The SEC Proposed Cybersecurity Infrastructure Rules and New Disclosure Requirements
29 Pages. Posted: 14 Aug 2023. Last revised: 12 Mar 2024
Date Written: August 9, 2023
Abstract
In addition to regulation of securities market issuers, the Securities & Exchange Commission (SEC) is also responsible for regulation of those entities that provide the networks, either electronic or physical, that enable the functioning of our securities markets. On February 9, 2022, the Commission published a Release for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies containing proposals that, if adopted, would establish a new cybersecurity incident reporting and disclosure regime and require registered investment advisers (“advisers”) and investment companies (“funds”) to implement policies and procedures designed to address cyber risks. The comment period for this proposed rule was reopened on March 15, 2023, as File No. S7-04-22. As a result, during March 2023, the SEC had several proposed rules relating to strengthening disclosures by certain market participants. Because each of these proposed rules relates to the ongoing cybersecurity threat, our comments are applicable to each. One of these proposed rules requires “broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, ‘Market Entities’) to address their cybersecurity risks.” SEC Chairman Gary Gensler states that “cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.” Then, on July 26, 2023, the SEC “adopted final rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.”
This Article proceeds in seven parts. First, we demonstrate that the danger posed by cybersecurity threats continues at an alarming pace. Second, we show that cyber threats endanger all segments of society due to the increasing technological connectivity of all parties. Third, we discuss the Commission’s proposed new rules. Fourth, we look at some of the representative comments already received. Fifth, we register our support and thanks to Chairman Gensler and the staff for the hard work required to strengthen our nation’s coordinated support for increased cybersecurity. Sixth, we discuss the new public company cybersecurity disclosure rules adopted on July 26, 2023. And last, we conclude. We believe that our Article contributes to the understanding of major novel contemporary issues facing securities markets participants and issuers.
Keywords: artificial intelligence, AI, broker-dealers, clearing agencies, corporate governance, cybersecurity, financial services, internet-of-things, IoT, market entities, municipal securities, national securities associations, national securities exchanges, national security, public company cybersecurity di
JEL Classification: G14, G18, G20, G38, K22, M15, M48, O33