------------------

    \1024\ See paragraph (e) of Rule 0-10.
---------------------------------------------------------------------------

    There is only one national securities association (FINRA), and the 
Commission has previously stated that it is not a small entity as 
defined by 13 CFR 121.201.\1025\ Consequently, the Commission certifies 
that the proposed rule and form would not, if adopted, have a 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \1025\ See, e.g., Securities Exchange Act Release No. 62174 (May 
26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (``FINRA is not a 
small entity as defined by 13 CFR 121.201.'').
---------------------------------------------------------------------------

5. SBS Entities
    For purposes of Commission rulemaking, a small entity includes: (1) 
when used with reference to an ``issuer'' or a ``person,'' other than 
an investment company, an ``issuer'' or ``person'' that, on the last 
day of its most recent fiscal year, had total assets of $5 million or 
less; \1026\ or (2) a broker-dealer with total capital (net worth plus 
subordinated liabilities) of less than $500,000 on the date in the 
prior fiscal year as of which its audited financial statements were 
prepared pursuant to Rule 17a-5(d) under the Exchange Act,\1027\ or, if 
not required to file such statements, a broker-dealer with total 
capital (net worth plus subordinated liabilities) of less than $500,000 
on the last day of the preceding fiscal year (or in the time that it 
has been in business, if shorter); and is not affiliated with any 
person (other than a natural person) that is not a small business or 
small organization.\1028\
---------------------------------------------------------------------------

    \1026\ See paragraph (a) of Rule 0-10.
    \1027\ 17 CFR 240.17a-5(d).
    \1028\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------

    With respect to SBS Entities, based on feedback from market 
participants and our information about the security-based swap markets, 
and consistent with our position in prior rulemakings arising out of 
the Dodd-Frank Act, the Commission continues to believe that: (1) the 
types of entities that will engage in more than a de minimis amount of 
dealing activity involving security-based swaps--which generally would 
be large financial institutions--would not be ``small entities'' for 
purposes of the RFA, and (2) the types of entities that may have 
security-based swap positions above the level required to be MSBSPs 
would not be ``small entities'' for purposes of the RFA.\1029\
---------------------------------------------------------------------------

    \1029\ See, e.g., SBS Entity Risk Mitigation Adopting Release, 
85 FR at 6411; SBS Entity Registration Adopting Release, 80 FR at 
49013; Recordkeeping and Reporting Requirements for Security-Based 
Swap Dealers, Major Security-Based Swap Participants, and Broker-
Dealers; Capital Rule for Certain Security-Based Swap Dealers, 
Exchange Act Release No. 71958 (Apr. 17, 2014), 79 FR 25193, 25296-
97 and n.1441 (May 2, 2014); Further Definition Release, 77 FR at 
30743.
---------------------------------------------------------------------------

    Consequently, the Commission certifies that with respect to SBS 
Entities the proposed rule and form (as well as the amendments to Rule 
3a71-6) would not, if adopted, have a significant economic impact on a 
substantial number of small entities.
6. SBSDRs
    For purposes of Commission rulemaking regarding SBSDRs, a small 
entity includes: (1) when used with reference to an ``issuer'' or a 
``person,'' other than an investment company, an ``issuer'' or 
``person'' that, on the last day of its most recent fiscal year, had 
total assets of $5 million or less; \1030\ or (2) a broker-dealer with 
total capital (net worth plus subordinated liabilities) of less than 
$500,000 on the date in the prior fiscal year as of which its audited 
financial statements were prepared pursuant to Rule 17a-5(d) under the 
Exchange Act,\1031\ or, if not required to file such statements, a 
broker-dealer with total capital (net worth plus subordinated 
liabilities) of less than $500,000 on the last day of the preceding 
fiscal year (or in the time that it has been in business, if shorter); 
and is not affiliated with any person (other than a natural person) 
that is not a small business or small organization.\1032\
---------------------------------------------------------------------------

    \1030\ See paragraph (a) of Rule 0-10.
    \1031\ 17 CFR 240.17a-5(d).
    \1032\ See paragraph (c) of Rule 0-10.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the SBSDRs 
currently registered with the Commission, and consistent with the 
Commission's prior
rulemakings,\1033\ the Commission preliminarily believes that such 
entities exceed the thresholds defining ``small entities'' set out 
above. While other SBSDRs may emerge and seek to register as SBSDRs, 
the Commission preliminarily does not believe that any such entities 
would be ``small entities'' as defined in Exchange Act Rule 0-10. 
Consequently, the Commission certifies that the proposed rule and form 
would not, if adopted, have a significant economic impact on a 
substantial number of small entities.
---------------------------------------------------------------------------

    \1033\ See, e.g., SBSDR Adopting Release, 80 FR at 14548-49 
(stating that ``[i]n the Proposing Release, the Commission stated 
that it did not believe that any persons that would register as 
SBSDRs would be considered small entities. The Commission stated 
that it believed that most, if not all, SBSDRs would be part of 
large business entities with assets in excess of $5 million and 
total capital in excess of $500,000. As a result, the Commission 
certified that the proposed rules would not have a significant 
impact on a substantial number of small entities and requested 
comments on this certification. The Commission did not receive any 
comments that specifically addressed whether Rules 13n-1 through 
13n-12 and Form SBSDR would have a significant economic impact on 
small entities. Therefore, the Commission continues to believe that 
Rules 13n-1 through 13n-12 and Form SBSDR will not have a 
significant economic impact on a substantial number of small 
entities. Accordingly, the Commission hereby certifies that, 
pursuant to 5 U.S.C. 605(b), Rules 13n-1 through 13n-12, Form SBSDR 
will not have a significant economic impact on a substantial number 
of small entities'').
---------------------------------------------------------------------------

7. Transfer Agents
    For purposes of Commission rulemaking, Exchange Act Rule 0-10(h) 
provides that the term small business or small organization shall, when 
used with reference to a transfer agent, mean a transfer agent that: 
(1) received less than 500 items for transfer and less than 500 items 
for processing during the preceding six months (or in the time that it 
has been in business, if shorter); (2) transferred items only of 
issuers that would be deemed ``small businesses'' or ``small 
organizations'' as defined in this section; and (3) maintained master 
shareholder files that in the aggregate contained less than 1,000 
shareholder accounts or was the named transfer agent for less than 
1,000 shareholder accounts at all times during the preceding fiscal 
year (or in the time that it has been in business, if shorter); and (4) 
is not affiliated with any person (other than a natural person) that is 
not a small business or small organization under this section.\1034\ As 
of March 31, 2022, the Commission estimates there were 158 transfer 
agents that were considered small organizations. Our estimate is based 
on the number of transfer agents that reported a value of fewer than 
1,000 for items 4(a) and 5(a) on Form TA-2 for the 2021 annual 
reporting period (which was required to be filed by March 31, 
2022).\1035\
---------------------------------------------------------------------------

    \1034\ See paragraph (h) of Rule 0-10.
    \1035\ Item 4(a) on Form TA-2 requires each transfer agent to 
provide the number of items received for transfer during the 
reporting period. Item 5(a) on Form TA-2 requires each transfer 
agent to provide its total number of individual securityholder 
accounts, including accounts in the Direct Registration System 
(DRS), dividend reinvestment plans and/or direct purchase plans as 
of December 31.
---------------------------------------------------------------------------

D. Reporting, Recordkeeping, and Other Compliance Requirements

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    The proposed requirements under proposed Rule 10 and Parts I and II 
of proposed Form SCIR, including compliance and recordkeeping 
requirements, are summarized in this IRFA.\1036\ The burdens on 
respondents, including those that are small entities, are discussed 
above in the Commission's economic analysis and PRA analysis.\1037\ 
They also are discussed below.
---------------------------------------------------------------------------

    \1036\ See section VI.A. of this release. See also section II of 
this release (discussing the requirements of proposed Rule 10 and 
Parts I and II of proposed Form SCIR in more detail).
    \1037\ See sections IV and V of this release (setting forth the 
Commission's economic analysis and PRA analysis, respectively).
---------------------------------------------------------------------------

