U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule | Insights

I. Why This Matters

II. Analytic Considerations for Evaluating SEC Cybersecurity Proposals

III. Overlap and Differences Among the Proposals

IV. Regulation S-P Proposal

V. Rule 10 Proposal

VI. Reg SCI

VII. Comment Period

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed three rules related to cybersecurity and reopened the comment period for its Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Investment Advisers and Companies Proposed Rule).¹  The three newly proposed rules include the following:

1. Reg S-P: Amendments to Regulation S-P (Reg S-P) would enhance security obligations for the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents (S-P Covered Entities) to “provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.”²  The Commission unanimously approved the Regulation S-P Proposal, although certain Commissioners voiced concern over it.³
2. Rule 10 Proposal: A new cybersecurity…