The Securities and Exchange Commission announced proposed rules Wednesday that would require broker-dealers, clearing agencies and other financial services providers to implement procedures to boost their ability to manage cybersecurity risks.
The providers would be required to conduct annual reviews of the effectiveness of the policies and make disclosures to the SEC about significant cybersecurity incidents. Broker-dealers would also need to disclose information to investors about cybersecurity risks and major incidents.
The proposed rules are part of a wider effort by the SEC to bolster cyber resilience in the financial services sector amid a rise in ransomware and software supply chain attacks that have targeted major companies and critical infrastructure providers in recent years.
The financial sector is increasingly dependent on interconnectivity to conduct transactions, and officials say the reliance on technology has made the industry more vulnerable to malicious threat activity.
“Market entities across our capital markets increasingly rely on complex and ever evolving information systems,” SEC Chair Gary Gensler said in a statement. “Those that seek to harm these systems have become more sophisticated as well: in their tactics, techniques and procedures.”
The proposed changes were met with fierce opposition from some other members of SEC leadership.
Commissioner Hester Peirce acknowledged the threat posed by malicious cyber actors, but said the proposed changes represent an overreach.
“The onerous regulatory framework we are instead proposing, with a complicated reporting regime that is disproportionate to any reasonable need we have for immediate data, shows that we envision a quite different role for ourselves,” Peirce said in a statement.
A 60-day public comment period will open after the regulations are published in the Federal Register.
The SEC also reopened public comments for cybersecurity risk and disclosure changes involving investment advisers and business development firms.