The US Securities and Exchange Commission (SEC) has proposed new cybersecurity rules for companies in the US stock market, with the aim of increasing regulation of digital risk.
The proposals would require market entities to report significant cybersecurity incidents to the SEC, to document written policies and procedures for addressing cybersecurity threats, and to disclose those incidents. The SEC also acknowledged that financial sector companies already spend heavily on cybersecurity, but suggested that the risk continues to outpace security budgets.
The proposals would also require broker-dealers, investment companies and investment advisers to notify customers within 30 days of a data breach involving sensitive personal information. A further proposal would expand and update the Regulation Systems Compliance and Integrity (Regulation SCI) rules to cover third-party risk management programmes.
Republican Commissioner Hester M. Peirce criticised the proposals, saying that they would “open market entities to legal risk” and suggesting that they were aimed at boosting year-end enforcement statistics rather than making markets more secure.
The Biden administration has made clear its intention to increase regulatory requirements in cybersecurity following a ransomware wave that exposed vulnerabilities in key critical infrastructure operators. The White House published a national cybersecurity strategy earlier in the month that outlined its plans to increase regulatory authority.
The SEC proposals will undergo a public comment period before being put to another round of commissioner voting.
The proposed cybersecurity rules highlight the increasing concern of US regulators about the private sector’s management of digital risk.
While some have criticised the proposals as too complex and punitive, others argue that such measures are necessary to protect against cyber threats that pose a significant risk to financial stability.