    As discussed above, there are approximately 764 small entity 
broker-dealers. Of these, 195 would be Covered Entities and 569 would 
be Non-Covered Broker-Dealers under proposed Rule 10. In addition, 
there are approximately 158 small entity transfer agents, all of which 
would be Covered Entities (resulting in a total of 353 small entities 
that would be Covered Entities). The total number of small entity 
broker-dealers or transfer agents that would be subject to the 
requirements of proposed Rule 10 as either Covered Entities or 
Non-Covered Broker-Dealers is 922.
    The requirements under proposed Rule 10 to implement and review 
certain policies and procedures would result in costs to these small 
entities. For Covered Entities, this would create a new annual burden 
of approximately 31.67 hours per firm, or 11,179.51 hours in aggregate 
for small entities. The Commission therefore expects the annual 
monetized aggregate cost to small entities to be $5,164,933.62.\1038\ 
For Non-Covered Broker-Dealers, the requirements would create a new 
annual burden of approximately 21 hours per firm, or 11,949 hours in 
aggregate for small entities. The Commission therefore expects the 
annual monetized aggregate cost to small entities to be 
$5,520,438.\1039\
---------------------------------------------------------------------------

    \1038\ $29,102,133.06 total cost x (353 small entities/1,989 
total entities) = $5,164,933.62.
    \1039\ $19,103,238 total cost x (569 small entities/1,969 total 
entities) = $5,520,438.
---------------------------------------------------------------------------

    In addition, there are approximately 922 small entities that would 
be subject to the notification requirements of proposed Rule 10. The 
requirement to make a determination regarding a significant 
cybersecurity incident and immediate notice to the Commission would 
create a new annual burden of approximately 4.67 hours per Market 
Entity, or 4,305.74 hours in aggregate for small entities. The 
Commission therefore expects the annual monetized aggregate cost to 
small entities associated with the proposed notification requirement 
under Rule 10 to be $1,519,926.22.\1040\ The 353 small entities that 
would be Covered Entities would also be subject to the requirements to 
file Part I of proposed Form SCIR. This would create a new annual 
burden of approximately 2.5 hours per Covered Entity, or 882.5 hours in 
aggregate for small entities. The Commission therefore expects the 
annual monetized aggregate cost to small entities associated with Part 
I of proposed Form SCIR to be $380,357.50.\1041\
---------------------------------------------------------------------------

    \1040\ $6,524,802.58 total cost x (922 small entities/3,958 
total entities) = $1,519,926.22.
    \1041\ $2,143,147.5 total cost x (353 small entities/1,989 total 
entities) = $380,357.50.
---------------------------------------------------------------------------

    In addition, the approximately 353 small entities that are Covered 
Entities would be subject to the disclosure requirements of proposed 
Rule 10. These 353 small entities would be required to make certain 
public disclosures on Part II of proposed Form SCIR. This would create 
a new annual burden of approximately 3.67 hours per Covered Entity, or 
1,295.51 hours in aggregate for small entities. The Commission 
therefore expects the annual monetized aggregate cost to small entities 
associated with Part II of proposed Form SCIR to be $486,243.38.\1042\
---------------------------------------------------------------------------

    \1042\ $2,739,767.94 total cost x (353 small entities/1,989 
total entities) = $486,243.38.
---------------------------------------------------------------------------

    Furthermore, the requirement to file Form SCIR using a form-
specific XML may impose some compliance costs for entities not already 
required to file in EDGAR. Because all transfer agents are already 
required to file in EDGAR their annual reports on Form TA-2, no small 
entity transfer agent will incur an additional burden for filing their 
public disclosures in EDGAR. Assuming all 195 small broker-dealers that 
are Covered Entities do not already file in EDGAR, the requirement to 
file the public disclosures in EDGAR would create an initial, one-time 
burden of
approximately 0.30 hours per Covered Entity, or 58.5 hours in aggregate 
for small entities, to complete and submit a Form ID. In addition, the 
requirement to file Form SCIR using custom XML (with which a Covered 
Entity would be able to comply by inputting its disclosures into a 
fillable web form) would create an ongoing burden of 0.5 hours per 
filing, or 176.5 hours for all small entities collectively.
    As discussed above, there are approximately 195 small entity 
broker-dealers that would be subject to the additional disclosure 
requirements under proposed Rule 10 for customers of Covered Broker-
Dealers. This would create a new annual burden of approximately 51.26 
hours per Covered Entity, or 9,995.7 hours in aggregate for small 
entities. The Commission therefore expects the annual monetized 
aggregate cost to small entities associated with the proposed 
disclosure requirements for Covered Broker-Dealers to be 
$689,703.30.\1043\
---------------------------------------------------------------------------

    \1043\ $5,450,424.54 total cost x (195 small entities/1,541 
total entities) = $689,703.30.
---------------------------------------------------------------------------

2. Rules 17a-4, 17ad-7, and 18a-6
    The proposed amendments to Rules 17a-4, 17ad-7, and 18a-6 would 
impose certain recordkeeping requirements, which--with respect to 17a-4 
and 17ad-7--includes requirements for those that are small 
entities.\1044\ The proposed amendments are discussed above in 
detail,\1045\ and the requirements and the burdens on respondents, 
including those that are small entities, are discussed above in the 
economic analysis and PRA, respectively.\1046\
---------------------------------------------------------------------------

    \1044\ See section VI.A.3. of this release.
    \1045\ See sections II.B.5. and II.C. of this release.
    \1046\ See sections IV and V of the release.
---------------------------------------------------------------------------

    There are approximately 353 small entities that would be subject to 
the proposed amendments to Rules 17a-4 and 17ad-7 as Covered Entities. 
As discussed above in the PRA analysis in section V, the proposed 
amendments to Rules 17a-4 and 17ad-7 would require Market Entities to 
retain certain copies of documents required under proposed Rule 10, and 
would create a new annual burden of approximately 6 hours per entity, 
or 2,118 hours in aggregate for small entities. The Commission 
therefore expects the annual monetized aggregate cost to small entities 
associated with the proposed amendments would be $155,673.\1047\
---------------------------------------------------------------------------

    \1047\ $877,149 total cost x (353 small entities/1,989 total 
entities) = $155,673.
---------------------------------------------------------------------------

    As discussed above, there are approximately 569 small entity 
broker-dealers that would be subject to the proposed amendments to Rule 
17a-4 as Non-Covered Broker-Dealers. As discussed above in the PRA 
analysis, in section V, the proposed amendments to Rule 17a-4 would 
require Market Entities to retain certain copies of documents required 
under proposed Rule 10, which would create a new annual burden of 
approximately 3 hours per entity, or 1,707 hours in aggregate for small 
entities. The Commission therefore expects the annual monetized 
aggregate cost to small entities associated with the proposed 
amendments would be $125,464.50.\1048\
---------------------------------------------------------------------------

    \1048\ $434,164.50 total cost x (569 small entities/1,969 total 
entities) = $125,464.50.
---------------------------------------------------------------------------

E. Duplicative, Overlapping, or Conflicting Federal Rules

1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
    As discussed above, certain broker-dealers--including an operator 
of an ATS--and transfer agents would be small entities. Proposed Rule 10 
would require all Market Entities to establish, maintain, and enforce 
written policies and procedures that are reasonably designed to address 
their cybersecurity risks, and, at least annually, review and assess 
the design and effectiveness of these policies and procedures.\1049\ As 
discussed earlier, broker-dealers are subject to Regulation S-P and 
Regulation S-ID.\1050\ In addition, ATSs that trade certain stocks 
exceeding specific volume thresholds are subject to Regulation SCI. 
Further, an ATS is subject to Regulation ATS. Transfer agents 
registered with the Commission (but not transfer agents registered with 
another appropriate regulatory agency) are subject to the Regulation S-
P Disposal Rule.\1051\ Transfer agents also may be subject to 
Regulation S-ID if they are ``financial institutions'' or 
``creditors.'' \1052\
---------------------------------------------------------------------------

