Understanding the SEC’s Proposed Cybersecurity Rule for Broker-Dealers and Other Entities

The U.S. Securities and Exchange Commission (SEC) has introduced a proposed rule (Release No. 34-97142) aimed at strengthening the cybersecurity framework for broker-dealers, clearing agencies, and other regulated entities. The rule addresses increasing cybersecurity risks by requiring organizations to implement formal cybersecurity risk management policies and procedures, report incidents, and disclose cybersecurity risks and incidents publicly. A significant part of this proposal is the introduction of the Security Incident Cyber Reporting (SCIR) form, which formalizes how cybersecurity incidents are reported to the SEC. This article provides a detailed overview of the proposed rule, explores how broker-dealers can update their recordkeeping processes to comply with the new requirements, identifies which functions in the NIST Cybersecurity Framework the rule aligns with, and offers use cases and examples of technology that organizations can use to maintain compliance.

Key Elements of the Proposed Cybersecurity Rule

The proposed rule introduces several key requirements that aim to enhance cybersecurity protocols across regulated entities. These include:

  1. Cybersecurity Risk Management Policies and Procedures: Entities are required to adopt comprehensive cybersecurity risk management policies tailored to their operations. These policies should cover risk assessment, protection of systems, incident detection, and response strategies.
  2. Incident Notification Requirements: Entities must notify the SEC of any significant cybersecurity incident within 48 hours through the newly introduced SCIR form. This prompt reporting will allow the SEC to monitor and mitigate systemic risks to the financial markets.
  3. Public Disclosures: The rule mandates that entities disclose significant cybersecurity risks and incidents in their public filings, including details on the impact of such incidents and their remediation efforts.
  4. Recordkeeping: Entities will be required to maintain records of their cybersecurity policies, procedures, and incident reports. These records must be accessible and provided to the SEC upon request, ensuring compliance and accountability.

Introduction of the SCIR Form

The Security Incident Cyber Reporting (SCIR) form represents a major element of the proposed rule. This form standardizes how significant cybersecurity incidents are reported to the SEC and is designed to ensure a uniform reporting process across all regulated entities. The SCIR form will collect detailed information on:

  • Nature of the Incident: Organizations must describe the type of incident (e.g., data breach, denial of service, unauthorized access).
  • Impact of the Incident: The form requires entities to assess the potential or actual impact of the incident on the organization and its customers.
  • Mitigation Steps: Entities must report the steps taken to mitigate the incident and any measures implemented to prevent future occurrences.

This form must be submitted within 48 hours of discovering a significant incident, providing the SEC with real-time insights into potential cybersecurity threats facing the financial sector.

Updating Recordkeeping Processes to Comply with the Rule

Broker-dealers and other entities affected by the proposed rule must update their recordkeeping processes to ensure compliance. The rule emphasizes the need to maintain accessible and comprehensive records of cybersecurity policies, incident response plans, and reports. Here’s a process that broker-dealers can implement to update their recordkeeping:

  1. Adopt a Centralized Cybersecurity Recordkeeping System: Broker-dealers should implement a digital recordkeeping system that centralizes all relevant documents, including cybersecurity policies, incident response plans, audit logs, and incident reports. This system must be secure, with role-based access controls to ensure only authorized personnel can access sensitive information.
  2. Automate Incident Reporting: To comply with the SCIR form’s 48-hour notification requirement, broker-dealers can implement automation tools that trigger alerts when cybersecurity incidents occur. These tools should also auto-generate preliminary incident reports, ensuring that key information is captured immediately following an incident.
  3. Regular Audits and Updates: The proposed rule requires that cybersecurity policies and procedures be continuously updated to reflect evolving threats. Broker-dealers should conduct regular audits to ensure that their cybersecurity frameworks are up to date and compliant with the latest regulations. Any updates should be documented and stored in the recordkeeping system.
  4. Establish Clear Documentation Guidelines: Broker-dealers must establish clear guidelines for documenting cybersecurity incidents, including how and when to update incident reports and who is responsible for each step in the incident response process.
  5. Utilize Data Retention Tools: Leveraging tools such as Google Workspace’s Vault or Office 365’s compliance features can help broker-dealers retain documents for the long term. These tools allow for secure archiving, tagging of relevant records, and easy retrieval during an SEC audit or inquiry.

