SEC advances new cybersecurity, consumer privacy rule proposals

Quick Take

  • The SEC voted on Wednesday morning to propose rules and changes that would bolster the information consumers receive about data breaches and heighten cybersecurity disclosures. 
  • An SEC official said that those two proposals wouldn’t necessarily be a carve-in or carve-out of crypto. 

The Securities and Exchange Commission advanced new rule proposals and changes to bolster requirements for cybersecurity, privacy and tech infrastructure that officials said could encompass cryptocurrencies. 

The five-member commission met on Wednesday morning on issues relating to cybersecurity, the privacy of consumer financial information and technology infrastructure, such as cloud services.  

If the rules are adopted without significant changes, they would require broker-dealers, investment companies, registered investment advisers and transfer agents to tell people when they have been affected by data breaches. A current rule requires “covered firms” to let customers know how they use their financial information, but there is no requirement now to let them know about breaches, SEC Chair Gary Gensler said. 

“Critically, firms would need to help customers understand how to protect themselves from harm that might result from the breach,” Gensler said.  

The SEC also will vote on whether to propose a new rule requiring broker-dealers, clearinghouses and other entities to have written policies to address their cybersecurity risks. It would require market entities, excluding smaller broker-dealers, to disclose to the public a description summarizing cybersecurity risks that could “materially affect the entity” and also “significant cybersecurity incidents in the current or previous calendar year,” Gensler said. 

“I believe such disclosure would help investors make informed decisions when deciding to which firms they might entrust their finances, data, and personal information,” Gensler said.  

Market entities and capital markets rely on “complex and ever-evolving information systems,” Gensler said, adding that they are systems owned or used by the entity. 

Those two proposals don't include a special carve-in or carve-out for crypto, according to an SEC official. To the extent that information systems interact with crypto, that would be covered by the cybersecurity changes, the official said.  

The last proposal would broaden Reg SCI to include the largest broker-dealers, swap data repositories and certain exempt clearinghouses while bulking up policies.

Regulation SCI was adopted in 2014 to strengthen the tech infrastructure of U.S. securities markets. The rule currently applies to national securities exchanges, among others. An SEC official said if a national securities exchange is trading crypto securities, then the rule would apply.  

UPDATE: With information on the vote. 

© 2023 The Block. All Rights Reserved.