
Any business worth their salt has read the cyber landscape of the last few years and shored up their digital defenses to protect against attacks. The practice of cybersecurity protection, however, is soon to transition from a best practice into a hard requirement after the U.S. Securities and Exchange Commission (SEC) recently proposed a comprehensive set of cybersecurity requirements that could have far-reaching implications for businesses across the financial sector. For organizations that have long relied on voluntary frameworks and internal best practices, this shift signals a new era of regulatory accountability.
These new rules encompass three key areas that we'll explore in greater detail below: the Cybersecurity Risk Management Rule, Regulation Systems Compliance and Integrity (SCI) Amendments, and Regulation S-P Amendments. Each of these pillars introduces specific obligations around risk assessment, incident response, customer notification, and reporting — obligations that will demand meaningful changes to how financial institutions manage and document their cybersecurity posture. This blog provides a description of each key area, the potential impact on financial institutions, and the enforcement risks businesses should be aware of when adopting these new policies.
The frequency and severity of cybersecurity attacks increase by the day. Although the SEC's proposed requirements may seem daunting, they're ultimately in the best interest of every institution. After all, the cost of implementing and maintaining these changes will be dwarfed by the financial loss — not to mention the reputational damage — that results from a cyberattack. Read on to stay up to speed and thoughtfully prepare for these regulatory changes to ensure the security and stability of your everyday operations.
The Cybersecurity Risk Management Rule is the meat and potatoes of the SEC's proposed requirements. Its ultimate goal is to establish a comprehensive cybersecurity framework for Market Entities and Covered Entities, including national securities exchanges and associations, registered and exempt clearing agencies, and SEC-registered entities that exceed certain thresholds — such as broker-dealers, investment advisers, and investment companies. For many of these organizations, this rule represents the first time cybersecurity practices will be formally mandated at the federal regulatory level.
The Risk Management Rule includes detailed guidelines designed to establish, maintain, and enforce policies and procedures to proactively address cybersecurity risks. Every year, businesses would be required to review and assess their policies and procedures, update and incorporate any changes in cybersecurity risks, and prepare a detailed report of their cybersecurity infrastructure. The recipe for this report comprises a long list of detailed ingredients, including: periodic risk assessments; controls to minimize user-related risks and prevent unauthorized access; monitoring of information systems, with detailed oversight of any service providers; and measures to detect, mitigate, and remediate threats and vulnerabilities.
One of the biggest points to note is that businesses would need to create detailed action plans that explain how their organization is equipped to detect, respond to, and recover from any cybersecurity incidents, along with thorough documentation for each step. The goal is to bolster proactive cybersecurity efforts to avoid attacks altogether. In the event, however, that an entity does fall victim to an attack, the Risk Management Rule also outlines reactive measures — including specific guidelines for notification and reporting that would require written notice to the SEC within 48 hours of an attack, covering information about the incident, the business's response, and a plan for recovery. As for public disclosures, the Rule would require affected entities to fill out a specific form covering cybersecurity risks and any significant cybersecurity incidents that have occurred during the current or previous calendar years. Lastly, record-keeping has been defined in more depth and requires that businesses preserve all records related to cybersecurity compliance.
In addition to the new requirements detailed in the Cybersecurity Risk Management Rule, the SEC has also proposed amendments to two existing regulations in an effort to expand their scope: Regulation Systems Compliance and Integrity (aka Reg SCI) and Regulation S-P. Regulation SCI currently focuses on self-regulatory organizations, large alternative trading systems, plan processors, and certain clearing agencies. The proposed amendments intend to extend the rule to include registered broker-dealers that exceed specific asset or activity thresholds, registered security-based swap data repositories, and exempt clearing agencies — effectively casting a much wider regulatory net across the financial sector.
In line with the Risk Management Rule outlined above, the Reg SCI amendments would introduce new requirements that seek to further bolster cybersecurity defenses, such as oversight of third-party providers, expanded business continuity plans, comprehensive disaster recovery plans, detailed measures for preventing unauthorized access, increased frequency of penetration testing, and additional reporting requirements to the Commission. These enhancements reflect the SEC's recognition that cybersecurity risk extends well beyond an organization's own walls and into the networks of vendors and service providers that support critical market infrastructure.
