I. Why This Matters
II. Analytic Considerations for Evaluating SEC Cybersecurity Proposals
III. Overlap and Differences Among the Proposals
IV. Regulation S-P Proposal
V. Rule 10 Proposal
VI. Reg SCI
VII. Comment Period
On March 15, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed three rules related to cybersecurity and reopened the comment period for its Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Investment Advisers and Companies Proposed Rule).1 The three newly proposed rules include the following:
- Reg S-P: Amendments to Regulation S-P (Reg S-P) would enhance security obligations for the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents (S-P Covered Entities) to “provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.”2 The Commission unanimously approved the Regulation S-P Proposal, although certain Commissioners voiced concern over it.3
- Rule 10 Proposal: A new cybersecurity…