SEC Open Meeting

U.S. Securities and Exchange Commission

Open Meeting

Wednesday, March 15, 2023

Topline

  • The Commission voted unanimously to approve amendments to rules under Regulation S-P, to recordkeeping rules, and to annual privacy notice delivery provisions.
  • The Commission voted 3-2 in favor of the cybersecurity risk management rule.
  • The Commission voted 3-2 in favor of expanding the scope of entities subject to Regulation SCI.

Opening Statement

Gary Gensler, Chairman, Securities and Exchange Commission

Gensler opened the meeting by addressing the events of the past week. He noted the SEC staff is focused on identifying and prosecuting any misconduct that may impact the markets and capital. He added that the Commission’s staff are prepared to prosecute if their investigations find violations of securities laws. He also emphasized the SEC’s responsibility to help protect financial stability, adding that he is proud of the Commission’s current focus on resiliency projects. Finally, Gensler said history proves the Commission should continue its ongoing work to strengthen the guardrails of finance.

ITEM 1: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

The Commission considered whether to propose amendments to rules under Regulation S-P to require broker dealers, investment companies, and investment advisers registered with the Commission to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. This includes procedures for providing timely notification to certain affected individuals. The Commission also considered whether to propose corresponding amendments to recordkeeping rules under the Securities Exchange Act of 1934, Investment Company Act of 1940, and Investment Advisers Act of 1940. The Commission also considered whether to propose amendments to conform annual privacy notice provisions to the terms of an exception provided by a statutory amendment in the Gramm-Leach-Bliley Act.

Staff Discussion

Thoreau Bartmann, Division of Investment Management

Bartmann explained that under current rules, broker dealers, investment companies, and registered investment advisers must adopt written policies and procedures to protect information and take the proper steps for the disposal of such information. He said this proposal would require broker dealers, investment companies, advisers, and all transfer agents registered with the SEC to adopt written policies and procedures for incident response programs, which would include procedures for timely notification to affected customers. Bartmann said advanced planning to create an incident response program is an important step to limit harmful impacts, noting this rule would create a federal minimum standard for covered institutions so all customers receive important information. Finally, he discussed the amendment’s requisite policies for safeguarding and properly disposing of customer records/information, noting both rules would be extended to apply to all transfer agents.

Aaron Ellias, Division of Investment Management

Ellias provided additional detail on the proposal. He stated that the covered entities must include procedures to assess the nature and scope of any incident and establish appropriate steps to contain and control the incident to prevent further access or use. Ellias added that covered entities must provide notice to individuals whose data was used without authorization, unless the institution determines that the information has not been and will not be used in a manner that will result in substantial harm or inconvenience. Additionally, he said the policies must be clear and conspicuous, and notices must be provided as soon as practicable but not later than 30 days after the institution becomes aware of the incident. Finally, Ellias said that the proposal aligns the safeguarding of personal information and disposal rules. He explained that the proposal defines customer information as any record containing nonpublic personal information about the customer of a financial institution, and it also broadens the group of customers protected.

James Wintering, Division of Trading and Markets

Wintering reiterated that the proposal would require covered institutions to make and maintain written records of compliance with the safeguards and disposal rules. He noted this includes maintaining records and procedures in order to protect information and follow the proposed incident response programs. Wintering said the proposal would also require every covered institution to adopt and implement procedures to address the proper disposal of consumer/customer information. He noted that the safeguards rule does not currently apply to transfer agents, explaining the extension is necessary to protect security holders who could be harmed by unauthorized access to their data. Finally, Wintering said the proposal would ensure a minimum nationwide standard related to the notification of a data breach, regardless of where it occurs.

Jessica Wachter, SEC Chief Economist

Wachter said this proposal would benefit customers by positioning them to mitigate the effects of a data breach more effectively. She added institutions should invest more in safeguards, which would cause less data to be exposed in the first place. Wachter said institutions may choose to increase expenditures to avoid breaches, acknowledging these costs may be passed to consumers.

Commissioner Questions and Comments

Commissioner Peirce

Commissioner Peirce noted that investors want to know if their information is safe. She supported the proposal but cautioned that her support for the final rule will depend on the comments that are received. Peirce also expressed concern about the overlapping regulations being considered in today’s meeting. She said the rule should include a law enforcement exception to delay the alert when there is a valid law enforcement or national security concern. Peirce argued that rather than preempting or deferring state customer notification rules, the Commission is dancing around a problem it is creating. She also warned the rule’s reach is broader than it might appear at first glance. Peirce concluded that the rule’s proposed compliance period of one year does not seem reasonable.