On the other hand, the SEC's proposed amendments to Regulation S-P (also known as the "Safeguards Rule") require brokers, dealers, investment companies, and investment advisers to adopt written policies and procedures to safeguard customer records and information. They also introduce new requirements such as an incident response program that detects, responds to, and recovers from unauthorized access or use of customer information. In the event of a data breach involving sensitive customer information, affected entities would be required to notify their affected customers. The scope of information covered by the Safeguards Rule would also be expanded to include all customer information, and the rule would be extended to transfer agents registered with the SEC or another appropriate regulatory agency. Finally, covered institutions would need to maintain written records that document their compliance with the safeguards and disposal rules. Together, these proposed amendments to existing regulations — along with the introduction of the Cybersecurity Risk Management Rule — indicate a significant expansion in the SEC's management of cybersecurity and system integrity.

If these amendments go into effect, they would represent a significant expansion of the SEC's oversight of the cybersecurity and system integrity of regulated entities. Existing regulations tend to focus on specific risks, such as protecting customer information under Regulation S-P or preventing identity theft under Regulation S-ID. They also target specific markets, generally larger-scale participants, like the entities covered by Regulation SCI. The new rules, however — which introduce SEC-mandated incident response requirements — aim to dictate more comprehensive cybersecurity programs that cover a wider range of market participants.
The short version is that a far greater level of detail is required than ever before. As industry analysts have noted, these amendments introduce numerous new terms and concepts that organizations will need to learn and adopt. They also impose standardized notices and disclosures via new forms that will need to be filed with the Commission. The first thought most C-suite executives will have when reviewing the over 1,200 total pages of new guidance and explanation is that all of these proposals will — to put it bluntly — cost more money. The SEC, however, aims to assuage these fears by detailing how cost estimates are likely significantly lower than expected, with only $14,531.54 per Covered Entity in average internal costs and $3,472 per Covered Entity in external costs. Compared to the financial and reputational cost of a cybersecurity attack, that's a great deal.
Overall, covered entities should expect far greater scrutiny of their overall cybersecurity health and practices, and for the SEC to more frequently enforce cases involving policy and procedure requirements. While these new amendments would require more upfront work and costs for organizations to better bolster their cyber defenses, those efforts will ultimately help prevent far costlier cybersecurity attacks — and costly enforcement cases from the SEC if an organization is not in good standing. The message is clear: investing in cybersecurity compliance today is a strategic imperative that will pay dividends in resilience, trust, and regulatory standing tomorrow.
In short, these proposed cybersecurity rules are a significant expansion of the SEC's regulatory oversight and have the potential to impact a broad range of market participants. As these rules introduce more stringent requirements and standards for managing cybersecurity risks — from the sweeping Cybersecurity Risk Management Rule to the expanded Regulation SCI and Regulation S-P amendments — businesses must stay informed and be prepared to act in order to remain in compliance. The financial sector is entering a new chapter of cybersecurity accountability, and the organizations that prepare now will be the ones best positioned to thrive.
By partnering with an experienced cybersecurity provider like Derive Technologies, businesses can ensure they are well-equipped to navigate the complex landscape of evolving regulations by implementing robust, tailored security measures that meet the unique needs of their organization. Derive's deep expertise in enterprise security, data management, and IT infrastructure means our team understands not only the technical requirements of compliance but also the strategic approach needed to embed cybersecurity into every layer of your operations.
Don't leave your cybersecurity to chance. Reach out to Derive Technologies today to learn more about how our team of experts can help improve your cybersecurity practices and better protect your business from ever-evolving cyber threats. Whether you need to build a comprehensive incident response plan, strengthen your data protection framework, or prepare for the SEC's new reporting obligations, Derive is mobilized and ready to help you stay secure, compliant, and ahead of the curve.