As part of a continuing concern with modernizing regulations to match advancing technological threats, the Securities and Exchange Commission (SEC) announced on March 15, 2023, a package of proposed policies designed to help harden the financial system against hacking, data theft and system failure.
The SEC’s five members were due to vote on three proposals which govern:
- How broker-dealers address hacking incidents and protect consumer data
- How stock exchanges and transaction clearing houses and others deemed critical to national economic security gird themselves from system failure and cyber-intrusion
These policies add to measures introduced since last year to counter what officials say are mounting dangers to public companies and investors. The three proposals introduce the following:
- Handling and safeguarding of personal customer information
- Broker-dealers and money managers would be required to maintain programs to detect and respond to unauthorized data access and to notify affected customers within 30 days
- The design and implementation of cybersecurity policies and procedures to better prepare for future cyber threats along with notification requirement
- Broker-dealers, securities exchanges and others would be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” incidents.
- Extending the requirement of Regulation SCI to additional entities and strengthening certain requirements on oversight of third-party service providers
- The proposal would expand the number of stock exchanges, registered clearing agencies and others covered by 2014’s “Systems Compliance and Integrity” regulation requiring operators to build systems robust enough to support market activities. The proposal would also require such operators to oversee services from cloud computing providers to be certain they match the rule’s requirements governing system resiliency.
The notice requirements have garnered some criticism due to concerns that these prescriptive deadlines on regulatory filings could demand the immediate attention of managers while in the midst of responding to a critical cyber event. Proponents recognize many states already have notification rules and this proposal could create a federal baseline.
Insurance implications
- For financial institutions regulated by the SEC, ensure regulatory coverage is part of your cyber insurance program. Typically, coverage for regulatory actions is included within the security and privacy liability insuring agreements. Such coverage will generally provide for the defense of regulatory actions, which often includes enforcement actions, and investigative subpoenas.
- In order to be more resilient when faced with a cybersecurity incident and be a better risk when either first procuring or renewing your cyber insurance policy, be sure to have a detailed cybersecurity response plan as required by the above-referenced SEC proposals, which may include:
- The designation of a responsible individual for cybersecurity
- The placement of appropriate privileged access controls
- Employee training, drills and exercises
- The implementation of technical and physical security controls
- Adequate record keeping and documentation procedures
Conclusion
Managing cyber related vulnerabilities should be part of the operational resilience strategy of every financial institution. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. All cyber insurers now are requiring businesses meet specific cybersecurity standards to be eligible to purchase and renew cyber insurance. WTW can assist you in tailoring a cyber risk management solution and coverage to suit your risk profile and business needs.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