    \1049\ See paragraphs (b)(1) and (e)(1) of proposed Rule 10 
(requiring Covered Entities and Non-Covered Broker-Dealers, 
respectively, to have policies and procedures to address their 
cybersecurity risks); sections II.B.1. and II.C.1. of this release 
(discussing the requirements of paragraphs (b)(1) and (e)(1) of 
proposed Rule 10 in more detail).
    \1050\ See section IV.C.1.b.i. of this release (discussing 
current relevant regulations applicable to broker-dealers).
    \1051\ See section IV.C.1.b.v. of this release (discussing 
current relevant regulations applicable to transfer agents).
    \1052\ See 17 CFR 248.201 and 202. The scope of Regulation S-ID 
includes any financial institution or creditor, as defined in the 
Fair Credit Reporting Act (15 U.S.C. 1681) that is required to be 
``registered under the Securities Exchange Act of 1934.'' See 17 CFR 
248.201(a).
---------------------------------------------------------------------------

    As discussed earlier, these other regulations have provisions that 
require policies and procedures that address certain cybersecurity 
risks.\1053\ However, the policies and procedures requirements of 
proposed Rule 10 are intended to differ in scope and purpose from those 
other regulations, and the policies and procedures required under 
proposed Rule 10 are consistent with the existing and proposed 
requirements of those other regulations that pertain to cybersecurity.
---------------------------------------------------------------------------

    \1053\ See section II.F.1.c. of this release.
---------------------------------------------------------------------------

    Proposed Rule 10 would require all Market Entities to give the 
Commission immediate written electronic notice of a significant 
cybersecurity incident upon having a reasonable basis to conclude that 
the significant cybersecurity incident has occurred or is 
occurring.\1054\ Covered Entities--in addition to providing the 
Commission with immediate written electronic notice of a significant 
cybersecurity incident--would need to report and update information 
about the significant cybersecurity incident by filing Part I of 
proposed Form SCIR with the Commission.\1055\ Recently, the OCC, 
Federal Reserve Board, and FDIC adopted a new rule that would require 
certain banking organizations to notify the appropriate banking 
regulator of any cybersecurity incidents within 36 hours of discovering 
an incident.\1056\ Certain transfer agents are banking organizations 
and, therefore, may be required to provide notification to the 
Commission and other regulators under proposed Rule 10 and to their 
banking regulator under this new rule if they experience a significant 
cybersecurity incident.\1057\ However, the burdens of providing these 
notices are minor and each requirement is designed to alert separate 
regulators who have oversight responsibilities with respect to transfer 
agents about cybersecurity incidents that could adversely impact the 
transfer agent.
---------------------------------------------------------------------------

    \1054\ See paragraph (c)(1) of proposed Rule 10; paragraph 
(e)(2) of proposed Rule 10. See also sections II.B.2.a. and II.C. of 
this release (discussing these proposed requirements in more 
detail).
    \1055\ See sections II.B.2. and II.B.4. of this release 
(discussing these proposed requirements in more detail).
    \1056\ See section IV.C.1.d. of this release (discussing this 
requirement in more detail).
    \1057\ Similarly, to the extent that a Covered Entity is subject 
to NFA rules, there may be overlapping notification requirements. 
See NFA Interpretive Notice 9070--NFA Compliance Rules 2-9, 2-36 and 
2-49: Information Systems Security Programs (effective March 1, 
2016; April 1, 2019 and September 30, 2019) available at https://www.nfa.futures.org/rulebook/rules.aspx?RuleID=9070&Section=9.
---------------------------------------------------------------------------

    Proposed Rule 10 would require a Covered Entity to make two types 
of public disclosures relating to cybersecurity on Part II of proposed
Form SCIR.\1058\ Covered Entities would be required to make the 
disclosures by filing Part II of proposed Form SCIR on EDGAR and 
posting a copy of the filing on their business internet websites.\1059\ 
In addition, a Covered Entity that is either a carrying or introducing 
broker-dealer would be required to provide a copy of the most recently 
filed Part II of Form SCIR to a customer as part of the account opening 
process. Thereafter, the carrying or introducing broker-dealer would 
need to provide the customer with the most recently filed form 
annually. Regulation SCI requires that SCI entities disseminate 
information to their members, participants, or customers (as 
applicable) regarding SCI events, including systems intrusions.\1060\
---------------------------------------------------------------------------

    \1058\ See paragraph (d)(1) of proposed Rule 10.
    \1059\ See section II.B.3.b. of this release (discussing these 
proposed requirements in more detail).
    \1060\ See 17 CFR 242.1002(c).
---------------------------------------------------------------------------

    Consequently, a Covered Entity would, if it experiences a 
``significant cybersecurity incident,'' be required to make updated 
disclosures under proposed Rule 10 by filing Part II of proposed Form 
SCIR on EDGAR, posting a copy of the form on its business internet 
website, and, in the case of a carrying or introducing broker-dealer, 
by sending the disclosure to its customers using the same means that 
the customer elects to receive account statements. Moreover, if a 
Covered Entity is an SCI entity and the significant cybersecurity incident is 
or would be an SCI event under the current or proposed requirements of 
Regulation SCI, the Covered Entity also could be required to 
disseminate certain information about the SCI event to certain of its 
members, participants, or customers (as applicable).
    As discussed above, proposed Rule 10 and Regulation SCI require 
different types of information to be disclosed. In addition, the 
disclosures, for the most part, would be made to different persons: (1) 
the public at large in the case of proposed Rule 10; \1061\ and (2) 
affected members, participants, or customers (as applicable) of the SCI 
entity in the case of Regulation SCI. For these reasons, the Commission 
proposes to apply the disclosure requirements of proposed Rule 10 to 
Covered Entities even if they would be subject to the disclosure 
requirements of Regulation SCI.
---------------------------------------------------------------------------

    \1061\ A carrying broker-dealer would be required to make the 
disclosures to its customers as well through the means by which they 
receive account statements.
---------------------------------------------------------------------------

2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption Orders
    As part of proposed Rule 10, the Commission is proposing 
corresponding amendments to the books and records rules for Market 
Entities. There are no duplicative, overlapping, or conflicting Federal 
rules with respect to the proposed amendments to Rules 17a-4, 17ad-7, 
18a-6 and clearing agency exemption orders.

F. Significant Alternatives

    The RFA directs the Commission to consider significant alternatives 
that would accomplish our stated objectives, while minimizing any 
significant adverse effect on small entities.
1. Broker-Dealers
    As discussed above, the proposal would apply to all registered 
broker-dealers. Under the proposal, the following broker-dealers would 
be Covered Entities: (1) broker-dealers that maintain custody of 
securities and cash for customers or other broker-dealers (i.e., 
carrying broker-dealers); (2) broker-dealers that introduce their 
customer accounts to a carrying broker-dealer on a fully disclosed 
basis (i.e., introducing broker-dealers); (3) broker-dealers with 
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that 
operate an ATS. Broker-dealers that do not fit into at least one of 
these categories would not be Covered Entities (i.e., they would be 
Non-Covered Broker-Dealers). As discussed earlier, Covered Entities 
would be subject to additional requirements under proposed Rule 
10.\1062\
---------------------------------------------------------------------------

    \1062\ See paragraphs (b), (c), and (d) of proposed Rule 10 
(setting forth the requirements for Covered Entities); paragraph (e) 
of proposed Rule 10 (setting forth the requirements for Non-Covered 
Broker-Dealers).
---------------------------------------------------------------------------

