SEC Proposes Slate of New Cybersecurity Regulations. Is Your Firm Ready?

Rules aimed at beefing up consumer protections

by Baker Donelson
May 3, 2023
in Cybersecurity, Financial Services

The SEC is continuing its focus on cybersecurity regulations by announcing three new proposed rules and re-opening the comment period on an additional proposed rule from last year. Each of the proposed rules focuses on entities in the financial sector, including broker-dealers, investment advisers, investment companies and other entities regulated by the SEC. A trio of experts from Baker Donelson — Matthew G. White, Alexander F. Koskey and Michael G. McLaughlin — explain the proposals and offer best-practice guidance.

Proposed new SEC regulations would, among other things, require regulated entities to formally adopt policies and procedures for responding to cyber incidents, expand the scope of information subject to the rules to include information received from third-party financial institutions and implement new requirements for reporting cyber incidents to both customers and regulators. 

Regulation S-P

The SEC’s proposed amendments to Regulation S-P would require the following of broker-dealers, registered investment advisers and investment companies.

  • Create an incident response program: Entities would be required to adopt written policies and procedures that address unauthorized access to, or use of, customer information, including procedures for notifying individuals affected by an incident. The proposed rule would also require regulated entities to notify affected individuals within 30 days after becoming aware that unauthorized access has occurred.
  • Expand scope for new “customer information” term: The proposed rule would require regulated entities to apply safeguards to records containing “nonpublic personal information” that they collect, both about their own customers and that they receive from third-party financial institutions. 
  • Records disposal, documentation and transfer agents: The proposal would also make several other amendments to Regulation S-P, including requiring enhanced procedures for disposing of consumer report information, extending the application of the safeguards provisions to transfer agents and requiring covered entities to maintain written records documenting compliance with the proposed amended rules.

Cyber policies for securities markets

Another proposal by the SEC would require these actions by entities including broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers and transfer agents, collectively referred to as market entities:

  • Establish and maintain written policies and procedures: Market entities would be required to establish, maintain, and enforce written policies and procedures to address cybersecurity risks. This would include periodic assessments of cyber risks associated with information systems and maintaining written risk assessments.
  • Incident response procedures: The proposed rule would also require market entities to implement measures and procedures to detect and respond to cybersecurity incidents, including written documentation of the response and recovery from an incident.
  • Reporting to the SEC and public disclosures: Market entities would have to report “significant cybersecurity incidents” to the SEC by filing a proposed Part I Form SCIR. If covered entities have reasonable grounds to believe that a significant cybersecurity incident has taken place or is in progress, they must instantly notify the commission in writing. Furthermore, they must submit Part I of a new Form SCIR within 48 hours, which will be kept confidentially on EDGAR and contain thorough details about the incident. They must also continuously update this form if any substantial changes occur.

Expansion of Reg SCI

The third proposal would provide several updates to Regulation Systems Compliance and Integrity (SCI), including new specifications for required policies and procedures, as well as expanding the scope of covered entities. This includes the following, without limitation.

  • Expanded scope of SCI entities: The proposed rule would expand the definition of SCI entities to include (1) registered security-based swap data repositories; (2) all clearing agencies that are exempt from registration; and (3) certain large broker-dealers — in particular, those that exceed a total assets threshold or a transaction activity threshold. 
  • New requirements for policies and procedures: The proposal also includes additional provisions requiring that a covered entity’s policies and procedures include a written inventory and classification of all SCI systems and programs for life cycle management; prevention of unauthorized access to such systems and management and oversight of certain third-party providers, including some cloud service providers.
  • Expansion of notification events and other requirements: The proposed amendments would also expand the events that would trigger immediate notification to the SEC; update the rule’s annual SCI review and its business continuity and disaster recovery testing requirements; and update certain of the regulation’s recordkeeping provisions.

Reopened comment period

Finally, the SEC announced that the comment period was reopened for a rule proposed last year relating to cybersecurity risk management and cybersecurity-related disclosures for registered investment advisers, registered investment companies and business development companies. The proposed rule would, among other things, require adopting written cybersecurity policies, reporting cyber incidents to the SEC and publicly disclosing significant incidents through brochures and registration statements.

Are you ready? Incident response planning and best practices

One of the primary areas of focus in all these rule proposals would be requirements for covered entities to respond to and report cybersecurity incidents. This also includes requirements that covered entities have written incident response plans. While having an incident response plan has been a “best practice” for some time, the SEC’s proposals would potentially subject the contents of that plan to regulatory scrutiny.

It is, therefore, critically important for covered entities to focus on creating, developing, and refining their written incident response plans. This is not only an exercise in potential regulatory compliance, but also imperative for addressing the fluid landscape of cyber threats in order to protect the company and its customers. Covered entities must also test that plan through tabletop exercises and evaluate how they would respond to a wide range of incident variants. Covered entities must be proactive in taking steps to ensure they are prepared to respond to a cyber event.

The time to plan is not while under attack.

In evaluating your incident response plan, several critical considerations include:

  • Who is part of your response team? Do you have representatives from the appropriate divisions? This should include not just your IT team, but also stakeholders from throughout the organization, including legal, public relations, human resources, operations, and representatives of the C-suite.
  • How will you classify the severity of an incident? This will largely depend on how your most critical assets and operations are affected by an incident. How does your response differ depending on the severity of an incident?
  • Who has to be notified internally and when? It is critically important to control information about an incident due to the effect it can have on liability and potential class-action lawsuits. Incident response plans have to include notification procedures for management, boards, and customer-facing personnel.
  • When do you need to notify regulators and/or law enforcement? Cybersecurity reporting regulations and statutes are constantly changing and can vary significantly among geographic regions and sectors. That means incident response plans have to be updated regularly and reviewed by competent legal counsel to ensure compliance in the event of an incident.
  • What other third parties must be involved to contain and control the incident? Vetting and retaining competent outside legal counsel, insurers, forensic vendors, e-discovery firms, and/or marketing/PR providers before any incident will allow for an efficient and timely response and recovery.
  • When do you need to notify customers? All 50 states, various federal and industry-specific regulations, and international legal frameworks mandate individual notification requirements. Depending on the scope of the incident, each of these requirements may have to be taken into consideration and incorporated into your incident response plan.

These are some basic considerations to help you start thinking about how to create an incident response plan. Organizations must think through and address a host of considerations in developing their incident response plans. The time to develop these plans is before an incident occurs. Having a well-developed, current, and comprehensive response plan can make all the difference if and when an actual data incident occurs, and — if the proposed rules are passed — would also be a regulatory requirement.

Matthew G. White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP/US, CIPP/E) and a Certified Information Privacy Manager (CIPM).

Alexander F. Koskey, a shareholder in Baker Donelson’s Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance, and litigation matters.

Michael G. McLaughlin is an associate in Baker Donelson’s Washington, D.C. office and a member of the government relations and public policy group. McLaughlin served in the U.S. Navy in multiple postings worldwide, most recently as chief of counterintelligence and human intelligence for the Cyber National Mission Force.

Baker Donelson

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 22 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia and Washington, D.C.