Peirce asked multiple questions of the staff. First, she inquired about advice for a covered institution that gets caught between state obligations and those of the SEC. Bartmann referred her to the Division of Enforcement for an answer to the specific question, but also noted that entities could likely send one notice to satisfy both requirements. He also flagged that this is an issue they would like to hear about from commenters. Peirce also asked if they are considering a longer compliance time for smaller entities, and Bartmann said there are requests for comment on this specific issue in the proposal. Finally, Peirce noted that banking regulators afford entities more discretion about when to issue a notice, and she asked if there is something about their approach that is not working. Bartmann replied that the release reflects a balanced approach to allow individuals to have notice and give affected individuals the ability to respond. He added that giving covered institutions greater discretion could jeopardize the ability of customers to respond, but noted the proposal does allow institutions to rebut the notification obligation if they find that there has not been any harm or there is not a risk of harm.

Commissioner Crenshaw

Commissioner Crenshaw said that while the three proposals are related, each has a unique scope and purpose. She added that the three releases each should solicit comments on whether the implementation will have any duplication challenges. Crenshaw argued that it is the Commission’s imperative to impose rigorous requirements on SEC registrants, noting this proposal would add to the protections afforded by Regulation S-P in meaningful ways. She said having a minimum federal standard would ensure that customers in all states are notified in the event of an incident and highlighted her support for the proposal.

Commissioner Uyeda

Commissioner Uyeda noted each proposal places a significant focus on cybersecurity, but remarked the SEC has provided little analysis as to how the proposals interact with each other or mitigate cybersecurity risk in an integrated manner. He added he would have preferred to create a more unified approach to cybersecurity concerns. He said that the proposal’s requirements are a mixed bag, as some aspects are long overdue. Uyeda highlighted multiple concerns with the proposal, including the requirement that financial institutions notify individuals within 30 days. He explained that while customers should receive timely written notice in these incidents, all 50 states and other regulators have already adopted notification obligations, noting this added requirement may result in confusion. Additionally, Uyeda argued that the proposal could add more confusion unless there is a federally enacted data privacy law. He said the SEC’s kitchen sink approach raises concerns of duplicative policies and could cause multiple notifications to the Commission and consumers, but affirmed that he will support the effort to obtain public comment on this proposal.

Uyeda asked the staff about the effectiveness of customers receiving a notification every other day warning that their data could be compromised. Bartmann said that state legislatures have come to different conclusions about when a notice is needed, and noted the proposal asks for comment on whether the triggering obligations are correct.

Commissioner Lizarraga

Commissioner Lizarraga said the Commission must do everything in its power to enhance cybersecurity practices by market participants. He said the proposal will strengthen resiliency and increase investor confidence, noting the cybersecurity reforms being proposed are necessary and appropriate. He explained that these proposals will require market participants to adopt and implement effective procedures, including disclosures and notifications to customers if personal information is compromised. Lizarraga said this would result in market entities being more secure, with the ability to mitigate risk to themselves, their customers, and markets. Lizarraga also pointed out that consumers in states with stronger protections than those proposed by the federal minimum would not be harmed by this proposal, adding it would provide consistent notification to consumers regardless of state of residency.

Finally, Lizarraga affirmed this proposal strengthens cybersecurity in capital markets and increases investor protection.

Chair Gensler

Chair Gensler said he supports the proposed amendments, adding they will protect the privacy of customers’ financial data. He said the SEC needs to update these rules as the nature, sale, and impact of data breaches has transformed substantially, and investors would benefit from a financial privacy rule more modern than the AOL era. Gensler also noted that firms would need to monitor and detect when sensitive consumer data has been accessed, and covered firms would be required to properly safeguard and dispose of customer information. Finally, he noted that transfer agents maintain sensitive information, which makes it important for them to follow the same standards as other firms.

The item was approved unanimously.

ITEM 2: Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents

The Commission considered whether to propose a new rule and exemptive order amendments under the Exchange Act to require certain registrants to address cybersecurity risks through policies and procedures, notification and reporting to the Commission, public disclosure, and record retention. The proposed cybersecurity requirements would apply to broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.

Staff Discussion

David Saltiel, Division of Trading and Markets

Saltiel recommended the SEC propose a new rule under the Exchange Act to address cybersecurity risks. He explained the rule would apply to broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents, collectively referred to as market entities. He said the increasing reliance of market entities on information systems to perform their functions has led them to become targets for threat actors. Saltiel added the interconnectedness of market entities increases the risk that a significant cybersecurity incident could cause widespread harm to U.S. securities markets. He warned all market entities must address cybersecurity risk, noting cybersecurity presents an increasing threat to the financial sector. He concluded the proposal would require market entities to implement measures to address cyber risk, enhance the SEC’s oversight, and increase transparency about cyber risks.