    Of the 1,541 broker-dealers that would be Covered Entities, 
approximately 195 are considered small entities. All but one of these 
small entities are broker-dealers that introduce their customer 
accounts to a carrying broker-dealer on a fully disclosed basis. The 
remaining small entity broker-dealer is an operator of an ATS. The 
Commission considered the following alternatives for small entities 
that are Covered Broker-Dealers in relation to the proposal: (1) 
differing compliance or reporting requirements that take into account 
the resources available to small entities; (2) the clarification, 
consolidation, or simplification of compliance and reporting 
requirements under the proposed rule for such small entities; (3) the 
use of design rather than performance standards; and (4) an exemption 
from coverage of the proposed rule, or any part thereof, for such small 
entities.
    Regarding the first and fourth alternatives, the Commission decided 
not to include differing requirements or exemptions for introducing 
broker-dealers, regardless of size, and therefore, they would be 
Covered Entities under the proposed rule. This decision was based on a 
number of considerations.\1063\ For example, introducing broker-dealers 
are a conduit to their customers' accounts at the carrying broker-
dealer and have access to information and trading systems of the 
carrying broker-dealer. Consequently, a cybersecurity incident at an 
introducing firm could directly harm the introducing firm's customers 
to the extent it causes them to lose access to the systems allowing 
them to view and transact in their securities accounts at the carrying 
broker-dealer. Further, a significant cybersecurity incident at an 
introducing broker-dealer could spread to the carrying broker-dealer 
given the information systems that connect the two firms. These 
connections also may make introducing broker-dealers attractive targets 
for threat actors seeking to access the information systems of the 
carrying broker-dealer to which the introducing broker-dealer is 
connected. In addition, introducing broker-dealers may store personal 
information about their customers on their information systems or be 
able to access this information on the carrying broker-dealer's 
information systems. If this information is accessed or stolen by 
unauthorized users, it could result in harm (e.g., identity theft or 
conversion of financial assets) to many individuals, including retail 
investors.
---------------------------------------------------------------------------

    \1063\ See section II.A.1.b. of this release (discussing why 
introducing broker-dealers would be Covered Entities in more 
detail).
---------------------------------------------------------------------------

    The Commission decided not to include differing requirements or 
exemptions for broker-dealers that operate an ATS, regardless of size, 
and therefore, they would be Covered Entities under the proposed rule. 
This decision was based on a number of considerations.\1064\ In 
particular, the Commission included all broker-dealers that operate an 
ATS as Covered Entities, regardless of size, because ATSs have become 
increasingly important venues for trading securities in a fast and 
automated manner. ATSs perform
exchange functions to bring together buyers and sellers using limit 
order books and order types. These developments have made ATSs 
significant sources of orders and trading interest for securities. ATSs 
use data feeds, algorithms, and connectivity to perform their 
functions. In this regard, ATSs rely heavily on information systems, 
including to connect to other Market Entities such as other broker-
dealers and principal trading firms. A significant cybersecurity 
incident that disrupts a broker-dealer that operates an ATS could 
negatively impact the ability of investors to liquidate or purchase 
certain securities at favorable or predictable prices or in a timely 
manner to the extent the ATS provides liquidity to the market for those 
securities. Further, a significant cybersecurity incident at an ATS 
could provide a gateway for threat actors to attack other Market 
Entities that connect to it through information systems and networks of 
interconnected information systems. This could cause a cascading effect 
where a significant cybersecurity incident initially impacting an ATS 
spreads to other Market Entities causing major disruptions to the U.S. 
securities markets. In addition, ATSs are connected to a number of 
different Market Entities through information systems, including 
national securities exchanges and other broker-dealers. Therefore, they 
create and are exposed to cybersecurity risk through the channels of 
these information systems.
---------------------------------------------------------------------------

    \1064\ See section II.A.1.b. of this release (discussing why 
broker-dealers that operate an ATS would be Covered Entities in more 
detail).
---------------------------------------------------------------------------

    Regarding the second alternative, the Commission believes the 
current proposal is clear and that further clarification, 
consolidation, or simplification of the compliance requirements is not 
necessary for small entities that are introducing broker-dealers or 
broker-dealers that operate as ATSs. As discussed above, proposed Rule 
10 would require Covered Entities to establish, maintain, and enforce 
written cybersecurity policies and procedures that are reasonably 
designed to address their cybersecurity risks and that specifically 
address: (1) risk assessment; (2) user security and access; (3) 
information protection; (4) cybersecurity threat and vulnerability 
management; and (5) cybersecurity incident response and recovery.\1065\ 
It also would require Covered Entities to conduct an annual review and 
assessment of these policies and procedures and produce a report 
documenting the review and assessment. Further, the proposed rule would 
require them to provide immediate notification and subsequent reporting 
of significant cybersecurity incidents and to publicly disclose summary 
descriptions of their cybersecurity risks and, if applicable, summary 
descriptions of their significant cybersecurity incidents.\1066\ The 
proposed rule would provide clarity in the existing regulatory 
framework regarding cybersecurity and serve as an explicit requirement 
for firms to establish, maintain, and enforce comprehensive 
cybersecurity programs to address their cybersecurity risks, provide 
information to the Commission about the significant cybersecurity 
incidents they experience, and publicly disclose information about 
their cybersecurity risks and significant cybersecurity incidents.
---------------------------------------------------------------------------

    \1065\ See paragraph (b) of proposed Rule 10. See also section 
II.B.1. of this release (discussing these requirements in more 
detail).
    \1066\ See paragraphs (c) and (d) of proposed Rule 10. See also 
sections II.B.2. through II.B.4. of this release (discussing these 
requirements in more detail).
---------------------------------------------------------------------------

    Regarding the third alternative, the Commission determined to use 
performance standards rather than design standards. Although the 
proposed rule requires Covered Entities to implement policies and 
procedures that are reasonably designed and that must include certain 
elements, the Commission does not place certain conditions or 
restrictions on how to establish, maintain, and enforce such policies 
and procedures. The general elements required to be included in the 
policies and procedures are designed to enumerate the core areas that 
firms would need to address when adopting, implementing, reassessing 
and updating their cybersecurity policies and procedures.
    The policies and procedures that would be required by proposed Rule 
10--because they would need to address the Covered Entity's 
cybersecurity risks--generally should be tailored to the nature and 
scope of the Covered Entity's business and address the Covered Entity's 
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to 
impose a one-size-fits-all approach to addressing cybersecurity risks. 
In addition, cybersecurity threats are constantly evolving and measures 
to address those threats continue to evolve. Therefore, proposed Rule 
10 is designed to provide Covered Entities with the flexibility to 
update and modify their policies and procedures as needed so that 
they continue to be reasonably designed to address the Covered Entity's 
cybersecurity risks over time.
    The remaining 569 registered broker-dealers that are small entities would not 
be Covered Entities. These firms are not conduits to their customer 
accounts at a carrying broker-dealer. These firms also do not perform 
exchange-like functions such as offering limit order books and other 
order types, like an ATS would. As such, these firms are subject to 
differing compliance, reporting, and disclosure requirements that take 
into account the resources available to the entities. For example, 
these firms are subject to simplified requirements concerning their 
cybersecurity policies and procedures and annual review.\1067\ In 
addition, these firms are exempted from the cybersecurity reporting and 
disclosure requirements that apply to Covered Entities.
---------------------------------------------------------------------------

    \1067\ Non-Covered Broker-Dealers that are small entities are 
not, however, altogether exempted from the policies and procedures 
requirements because having appropriate cybersecurity policies and 
procedures in place would help address any cybersecurity risks and 
incidents that occur at the broker-dealer and help protect broker-
dealers and their customers from greater risk of harm. The 
Commission anticipates that these benefits should apply to customers 
of smaller firms as well as larger firms. Non-Covered Broker-Dealers 
are also not exempted from the requirement to provide the Commission 
with immediate written electronic notice of a significant 
cybersecurity incident affecting the entity.
---------------------------------------------------------------------------

