SEC readies cybersecurity rules for capital market stakeholders
The Securities and Exchange Commission (SEC) is drafting rules to fortify cybersecurity at the country’s publicly listed companies, exchange and other capital market participants especially now that pandemic-induced lockdowns have hastened the migration of fund flows to digital platforms.
A draft memorandum circular was released on Dec. 16 seeking to require all securities market participants—including broker-dealers, assets managers, transfer agents and self-regulatory organizations (SROs)—to adopt best practices in dealing with cybersecurity risks.
These include the identification of critical assets, information and systems, adoption of organizational or technical measures to protect information systems, as well as the formulation of a response plan and recovery plan in the event of cybersecurity breaches.
Based on the framework, all regulated entities will be required to create an information security group (InfoSec group), which will be distinct from its existing information technology group, and appoint a chief information security officer.
The InfoSec group will be in charge of formulating and enforcing an enterprise information security policy, issue-specific security policies and system-specific policies, along with an employee security education, training and awareness program, risk management program and contingency programs.
The draft rules also state that regulated entities must implement policies and procedures that will protect the privacy of their clients’ personal information, and notify them of instances when failure to protect such information occur. SROs are further instructed to disclose their institutional privacy policy to clients.
Regulated entities must conduct a regular review of their cybersecurity framework to ensure they continue to be appropriate to manage adverse impacts of cyber risks and information technology risks on their business.
The InfoSec group and/or senior management of the regulated entity must then report the results of the regular review to the SEC, as frequent as may be deemed necessary.
Publicly listed companies, on the other hand, are required to make a full, accurate, and timely disclosure of financial results, risk, and other information which are material to investors’ decisions.
Risk factors—such as reasons why the issuer is subject to cyber risk, as well as the source and nature of the cyber risk—must also be disclosed in the registration statement of a publicly listed entity. In addition, they must consider discussing the cost of ongoing cybersecurity efforts as well as the costs and other consequences of cybersecurity incidents, among others, in the management discussion and analysis.
The draft guidelines also require companies and their directors, officers and other corporate insiders to be mindful of complying with insider trading-related laws when handling information on cybersecurity risks and incidents.
Self-regulatory organizations and other entities with a secondary license from the SEC, including brokers and dealers, exchanges, transfer agents, clearing agencies and securities depositories, will be mandated to work together with the SEC to protect investor privacy and strengthen trading systems’ infrastructure.
Administrative sanctions, in addition to those already provided by law and other existing regulations, are likewise proposed to strengthen enforcement of the proposed framework.
The guidelines are being drafted in accordance with the government’s 12-point National Security Agenda, which seeks to pursue and advance cybersecurity to protect the country from computer-generated/cyberattacks that may adversely impact the economy.
All interested parties have until Jan. 31, 2021, to submit their comments and inputs to the SEC’s market and securities regulation department.