Alignment with the NIST Cybersecurity Framework

The SEC’s proposed cybersecurity rule aligns with several key functions of the NIST Cybersecurity Framework (CSF), a widely adopted standard for managing cybersecurity risk. Specifically, the rule intersects with the following NIST CSF functions:

  1. Identify: The rule’s requirement for entities to adopt formal cybersecurity risk management policies directly aligns with the Identify function of the CSF, which emphasizes understanding and managing cybersecurity risks to systems, assets, and data.
  2. Protect: The rule’s mandate to establish policies that safeguard systems and detect incidents corresponds with the Protect function of the CSF, which focuses on implementing safeguards to ensure the delivery of critical infrastructure services.
  3. Detect: The rule’s emphasis on timely incident detection aligns with the Detect function, which stresses the development of appropriate activities to identify cybersecurity events.
  4. Respond: The SCIR form’s incident reporting requirements map to the Respond function of the CSF, which involves developing and implementing actions to address detected cybersecurity incidents.
  5. Recover: The proposed rule’s focus on mitigation steps for cybersecurity incidents also aligns with the Recover function, which emphasizes the recovery of services and systems affected by cybersecurity incidents.

Use Cases: Leveraging Technology to Maintain Compliance

Entities affected by the proposed rule will need to adopt various technological solutions to ensure compliance with the new requirements. Below are several use cases and examples of technology that can be used to meet these obligations:

  1. Incident Detection and Reporting with SIEM Tools: Broker-dealers can use Security Information and Event Management (SIEM) platforms, such as Splunk or Microsoft Sentinel, to detect and analyze cybersecurity incidents in real time. These tools aggregate data from multiple sources and provide comprehensive dashboards for monitoring security events. Automated alerts can be set up to notify IT teams of significant incidents, allowing for prompt reporting via the SCIR form.
  2. Documenting Cybersecurity Policies with Google Workspace or Office 365: Entities can leverage Google Workspace or Microsoft Office 365 for documenting and updating cybersecurity policies. Both platforms provide collaboration features, version control, and secure storage. Additionally, Google Workspace’s Vault and Office 365’s Compliance Manager help organizations archive important documents, manage access controls, and comply with record retention requirements.
  3. Automating Incident Response with SOAR Solutions: Security Orchestration, Automation, and Response (SOAR) tools like Palo Alto Networks Cortex XSOAR or IBM Resilient can help broker-dealers automate incident response processes. These platforms allow for predefined workflows that guide response teams through each step of handling a cybersecurity incident, ensuring that all relevant details are documented and reported to the SEC within the required 48-hour window.
  4. Data Encryption and Secure Access with Google Cloud or Microsoft Azure: To protect sensitive financial and customer data, broker-dealers can utilize cloud platforms like Google Cloud or Microsoft Azure for encrypted data storage and secure access controls. These platforms offer end-to-end encryption, multi-factor authentication, and regular security audits, ensuring that critical systems remain protected from unauthorized access.
  5. Public Disclosure of Cybersecurity Risks Using Investor Portals: Entities that need to disclose cybersecurity risks and incidents publicly can use secure investor portals to communicate with stakeholders. For example, broker-dealers using Nasdaq’s Boardvantage or Diligent’s Governance Cloud can ensure that disclosures are made securely, while also providing stakeholders with real-time updates on incident response efforts.

Conclusion

The SEC’s proposed cybersecurity rule represents a critical step toward improving the resilience of the financial sector against cyber threats. Broker-dealers, clearing agencies, and other regulated entities must take immediate action to ensure compliance with the new requirements, including adopting robust cybersecurity policies, enhancing incident detection and response capabilities, and updating recordkeeping processes. By leveraging modern technology solutions such as SIEM tools, cloud storage, and automation platforms, these organizations can not only comply with the proposed rule but also strengthen their overall cybersecurity posture in an increasingly complex threat landscape.