2. Clearing Agencies
    For the reasons stated above, this requirement is not applicable to 
clearing agencies.
3. The MSRB
    For the reasons stated above, this requirement is not applicable to 
the MSRB.
4. National Securities Exchanges and National Securities Associations
    For the reasons stated above, this requirement is not applicable to 
national securities exchanges and national securities associations.
5. SBS Entities
    For the reasons stated above, this requirement is not applicable to 
SBS Entities.
6. SBSDRs
    For the reasons stated above, this requirement is not applicable to 
SBSDRs.
7. Transfer Agents
    The proposed rule would apply to every transfer agent as defined in 
section 3(a)(25) of the Exchange Act that is registered or required to 
be registered with an appropriate regulatory agency as defined in 
section 3(a)(34)(B) of the Exchange Act. As of December 31, 2022, there 
were 353 transfer agents that were either registered with the 
Commission through Form TA-1 or registered with

[[Page 20341]]

other appropriate regulatory agencies through Form TA-2. As of March 
31, 2022, the Commission estimates there were 158 transfer agents that 
were considered small organizations.
    The Commission considered the following alternatives for small 
organizations that are transfer agents in relation to the proposal: (1) 
differing compliance or reporting requirements that take into account 
the resources available to small entities; (2) the clarification, 
consolidation, or simplification of compliance and reporting 
requirements under the proposed rule for such small entities; (3) the 
use of design rather than performance standards; and (4) an exemption 
from coverage of the proposed rule, or any part thereof, for such small 
entities.
    Regarding the first and fourth alternatives, the Commission decided 
not to include differing requirements or exemptions for transfer 
agents, regardless of size, and therefore, they would be Covered 
Entities under the proposed rule. This decision was based on a number 
of considerations.\1068\ Transfer agents engage, on behalf of an 
issuer of securities or on their own behalf as issuers of securities, 
in (among other functions): (1) tracking, recording, and maintaining 
the official record of ownership of each issuer's securities; (2) 
canceling old certificates, issuing new ones, and performing other 
processing and recordkeeping functions that facilitate the issuance, 
cancellation, and transfer of those securities; (3) facilitating 
communications between issuers and registered securityholders; and (4) 
making dividend, principal, interest, and other distributions to 
securityholders. Their core recordkeeping systems provide a direct 
conduit to their issuer clients' master records, which document, and in 
many instances provide the legal underpinning for, registered 
securityholders' ownership of the issuer's securities. If these 
functions were disrupted, investors might not be able to transfer 
ownership of their securities or receive dividends and interest due on 
their securities positions.
---------------------------------------------------------------------------

    \1068\ See section II.A.1.c. of this release (discussing why 
transfer agents would be Covered Entities in more detail).
---------------------------------------------------------------------------

    Transfer agents store proprietary information about securities 
ownership and corporate actions. A significant cybersecurity incident 
at a transfer agent could lead to the improper use of this information 
to harm securities holders (e.g., public exposure of confidential 
financial information) or provide the unauthorized user with an unfair 
advantage over other market participants (e.g., trading based on 
confidential business information). Transfer agents also may store 
personal information including names, addresses, phone numbers, email 
addresses, employers, employment history, bank and specific account 
information, credit card information, transaction histories, securities 
holdings, and other detailed and individualized information related to 
the transfer agents' recordkeeping and transaction processing on behalf 
of issuers. Threat actors breaching the transfer agent's information 
systems could use this information to steal identities or financial 
assets of the persons to whom this information pertains. They also 
could sell it to other threat actors.
    Regarding the second alternative, the Commission is not proposing 
further clarification, consolidation, or simplification of the 
compliance requirements for small organizations that are transfer 
agents. As discussed above, proposed Rule 10 would require Covered 
Entities to establish, maintain, and enforce written cybersecurity 
policies and procedures that are reasonably designed to address their 
cybersecurity risks and that specifically address: (1) risk assessment; 
(2) user security and access; (3) information protection; (4) 
cybersecurity threat and vulnerability management; and (5) 
cybersecurity incident response and recovery.\1069\ It also would 
require Covered Entities to conduct an annual review and assessment of 
these policies and procedures and produce a report documenting the 
review and assessment. Further, the proposed rule would require them to 
provide immediate notification and subsequent reporting of significant 
cybersecurity incidents and to publicly disclose summary descriptions 
of their cybersecurity risks and, if applicable, summary descriptions 
of their significant cybersecurity incidents.\1070\ The proposed rule 
would provide clarity in the existing regulatory framework regarding 
cybersecurity and serve as an explicit requirement for firms to 
establish, maintain, and enforce comprehensive cybersecurity programs 
to address their cybersecurity risks, provide information to the 
Commission about the significant cybersecurity incidents they 
experience, and publicly disclose information about their cybersecurity 
risks and significant cybersecurity incidents.
---------------------------------------------------------------------------

    \1069\ See paragraph (b) of proposed Rule 10. See also section 
II.B.1. of this release (discussing these requirements in more 
detail).
    \1070\ See paragraphs (c) and (d) of proposed Rule 10. See also 
sections II.B.2. through II.B.4. of this release (discussing these 
requirements in more detail).
---------------------------------------------------------------------------

    Regarding the third alternative, the proposed rule requires Covered 
Entities to implement policies and procedures that are reasonably 
designed and that must include certain elements. However, the proposed 
rule does not place certain conditions or restrictions on how to 
establish, maintain, and enforce such policies and procedures. The 
general elements required to be included in the policies and procedures 
are designed to enumerate the core areas that firms would need to 
address when adopting, implementing, reassessing and updating their 
cybersecurity policies and procedures.
    The policies and procedures that would be required by proposed Rule 
10--because they would need to address the Covered Entity's 
cybersecurity risks--generally should be tailored to the nature and 
scope of the Covered Entity's business and address the Covered Entity's 
specific cybersecurity risks. Thus, proposed Rule 10 is not intended to 
impose a one-size-fits-all approach to addressing cybersecurity risks. 
In addition, cybersecurity threats are constantly evolving and measures 
to address those threats continue to evolve. Therefore, proposed Rule 
10 is designed to provide Covered Entities with the flexibility to 
update and modify their policies and procedures as needed so that 
they continue to be reasonably designed to address the Covered Entity's 
cybersecurity risks over time.

G. Request for Comment

    The Commission encourages written comments on the matters discussed 
in this IRFA. The Commission solicits comment on the number of small 
entities subject to the proposed Rule 10, Form SCIR, and proposed 
amendments to Rules 3a71-6, 17a-4, 18a-6, and 17ad-7. The Commission 
also solicits comment on the potential effects discussed in this 
analysis; and whether this proposal could have an effect on small 
entities that have not been considered. The Commission requests that 
commenters describe the nature of any effect on small entities and 
provide empirical data to support the extent of such effect. Such 
comments will be placed in the same public file as comments on the 
proposed rule and form and associated amendments. Persons wishing to 
submit written comments should refer to the instructions for submitting 
comments located at the front of this release.

[[Page 20342]]

VII. Small Business Regulatory Enforcement Fairness Act

    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996, or ``SBREFA,'' the Commission must advise OMB whether a 
proposed regulation constitutes a ``major'' rule. Under SBREFA, a rule 
is considered ``major'' where, if adopted, it results in or is likely 
to result in (1) an annual effect on the economy of $100 million or 
more; (2) a major increase in costs or prices for consumers or 
individual industries; or (3) significant adverse effects on 
competition, investment or innovation. The Commission requests comment 
on the potential effect of the proposed amendments on the U.S. economy 
on an annual basis; any potential increase in costs or prices for 
consumers or individual industries; and any potential effect on 
competition, investment or innovation. Commenters are requested to 
provide empirical data and other factual support for their views to the 
extent possible.

