On March 15th, the SEC proposed a new rule and form as well as amendments to current recordkeeping rules that would strengthen the SEC’s ability to obtain data concerning significant cybersecurity incidents that affect market entities. The SEC is also proposing new rules regarding public disclosure requirements for covered entities that are intended to enhance transparency about the cybersecurity risks that may negatively impact the US securities markets. These disclosures would be in a structured data format.
The SEC’s proposed new rule and form would require all market entities (broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents) to:
comprehensively address cybersecurity risks through policies and procedures
provide timely notification to the SEC when a significant cybersecurity incident takes place, and, when deemed necessary, report detailed information to the SEC
provide for the public detailed reports that would improve transparency regarding cybersecurity risks and significant cybersecurity incidents
The SEC is proposing a new form, Form SCIR, through which covered entities would need to report significant cybersecurity incidents. The form would be submitted in a structured data language, such as XML or Inline XBRL.
The SEC has also suggesting amendments to current clearing agency exemption orders to require the retention of records that would need to be maintained under the proposed cybersecurity requirements. Relative to the proposed requirements, the SEC is proposing changesto address the potential availability of substituted compliance for security-based swap dealers and major security-based swap participants.
The proposal is open for public comment for 60 days after the date of publication of the proposing release in the Federal Register. To submit feedback, interested parties may use the SEC’s internet comment form or send an email to email@example.com with the File Number File No. S7-06-23 in the subject line.