Randall Roy, Division of Trading and Markets

Roy emphasized the importance of market entities protecting their systems from cybersecurity risks. He said the proposed rule would require all market entities to implement written policies and procedures that are reasonably designed to address cyber risk and to review these policies annually. Roy pledged this is not a one-size-fits-all approach, noting the policies and procedures should be tailored to the scope and nature of each entity’s business and risk. He said all market entities would be required to provide the SEC with immediate written electronic notice of a significant cybersecurity incident. Roy noted these reporting requirements would improve the SEC’s ability to assess and avoid significant cyber incidents. He also highlighted the proposal’s disclosure requirements, explaining market entities would need to publicly disclose significant cybersecurity incidents, thus providing greater transparency about their level of risk. Roy concluded by noting that the proposal seeks to avoid disclosures that could further increase cybersecurity risks.

Jessica Wachter, SEC Chief Economist

Wachter discussed how the proposal would define covered and non-covered entities, noting covered entities would face additional requirements. She said the list of covered entities reflects the diversity of markets. Wachter emphasized the severity of potential losses from a cybersecurity attack. She testified the mandated policies and procedures would enable entities to better fend off cyberattacks. Wachter concluded that market forces could lead to underinvestment in cybersecurity, adding these proposals would lead to better protection for customers.

Commissioner Questions and Comments

Commissioner Peirce

Commissioner Peirce discussed the increasing reliance of markets on technology, which has heightened the need for entities to shore up their cyber defenses to minimize the consequences of cyberattacks. She said the proposed rule suggests the Commission decided to be an enforcer and reflects the Commission’s hunger for data. Peirce discussed the important, positive role the SEC has in assisting market participants in defending themselves against cyber criminals, adding a reasonable reporting framework could facilitate that role. She classified this proposal as an onerous framework with a complicated reporting regime, noting the rule is not a serious proposal to make securities markets more secure, but a rule to enhance the SEC’s year-end statistics.

Peirce said the SEC should not imply that the occurrence of a cyber incident suggests customers should stop interacting with a firm. She added the broadness of the proposal will make implementation incredibly challenging. Peirce added the proposal’s requirements would make it harder for smaller entities to work with external service providers. She concluded she is unable to support the proposal.

Peirce said the proposal’s aggressive reporting deadlines were cause for concern, and asked what the SEC intends to do with the reports. Roy said the reports will help the SEC understand not only the incident itself, but how the incident impacts the entity, its customers, and its members. Roy added the reports will also allow the SEC to develop a database of information that could be used to spot trends.

Commissioner Crenshaw

Commissioner Crenshaw said the threat of cyberattacks on the U.S. financial system keeps her up at night. She noted cybersecurity risks have grown as attacks have increased in sophistication. Crenshaw discussed the risk of harm cyberattacks pose to investors, including retail investors. She said robust cybersecurity risk management practices are critical, noting this rule would apply to key market entities. Crenshaw emphasized her support for the proposal.

Commissioner Uyeda

Commissioner Uyeda noted the proposal would require covered entities to comply with new reporting requirements, adding the proposal should have taken prior comments into account. He noted the proposal lands in the same place as the IM rulemaking from February 2022. Uyeda acknowledged cybersecurity is an incredibly important topic for our markets and economy as a whole but said there must be a clear regulatory framework to address cybersecurity. He added the SEC’s spaghetti on the wall approach would conflict with and weaken current protections. Uyeda concluded his preferred approach would have been a set of coordinated rules and said he could not support the proposal.

Commissioner Lizarraga

Commissioner Lizarraga said the proposal establishes a practical framework that would require various market entities to adopt and implement policies and procedures to address cybersecurity, including recordkeeping requirements. He added the proposal would require public disclosure and notification to the Commission of significant cybersecurity risks, which would provide investors and other participants with relevant information about cyberattacks and data breaches. Lizarraga concluded by stating the threats market entities face are constantly evolving, adding today’s proposal would require entities to take reasonable steps to protect their information systems from cyber risks.

Chair Gensler

Chair Gensler discussed the proposal’s requirement that entities adopt written policies and procedures to address cybersecurity risk across five areas, notify the Commission of significant cyber incidents, and disclose to the public risks that could materially affect them. Gensler added that the proposal concerns a broad array of firms’ information systems, which is critical. Finally, he noted that the Commission separately voted to reopen public comment periods on similar cybersecurity enhancements for investment companies and managers.