VIII. Statutory Authority

    The Commission is proposing new Rule 10 (17 CFR 242.10) and Form 
SCIR (17 CFR 249.624) and amending Regulation S-T (17 CFR 232.101), 
Rule 3a71-6 (17 CFR 240.3a71-6), Rule 17a-4 (17 CFR 240.17a-4), Rule 
17ad-7 (17 CFR 240.17ad-7), Rule 18a-6 (17 CFR 240.18a-6), and Rule 18a-10 
(17 CFR 240.18a-10) under the Commission's rulemaking authority set 
forth in the following sections of the Exchange Act: (1) sections 15, 
17, and 23 for broker-dealers (15 U.S.C. 78o, 78q, and 78w); (2) 
sections 17, 17A, and 23 for clearing agencies (15 U.S.C. 78q, 78q-1, 
and 78w(a)(1)); (3) sections 15B, 17 and 23 for the MSRB (15 U.S.C. 
78o-4, 78q(a), and 78w); (4) sections 6(b), 11A, 15A, 17, and 23 for 
national securities exchanges and national securities associations (15 
U.S.C. 78f, 78k-1, 78o-3, and 78w); (5) sections 15F, 23, and 30(c) for 
SBS Entities (15 U.S.C. 78o-10, 78w, and 78dd(c)); (6) sections 13 and 
23 for SBSDRs (15 U.S.C. 78m and 78w); and (7) sections 17, 17A, and 
23 for transfer agents (15 U.S.C. 78q, 78q-1, and 78w).

List of Subjects in 17 CFR Part 232, 240, 242 and 249

    Brokers, Confidential business information, Reporting and 
recordkeeping requirements, Securities, Security-based swaps, Security-
based swap dealers, Major security-based swap participants.

Text of Proposed Rules and Rule Amendments

    For the reasons set out in the preamble, the Commission is 
proposing to amend title 17, chapter II of the Code of Federal 
Regulations as follows:

PART 232--REGULATION S-T--GENERAL RULES AND REGULATIONS FOR 
ELECTRONIC FILINGS

1. The general authority citation for part 232 is revised to read as 
follows:

    Authority:  15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s(a), 77z-3, 
77sss(a), 78c(b), 78l, 78m, 78n, 78o(d), 78o-10, 78w(a), 78ll, 80a-
6(c), 80a-8, 80a-29, 80a-30, 80a-37, 80b-4, 80b-10, 80b-11, 7201 et 
seq.; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
2. Section 232.101 is amended by revising paragraph (a)(1)(xxx) 
and adding paragraph (a)(1)(xxxi) to read as follows:


Sec.  232.101   Mandated electronic submissions and exceptions.

    (a) * * *
    (1) * * *
    (xxx) Documents filed with the Commission pursuant to section 33 of 
the Investment Company Act (15 U.S.C. 80a-32); and
    (xxxi) Form SCIR (Sec.  249.624 of this chapter).
* * * * *

PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 
1934

3. The authority citation for part 240 continues to read, in part, as 
follows:

    Authority:  15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 
78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 78o-4, 
78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78ll, 78mm, 80a-20, 
80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, and 7201 et seq., and 
8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; 
Pub. L. 111-203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112-106, 
sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.
* * * * *
4. Section 240.3a71-6 is amended by revising paragraph (d)(1) to read 
as follows:


Sec.  240.3a71-6   Substituted compliance for security-based swap 
dealers and major security-based swap participants.

* * * * *
    (d) * * *
    (1) Business conduct, supervision, and risk management. The 
business conduct and supervision requirements of sections 15F(h) and 
(j) of the Act (15 U.S.C. 78o-10(h) and (j)) and Sec. Sec.  240.15Fh-3 
through 15Fh-6 (other than the antifraud provisions of section 
15F(h)(4)(A) of the Act and Sec.  240.15Fh-4(a), and other than the 
provisions of sections 15F(j)(3) and 15F(j)(4)(B) of the Act), and the 
requirements of Sec.  242.10 of this chapter and Form SCIR (Sec.  
249.624 of this chapter); provided, however, that prior to making such 
a substituted compliance determination the Commission intends to 
consider whether the information that is required to be provided to 
counterparties pursuant to the requirements of the foreign financial 
regulatory system, the counterparty protections under the requirements 
of the foreign financial regulatory system, the mandates for 
supervisory systems under the requirements of the foreign financial 
regulatory system, and the duties imposed by the foreign financial 
regulatory system, are comparable to those associated with the 
applicable provisions arising under the Act and its rules and 
regulations.
* * * * *
5. Section 240.17a-4 is amended by adding paragraph (e)(13) to read as 
follows:


Sec.  240.17a-4   Records to be preserved by certain exchange members, 
brokers and dealers.

* * * * *
    (e) * * *
    (13)(i) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  242.10(b)(1) or Sec.  242.10(e)(1) of 
this chapter until three years after the termination of the use of the 
policies and procedures;
    (ii) The written documentation of any risk assessment pursuant to 
Sec.  242.10(b)(1)(i)(B) of this chapter for three years;
    (iii) The written documentation of the occurrence of a 
cybersecurity incident pursuant to Sec.  242.10(b)(1)(v)(B) of this 
chapter, including any documentation related to any response and 
recovery from such an incident, for three years;
    (iv) The written report of the annual review required to be 
prepared pursuant to Sec.  242.10(b)(2)(ii) of this chapter or the 
record of the annual review required pursuant to Sec.  242.10(e)(1) of this chapter for 
three years;
    (v) A copy of any notice transmitted to the Commission pursuant to 
Sec.  242.10(c)(1) or Sec.  242.10(e)(2) of this chapter or any Part I 
of Form SCIR filed with the Commission pursuant to Sec.  242.10(c)(2) 
of this chapter for three years; and
    (vi) A copy of any Part II of Form SCIR filed with the Commission 
pursuant to Sec.  242.10(d) of this chapter for three years.
* * * * *
0
6. Redesignate Sec.  240.17Ad-7 as Sec.  240.17ad-7.

[[Page 20343]]

7. Newly redesignated Sec.  240.17ad-7 is amended by revising the 
section heading, and adding paragraph (j) to read as follows:


Sec.  240.17ad-7   (Rule 17Ad-7) Record retention.

* * * * *
    (j)(1) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  242.10(b)(1) of this chapter until 
three years after the termination of the use of the policies and 
procedures;
    (2) The written documentation of any risk assessment pursuant to 
Sec.  242.10(b)(1)(i)(B) of this chapter for three years;
    (3) The written documentation of the occurrence of a cybersecurity 
incident pursuant to Sec.  242.10(b)(1)(v)(B) of this chapter, 
including any documentation related to any response and recovery from 
such an incident, for three years;
    (4) The written report of the annual review required to be prepared 
pursuant to Sec.  242.10(b)(2)(ii) of this chapter for three years;
    (5) A copy of any notice transmitted to the Commission and any ARA 
pursuant to Sec.  242.10(c)(1) of this chapter or any Part I of Form 
SCIR filed with the Commission pursuant to Sec.  242.10(c)(2) of this chapter for 
three years; and
    (6) A copy of any Part II of Form SCIR filed with the Commission 
pursuant to Sec.  242.10(d) of this chapter for three years.

8. Section 240.18a-6 is amended by adding paragraph (d)(6) to read as 
follows:


Sec.  240.18a-6   Records to be preserved by certain security-based 
swap dealers and major security-based swap participants.

* * * * *
    (d) * * *
    (6)(i) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  242.10(b)(1) of this chapter until 
three years after the termination of the use of the policies and 
procedures;
    (ii) The written documentation of any risk assessment pursuant to 
Sec.  242.10(b)(1)(i)(B) of this chapter for three years;
    (iii) The written documentation of the occurrence of a 
cybersecurity incident pursuant to Sec.  242.10(b)(1)(v)(B) of this 
chapter, including any documentation related to any response and 
recovery from such an incident, for three years;
    (iv) The written report of the annual review required to be 
prepared pursuant to Sec.  242.10(b)(2)(ii) of this chapter for three 
years;
    (v) A copy of any notice transmitted to the Commission pursuant to 
Sec.  242.10(c)(1) of this chapter or any Part I of Form SCIR filed 
with the Commission pursuant to Sec.  242.10(c)(2) of this chapter for 
three years; and
    (vi) A copy of any Part II of Form SCIR filed with the Commission 
pursuant to Sec.  242.10(d) of this chapter for three years.
* * * * *
9. Section 240.18a-10 is amended by adding paragraph (g) to read as 
follows:


Sec.  240.18a-10   Alternative compliance mechanism for security-based 
swap dealers that are registered as swap dealers and have limited 
security-based swap activities.

