On March 15, 2023, the Securities and Exchange Commission (SEC) proposed a new rule, Rule 10, to address cybersecurity risk in the U.S. securities markets. Cybersecurity is a growing and significant concern for the U.S. securities market because Market Entities are interconnected: a significant cybersecurity incident at one of them can have a detrimental effect on multiple Market Entities simultaneously.
The proposed rule and amendments require all Market Entities to:
- Implement policies and procedures to address cybersecurity risk
- Review and assess the design and effectiveness of their cybersecurity policies and procedures
- Notify the SEC and the public about significant cybersecurity incidents
This proposed rule increases the SEC’s oversight of, and ability to assess, the cybersecurity of the U.S. securities market. It calls for greater transparency about cybersecurity risks and Market Entities’ cybersecurity preparedness, and for improved disclosure of incidents, in order to reduce risk exposure. Within the last two years the SEC has increasingly focused on cybersecurity, including risk management by public organizations, investment advisers and companies, as well as disclosure controls and procedures. In this post we review Rule 10 and some ways that Market Entities can meet the proposed rule.
Market Entities include “broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.”
What is the SEC Proposed Rule 10?
The new proposed Rule 10 can be divided into two primary areas: risk management policies and procedures, and disclosure of security events and strategies.
Cybersecurity Risk Management Policies and Procedures:
Market Entities are required to establish, maintain, and enforce written policies and procedures designed to address their cybersecurity risk. These documents must cover:
- Cybersecurity risk assessments.
- User security and access controls that prevent unauthorized access and secure remote access technologies.
- Information protection, starting with determining the sensitivity of the information (including PII) and where and how this information is accessed, stored, and transmitted.
- Threat and vulnerability management that evaluates, mitigates and remediates cybersecurity threats.
- Cybersecurity incident response and recovery, with written documentation of the incident, the response, and the recovery.
Incident Disclosure Proposed Amendments:
The rule includes requirements for the notification and reporting of significant cybersecurity incidents to the Commission. Market Entities have to provide immediate notice, within 48 hours, of a significant cybersecurity incident on Part I of the proposed Form SCIR. These filings reported to the Commission are treated as confidential.
Public disclosure of cybersecurity incidents is made through Part II of the proposed Form SCIR. This disclosure must be written in plain English and include a summary description of the cybersecurity incidents, and these incident reports must be kept up to date. A final requirement is that all Market Entities keep records in line with the rule’s specific recordkeeping requirements.
In summary, the regulations require that Market Entities’ cybersecurity is kept current and that there is greater transparency and reporting of cybersecurity incidents.
How the Proposed SEC Rules Affect Market Entities
Highlighting the rising costs and consequences of cybersecurity events, the SEC revealed that the average loss in financial services was $18.3 million per company per cybersecurity incident. Given the interconnectedness of Market Entities, such losses have the potential to spread and compound across the network. Therefore, it is important that Market Entities ensure they have procedures and plans in place to prevent cybersecurity incidents.
Rule 10 is designed to ensure that Market Entities take the necessary measures to protect themselves and secure their sensitive data, for example by locating and protecting sensitive PII and PHI. There is also an increasing emphasis on greater transparency about cybersecurity incidents, with clearly defined reporting requirements whose disclosures are publicly viewable.
Why Meeting the Risk Management Policies and Procedures is Difficult
Defining the controls to meet the proposed cybersecurity rules is relatively simple; actually implementing the corresponding requirements is more complicated. This is because the implementation of security policies and data access controls is performed by data engineering and DevOps teams who have their own priorities and objectives. The situation is further complicated when sensitive PHI and PII data is dispersed across various data stores, each with its own security features.
The division between authorization and authentication results in:
- A risky possibility that data engineers and DevOps staff, frustrated by the time spent managing data access controls, grant blanket access, leaving users with over-privileged access. This significantly increases the organization’s risk exposure and can result in security incidents.
- DevOps and data engineering teams spending too much time managing access to data and security requirements, only because they are the admins of the system. This increases admin costs through a cumbersome ticketing system and reduces morale, as these individuals would prefer to work on their own core projects.
- Reduced productivity, since data requests are delayed in a backlog of permission and access tickets. For Market Entities, time is of the essence, and waiting for data can result in significant losses or lost opportunities.
- Failure to meet the SEC’s cybersecurity regulations.
SEC Proposed Rule 10 with Satori
Satori can help relieve some of the pressure of meeting proposed Rule 10, particularly:
- An organization’s policies and procedures to identify and manage cybersecurity risks
- Management’s role in implementing cybersecurity policies and procedures
Satori’s Data Security Platform provides secure and automated access to data that enables the management of cybersecurity risks and streamlines the process of implementing these procedures, regardless of how widely dispersed the data is.
Satori’s automated and secured access to data:
- Reduces the risk of a data breach, because data classification is continuous and automatic and everyone accesses data on a need-to-know and just-in-time basis. Satori’s automated data classification enables your organization to discover sensitive data without relying on manual scans and applies automated security policies to newly discovered sensitive PII or PHI data. This is coupled with automated self-service data access workflows, so that authorized users can access sensitive data only when required; this just-in-time access is automatically revoked after the specified time.
- Reduces data engineering and DevOps teams’ workload since they don’t have to deal with tickets and unplanned security or privacy projects. Automating access leaves these teams with more time to focus on value-generating projects.
- Provides full visibility and control over access to data through detailed access and audit logs covering sensitive PHI, PII, or financial data spread across all data stores. Together with Satori’s Access Manager, which combines and analyzes access and security controls in a single plane, this ensures that organizations can easily view who has used which access control policies and easily update and change access permissions.
Satori’s Data Security Platform can help Market Entities prepare for the SEC Proposed Rule 10. The ability to develop and implement security policies and controls ensures that your organization reduces its risk and financial exposure; furthermore, the ability to move data quickly and securely is vital to Market Entities and can significantly impact their profitability.
To learn more about how Satori can help with Proposed Rule 10:
- Book a Demo with one of our experts.
- Read: Managing Access to Data Just Got a Whole Lot Easier
- Read: Access Control: The Dementor of Data Engineering