SEC proposes new cybersecurity requirements for broker-dealers

A divided SEC released a proposal Wednesday designed to strengthen broker-dealer defenses against online attacks.

The Securities and Exchange Commission voted, 3-2, to put out for public comment a proposed new rule that would require brokers, clearing agencies, major swaps operations and other entities to establish written policies and procedures to address cybersecurity threats.

Under the proposal, brokerages would have to assess cyber risks periodically and put in place measures to protect the firm’s information systems from unauthorized access and to detect, respond and recover from cyberbreaches, according to an SEC fact sheet.

The 500-page proposal would require brokers immediately to report cyber incidents to the SEC and then follow up with more detailed information about its response within 48 hours. It also would mandate that firms make summary public disclosures annually about cyber risks and attacks over the previous year.

The measure is the first cybersecurity rule the SEC has proposed for brokers. It follows a similar cybersecurity proposal last year for investment advisors. The commission voted Wednesday to extend the comment period on the advisor proposal, which originally closed in April 2022. The new comment period will run for 60 days after a notice is published in the Federal Register.

The broker proposal will be open for public comment for 60 days after it is published in the Federal Register. The SEC might modify the proposal based on the public input before promulgating a final rule.

SEC Chairman Gary Gensler said the sophistication, scale and impact of cyber risks have increased significantly, necessitating stronger fortification against breaches.

“Investors, issuers and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age,” Gensler said at an SEC open meeting. “This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

Gensler and the two other Democratic SEC commissioners — Caroline Crenshaw and Jaime Lizárraga — voted in favor of releasing the proposal. The two Republican commissioners — Hester Peirce and Mark Uyeda — voted against putting it out for comment.

Peirce said the proposal puts the SEC in the position of punishing brokerages for cyberattacks rather than helping them recover from them.

“The commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers.,” Peirce said at the open meeting.

She also expressed concern about the disclosure requirements, which she said could put brokerages in “legal peril” and “could serve as a road map for cybercriminals.”

Uyeda had misgivings about the mandate for brokerages to report cyber incidents immediately.

“These prescriptive deadlines can do more harm than good,” Uyeda said.

All five commissioners voted in favor of releasing for public comment a separate proposal that would require broker-dealers, investment companies, registered investment advisers and transfer agents to notify clients and customers of data breaches that could expose them to identity theft or other harm.

The SEC also approved Wednesday releasing for public comment a proposal to strengthen the security of the financial markets’ technological infrastructure.