* * * * *
    (g) The provisions of this section do not apply to the record 
maintenance and preservation requirements of Sec.  240.18a-6(d)(6)(i) 
through (vi).

PART 242--REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER 
MARGIN REQUIREMENTS FOR SECURITY FUTURES

10. The general authority citation for part 242 is revised to read as 
follows:

    Authority:  15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78o-
10, 78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, 
and 80a-37.

11. Section 242.10 is added to read as follows:


Sec.  242.10   Cybersecurity requirements.

    (a) Definitions: For purposes of this section:
    (1) Covered entity means:
    (i) A broker or dealer registered with the Commission that:
    (A) Maintains custody of cash and securities for customers or other 
brokers or dealers and is not exempt from the requirements of Sec.  
240.15c3-3 of this chapter;
    (B) Introduces customer accounts on a fully disclosed basis to 
another broker or dealer described in paragraph (a)(1)(i)(A) of this 
section;
    (C) Has regulatory capital equal to or exceeding $50 million;
    (D) Has total assets equal to or exceeding $1 billion;
    (E) Is a market maker under the Securities Exchange Act of 1934 (15 
U.S.C. 78a, et seq.) (``Act'') or the rules thereunder (which includes 
a broker or dealer that operates pursuant to Sec.  240.15c3-1(a)(6) of 
this chapter) or is a market maker under the rules of a self-regulatory 
organization of which the broker or dealer is a member; or
    (F) Operates an alternative trading system as defined in Sec.  
242.300(a) or operates an NMS Stock ATS as defined in Sec.  242.300(k).
    (ii) A clearing agency (registered or exempt) under section 
3(a)(23)(A) of the Act.
    (iii) A major security-based swap participant registered pursuant 
to section 15F(b) of the Act.
    (iv) The Municipal Securities Rulemaking Board.
    (v) A national securities association registered under section 15A 
of the Act.
    (vi) A national securities exchange registered under section 6 of 
the Act.
    (vii) A security-based swap data repository under section 3(a)(75) 
of the Act.
    (viii) A security-based swap dealer registered pursuant to section 
15F(b) of the Act.
    (ix) A transfer agent as defined in section 3(a)(25) of the Act 
that is registered or required to be registered with an appropriate 
regulatory agency as defined in section 3(a)(34)(B) of the Act 
(hereinafter also ``ARA'').
    (2) Cybersecurity incident means an unauthorized occurrence on or 
conducted through a market entity's information systems that 
jeopardizes the confidentiality, integrity, or availability of the 
information systems or any information residing on those systems.
    (3) Cybersecurity risk means financial, operational, legal, 
reputational, and other adverse consequences that could result from 
cybersecurity incidents, cybersecurity threats, and cybersecurity 
vulnerabilities.
    (4) Cybersecurity threat means any potential occurrence that may 
result in an unauthorized effort to affect adversely the 
confidentiality, integrity, or availability of a market entity's 
information systems or any information residing on those systems.
    (5) Cybersecurity vulnerability means a vulnerability in a market 
entity's information systems, information system security procedures, 
or internal controls, including, for example, vulnerabilities in their 
design, configuration, maintenance, or implementation that, if 
exploited, could result in a cybersecurity incident.
    (6) Information means any records or data related to the market 
entity's business residing on the market entity's information systems, 
including, for example, personal information received, maintained, 
created, or processed by the market entity.
    (7) Information systems means the information resources owned or 
used by the market entity, including, for example, physical or virtual 
infrastructure controlled by the information resources, or components 
thereof, organized for the collection, processing, maintenance, use, 
sharing, dissemination, or disposition of the

[[Page 20344]]