Chairman Gensler, Commissioner Crenshaw, and Commissioner Lizarraga voted in favor of the proposal. Commissioners Peirce and Uyeda voted against. The proposal was approved by a vote of 3-2.

ITEM 3: Regulation Systems Compliance and Integrity (Regulation SCI)

The Commission considered whether to propose amendments to Regulation SCI under the Exchange Act to expand the scope of entities subject to Regulation SCI and to update certain provisions of Regulation SCI.

Staff Discussion

David Saltiel, Division of Trading and Markets

Saltiel discussed the Division of Trading and Markets’ recommendations for updates to Regulation SCI, which would expand its scope to include certain additional types of market participants and strengthen its rules to address evolving technological vulnerabilities. He noted the proposal would expand the definition of an SCI entity to include registered broker dealers exceeding a size threshold, registered security-based swap data repositories, and additional exempt clearing agencies. He concluded the proposal would strengthen requirements on SCI entities and update Regulation SCI for today’s technology landscape.

Heidi Pilpel, Division of Trading and Markets

Pilpel discussed the Division of Trading and Markets’ recommendation that the SEC expand the definition of SCI entities to include entities the Division believes play an additional role in securities markets. She suggested amending the SCI broker dealer definition and discussed the transaction activity threshold, which would apply to broker dealers that transacted 10% or more of the average daily volume. She said the Division also recommends that Regulation SCI include all clearing agencies, and provisions to update the cybersecurity section of SCI. Pilpel said the proposal would expand the definition of systems intrusion to cover a broader range of unauthorized activity. She concluded by discussing the proposal’s express requirement that SCI entities have a program for initial and periodic review of contracts with third party systems.

Jessica Wachter, SEC Chief Economist

Wachter said the proposed amendments would strengthen the requirements of Regulation SCI. She added the overall cost would be limited, because SCI remains targeted to entities that play a significant role in securities markets.

Commissioner Questions and Comments

Commissioner Peirce

Commissioner Peirce said this proposed expansion is an example of micromanagement, adding that large financial firms already have incentives to do what the rule is proposing. She noted several aspects of the proposal suggest it could turn into compliance theater. Peirce said the proposal’s projected costs are staggering, and that she is unable to support it.

Peirce asked staff why they think that Regulation SCI has been a success so far. Saltiel said Regulation SCI provided the Commission with more visibility and SCI entities with more accountability.

Commissioner Crenshaw

Commissioner Crenshaw discussed the Commission’s 2014 adoption of Regulation SCI, which established the first comprehensive framework of SEC oversight of the tech systems that comprise modern markets, with the goal of strengthening them and improving their resilience. She added markets have demonstrated resilience in recent years, which many observers have credited, at least in part, to Regulation SCI. Crenshaw said Regulation SCI has been a mostly unsung hero of market disruptions that did not occur. She noted markets continue to evolve and increase in their complexity and interconnectedness. Crenshaw concluded by highlighting her support for the proposal.

Commissioner Uyeda

Commissioner Uyeda said the proposal would result in unnecessary costs. He added that by issuing the proposal, the Commission is assuming it is best positioned to directly oversee registrants’ technologies. Uyeda said he finds this assumption questionable. He concluded he can’t support the proposal.

Uyeda asked if broker dealers would limit their activity to avoid hitting the proposal’s threshold, and if that would impact liquidity. Wachter said a change in activity is always a concern when thresholds are imposed, and that cost to markets is considered. She added an SCI entity is by definition a large and important entity, noting there is reason to include broker dealers in that classification.

Commissioner Lizarraga

Commissioner Lizarraga said he is pleased to support the proposal.

Chair Gensler

Chair Gensler said he is pleased to support the proposal, noting its consistency with the SEC’s goal of maintaining orderly markets. He noted the proposed amendments would promote market security and sustainability. Gensler discussed how rapidly technology has changed since Regulation SCI was implemented, citing dramatic increases in the digitalization of markets. He said it is appropriate to broaden Regulation SCI to include key market participants. Gensler noted the largest broker dealers play a significant role in our markets, and a technological event impacting them would disrupt our markets’ operations. He said it is too important not to require the largest broker dealers to meet Regulation SCI requirements. Gensler also said the proposal’s thresholds were selected carefully, calling the proposal a measured approach that expands the rule incrementally and benefits investors and issuers.

Chairman Gensler, Commissioner Crenshaw, and Commissioner Lizarraga voted in favor of the proposal. Commissioners Peirce and Uyeda voted against. The proposal was approved by a vote of 3-2.


For an archive of past SIFMA hearing coverage, please click here.