SEC advances new cybersecurity, consumer privacy rule proposals

Quick Take

  • The SEC voted on Wednesday morning to propose rules and changes that would bolster the information consumers receive about data breaches and heighten cybersecurity disclosures.
  • An SEC official said that those two proposals wouldn’t necessarily be a carve-in or carve-out of crypto. 

The Securities and Exchange Commission advanced new rule proposals and changes to bolster requirements for cybersecurity, privacy and tech infrastructure that officials said could encompass cryptocurrencies. 

The five-member commission met on Wednesday morning on issues relating to cybersecurity, the privacy of consumer financial information and technology infrastructure, such as cloud services.  

If the rules go forward to adoption without significant changes, they would require broker-dealers, investment companies, registered investment advisers and transfer agents to tell people when they have been affected by data breaches. A current rule requires “covered firms” to let customers know how they use their financial information, but there is no requirement now to let them know about breaches, SEC Chair Gary Gensler said.

“Critically, firms would need to help customers understand how to protect themselves from harm that might result from the breach,” Gensler said.  

The SEC also will vote on whether to propose a new rule requiring broker-dealers, clearinghouses and other entities to have written policies to address their cybersecurity risks. It would require market entities, excluding smaller broker-dealers, to disclose to the public a description summarizing cybersecurity risks that could “materially affect the entity” and also “significant cybersecurity incidents in the current or previous calendar year,” Gensler said.



“I believe such disclosure would help investors make informed decisions when deciding to which firms they might entrust their finances, data, and personal information,” Gensler said.  

Market entities and capital markets rely on “complex and ever-evolving information systems,” Gensler said, adding that they are systems owned or used by the entity. 

Those two proposals don't include a special carve-in or carve-out for crypto, according to an SEC official. To the extent that information systems interact with crypto, that would be covered by the cybersecurity changes, the official said.  

The last proposal would broaden Reg SCI to include the largest broker-dealers, swap data repositories and certain exempt clearinghouses while bulking up policies.

Regulation SCI was adopted in 2014 to strengthen the tech infrastructure of U.S. securities markets. The rule currently applies to national securities exchanges, among others. An SEC official said if a national securities exchange is trading crypto securities, then the rule would apply.  

UPDATE: With information on the vote. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Sarah is a reporter at The Block covering policy, regulation and legal happenings. Before, Sarah was a reporter with CQ Legal writing about securities regulation, which is where she first started reporting on crypto. Sarah has also written for The Bond Buyer and American Banker, among other finance-related publications. She graduated from the University of Missouri and earned a degree in print and digital journalism. Sarah is based in Washington D.C., and is an avid coffee lover. You can follow her on Twitter @ForTheWynn.


To contact the editors of this story: Madhu Unnikrishnan and Larry DiTore