covered entity's information to maintain or support the covered 
entity's operations.
    (8) Market entity means a ``covered entity'' as defined in this 
section and a broker or dealer registered with the Commission that is 
not a ``covered entity'' as defined in this section.
    (9) Personal information means any information that can be used, 
alone or in conjunction with any other information, to identify a 
person, including, but not limited to, name, date of birth, place of 
birth, telephone number, street address, mother's maiden name, Social 
Security number, government passport number, driver's license number, 
electronic mail address, account number, account password, biometric 
records, or other non-public authentication information.
    (10) Significant cybersecurity incident means a cybersecurity 
incident, or a group of related cybersecurity incidents, that:
    (i) Significantly disrupts or degrades the ability of the market 
entity to maintain critical operations; or
    (ii) Leads to the unauthorized access or use of the information or 
information systems of the market entity, where the unauthorized access 
or use of such information or information systems results in or is 
reasonably likely to result in:
    (A) Substantial harm to the market entity; or
    (B) Substantial harm to a customer, counterparty, member, 
registrant, or user of the market entity, or to any other person that 
interacts with the market entity.
    (b)(1) Cybersecurity policies and procedures. A covered entity must 
establish, maintain, and enforce written policies and procedures that 
are reasonably designed to address the covered entity's cybersecurity 
risks, including policies and procedures that:
    (i)(A) Risk assessment. Require periodic assessments of 
cybersecurity risks associated with the covered entity's information 
systems and information residing on those systems, including requiring 
the covered entity to:
    (1) Categorize and prioritize cybersecurity risks based on an 
inventory of the components of the covered entity's information systems 
and information residing on those systems and the potential effect of a 
cybersecurity incident on the covered entity; and
    (2) Identify the covered entity's service providers that receive, 
maintain, or process information, or are otherwise permitted to access 
the covered entity's information systems and any of the covered 
entity's information residing on those systems, and assess the 
cybersecurity risks associated with the covered entity's use of these 
service providers.
    (B) Require written documentation of the risk assessments.
    (ii) User security and access. Require controls designed to 
minimize user-related risks and prevent unauthorized access to the 
covered entity's information systems and the information residing on 
those systems, including:
    (A) Requiring standards of behavior for individuals authorized to 
access the covered entity's information systems and the information 
residing on those systems, such as an acceptable use policy;
    (B) Identifying and authenticating individual users, including but 
not limited to implementing authentication measures that require users 
to present a combination of two or more credentials for access 
verification;
    (C) Establishing procedures for the timely distribution, 
replacement, and revocation of passwords or methods of authentication;
    (D) Restricting access to specific information systems of the 
covered entity or components thereof and the information residing on 
those systems solely to individuals requiring access to the systems and 
information as is necessary for them to perform their responsibilities 
and functions on behalf of the covered entity; and
    (E) Securing remote access technologies.
    (iii) Information protection. (A) Require measures designed to 
monitor the covered entity's information systems and protect the 
information residing on those systems from unauthorized access or use, 
based on a periodic assessment of the covered entity's information 
systems and the information that resides on the systems that takes into 
account:
    (1) The sensitivity level and importance of the information to the 
covered entity's business operations;
    (2) Whether any of the information is personal information;
    (3) Where and how the information is accessed, stored and 
transmitted, including the monitoring of information in transmission;
    (4) The information systems' access controls and malware 
protection; and
    (5) The potential effect a cybersecurity incident involving the 
information could have on the covered entity and its customers, 
counterparties, members, or users, including the potential to cause a 
significant cybersecurity incident.
    (B) Require oversight of service providers that receive, maintain, 
or process the covered entity's information, or are otherwise permitted 
to access the covered entity's information systems and the information 
residing on those systems, pursuant to a written contract between the 
covered entity and the service provider, through which the service 
providers are required to implement and maintain appropriate measures, 
including the practices described in paragraphs (b)(1)(i) through (v) 
of this section, that are designed to protect the covered entity's 
information systems and information residing on those systems.
    (iv) Cybersecurity threat and vulnerability management. Require 
measures designed to detect, mitigate, and remediate any cybersecurity 
threats and vulnerabilities with respect to the covered entity's 
information systems and the information residing on those systems;
    (v) Cybersecurity incident response and recovery. (A) Require 
measures designed to detect, respond to, and recover from a 
cybersecurity incident, including policies and procedures that are 
reasonably designed to ensure:
    (1) The continued operations of the covered entity;
    (2) The protection of the covered entity's information systems and 
the information residing on those systems;
    (3) External and internal cybersecurity incident information 
sharing and communications; and
    (4) The reporting of significant cybersecurity incidents pursuant 
to paragraph (c) of this section.
    (B) Require written documentation of any cybersecurity incident, 
including the covered entity's response to and recovery from the 
cybersecurity incident.
    (2) Annual Review. A covered entity must, at least annually:
    (i) Review and assess the design and effectiveness of the 
cybersecurity policies and procedures required by paragraph (b)(1) of 
this section, including whether the policies and procedures reflect 
changes in cybersecurity risk over the time period covered by the 
review; and
    (ii) Prepare a written report that describes the review, the 
assessment, and any control tests performed, explains their results, 
documents any cybersecurity incident that occurred since the date of 
the last report, and discusses any material changes to the policies and 
procedures since the date of the last report.
    (c) Notification and reporting of significant cybersecurity 
incidents--(1) Immediate notice. A covered entity must give the 
Commission immediate written electronic notice of a significant cybersecurity incident upon 
having a reasonable basis to conclude that the significant 
cybersecurity incident has occurred or is occurring. The notice must 
identify the covered entity, state that the notice is being given to 
alert the Commission of a significant cybersecurity incident impacting 
the covered entity, and provide the name and contact information of an 
employee of the covered entity who can provide further details about 
the significant cybersecurity incident. The notice also must be given 
to:
    (i) In the case of a broker or dealer, the examining authority of 
the broker or dealer; and
    (ii) In the case of a transfer agent, the ARA of the transfer 
agent.
    (2) Report. (i) A covered entity must report a significant 
cybersecurity incident, promptly, but no later than 48 hours, upon 
having a reasonable basis to conclude that the significant 
cybersecurity incident has occurred or is occurring by filing Part I of 
Form SCIR with the Commission electronically through the Electronic 
Data Gathering, Analysis, and Retrieval System (``EDGAR system'') in 
accordance with the EDGAR Filer Manual, as defined in Rule 11 of 
Regulation S-T (17 CFR 232.11), and Part I of Form SCIR must be filed 
in accordance with the requirements of Regulation S-T.
    (ii) A covered entity must file an amended Part I of Form SCIR with 
the Commission electronically through the EDGAR system in accordance 
with the EDGAR Filer Manual, as defined in Rule 11 of Regulation S-T 
(17 CFR 232.11), and Part I of Form SCIR must be filed in accordance 
with the requirements of Regulation S-T promptly, but no later than 48 
hours after each of the following circumstances:
    (A) Any information previously reported to the Commission on Part I 
of Form SCIR pertaining to a significant cybersecurity incident 
becoming materially inaccurate;
    (B) Any new material information pertaining to a significant 
cybersecurity incident previously reported to the Commission on Part I 
of Form SCIR being discovered;
    (C) A significant cybersecurity incident is resolved; or
    (D) An internal investigation pertaining to a significant 
cybersecurity incident is closed.
    (iii)(A) If the covered entity is a broker or dealer, it must 
promptly transmit a copy of each Part I of Form SCIR it files with the 
Commission to its examining authority; and
    (B) If the covered entity is a transfer agent, it must promptly 
transmit a copy of each Part I of Form SCIR it files with the 
Commission to its ARA.
    (d) Disclosure of cybersecurity risks and incidents--(1) Content of 
the disclosure--(i) Cybersecurity risks. A covered entity must provide 
a summary description of the cybersecurity risks that could materially 
affect the covered entity's business and operations and how the covered 
entity assesses, prioritizes, and addresses those cybersecurity risks.
    (ii) Significant cybersecurity incidents. A covered entity must 
provide a summary description of each significant cybersecurity 
incident that has occurred during the current or previous calendar 
year. The description of each significant cybersecurity incident must 
include the following information to the extent known:
    (A) The person or persons affected;
    (B) The date the incident was discovered and whether it is ongoing;
    (C) Whether any data was stolen, altered, or accessed or used for 
any other unauthorized purpose;
    (D) The effect of the incident on the covered entity's operations; 
and
    (E) Whether the covered entity, or service provider, has remediated 
or is currently remediating the incident.
    (2) Methods of disclosure. A covered entity must make the 
disclosures required pursuant to paragraph (d)(1) of this section by:
    (i) Filing Part II of Form SCIR with the Commission electronically 
through the EDGAR system in accordance with the EDGAR Filer Manual, as 
defined in Rule 11 of Regulation S-T (17 CFR 232.11), and in accordance 
with the requirements of Regulation S-T; and
    (ii) Posting a copy of the Part II of Form SCIR most recently filed 
pursuant to paragraph (d)(2)(i) of this section on an easily accessible 
portion of its business internet website that can be viewed by the 
public without the need of entering a password or making any type of 
payment or providing any other consideration.
    (3) Additional methods of disclosure required for certain brokers 
or dealers. In addition to the method of disclosure required by 
paragraph (d)(2) of this section, a broker or dealer described in 
paragraph (a)(1)(i) or (ii) of this section must provide a copy of the 
Part II of Form SCIR most recently filed pursuant to paragraph 
(d)(2)(i) of this section to a customer as part of the account opening 
process and, thereafter, annually and as required by paragraph (d)(4) 
of this section using the same means that the customer elects to 
receive account statements.
    (4) Disclosure updates. The covered entity must promptly provide an 
updated disclosure through the methods required by paragraphs (d)(2) 
and (3) of this section if the information required to be disclosed 
pursuant to paragraphs (d)(1)(i) or (ii) of this section materially 
changes, including, in the case of paragraph (d)(1)(ii) of this 
section, after the occurrence of a new significant cybersecurity 
incident or when information about a previously disclosed significant 
cybersecurity incident materially changes.
    (e) Requirements for brokers or dealers that are not covered 
entities. (1) A broker or dealer that is not a ``covered entity'' as 
defined in this section must establish, maintain, and enforce written 
policies and procedures that are reasonably designed to address the 
cybersecurity risks of the broker or dealer taking into account the 
size, business, and operations of the broker or dealer. The broker or 
dealer must annually review and assess the design and effectiveness of 
the cybersecurity policies and procedures, including whether the 
policies and procedures reflect changes in cybersecurity risk over the 
time period covered by the review. The broker or dealer must make a 
written record that documents the steps taken in performing the annual 
review and the conclusions of the annual review.
    (2) A broker or dealer that is not a ``covered entity'' as defined 
in this section must give the Commission immediate written electronic 
notice of a significant cybersecurity incident upon having a reasonable 
basis to conclude that the significant cybersecurity incident has 
occurred or is occurring. The notice must identify the broker or 
dealer, state that the notice is being given to alert the Commission of 
a significant cybersecurity incident impacting the broker or dealer, 
and provide the name and contact information of an employee of the 
broker or dealer who can provide further details about the significant 
cybersecurity incident. The notice also must be given to the examining 
authority of the broker or dealer.
* * * * *

PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934

12. The authority citation for part 249 continues to read, in part, as 
follows:

    Authority:  15 U.S.C. 78a, et seq., unless otherwise noted.
* * * * *
13. Section 249.624 is added to read as follows:


Sec.  249.624   Form SCIR.

    Form SCIR shall be filed by a covered entity to report a 
significant cybersecurity incident pursuant to the requirements of 17 
CFR 242.10.

    By the Commission.

    Dated: March 15, 2023.
J. Matthew DeLesDernier,
Deputy Secretary.
BILLING CODE 8011-01-P
[Form SCIR (Part I, significant cybersecurity incident report, and Part II, public disclosure of cybersecurity risks and significant cybersecurity incidents) appears in the printed Federal Register as nine graphic pages, TP05AP23.000 through TP05AP23.008, on pages 20346 through 20354; the images are omitted from this text version.]

[FR Doc. 2023-05767 Filed 4-4-23; 8:45 am]
 BILLING CODE 8011-01-C

