Client Alert: Proposed SEC Amendments Will Require Regulated Companies to Scrutinize Cybersecurity Risks

As cyber-attacks and data breaches pose an increasing threat to market participants, the US Securities and Exchange Commission (“SEC”) has become increasingly focused on the cyber risks to the public and the market at large. Last week, the SEC advanced three separate proposals designed to increase the cybersecurity readiness of financial institutions: proposed amendments to Regulation S-P, a proposed new rule addressing cybersecurity risks for certain market entities, and proposed amendments to Regulation SCI.[1]

These proposed amendments and rules reflect a growing concern that as financial institutions become more adept at collecting nonpublic personal information for business purposes, they invite a commensurate risk of having that information targeted by bad actors. The SEC therefore proposes to require these institutions to have in place established policies and procedures that allow them to respond quickly and effectively to a cyber-attack or data breach and to notify affected customers so that individuals can take further steps to protect themselves.

If adopted, these proposals have the potential to change the ways in which financial institutions address cyber-attacks and data breaches and to provide greater protection for customers’ nonpublic personal information. This alert summarizes the potential requirements.

1. The proposed amended Regulation S-P now covers cyber-attacks and data breaches.

Currently, Regulation S-P does not address customer notification after a cybersecurity incident. The regulation requires that covered institutions 1) provide notice to customers about their privacy policies and practices; 2) describe the conditions under which the financial institution can disclose nonpublic personal information about its customers; and 3) provide a way for customers to prevent the financial institution from disclosing that information.[2] Under its current policies and procedures, a covered institution provides a notice to its customers or consumers that accurately reflects its privacy policies and practices, including the types of customers’ nonpublic personal information that are collected and could be disclosed to third parties.[3] Furthermore, under the disposal rule, covered institutions that possess consumer information for business purposes must dispose of that information in a manner that protects consumers from unauthorized access to or use of it.[4]

The proposed amendments to Regulation S-P specifically address incident response and customer notification when a covered institution is the victim of a cyber-attack. The SEC proposes a new requirement that covered institutions’ policies and procedures include an incident response program to detect, respond to, and recover from unauthorized access to or use of customer information.[5] Specifically, the incident response program would lay out procedures to assess the nature and scope of the unauthorized access and the steps to contain and control the damage.[6] The proposed amendments would also require covered institutions to ensure that their service providers have appropriate measures designed to protect against unauthorized access to or use of customer information.[7]

The proposed revisions to Regulation S-P would also require a covered institution to have procedures to notify affected individuals whose sensitive customer information was accessed or used without authorization.[8] After becoming aware of the unauthorized access, a covered institution would have 30 days to provide notice to affected customers.[9] The proposed amendments also broaden the existing protections under Regulation S-P by applying the safeguard and disposal rules to 1) nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from a third-party financial institution, and 2) the existing covered institutions and any transfer agent registered with the SEC or another regulatory agency.[10]

Lastly, the proposed amendments would require covered institutions to maintain written records documenting compliance with Regulation S-P.[11]

2. New Proposed Rule requires Market Entities to have written policies and procedures to address cybersecurity risks.

The SEC has also proposed a new rule that would require all Market Entities, including broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations and exchanges, and transfer agents, to establish, maintain, and enforce written policies and procedures designed to address cybersecurity risks.[12] Market Entities would be required to assess and review these policies on an annual basis and must either submit a report or maintain a record of the annual review.[13]

Within the Market Entities, the SEC has proposed additional, more stringent requirements for a select group of financial institutions called Covered Entities, which may be exposed to greater cybersecurity risks because of their influence and size within the financial markets. Within their policies and procedures addressing cybersecurity risks, Covered Entities would have to include periodic assessments of cybersecurity risks; measures to monitor and prevent unauthorized access to Covered Entities’ information, including oversight of their service providers’ policies and procedures; and procedures to detect, contain, and mitigate cybersecurity incidents.[14] And when a Covered Entity has a reasonable basis to conclude that a cybersecurity incident has occurred or is occurring, it would have to notify the SEC of the incident immediately.[15]

3. Expanding Regulation SCI to cover additional financial institutions.

Regulation SCI requires Systems Compliance and Integrity (SCI) entities to have comprehensive policies and procedures reasonably designed to ensure that the technology infrastructures supporting their securities market functions have the capacity, integrity, resiliency, availability, and security adequate to operate effectively in the market.[16] Examples of such policies and procedures are periodic stress testing of the systems, business continuity and disaster recovery planning, and reviewing and testing to identify vulnerabilities.[17]

The current version of Regulation SCI applies to self-regulatory organizations, such as national securities exchanges, registered clearing agencies, and registered securities associations. The proposed amendment would expand Regulation SCI to also include registered security-based swap data repositories, certain broker-dealers registered with the Commission under Section 15(b), and all clearing agencies exempted from registration.[18] Furthermore, the proposed amendment would also require an SCI entity to have policies and procedures regarding oversight of third-party providers and a program to prevent unauthorized access to the SCI systems and information.[19]

Implications.

The proposed amendments and new rule reveal that the SEC is aware of the growing reliance of financial institutions on third parties and service providers. It is perfectly rational to delegate everyday business activities to vendors and contractors, but such reliance may expose financial institutions to more access points and vulnerabilities to cyber-attacks because the third-party service providers could have access to the financial institutions’ data. Therefore, under the new proposals, the SEC is placing the onus on financial institutions to ensure that their policies and procedures addressing cybersecurity risks and data breaches cover their third-party service providers. Going forward, financial institutions may need to be even more careful about which service providers they contract with, because a third party’s cyber deficiencies could draw SEC scrutiny to the financial institution itself.

If adopted, the new proposals represent a sweeping change to the requirements for financial institutions and increase the stakes and potential liability for covered institutions. The stark reality is that every institution covered by the proposed amendments is susceptible to an attack at any time, and any cybersecurity incident may lead to litigation, investigation, and crisis management. If these proposals are adopted, the likelihood of the SEC using its enforcement powers to identify alleged deficiencies in a cybersecurity program would increase. Thus, in addition to focusing on compliance with the new contours of the proposals, financial institutions should use these amendments as an opportunity to review and refine their procedures for preventing and handling data breaches.

Footnotes

[1] Sarah Jarvis, “Divided SEC Advances Trio Of Cybersecurity Rule Proposals,” Law360 (Mar. 15, 2023), https://www.law360.com/articles/1586347/divided-sec-advances-trio-of-cybersecurity-rule-proposals.
[2] Securities and Exchange Commission, 65 Fed. Reg. 40334, 40362 (Jun. 29, 2000).
[3] Id. at 40366.
[4] Securities and Exchange Commission, 69 Fed. Reg. 71322, 71329 (Dec. 8, 2004).
[5] Sec. Exch. Comm’n, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, at 19 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97141.pdf.
[6] Id. at 25, 28.
[7] Id. at 34-35.
[8] Id. at 20.
[9] Id. at 58.
[10] Id. at 78, 81.
[11] Id. at 93.
[12] Sec. Exch. Comm’n, Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, at 10, 52 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
[13] Id. at 56.
[14] Id. at 102.
[15] Id. at 139-40.
[16] Sec. Exch. Comm’n, Regulation Systems Compliance and Integrity, at 17 (proposed Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97143.pdf.
[17] Id.
[18] Id. at 28.
[19] Id. at 104, 123.

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.