New SEC Rule 10 to lift the lid on cybersecurity risk

The U.S. SEC has published proposals for new Rule 10, which would introduce cybersecurity requirements for all "covered entities", including new immediate reporting requirements in the event of significant cybersecurity incidents.

20 March 2023
by Jennie Clarke

Cybersecurity and cyber resilience have reappeared on the compliance priority list this month, with a slew of messaging, rule changes, and other action from global regulators and governing bodies.

Over the course of March 2023, the White House has published its long-awaited National Cybersecurity Strategy, the European Central Bank (ECB) has announced a stress test for cyber resilience, and this week the Securities and Exchange Commission (SEC) has unveiled proposed new Rule 10 to address cybersecurity risks in the U.S. securities markets.

Why is the SEC proposing new cybersecurity Rule 10?

The landscape for cybersecurity is constantly evolving and regulatory rules must adapt to ensure that the risk of harm to financial organisations is mitigated.

The financial services sector is one of the critical infrastructure sectors that, according to the Cybersecurity and Infrastructure Security Agency, are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Despite this, the financial services sector continues to face ever-evolving threats from “cyber threat actors” who are using increasingly sophisticated techniques to carry out harmful cybersecurity incidents. With this in mind, the SEC’s new rules will oblige firms to take greater steps to protect their organizations and customers from the harms caused by cybersecurity incidents.

How will Rule 10 apply?

Proposed Rule 10 will apply to all market entities, which for the purpose of the rule are defined as “covered entities”, other than some small broker-dealers.

An evolving approach to risk in written policies

The new Rule sets out a host of significant changes to how these covered entities manage cybersecurity risk, not least by asking for a more proactive consideration of the evolving risk landscape.

Under Rule 10, covered entities must establish, maintain, and enforce written policies and procedures that are designed to address cybersecurity risks. In particular, Rule 10 would require firms to review the design and effectiveness of their policies and procedures with a focus on whether they have suitably adapted to meet changing cybersecurity risk. This means that policies and procedures must not be stagnant, but rather be living, breathing documents that are constantly reconsidered.

Under Rule 10, firms must also implement measures that enable them to detect, mitigate, and remediate cybersecurity threats, as well as measures that monitor systems for events such as unauthorized access or use.

Immediate reporting where things go wrong

As well as adjusting firms’ attitudes towards emerging threats, Rule 10 creates a new reporting requirement: in the event that a significant cybersecurity incident occurs, firms will need to provide the SEC with “immediate” electronic notice. Firms will also be expected to implement measures that empower them to respond to and recover from cybersecurity incidents, and to keep written logs of how they do so.

Increased transparency for cyber risk

In order to adequately disclose information about emerging cyber risk, the new Rule 10 introduces a new form, proposed Form SCIR, Part 1 of which must be filed with the SEC after any significant cybersecurity incident. Part 2 of Form SCIR is a public-facing document, obliging firms to publicly disclose summaries of their cybersecurity risks and any significant cybersecurity incidents experienced over the course of the calendar year.

Form SCIR serves as a tool for transparency, giving regulators greater oversight of the inner workings of regulated industries’ cyber exposure, and providing investors with key information about the viability of a firm’s cybersecurity program. This fits a wider industry trend towards increased transparency to empower investors in their financial decision making, with increasing disclosure expectations on firms, from compensation packages to diversity metrics and carbon outputs. This is also true of proposed changes to Regulation S-P, which have been mooted in the same week.

Third party oversight within Rule 10

As well as implementing measures to oversee their own information systems and protect them from unauthorized use, firms will be expected under the SEC’s new Rule 10 to oversee “service providers that receive, maintain, or process information” or are permitted to access the firm’s information systems. This confirms that covered entities will continue to be responsible for cybersecurity mitigation, even where their information is sitting with third parties.

In other cybersecurity news…

In other cybersecurity-related news, the SEC has reopened the comment period for proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for investment advisers that were initially proposed in February 2022. The initial comment period had ended on April 11, 2022, but has been reopened until 60 days after the March 15, 2023 date of publication of the reopening release in the Federal Register.

How should firms react to new cybersecurity proposals?

At present, the SEC’s proposals, as the name would suggest, are not yet in force or enforceable. However, this does not mean that firms should wait to act. Regulatory proposals are indicative of future industry focus, and serve as a useful motivation for financial services firms to take stock of their current approaches.

In order to outpace the regulator for Rule 10, firms should take time to evaluate their current cybersecurity policies, procedures, systems and controls, as well as those of their third-party vendors. How would current approaches stand up to regulatory scrutiny? And how would investors react if you were asked to disclose information about your current exposure to cyber risk today?

Global Relay has long been the trusted provider of compliant communication solutions. We have an unwavering commitment to cybersecurity, with the credentials and reputation to show it.