Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 65 (Wednesday, April 5, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 65 (Wednesday, April 5, 2023)]
[Proposed Rules]
[Pages 20212-20354]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-05767]
[[Page 20211]]
Vol. 88
Wednesday,
No. 65
April 5, 2023
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 232, 240, 242, et al.
Cybersecurity Risk Management Rule for Broker-Dealers, Clearing
Agencies, Major Security-Based Swap Participants, the Municipal
Securities Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories, Security-
Based Swap Dealers, and Transfer Agents; Proposed Rule
[[Page 20212]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 232, 240, 242 and 249
[Release No. 34-97142; File No. S7-06-23]
RIN 3235-AN15
Cybersecurity Risk Management Rule for Broker-Dealers, Clearing
Agencies, Major Security-Based Swap Participants, the Municipal
Securities Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories, Security-
Based Swap Dealers, and Transfer Agents
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
proposing a new rule and form and amendments to existing recordkeeping
rules to require broker-dealers, clearing agencies, major security-
based swap participants, the Municipal Securities Rulemaking Board,
national securities associations, national securities exchanges,
security-based swap data repositories, security-based swap dealers, and
transfer agents to address cybersecurity risks through policies and
procedures, immediate notification to the Commission of the occurrence
of a significant cybersecurity incident and, as applicable, reporting
detailed information to the Commission about a significant
cybersecurity incident, and public disclosures that would improve
transparency with respect to cybersecurity risks and significant
cybersecurity incidents. In addition, the Commission is proposing
amendments to existing clearing agency exemption orders to require the
retention of records that would need to be made under the proposed
cybersecurity requirements. Finally, the Commission is proposing
amendments to address the potential availability to security-based swap
dealers and major security-based swap participants of substituted
compliance in connection with those requirements.
DATES: Comments should be received on or before June 5, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="https://www.sec.gov/rules/submitcomments.htm">https://www.sec.gov/rules/submitcomments.htm</a>); or
<bullet> Send an email to rule-comments@sec.gov. Please include
File Number S7-06-23 on the subject line.
Paper Comments
<bullet> Send paper comments to Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-06-23. The file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (<a href="https://www.sec.gov/rules/proposed.shtml">https://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549, on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change; the Commission does not edit personal
identifying information from submissions. You should submit only
information that you wish to make available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's website. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Randall W. Roy, Deputy Associate
Director and Nina Kostyukovsky, Special Counsel, Office of Broker-
Dealer Finances (with respect to the proposed cybersecurity rule and
form and the aspects of the proposal unique to broker-dealers); Matthew
Lee, Assistant Director and Stephanie Park, Senior Special Counsel,
Office of Clearance and Settlement (with respect to aspects of the
proposal unique to clearing agencies and security-based swap data
repositories); John Guidroz, Assistant Director and Russell Mancuso,
Special Counsel, Office of Derivatives Policy (with respect to aspects
of the proposal unique to major security-based swap participants and
security-based swap dealers); Michael E. Coe, Assistant Director and
Leah Mesfin, Special Counsel, Office of Market Supervision (with
respect to aspects of the proposal unique to national securities
associations and national securities exchanges); Moshe Rothman,
Assistant Director, Office of Clearance and Settlement (with respect to
aspects of the proposal unique to transfer agents) at (202) 551-5500,
Division of Trading and Markets; and Dave Sanchez, Director, Adam
Wendell, Deputy Director, and Adam Allogramento, Special Counsel,
Office of Municipal Securities (with respect to aspects of the proposal
unique to the Municipal Securities Rulemaking Board) at (202) 551-5680,
Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549-7010.
SUPPLEMENTARY INFORMATION: The Commission is proposing to add the
following new rule and form under the Securities Exchange Act of 1934
(``Exchange Act''): (1) 17 CFR 242.10 (``Rule 10''); and (2) 17 CFR
249.642 (``Form SCIR''). The Commission also is proposing related
amendments to the following rules: (1) 17 CFR 232.101; (2) 17 CFR
240.3a71-6; (3) 17 CFR 240.17a-4; (4) 17 CFR 240.17Ad-7; (5) 17 CFR
240.18a-6; and (6) 17 CFR 240.18a-10. Further, the Commission is
proposing to amend certain orders that exempt clearing agencies from
registration.
------------------------------------------------------------------------
Commission reference                       CFR citation (17 CFR)
------------------------------------------------------------------------
Regulation S-T............................ Sec. 232.101
Rule 3a71-6............................... Sec. 240.3a71-6
Rule 17a-4................................ Sec. 240.17a-4
Rule 17Ad-7............................... Sec. 240.17Ad-7
Rule 18a-6................................ Sec. 240.18a-6
Rule 18a-10............................... Sec. 240.18a-10
Rule 10................................... Sec. 242.10
Form SCIR................................. Sec. 249.624
------------------------------------------------------------------------
Table of Contents
I. Introduction
A. Cybersecurity Risk Poses a Threat to the U.S. Securities Markets
1. In General
2. Critical Operations of Market Entities Are Exposed to
Cybersecurity Risk
B. Overview of the Proposed Cybersecurity Requirements
II. Discussion of Proposed Cybersecurity Rule
A. Definitions
1. ``Covered Entity''
2. ``Cybersecurity Incident''
3. ``Significant Cybersecurity Incident''
4. ``Cybersecurity Threat''
5. ``Cybersecurity Vulnerability''
6. ``Cybersecurity Risk''
7. ``Information''
8. ``Information Systems''
9. ``Personal Information''
10. Request for Comment
B. Proposed Requirements for Covered Entities
1. Cybersecurity Risk Management Policies and Procedures
2. Notification and Reporting of Significant Cybersecurity
Incidents
3. Disclosure of Cybersecurity Risks and Incidents
4. Filing Parts I and II of Proposed Form SCIR in EDGAR Using a
Structured Data Language
[[Page 20213]]
5. Recordkeeping
C. Proposed Requirements for Non-Covered Broker-Dealers
1. Cybersecurity Policies and Procedures, Annual Review,
Notification, and Recordkeeping
2. Request for Comment
D. Cross-Border Application of the Proposed Cybersecurity
Requirements to SBS Entities
1. Background on the Cross-Border Application of Title VII
Requirements
2. Proposed Entity-Level Treatment
3. Availability of Substituted Compliance
E. Amendments to Rule 18a-10
1. Proposal
2. Request for Comment
F. Market Entities Subject to Regulation SCI, Regulation S-P,
Regulation ATS, and Regulation S-ID
1. Discussion
2. Request for Comment
G. Cybersecurity Risk Related to Crypto Assets
III. General Request for Comment
IV. Economic Analysis
A. Introduction
B. Broad Economic Considerations
C. Baseline
1. Cybersecurity Risks and Current Relevant Regulations
2. Market Structure
D. Benefits and Costs of Proposed Rule 10, Form SCIR, and Rule
Amendments
1. Benefits and Costs of the Proposals to the U.S. Securities
Markets
2. Policies and Procedures and Annual Review Requirements for
Covered Entities
3. Regulatory Reporting of Cybersecurity Incidents by Covered
Entities
4. Public Disclosure of Cybersecurity Risks and Significant
Cybersecurity Incidents
5. Record Preservation and Maintenance by Covered Entities
6. Policies and Procedures, Annual Review, Immediate
Notification of Significant Cybersecurity Incidents, and Record
Preservation Requirements for Non-Covered Broker-Dealers
7. Substituted Compliance for Non-U.S. SBS Entities
E. Effects on Efficiency, Competition, and Capital Formation
F. Reasonable Alternatives
1. Alternatives to the Policies and Procedures Requirements of
Proposed Rule 10
2. Alternatives to the Requirements of Proposed Form SCIR and
Related Notification and Disclosure Requirements of Proposed Rule 10
3. General Request for Comment
V. Paperwork Reduction Act Analysis
A. Summary of Collections of Information
1. Proposed Rule 10
2. Form SCIR
3. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
4. Substituted Compliance (Rule 3a71-6)
B. Proposed Use of Information
C. Respondents
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
D. Total Initial and Annual Reporting Burdens
1. Proposed Rule 10
2. Form SCIR
3. Rules 17a-4, 17ad-7, 18a-6, and Clearing Agency Exemption
Orders (and Existing Rules 13n-7 and 17a-1)
4. Substituted Compliance (Rule 3a71-6)
E. Collection of Information is Mandatory
F. Confidentiality of Responses to Collection of Information
G. Retention Period for Recordkeeping Requirements
H. Request for Comment
VI. Initial Regulatory Flexibility Act Analysis
A. Reasons for, and Objectives of, Proposed Action
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
B. Legal Basis
C. Small Entities Subject to Proposed Rule, Form SCIR, and
Recordkeeping Rule Amendments
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
D. Reporting, Recordkeeping, and Other Compliance Requirements
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, and 18a-6
E. Duplicative, Overlapping, or Conflicting Federal Rules
1. Proposed Rule 10 and Parts I and II of Proposed Form SCIR
2. Rules 17a-4, 17ad-7, 18a-6 and Clearing Agency Exemption
Orders
F. Significant Alternatives
1. Broker-Dealers
2. Clearing Agencies
3. The MSRB
4. National Securities Exchanges and National Securities
Associations
5. SBS Entities
6. SBSDRs
7. Transfer Agents
G. Request for Comment
VII. Small Business Regulatory Enforcement Fairness Act
VIII. Statutory Authority
I. Introduction
A. Cybersecurity Risk Poses a Threat to the U.S. Securities Markets
1. In General
Cybersecurity risk has been described as ``an effect of uncertainty
on or within information and technology.'' \1\ This risk can lead to
``the loss of confidentiality, integrity, or availability of
information, data, or information (or control) systems and [thereby to]
potential adverse impacts to organizational operations (i.e., mission,
functions, image, or reputation) and assets, individuals, other
organizations, and the Nation.'' \2\ The U.S. Financial Stability
Oversight Council (``FSOC'') in its 2021 annual report stated that a
destabilizing cybersecurity incident could potentially threaten the
stability of the U.S. financial system through at least three channels:
---------------------------------------------------------------------------
\1\ See the National Institute of Standards and Technology
(``NIST''), U.S. Department of Commerce, Computer Security Resource
Center Glossary, available at <a href="https://csrc.nist.gov/glossary">https://csrc.nist.gov/glossary</a> (``NIST
Glossary'') (definition of ``cybersecurity risk''). The NIST
Glossary consists of terms and definitions extracted verbatim from
NIST's cybersecurity and privacy-related publications (i.e., Federal
Information Processing Standards (FIPS), NIST Special Publications
(SPs), and NIST Internal/Interagency Reports (IRs)) and from the
Committee on National Security Systems (CNSS) Instruction CNSSI-
4009. The NIST Glossary may be expanded to include relevant terms in
external or supplemental sources, such as applicable laws and
regulations. The Cybersecurity Enhancement Act of 2014 (``CEA'')
updated the role of NIST to include identifying and developing
cybersecurity risk frameworks for voluntary use by critical
infrastructure owners and operators. The CEA required NIST to
identify ``a prioritized, flexible, repeatable, performance based,
and cost-effective approach, including information security measures
and controls that may be voluntarily adopted by owners and operators
of critical infrastructure to help them identify, assess, and manage
cyber risks.'' See 15 U.S.C. 272(e)(1)(A)(iii). In response, NIST
has published the Framework for Improving Critical Infrastructure
Cybersecurity (``NIST Framework''). See also NIST, Integrating
Cybersecurity and Enterprise Risk Management (ERM) (Oct. 2020),
available at <a href="https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf">https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf</a> (``All types of organizations, from corporations to
federal agencies, face a broad array of risks. For federal agencies,
the Office of Management and Budget (OMB) Circular A-11 defines risk
as `the effect of uncertainty on objectives'. The effect of
uncertainty on enterprise mission and business objectives may then
be considered an `enterprise risk' that must be similarly managed .
. . Cybersecurity risk is an important type of risk for any
enterprise.'') (footnotes omitted).
\2\ See NIST Glossary (definition of ``cybersecurity risk'').
See also The Board of the International Organization of Securities
Commissions (``IOSCO''), Cyber Security in Securities Markets--An
International Perspective (Apr. 2016), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD528.pdf</a> (``IOSCO
Cybersecurity Report'') (``In essence, cyber risk refers to the
potential negative outcomes associated with cyber attacks. In turn,
cyber attacks can be defined as attempts to compromise the
confidentiality, integrity and availability of computer data or
systems.'') (footnote omitted).
---------------------------------------------------------------------------
<bullet> First, the incident could disrupt a key financial service
or utility for which there is little or no substitute. This could
include attacks on central banks; exchanges; sovereign and subsovereign
creditors, including U.S. state and local governments; custodian banks;
payment clearing and settlement systems; or other firms or services
that lack substitutes or are sole service providers.
<bullet> Second, the incident could compromise the integrity of
critical data.
[[Page 20214]]
Accurate and usable information is critical to the stable
functioning of financial firms and the system; if such data is
corrupted on a sufficiently large scale, it could disrupt the
functioning of the system. The loss of such data also has privacy
implications for consumers and could lead to identity theft and fraud,
which in turn could result in a loss of confidence.
<bullet> Third, a cybersecurity incident that causes a loss of
confidence among a broad set of customers or market participants could
cause customers or participants to question the safety or liquidity of
their assets or transactions, and lead to significant withdrawal of
assets or activity.\3\
---------------------------------------------------------------------------
\3\ FSOC, Annual Report (2021), at 168, available at <a href="https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf">https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf</a> (``FSOC
2021 Annual Report'').
---------------------------------------------------------------------------
The U.S. securities markets are part of the Financial Services
Sector, one of the sixteen critical infrastructure sectors ``whose
assets, systems, and networks, whether physical or virtual, are
considered so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination
thereof.'' \4\ These markets are over $100 trillion in total size, and
more than a trillion dollars' worth of transactions flow through them
each day. For example, the market capitalization of the U.S. equities
market was valued at $49 trillion as of the first quarter of 2022,\5\
and as of May 2022, the average daily trading dollar volume in the U.S.
equities market was $659 billion.\6\ The market capitalization of the
U.S. fixed income market was valued at $52.9 trillion as of the fourth
quarter of 2021,\7\ and as of May 2022, the average daily trading
dollar volume in the U.S. fixed income market was $897.8 billion.\8\
---------------------------------------------------------------------------
\4\ Cybersecurity and Infrastructure Security Agency (``CISA''),
U.S. Department of Homeland Security, Critical Infrastructure
Sectors, available at <a href="https://www.cisa.gov/critical-infrastructure-sectors">https://www.cisa.gov/critical-infrastructure-sectors</a>. See also Presidential Policy Directive--Critical
Infrastructure Security and Resilience, Presidential Policy
Directive, PPD-21 (Feb. 12 2013).
\5\ See Securities Industry and Financial Markets Association
(``SIFMA''), Research Quarterly: Equities (Apr. 27, 2022), available
at <a href="https://www.sifma.org/resources/research/research-quarterly-equities/">https://www.sifma.org/resources/research/research-quarterly-equities/</a>.
\6\ See SIFMA, US Equity and Related Statistics (June 1, 2022),
available at <a href="https://www.sifma.org/resources/research/us-equity-and-related-securities-statistics/">https://www.sifma.org/resources/research/us-equity-and-related-securities-statistics/</a>.
\7\ See SIFMA, Research Quarterly: Fixed Income--Outstanding
(Mar. 14, 2022), available at <a href="https://www.sifma.org/resources/research/research-quarterly-fixed-income-outstanding/">https://www.sifma.org/resources/research/research-quarterly-fixed-income-outstanding/</a>.
\8\ See SIFMA, US Fixed Income Securities Statistics (June 9,
2022), available at <a href="https://www.sifma.org/resources/research/us-fixed-income-securities-statistics/">https://www.sifma.org/resources/research/us-fixed-income-securities-statistics/</a>.
---------------------------------------------------------------------------
The sizes of these markets are indicative of the central role they
play in the U.S. economy in terms of the flow of capital, including the
savings of individual investors who are increasingly relying on them
to, for example, build wealth to fund their retirement, purchase a
home, or pay for college for themselves or their family. Therefore, it
is critically important to the U.S. economy, investors, and capital
formation that the U.S. securities markets function in a fair, orderly,
and efficient manner.\9\
---------------------------------------------------------------------------
\9\ The Commission's tripartite mission is to: (1) protect
investors; (2) maintain fair, orderly, and efficient markets; and
(3) facilitate capital formation. See, e.g., Commission, Our Goals,
available at <a href="https://www.sec.gov/our-goals">https://www.sec.gov/our-goals</a>.
---------------------------------------------------------------------------
The fair, orderly, and efficient operation of the U.S. securities
markets depends on different types of entities performing various
functions to support, among other things, disseminating market
information, underwriting securities issuances, making markets in
securities, trading securities, providing liquidity to the securities
markets, executing securities transactions, clearing and settling
securities transactions, financing securities transactions, recording
and transferring securities ownership, maintaining custody of
securities, paying dividends and interest on securities, repaying
principal on securities investments, supervising regulated market
participants, and monitoring market activities. Collectively, these
functions are performed by entities regulated by the Commission:
broker-dealers, broker-dealers that operate an alternative trading
system (``ATS''), clearing agencies, major security-based swap
participants (``MSBSPs''), the Municipal Securities Rulemaking Board
(``MSRB''), national securities associations, national securities
exchanges, security-based swap data repositories (``SBSDRs''),
security-based swap dealers (``SBSDs'' or collectively with MSBSPs,
``SBS Entities''), and transfer agents (collectively, ``Market
Entities'').\10\
---------------------------------------------------------------------------
\10\ Currently, there are no MSBSPs registered with the
Commission.
---------------------------------------------------------------------------
To perform their functions, Market Entities rely on an array of
electronic information, communication, and computer systems (or similar
systems) (``information systems'') and networks of interconnected
information systems. While Market Entities have long relied on
information systems to perform their various functions, the
acceleration of technical innovation in recent years has exponentially
expanded the role these systems play in the U.S. securities
markets.\11\ This expansion has been driven by the greater efficiencies
and lower costs that can be achieved through the use of information
systems.\12\ It also has been driven by newer entrants (financial
technology (Fintech) firms) that have developed business models that
rely heavily on information systems (e.g., applications on mobile
devices) to provide services to investors and other participants in the
securities markets and more established Market Entities adopting the
use of similar technologies.\13\ The COVID-19 pandemic also has
contributed to the greater reliance on information systems.\14\
---------------------------------------------------------------------------
\11\ See, e.g., Bank of International Settlements, Erik Feyen,
Jon Frost, Leonardo Gambacorta, Harish Natarajan, and Mathew Saal,
Fintech and the digital transformation of financial services:
implications for market structure and public policy, BIS Papers No.
117 (July 2021), available at <a href="https://www.bis.org/publ/bppdf/bispap117.pdf">https://www.bis.org/publ/bppdf/bispap117.pdf</a> (``BIS Papers 117'') (``Significant technology
advances have taken place in two key areas that have contributed to
the current wave of technology-based finance:'' Increased
connectivity . . . [and] Low-cost computing and data storage . .
.'').
\12\ Id. (``Technology has reduced the costs of, and need for,
much of the traditional physical infrastructure that drove fixed
costs for the direct financial services provider . . . Financial
intermediaries can reduce marginal costs through technology-enabled
automation and `straight through' processing, which are accelerating
with the expanded use of data and [artificial intelligence]-based
processes. Digital innovation can also help to overcome spatial
(geographical) barriers, and even to bridge differences across legal
jurisdictions . . .''). See also United Nations, Office for Disaster
Risk Reduction, Constantine Toregas and Joost Santos, Cybersecurity
and its cascading effect on societal systems (2019), available at
<a href="https://www.undrr.org/publication/cybersecurity-and-its-cascading-effect-societal-systems">https://www.undrr.org/publication/cybersecurity-and-its-cascading-effect-societal-systems</a> (``Cybersecurity and its Cascading Effect on
Societal Systems'') (``Modern society has benefited from the
additional efficiency achieved by improving the coordination across
interdependent systems using information technology (IT) solutions.
IT systems have significantly contributed to enhancing the speed of
communication and reducing geographic barriers across consumers and
producers, leading to a more efficient and cost-effective exchange
of products and services across an economy.'').
\13\ BIS Papers 117 (``Internet and mobile technology have
rapidly increased the ability to transfer information and interact
remotely, both between businesses and directly to the consumer.
Through mobile and smartphones, which are near-ubiquitous,
technology has increased access to, and the efficiency of, direct
delivery channels and promises lower-cost, tailored financial
services . . . Incumbents large and small are embracing digital
transformation across the value chain to compete with fintechs and
big techs. Competitive pressure on traditional financial
institutions may force even those that are lagging to transform or
risk erosion of their customer base, income, and margins.'').
\14\ Id. (``The COVID-19 pandemic has accelerated the digital
transformation. In particular, the need for digital connectivity to
replace physical interactions between consumers and providers, and
in the processes that produce financial services, will be even more
important as economies, financial services providers, businesses and
individuals navigate the pandemic and the eventual post-COVID-19
world.''). See also McKinsey & Company, How Covid-19 has pushed
companies over the technology tipping point--and transformed
business forever (Oct. 5, 2020), available at <a href="https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever#/">https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever#/</a> (noting that due to
the COVID-19 pandemic, ``companies have accelerated the digitization
of their customer and supply-chain interactions and of their
internal operations by three to four years [and] the share of
digital or digitally enhanced products in their portfolios has
accelerated by a shocking seven years'').
---------------------------------------------------------------------------
[[Page 20215]]
This increased reliance on information systems by Market Entities
has caused a corresponding increase in their cybersecurity risk.\15\
This risk can be caused by the actions of external threat actors,
including organized or individual threat actors seeking financial gain,
nation states conducting espionage operations, or individuals engaging
in protest, acting on grudges or personal offenses, or seeking
thrills.\16\ Internal threat actors (e.g., disgruntled employees or
employees seeking financial gain) also can be sources of cybersecurity
risk.\17\ Threat actors may target Market Entities because they handle
financial assets or proprietary information about financial assets and
transactions.\18\ In addition to threat actors, errors of employees,
service providers, or business partners can create cybersecurity risk
(e.g., mistakenly exposing confidential or personal information by, for
example, sending it through an unencrypted email to unintended
recipients).\19\
---------------------------------------------------------------------------
\15\ See, e.g., Financial Services Information Sharing and
Analysis Center (``FS-ISAC''), Navigating Cyber 2022 (Mar. 2022),
available at: <a href="http://www.fsisac.com/navigatingcyber2022-report">www.fsisac.com/navigatingcyber2022-report</a> (detailing
cyber threats that emerged in 2021 and predictions for 2022); Danny
Brando, Antonis Kotidis, Anna Kovner, Michael Lee, and Stacey L.
Schreft, Implications of Cyber Risk for Financial Stability, FEDS
Notes, Washington: Board of Governors of the Federal Reserve System
(May 12, 2022), available at <a href="https://doi.org/10.17016/2380-7172.3077">https://doi.org/10.17016/2380-7172.3077</a>
(``Implications of Cyber Risk for Financial Stability'') (``Cyber
risk in the financial system has grown over time as the system has
become more digitized, as evidenced by the increase in cyber
incidents. That growth has brought to light unique features of cyber
risk and the potentially greater scope for cyber events to affect
financial stability.''); United States Government Accountability
Office (``GAO''), Critical Infrastructure Protection: Treasury Needs
to Improve Tracking of Financial Sector Cybersecurity Risk
Mitigation Efforts, GAO-20-631 (Sept. 2020), available at <a href="https://www.gao.gov/assets/gao-20-631.pdf">https://www.gao.gov/assets/gao-20-631.pdf</a> (``GAO Cybersecurity Report'')
(``The federal government has long identified the financial services
sector as a critical component of the nation's infrastructure. The
sector includes commercial banks, securities brokers and dealers,
and providers of the key financial systems and services that support
these functions. Altogether, the sector holds about $108 trillion in
assets and faces a variety of cybersecurity-related risks. Key risks
include (1) an increase in access to financial data through
information technology service providers and supply chain partners;
(2) a growth in sophistication of malware--software meant to do
harm--and (3) an increase in interconnectivity via networks, the
cloud, and mobile applications.''); Cybersecurity and its Cascading
Effect on Societal Systems (``Nonetheless, IT dependence has also
exposed critical infrastructure and industry systems to a myriad of
cyber security risks, ranging from accidental causes, technological
glitches, to malevolent willful attacks.'').
\16\ See, e.g., Verizon, Data Breach Investigations Report
(2022) available at <a href="https://www.verizon.com/business/resources/Tba/reports/dbir/2022-data-breach-investigations-report-dbir.pdf">https://www.verizon.com/business/resources/Tba/reports/dbir/2022-data-breach-investigations-report-dbir.pdf</a>
(``Verizon DBIR'') (finding that 73% of the data breaches analyzed
in the report were caused by external actors). The Verizon DBIR is
an annual report that analyzes cyber security incidents (defined as
a security event that compromises the integrity, confidentiality or
availability of an information asset) and breaches (defined as an
incident that results in the confirmed disclosure--not just
potential exposure--of data to an unauthorized party). To perform
the analysis, data about the cybersecurity incidents included in the
report are catalogued using the Vocabulary for Event Recording and
Incident Sharing (VERIS). VERIS is a set of metrics designed to
provide a common language for describing security incidents in a
structured and repeatable manner. More information about VERIS is
available at: <a href="http://veriscommunity.net/index.html">http://veriscommunity.net/index.html</a>. See also
Microsoft, Microsoft Digital Defense Report (Oct. 2021), available
at <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi">https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi</a>
(``Microsoft Report'') (``The last year has been marked by
significant historic geopolitical events and unforeseen challenges
that have changed the way organizations approach daily operations.
During this time, nation state actors have largely maintained their
operations at a consistent pace while creating new tactics and
techniques to evade detection and increase the scale of their
attacks'').
\17\ See, e.g., Verizon DBIR (finding that 18% of the data
breaches analyzed in the report were caused by internal actors). But
see id. (``Internal sources accounted for the fewest number of
incidents (18 percent), trailing those of external origin by a ratio
of four to one. The relative infrequency of data breaches attributed
to insiders may be surprising to some. It is widely believed and
commonly reported that insider incidents outnumber those caused by
other sources. While certainly true for the broad range of security
incidents, our caseload showed otherwise for incidents resulting in
data compromise. This finding, of course, should be considered in
light of the fact that insiders are adept at keeping their
activities secret.'').
\18\ See, e.g., GAO Cybersecurity Report (``The financial
services sector faces significant risks due to its reliance on
sophisticated technologies and information systems, as well as the
potential monetary gain and economic disruption that can occur by
attacking the sector''); IOSCO Cybersecurity Report (``[T]he
financial sector is one of the prime targets of cyber attacks. It is
easy to understand why: the sector is `where the money is' and it
can represent a nation or be a symbol of capitalism for some
politically motivated activists.'').
\19\ See Verizon DBIR (identifying error (defined as anything
done (or left undone) incorrectly or inadvertently) as one of the action
types leading to cybersecurity incidents and breaches).
---------------------------------------------------------------------------
Another factor increasing the cybersecurity risk to Market Entities
is the growing sophistication of the tactics, techniques, and
procedures employed by threat actors.\20\ This trend is further
exacerbated by the ability of threat actors to purchase tools to engage
in cyber-crime.\21\ Threat actors employ a number of tactics to cause
harmful cybersecurity incidents.\22\ One tactic is the use of malicious
software (``malware'') that is uploaded into a computer system and used
by threat actors to compromise the confidentiality of information
stored or operations performed (e.g., monitoring key strokes) on the
system or the integrity or availability of the system (e.g., command
and control attacks where a threat actor is able to infiltrate a system
to install malware to enable it to remotely send commands to infected
devices).\23\ There are a number of different forms of malware,
including adware, botnets, rootkits, spyware, Trojans, viruses, and
worms.\24\
---------------------------------------------------------------------------
\20\ See, e.g., Bank of England, CBEST Intelligence-Led Testing:
Understanding Cyber Threat Intelligence Operations (Version 2.0),
available at <a href="https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf">https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf</a> (``Bank of England CBEST
Report'') (``The threat actor community, once dominated by amateur
hackers, has expanded to include a broad range of professional
threat actors, all of whom are strongly motivated, organised and
funded. They include: state-sponsored organisations stealing
military, government and commercial intellectual property; organised
criminal gangs committing theft, fraud and money laundering which
they perceive as low risk and high return; non-profit hacktivists
and for-profit mercenary organisations attempting to disrupt or
destroy their own or their client's perceived enemies.''); Microsoft
Report (``Sophisticated cybercriminals are also still working for
governments conducting espionage and training in the new
battlefield'').
\21\ See, e.g., Microsoft Report (``Through our investigations
of online organized crime networks, frontline investigations of
customer attacks, security and attack research, nation state threat
tracking, and security tool development, we continue to see the
cybercrime supply chain consolidate and mature. It used to be that
cybercriminals had to develop all the technology for their attacks.
Today they rely on a mature supply chain, where specialists create
cybercrime kits and services that other actors buy and incorporate
into their campaigns. With the increased demand for these services,
an economy of specialized services has surfaced, and threat actors
are increasing automation to drive down their costs and increase
scale.'').
\22\ See, e.g., Financial Industry Regulatory Authority
(``FINRA''), Common Cybersecurity Threats, available at:
<a href="http://www.finra.org/rules-guidance/guidance/common-cybersecurity-threats">www.finra.org/rules-guidance/guidance/common-cybersecurity-threats</a>
(``FINRA Common Cybersecurity Threats'') (summarizing common
cybersecurity threats faced by broker-dealers to include phishing,
imposter websites, malware, ransomware, distributed denial-of-
service attacks, and vendor breaches, among others).
\23\ See CISA, Malware Tip Card, available at <a href="https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf">https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf</a> (``CISA
Malware Tip Card'') (``Malware, short for ``malicious software,''
includes any software (such as a virus, Trojan, or spyware) that is
installed on your computer or mobile device. The software is then
used, usually covertly, to compromise the integrity of your device.
Most commonly, malware is designed to give attackers access to your
infected computer. That access may allow others to monitor and
control your online activity or steal your personal information or
other sensitive data.'').
\24\ See, e.g., CISA Malware Tip Card (``Adware [is] a type of
software that downloads or displays unwanted ads when a user is
online or redirects search requests to certain advertising websites.
Botnets [are] networks of computers infected by malware and
controlled remotely by cybercriminals, usually for financial gain or
to launch attacks on websites or networks. Many botnets are designed
to harvest data, such as passwords, Social Security numbers, credit
card numbers, and other personal information . . . Rootkit [is] a
type of malware that opens a permanent ``back door'' into a computer
system. Once installed, a rootkit will allow additional viruses to
infect a computer as various hackers find the vulnerable computer
exposed and compromise it. Spyware [is] a type of malware that
quietly gathers a user's sensitive information (including browsing
and computing habits) and reports it to unauthorized third parties.
Trojan [is] a type of malware that disguises itself as a normal file
to trick a user into downloading it in order to gain unauthorized
access to a computer. Virus [is] a program that spreads by first
infecting files or the system areas of a computer or network
router's hard drive and then making copies of itself. Some viruses
are harmless, others may damage data files, and some may destroy
files entirely. Worm [is] a type of malware that replicates itself
over and over within a computer.'').
---------------------------------------------------------------------------
[[Page 20216]]
A second tactic is a variation of malware known as ``ransomware.''
\25\ In this scheme, the threat actor encrypts the victim's data making
it unusable and then demands payment to decrypt it.\26\ Ransomware
schemes have become more prevalent with the widespread adoption and use
of crypto assets.\27\ It is a common tactic used against the financial
sector.\28\ Commission staff has observed that this tactic has
increasingly been employed against certain Market Entities.\29\
---------------------------------------------------------------------------
\25\ See CISA, Ransomware 101, available at <a href="https://www.cisa.gov/stopransomware/ransomware-101">https://www.cisa.gov/stopransomware/ransomware-101</a> (``Ransomware is an ever-
evolving form of malware designed to encrypt files on a device,
rendering any files and the systems that rely on them unusable.
Malicious actors then demand ransom in exchange for decryption.
Ransomware actors often target and threaten to sell or leak
exfiltrated data or authentication information if the ransom is not
paid. In recent years, ransomware incidents have become increasingly
prevalent among the Nation's state, local, tribal, and territorial
(SLTT) government entities and critical infrastructure
organizations.'').
\26\ See, e.g., Federal Bureau of Investigation (``FBI''),
internet Crime Report (2021), available at <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf</a> (``FBI internet Crime
Report'') (``Ransomware is a type of malicious software, or malware,
that encrypts data on a computer, making it unusable. A malicious
cyber criminal holds the data hostage until the ransom is paid. If
the ransom is not paid, the victim's data remains unavailable. Cyber
criminals may also pressure victims to pay the ransom by threatening
to destroy the victim's data or to release it to the public.'').
\27\ See, e.g., Institute for Security and Technology, Combating
Ransomware: A Comprehensive Framework For Action: Key
Recommendations from the Ransomware Task Force (Apr. 2021),
available at <a href="https://securityandtechnology.org/ransomwaretaskforce/report">https://securityandtechnology.org/ransomwaretaskforce/report</a> (``The explosion of ransomware as a lucrative criminal
enterprise has been closely tied to the rise of Bitcoin and other
cryptocurrencies, which use distributed ledgers, such as blockchain,
to track transactions.'').
\28\ See, e.g., FBI internet Crime Report (stating that it
received 649 complaints that indicated organizations in the sixteen
U.S. critical infrastructure sectors were victims of a ransomware
attack, with the financial sector being the source of the second
largest number of complaints).
\29\ See Office of Compliance Inspections and Examinations
(now the Division of Examinations (``EXAMS'')), Commission, Risk
Alert, Cybersecurity: Ransomware Alert (July 10, 2020), available at
<a href="https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf</a> (``EXAMS
Ransomware Risk Alert'') (observing an apparent increase in
sophistication of ransomware attacks on Commission registrants,
including broker-dealers). Any staff statements represent the views
of the staff. They are not a rule, regulation, or statement of the
Commission. Furthermore, the Commission has neither approved nor
disapproved their content. These staff statements, like all staff
statements, have no legal force or effect: they do not alter or
amend applicable law; and they create no new or additional
obligations for any person.
---------------------------------------------------------------------------
Another group of tactics comprises various social engineering schemes. In
a social engineering attack, the threat actor uses social skills to
convince an individual to provide access or information that can be
used to access an information system.\30\ ``Phishing'' is a variation
of a social engineering attack in which an email is used to convince an
individual to provide information (e.g., personal or account
information or log-in credentials) that can be used to gain
unauthorized access to an information system.\31\ Threat actors also
use websites to perform phishing attacks.\32\ ``Spear phishing'' is a
variation of phishing that targets a specific individual or group.\33\
``Vishing'' and ``smishing'' are variations of social engineering that
use phone communications or text messages, respectively, for this
purpose.\34\ These social engineering tactics also are used to deceive
the recipient of an electronic communication (e.g., an email or text
message) to open a link or attachment in the communication that uploads
malware onto the recipient's information systems.\35\
---------------------------------------------------------------------------
\30\ See, e.g., CISA, Security Tip (ST04-014)--Avoiding Social
Engineering and Phishing Attacks, available at <a href="https://www.cisa.gov/uscert/ncas/tips/ST04-014">https://www.cisa.gov/uscert/ncas/tips/ST04-014</a> (``CISA Security Tip (ST04-014)'').
\31\ See, e.g., CISA Security Tip (ST04-014); Microsoft Report
(``Phishing is the most common type of malicious email observed in
our threat signals. These emails are designed to trick an individual
into sharing sensitive information, such as usernames and passwords,
with an attacker. To do this, attackers will craft emails using a
variety of themes, such as productivity tools, password resets, or
other notifications with a sense of urgency to lure a user to click
on a link.'').
\32\ See, e.g., Microsoft Report (``The phishing web pages used
in these attacks may utilize malicious domains, such as those
purchased and operated by the attacker, or compromised domains,
where the attacker abuses a vulnerability in a legitimate website to
host malicious content. The phishing sites frequently copy well-
known, legitimate login pages, such as Office 365 or Google, to
trick users into inputting their credentials. Once the user inputs
their credentials, they will often be redirected to a legitimate
final site--such as the real Office 365 login page--leaving the user
unaware that actors have obtained their credentials. Meanwhile, the
entered credentials are stored or sent to the attacker for later
abuse or sale.'').
\33\ See, e.g., U.S. Office of the Director of National
Intelligence, Spear Phishing and Common Cyber Attacks, available at
<a href="https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf">https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf</a> (``ODNI Spear Phishing
Alert'') (``A spear phishing attack is an attempt to acquire
sensitive information or access to a computer system by sending
counterfeit messages that appear to be legitimate. `Spear phishing'
is a type of phishing campaign that targets a specific person or
group and often will include information known to be of interest to
the target, such as current events or financial documents. Like
other social engineering attacks, spear phishing takes advantage of
our most basic human traits, such as a desire to be helpful, provide
a positive response to those in authority, a desire to respond
positively to someone who shares similar tastes or views, or simple
curiosity about contemporary news and events.'').
\34\ See, e.g., CISA Security Tip (ST04-014).
\35\ See, e.g., ODNI Spear Phishing Alert (``The goal of spear
phishing is to acquire sensitive information such as usernames,
passwords, and other personal information. When a link in a phishing
email is opened, it may open a malicious site, which could download
unwanted information onto a user's computer. When the user opens an
attachment, malicious software may run which could compromise the
security posture of the host. Once a connection is established, the
attacker is able to initiate actions that could compromise the
integrity of your computer, the network it resides on, and data.'').
---------------------------------------------------------------------------
In addition to malware and social engineering, threat actors may
try to circumvent or thwart the information system's logical security
mechanisms (i.e., to ``hack'' the system).\36\ There are many
variations of hacking.\37\ One tactic is a ``brute force'' attack in
which the threat actor attempts to determine an unknown value (e.g.,
log-in credentials) using an automated process that tries a large
number of possible values.\38\ The Commission staff has observed that a
variation of this tactic has increasingly been employed by threat
actors against certain Market Entities to access their customers'
accounts.\39\ The ability of
[[Page 20217]]
threat actors to hack into information systems can be facilitated by
vulnerabilities in information systems, including for example the
software run on the systems.\40\
---------------------------------------------------------------------------
\36\ See Verizon DBIR (definition of ``hacking''); see also NIST
Glossary (defining a ``hacker'' as an ``unauthorized user who
attempts to or gains access to an information system'').
\37\ See, e.g., Web Application Security Consortium, WASC Threat
Classification: Version 2.00 (1/1/2010), available at <a href="https://projects.webappsec.org/f/WASC-TC-v2_0.pdf">https://projects.webappsec.org/f/WASC-TC-v2_0.pdf</a> (``WASC Classification
Report'').
\38\ See, e.g., WASC Classification Report (``The most common
type of a brute force attack in web applications is an attack
against log-in credentials. Since users need to remember passwords,
they often select easy to memorize words or phrases as passwords,
making a brute force attack using a dictionary useful. Such an
attack attempting to log-in to a system using a large list of words
and phrases as potential passwords is often called a `word list
attack' or a `dictionary attack.' '').
\39\ See EXAMS, Commission, Risk Alert, Cybersecurity:
Safeguarding Client Accounts against Credential Compromise (Sept.
15, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf</a> (``EXAMS Safeguarding Client Accounts
Risk Alert'') (``The Office of Compliance Inspections and
Examinations (`OCIE') has observed in recent examinations an
increase in the number of cyber-attacks against SEC-registered
investment advisers (`advisers') and brokers and dealers (`broker-
dealers,' and together with advisers, `registrants' or `firms')
using credential stuffing. Credential stuffing is an automated
attack on web-based user accounts as well as direct network login
account credentials. Cyber attackers obtain lists of usernames,
email addresses, and corresponding passwords from the dark web and
then use automated scripts to try the compromised user names and
passwords on other websites, such as a registrant's website, in an
attempt to log in and gain unauthorized access to customer
accounts.'').
\40\ See, e.g., CISA, Alert (AA22-117A): 2021 Top Routinely
Exploited Vulnerabilities, available at <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-117a">https://www.cisa.gov/uscert/ncas/alerts/aa22-117a</a> (``CISA 2021 Vulnerability Report'')
(``Globally, in 2021, malicious cyber actors targeted internet-
facing systems, such as email servers and virtual private network
(VPN) servers, with exploits of newly disclosed vulnerabilities. For
most of the top exploited vulnerabilities, researchers or other
actors released proof of concept (POC) code within two weeks of the
vulnerability's disclosure, likely facilitating exploitation by a
broader range of malicious actors. To a lesser extent, malicious
cyber actors continued to exploit publicly known, dated software
vulnerabilities--some of which were also routinely exploited in 2020
or earlier. The exploitation of older vulnerabilities demonstrates
the continued risk to organizations that fail to patch software in a
timely manner or are using software that is no longer supported by a
vendor.''). To address this risk, CISA maintains a Known Exploited
Vulnerabilities (KEV) catalog that lists vulnerabilities known to have
been exploited.
See, e.g., CISA, Reducing The Significant Risk of Known Exploited
Vulnerabilities, available at <a href="https://www.cisa.gov/known-exploited-vulnerabilities">https://www.cisa.gov/known-exploited-vulnerabilities</a> (``CISA strongly recommends all organizations review
and monitor the KEV catalog and prioritize remediation of the listed
vulnerabilities to reduce the likelihood of compromise by known
threat actors.'').
---------------------------------------------------------------------------
Threat actors also cause harmful cybersecurity incidents through
denial-of-service (``DoS'') attacks.\41\ This type of attack may
involve botnets or compromised servers sending ``junk'' data or
messages to an information system that a Market Entity uses to provide
services to investors, market participants, or other Market Entities,
causing the system to fail or be unable to process operations in a
timely manner. DoS attacks are a commonly used tactic.\42\
---------------------------------------------------------------------------
\41\ See CISA, Security Tip (ST04-015)--Understanding Denial-of-
Service Attacks, available at <a href="https://www.cisa.gov/uscert/ncas/tips/ST04-015">https://www.cisa.gov/uscert/ncas/tips/ST04-015</a> (``A denial-of-service (DoS) attack occurs when legitimate
users are unable to access information systems, devices, or other
network resources due to the actions of a malicious threat actor.
Services affected may include email, websites, online accounts
(e.g., banking), or other services that rely on the affected
computer or network. A denial-of-service condition is accomplished
by flooding the targeted host or network with traffic until the
target cannot respond or simply crashes, preventing access for
legitimate users. DoS attacks can cost an organization both time and
money while their resources and services are inaccessible.'').
\42\ See Verizon DBIR (finding that DoS attacks represented 46%
of the total cybersecurity incidents analyzed).
---------------------------------------------------------------------------
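The credential stuffing tactic described in the preceding discussion of hacking (see footnote 39) and the denial-of-service tactic described immediately above can both be recognized in a Market Entity's own logs with the same kind of sliding-window count. The following Python program is an added illustration; it is not part of this release or of any source cited in it. The log formats, IP addresses, account names, and thresholds are constructed for the demonstration. The functions are written from the defender's side: one flags a source that attempts logins to many distinct accounts within a short window (the stuffing signature, which per-account lockouts do not catch because each account is tried only once), and one flags a source whose request volume in any one-second window exceeds a fixed limit.

```python
"""Illustrative detection checks for two tactics named in the release:
credential stuffing (many accounts tried from one source) and a
denial-of-service flood (request volume from one source exceeding what
the service can absorb).  Added example; the log formats, addresses
and thresholds are assumptions, not the Commission's or any registrant's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log.  Assumed format per line:
#   "<ISO-8601 time> <source ip> <account> <OK|FAIL>"
# 198.51.100.7 cycles through six accounts with one attempt each (the
# credential-stuffing pattern); 203.0.113.9 is an ordinary user who
# mistypes a password once and then succeeds.
AUTH_LOG = """\
2023-04-05T09:00:01 198.51.100.7 alice FAIL
2023-04-05T09:00:01 198.51.100.7 bob FAIL
2023-04-05T09:00:02 198.51.100.7 carol FAIL
2023-04-05T09:00:02 198.51.100.7 dave OK
2023-04-05T09:00:03 198.51.100.7 erin FAIL
2023-04-05T09:00:03 198.51.100.7 frank FAIL
2023-04-05T09:00:04 203.0.113.9 alice FAIL
2023-04-05T09:00:09 203.0.113.9 alice OK
"""


def parse_auth_log(text):
    """Parse the constructed format into (time, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def _group_by_source(events):
    """Group events (time first, source ip second) by source, sorted by time."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    for items in by_src.values():
        items.sort(key=lambda ev: ev[0])
    return by_src


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted accounts tried} for sources that attempted
    logins to at least `min_accounts` distinct accounts within any `window`.
    Breadth across accounts, not failures per account, is the signature:
    stuffing tries each leaked pair once, so per-account lockouts never fire."""
    alerts = {}
    for ip, attempts in _group_by_source(events).items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {ev[2] for ev in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = sorted({ev[2] for ev in attempts})
                break
    return alerts


def accounts_to_reset(events, alerts):
    """Accounts that logged in successfully from a flagged source: the leaked
    credential worked, so these need a forced reset, not only an IP block."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in alerts})


# Constructed request log as (time, source ip, path) tuples: 192.0.2.44
# sends 150 requests in under a second; 203.0.113.9 sends one per second.
_T0 = datetime(2023, 4, 5, 9, 30, 0)
REQUEST_EVENTS = (
    [(_T0 + timedelta(milliseconds=5 * i), "192.0.2.44", "/api/quote") for i in range(150)]
    + [(_T0 + timedelta(seconds=i), "203.0.113.9", "/") for i in range(5)]
)


def detect_flood(events, window=timedelta(seconds=1), max_requests=100):
    """Return {source_ip: peak requests in any `window`} for sources whose
    peak exceeds `max_requests`.  Single-source volume is the simplest DoS
    signal; a distributed flood needs the same count taken per path or globally."""
    alerts = {}
    for ip, reqs in _group_by_source(events).items():
        start, peak = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    auth = parse_auth_log(AUTH_LOG)
    stuffing = detect_credential_stuffing(auth)
    print("credential stuffing:", stuffing)
    print("accounts to reset:", accounts_to_reset(auth, stuffing))
    print("flood sources:", detect_flood(REQUEST_EVENTS))
```

The check for accounts that logged in successfully from a flagged source is the step most often overlooked: blocking the address stops the script, but the leaked credential that worked remains valid until it is reset. The thresholds are deliberately low so the sample stays small; production values depend on the service's normal traffic.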
The tactics, techniques, and procedures employed by threat actors
can impact the information systems a Market Entity operates directly
(e.g., a web application or email system).\43\ They also can adversely
impact the Market Entity and its information systems through its
connection to information systems operated by third parties such as
service providers (e.g., cloud service providers), business partners,
customers, counterparties, members, registrants, or users.\44\ Further,
the tactics, techniques, and procedures employed by threat actors can
adversely impact the Market Entity and its information systems through
its connection to information systems operated by utilities or central
platforms to which the Market Entity is connected (e.g., a securities
exchange, securities trading platform, securities clearing agency, or a
payment processor).\45\
---------------------------------------------------------------------------
\43\ See, e.g., Verizon DBIR (finding that the top assets
breached in cyber security incidents are servers hosting web
applications and emails, and stating that because they are
``internet-facing'' they ``provide a useful venue for attackers to
slip through the organization's `perimeter' '').
\44\ See, e.g., Ponemon Institute LLC, The Cost of Third-Party
Cybersecurity Risk Management (Mar. 2019), available at <a href="https://info.cybergrx.com/ponemon-report">https://info.cybergrx.com/ponemon-report</a> (``Third-party breaches remain a
dominant security challenge for organizations, with over 63% of
breaches linked to a third party.'').
\45\ See, e.g., Financial Markets Authority, New Zealand, Market
Operator Obligations Targeted Review--NZX (January 2021), available
at <a href="https://www.fma.govt.nz/assets/Reports/Market-Operator-Obligations-Targeted-Review-NZX.pdf">https://www.fma.govt.nz/assets/Reports/Market-Operator-Obligations-Targeted-Review-NZX.pdf</a> (``New Zealand FMA Report'')
(describing an August 2020 cybersecurity incident at New Zealand's
only regulated financial product market that caused a trading halt
of approximately four days).
---------------------------------------------------------------------------
If cybersecurity risk materializes into a significant cybersecurity
incident, a Market Entity may lose its ability to perform a key
function, causing harm to the Market Entity, investors, or other market
participants. Moreover, given the interconnectedness of Market
Entities' information systems, a significant cybersecurity incident at
one Market Entity has the potential to spread to other Market Entities
in a cascading process that could cause widespread disruptions
threatening the fair, orderly, and efficient operation of the U.S.
securities markets.\46\ Further, the disruption of a Market Entity that
provides critical services to other Market Entities through connected
information systems could cause cascading disruptions to those other
Market Entities to the extent they cannot obtain those critical
services from another source.\47\
---------------------------------------------------------------------------
\46\ See, e.g., Implications of Cyber Risk for Financial
Stability (``Cyber shocks can lead to losses hitting many firms at
the same time because of correlated risk exposures (sometimes called
the popcorn effect), such as when firms load the same malware-
infected third-party software update.''); The Bank for International
Settlements, Committee on Payments and Market Infrastructures
(``CPMI'') and IOSCO, Guidance on cyber resilience for financial
market infrastructures (June 2016), available at <a href="https://www.bis.org/cpmi/publ/d146.pdf">https://www.bis.org/cpmi/publ/d146.pdf</a> (``[T]here is a broad range of entry
points through which a [financial market intermediary (``FMI'')]
could be compromised. As a result of their interconnectedness, cyber
attacks could come through an FMI's participants, linked FMIs,
service providers, vendors and vendor products . . . . Because an
FMI's systems and processes are often interconnected with the
systems and processes of other entities within its ecosystem, in the
event of a large-scale cyber incident it is possible for an FMI to
pose contagion risk (i.e., propagation of malware or corrupted data)
to, or be exposed to contagion risk from, its ecosystem.'').
\47\ See, e.g., Implications of Cyber Risk for Financial
Stability (``And the interconnectedness of the financial system
means that an event at one or more firms may spread to others (the
domino effect). For example, a cyber event at a single bank can
disrupt the bank's ability to send payments and have cascading
effects on other banks' liquidity and operations.'').
---------------------------------------------------------------------------
A significant cybersecurity incident also can result in
unauthorized access to and use of personal, confidential, or
proprietary information.\48\ In the case of personal information, this
can cause harm to investors and others whose personal information was
accessed or used (e.g., identity theft).\49\ This could lead to theft
of investor assets. In the case of confidential or proprietary
information, this can cause harm to the business of the person whose
proprietary information was accessed or used (e.g., public exposure of
trading positions or business strategies) or provide the unauthorized
user with an unfair advantage over other market participants (e.g.,
trading based on confidential business information). Unauthorized
access to proprietary information also can lead to theft of a Market
Entity's valuable intellectual property.
---------------------------------------------------------------------------
\48\ See, e.g., Bank of England CBEST Report (``One class of
targeted attack is Computer Network Exploitation (CNE) where the
goal is to steal (or exfiltrate) confidential information from the
target. This is effectively espionage in cyberspace or, in
information security terms, compromising confidentiality.'').
\49\ The NIST Glossary defines ``identity fraud or theft'' as
``all types of crime in which someone wrongfully obtains and uses
another person's personal data in some way that involves fraud or
deception, typically for economic gain.''
---------------------------------------------------------------------------
Cybersecurity incidents affecting Market Entities can cause
substantial harm to other market participants, including investors. For
example, significant cybersecurity incidents caused by malware can
cause the loss of the Market Entity's data, or the data of other market
participants.\50\ These
[[Page 20218]]
incidents also can lead to business disruptions that are not just
costly to the Market Entity but also the other market participants that
rely on the Market Entity's services.
---------------------------------------------------------------------------
\50\ CISA, Cyber Essentials Starter Kit--The Basics for Building
a Culture of Cyber Readiness (Spring 2021), available at <a href="https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf">https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf</a> (``CISA
Cyber Essentials Starter Kit'') (``Malware is designed to spread
quickly. A lack of defense against it can completely corrupt,
destroy or render your data inaccessible.'').
---------------------------------------------------------------------------
A Market Entity also may incur substantial remediation costs due to
a significant cybersecurity incident.\51\ For example, the incident may
result in reimbursement to other market participants for cybersecurity-
related losses and payment for their use of identity protection
services. A Market Entity's failure to protect itself adequately
against a significant cybersecurity incident also may increase its
insurance premiums. In addition, a significant cybersecurity incident
may expose a Market Entity to litigation costs (e.g., to defend
lawsuits brought by individuals whose personal information was stolen),
regulatory scrutiny, reputational damage, and, if a result of a
compliance failure, penalties. Finally, a sufficiently severe
significant cybersecurity incident could cause the failure of a Market
Entity. Given the interconnectedness of Market Entities, a significant
cybersecurity incident that degrades or disrupts the critical functions
of one Market Entity could cause harm to other Market Entities (e.g.,
by cutting off their access to a critical service such as securities
clearance or by exposing them to the same malware that degraded or
disrupted the critical functions of the first Market Entity). This
could lead to market-wide outages that compromise the fair, orderly,
and efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------
\51\ See, e.g., IBM Security, Cost of Data Breach Report 2022,
available at <a href="https://www.ibm.com/security/data-breach">https://www.ibm.com/security/data-breach</a> (noting the
average cost of a data breach in the financial industry is $5.97
million); FBI Internet Crime Report (noting that cybercrime victims
lost approximately $6.9 billion in 2021).
---------------------------------------------------------------------------
For these reasons, the Commission is proposing new rule
requirements that are designed to protect the U.S. securities markets
and investors in these markets from the threat posed by cybersecurity
risks.\52\
---------------------------------------------------------------------------
\52\ The Commission has pending proposals to address
cybersecurity risk with respect to investment advisers, investment
companies, and public companies. See Cybersecurity Risk Management
for Investment Advisers, Registered Investment Companies, and
Business Development Companies, Release Nos. 33-11028, 34-94917, IA-
5956, IC-34497 (Feb. 9, 2022) [87 FR 13524, (Mar. 9, 2022)]
(``Investment Management Cybersecurity Release''); Cybersecurity
Risk Management, Strategy, Governance, and Incident Disclosure,
Release Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022) [87 FR
16590 (Mar. 23, 2022)]. In addition, as discussed in more detail
below in section II.F. of this release, the Commission is proposing
to amend Regulation SCI (17 CFR 242.1000 through 1007) and
Regulation S-P (17 CFR 248.1 through 248.30) concurrent with this
release. See Regulation Systems Compliance and Integrity, Release
No. 34-97143 (Mar. 15, 2023) (File No. S7-07-23) (``Regulation SCI
2023 Proposing Release''); Regulation S-P: Privacy of Consumer
Financial Information and Safeguarding Customer Information, Release
Nos. 34-97141, IA-6262, IC-34854 (Mar. 15, 2023) (File No. S7-05-23)
(``Regulation S-P 2023 Proposing Release''). The Commission
encourages commenters to review the proposals with respect to
Regulation SCI and Regulation S-P to determine whether they might
affect their comments on this proposing release. See also section
II.F. of this release (seeking specific comment on how the proposals
in this release would interact with Regulation SCI and Regulation S-
P as they currently exist and would be amended). Further, the
Commission has reopened the comment period for the Investment
Management Cybersecurity Release to allow interested persons
additional time to analyze the issues and prepare their comments in
light of other regulatory developments, including the proposed rules
and amendments regarding this proposal, the Regulation SCI 2023
Proposing Release and the Regulation S-P 2023 Proposing Release that
the Commission should consider in connection with the Investment
Management Cybersecurity Release. See Cybersecurity Risk Management
for Investment Advisers, Registered Investment Companies, and
Business Development Companies; Reopening of Comment Period, Release
Nos. 33-11167, 34-97144, IA-6263, IC-34855 (Mar. 15, 2023), [88 FR
16921 (Mar. 31, 2023)]. The Commission encourages commenters to
review the Investment Management Cybersecurity Release and the
comments on that proposal to determine whether they might affect
their comments on this proposing release. The comments on the
Investment Management Cybersecurity Release are available at:
<a href="https://www.sec.gov/comments/s7-04-22/s70422.htm">https://www.sec.gov/comments/s7-04-22/s70422.htm</a>. Lastly, the
Commission also proposed rules and amendments regarding an
investment adviser's obligations with respect to outsourcing certain
categories of ``covered functions,'' including cybersecurity. See
Outsourcing by Investment Advisers, Release No. IA-6176 (Oct. 26,
2022), [87 FR 68816 (Nov. 16, 2022)]. The Commission encourages
commenters to review that proposal to determine whether it might
affect comments on this proposing release.
---------------------------------------------------------------------------
2. Critical Operations of Market Entities Are Exposed to Cybersecurity Risk
The fair, orderly, and efficient operation of the U.S. securities
markets depends on Market Entities performing various functions without
disruption. Market Entities rely on information systems and networks of
interconnected information systems to perform their functions. This
exposes them to the harms that can be caused by threat actors using the
tactics, techniques, and procedures discussed above (among others) and
by errors of employees or third-party service providers (among others).
The GAO has stated that the primary cybersecurity risks identified by
financial sector firms are: (1) internal actors; \53\ (2) malware; \54\
(3) social engineering; \55\ and (4) interconnectivity.\56\ As
discussed below, a significant cybersecurity incident can cause serious
harm to Market Entities and others who use their services or are
connected to them through information systems and, if severe enough,
negatively impact the fair, orderly, and efficient operations of the
U.S. securities markets.
---------------------------------------------------------------------------
\53\ See GAO Cybersecurity Report (``Risks due to insider
threats involve careless, poorly trained, or disgruntled employees
or contractors hired by an organization who may intentionally or
inadvertently introduce vulnerabilities or malware into information
systems. Insiders may not need a great deal of knowledge about
computer intrusions because their knowledge of a target system often
allows them to gain unrestricted access to cause damage to the
system or to steal system data. Results of insider threats can
include data destruction and account compromise.'').
\54\ Id. (``The risk of malware exploits impacting the
[financial] sector has increased as malware exploits have grown in
sophistication'').
\55\ Id. (``The financial services sector is at risk due to
social engineering attacks, which include a broad range of malicious
activities accomplished through human interaction that enable
attackers to gain access to sensitive data by convincing a
legitimate, authorized user to give them their credentials and/or
other personal information'').
\56\ Id. (``Interconnectivity involves interdependencies
throughout the financial services sector and the sharing of data and
information via networks, the cloud, and mobile applications.
Organizations in the financial services sector utilize data
aggregation hubs and cloud service providers, and new financial
technologies such as algorithms based on consumers' data and risk
preferences to provide digital services for investment and financial
advice.'').
---------------------------------------------------------------------------
a. Common Uses of Information Systems by Market Entities
Market Entities need accurate and accessible books and records,
among other things, to manage and conduct their operations, manage and
mitigate their risks, monitor the progress of their business, track
their financial condition, prepare financial statements, prepare
regulatory filings, and prepare tax returns. Increasingly, these
records are made and preserved on information systems.\57\ These
recordkeeping information systems also store personal, confidential,
and proprietary business information about the Market Entity and its
customers, counterparties, members, registrants, or users.
---------------------------------------------------------------------------
\57\ Some Market Entities may store certain or all of their
records in paper format. This discussion pertains to recordkeeping
systems that store records electronically on information systems.
---------------------------------------------------------------------------
The complexity and scope of these books and records systems range
from ones used by large Market Entities that comprise networks of
systems that track thousands of different types of daily transactions
(e.g., securities trades and movements of assets) to ones used by small
Market Entities comprising off-the-shelf accounting software and
computer files on a desktop computer. In either case, a compromise of
the confidentiality, integrity, or availability of the information
system as a consequence of a significant cybersecurity incident can be
devastating to the Market Entity and its customers, counterparties,
members, registrants, or users. For example, it could cause the Market
Entity to cease operations or allow threat actors to use personal
information about the customers of the Market Entity to steal their
identities.
Market Entities also use information systems so that their
employees can communicate with each other and with external persons.
These include email, text messaging, and virtual meeting applications.
The failure of these information systems as a result of a significant
cybersecurity incident can seriously disrupt the Market Entity's
ability to carry out its functions. Moreover, these outward-facing
information systems are vectors that threat actors use to cause harmful
cybersecurity incidents by, for example, tricking an employee through
social engineering into downloading malware in an attachment to an
email.
b. Broker-Dealers
Broker-dealers perform a number of functions in the U.S. securities
markets, including underwriting the issuance of securities for publicly
and privately held companies, making markets in securities, brokering
securities transactions, dealing securities, operating an ATS,
executing securities transactions, clearing and settling securities
transactions, and maintaining custody of securities for investors. Some
broker-dealers may perform multiple functions, whereas others may
perform a single function. Increasingly, these functions are performed
through the use of information systems. For example, broker-dealers use
information systems to connect to securities exchanges, ATSs, and other
securities markets in order to transmit purchase and sell orders.
Broker-dealers also use information systems to connect to clearing
agencies or clearing broker-dealers to transmit securities settlement
instructions and transfer funds. They use information systems to
communicate and transact with other broker-dealers. In addition, they
use information systems to provide securities services to investors,
including information systems that investors use to access their
securities accounts and transmit orders to purchase or sell securities.
Depending on the functions undertaken by a broker-dealer, a
significant cybersecurity incident could affect customers, including
retail investors. For example, a significant cybersecurity incident
could result in the broker-dealer experiencing a systems outage, which
in turn could leave customers unable to purchase or sell securities
held in their account and the broker-dealer unable to trade for itself.
In addition, broker-dealers maintain records and information related to
their customers that include personal information, such as names,
addresses, phone numbers, employer information, tax identification
information, bank information, and other detailed and individualized
information related to broker-dealer obligations under applicable
statutory and regulatory provisions.\58\ If personal information held
by a broker-dealer is accessed or stolen by unauthorized users, it
could result in harm (e.g., identity theft or conversion of financial
assets) to many individuals, including retail investors.
---------------------------------------------------------------------------
\58\ See, e.g., 17 CFR 240.17a-3(a)(17) (requiring broker-
dealers to make account records of the customer's or owner's name,
tax identification number, address, telephone number, date of birth,
employment status, annual income, net worth, and the account's
investment objectives). Broker-dealers also must comply with
relevant anti-money laundering (AML) laws, rules, orders, and
guidance. See, e.g., Commission, Anti-Money Laundering (AML) Source
Tool for Broker-Dealers, (May 16, 2022), available at <a href="https://www.sec.gov/about/offices/ocie/amlsourcetool">https://www.sec.gov/about/offices/ocie/amlsourcetool</a>.
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at a broker-dealer
could provide a gateway for threat actors to attack the self-regulatory
organizations (``SROs'')--such as national securities exchanges and
registered clearing agencies--ATSs, and other broker-dealers to which
the firm is connected through information systems and networks of
interconnected information systems.\59\ This could cause a cascading
effect where a significant cybersecurity incident initially impacting
one broker-dealer spreads to other Market Entities. Moreover, the
information systems that link a broker-dealer to other Market Entities,
its customers, and other service providers are vectors that expose the
broker-dealer to cybersecurity risk arising from threats that originate
in information systems outside the broker-dealer's control.
---------------------------------------------------------------------------
\59\ Section 3(a)(26) of the Exchange Act defines a self-
regulatory organization as any national securities exchange,
registered securities association, registered clearing agency, or
(with limitations) the MSRB. See 15 U.S.C. 78c(a)(26).
---------------------------------------------------------------------------
In addition, some broker-dealers operate ATSs. An ATS is a trading
system for securities that meets the definition of ``exchange'' under
federal securities laws but is not required to register with the
Commission as a national securities exchange if it complies with the
conditions to an exemption provided under Regulation ATS, which
includes registering as a broker-dealer.\60\ Registering as a broker-
dealer requires becoming a member of an SRO, such as FINRA, and
membership in FINRA subjects an ATS to FINRA's rules and oversight.
Since Regulation ATS was adopted in 1998, ATSs' operations have
increasingly relied on complex automated systems to bring together
buyers and sellers for various securities, which include--for example--
electronic limit order books and auction mechanisms. These developments
have made ATSs significant sources of orders and trading interest for
securities. ATSs employ information systems to accept, store, and match
orders pursuant to pre-programmed methods and to communicate the
execution of these orders for trade reporting purposes and for
clearance and settlement of the transactions. ATSs, in particular ATSs
that are ``NMS Stock ATSs,'' \61\ use information systems to connect to
various trading centers in order to receive market data that ATSs use
to price and execute orders that are entered on the ATS. A significant
cybersecurity incident could disrupt the ATS's critical infrastructure
and significantly impede the ability of the ATS to (among other
things): (1) receive market data; (2) accept, price, and match orders;
or (3) report transactions. This, in turn, could negatively impact the
ability of ATS subscribers to trade and execute the orders of their
investors or purchase certain securities at favorable or predictable
prices or in a timely manner to the extent the ATS provides
liquidity to the market for those securities.
---------------------------------------------------------------------------
\60\ 17 CFR 242.300 through 242.304. Exchange Act Rule 3a1-
1(a)(2) exempts from the definition of ``exchange'' under Section
3(a)(1) of the Exchange Act an organization, association, or group
of persons that complies with Regulation ATS. See 17 CFR 240.3a1-
1(a)(2). Regulation ATS requires an ATS to, among other things,
register as a broker-dealer, file a Form ATS with the Commission to
notice its operations, and establish written safeguards and
procedures to protect subscribers' confidential trading information.
See 17 CFR 242.301(b)(1), (2), and (10), respectively. The broker-
dealer operator of the ATS controls all aspects of the ATS's
operations and is legally responsible for its operations and for
ensuring that the ATS complies with applicable federal securities
laws and the rules and regulations thereunder, including Regulation
ATS. See Regulation of NMS Stock Alternative Trading Systems,
Exchange Act Release No. 83663 (July 18, 2018) [83 FR 38768, 38819-
20 (Aug. 7, 2018)] (``Regulation of NMS Stock Alternative Trading
Systems Release'').
\61\ See 17 CFR 242.300(k) (defining the term ``NMS Stock
ATS'').
---------------------------------------------------------------------------
c. Clearing Agencies
Clearing agencies are broadly defined in the Exchange Act and
undertake a variety of functions.\62\ An entity that meets the
definition of a ``clearing agency'' is required to register with the
Commission or obtain from the Commission an exemption from registration
prior to performing the functions of a clearing agency.\63\
---------------------------------------------------------------------------
\62\ See 15 U.S.C. 78c(a)(23)(A).
\63\ See 15 U.S.C. 78q-1(b); 17 CFR 240.17Ab2-1.
---------------------------------------------------------------------------
Two common functions of registered clearing agencies are operating
as a central counterparty (``CCP'') or a central securities depository
(``CSD''). Registered clearing agencies that provide these services are
``covered clearing agencies'' under Commission regulations.\64\ A CCP
acts as the buyer to every seller and the seller to every buyer,
providing a trade guaranty with respect to transactions submitted for
clearing by the clearing agency's participants.\65\ A CSD acts as a
depository for handling securities, whereby all securities of a
particular class or series of any issuer deposited within the system
are treated as fungible. Market Entities may use a CSD to transfer,
loan, or pledge securities by bookkeeping entry without the physical
delivery of certificates. A CSD also may permit or facilitate the
settlement of securities transactions more generally.\66\ Currently,
all clearing agencies registered with the Commission that are actively
providing clearance and settlement services are covered clearing
agencies.\67\
---------------------------------------------------------------------------
\64\ See 17 CFR 240.17Ad-22. See also Standards for Covered
Clearing Agencies, Exchange Act Release No. 78961 (Sept. 28, 2016)
[81 FR 70786, 70793 (Oct. 13, 2016)] (``CCA Standards Adopting
Release''). As discussed below, some clearing agencies operate
pursuant to Commission exemptions from registration.
\65\ See 17 CFR 240.17Ad-22 (``Rule 17Ad-22''); Definition of
``Covered Clearing Agency'', Exchange Act Release No. 88616 (Apr. 9,
2020) [85 FR 28853, 28855-56 (May 14, 2020)] (``CCA Definition
Adopting Release'').
\66\ See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad-22; CCA
Definition Adopting Release, 81 FR at 28856.
\67\ The active covered clearing agencies are: (1) The
Depository Trust Company (``DTC''); (2) Fixed Income Clearing
Corporation (``FICC''); (3) National Securities Clearing Corporation
(``NSCC''); (4) Intercontinental Exchange, Inc. (``ICE'') Clear
Credit LLC (``ICC''); (5) ICE Clear Europe Limited (``ICEEU''); (6)
The Options Clearing Corporation (``Options Clearing Corp.''); and
(7) LCH SA. Certain clearing agencies are registered with the
Commission but are not covered clearing agencies. See CCA Standards
Adopting Release, 81 FR at 70793. In particular, although subject to
paragraph (d) of Rule 17Ad-22, the Boston Stock Exchange Clearing
Corporation (``BSECC'') and Stock Clearing Corporation of
Philadelphia (``SCCP'') are currently registered with the Commission
as clearing agencies but conduct no clearance or settlement
operations. See Self-Regulatory Organizations; The Boston Stock
Clearing Corporation; Notice of Filing and Immediate Effectiveness
of Proposed Rule Change To Amend the Articles of Organization and
By-Laws, Exchange Act Release No. 63629 (Jan. 3, 2011) [76 FR 1473,
1474 (Jan. 10, 2011)] (``BSECC Notice''); Self-Regulatory
Organizations; Stock Clearing Corporation of Philadelphia; Notice of
Filing and Immediate Effectiveness of Proposed Rule Change Relating
to the Suspension of Certain Provisions Due to Inactivity, Exchange
Act Release No. 63268 (Nov. 8, 2010) [75 FR 69730, 69731 (Nov. 15,
2010)] (``SCCP Notice'').
---------------------------------------------------------------------------
Registered clearing agencies also are SROs under section 19 of the
Exchange Act, and their proposed rules are subject to Commission review
and published for notice and comment. While certain types of proposed
rules are effective upon filing, others are subject to Commission
approval before they can go into effect.
Additionally, section 17A(b)(1) of the Exchange Act provides the
Commission with authority to exempt a clearing agency or any class of
clearing agencies (``exempt clearing agencies'') from any provision of
section 17A or the rules or regulations thereunder.\68\ An exemption
may be effected by rule or order, upon the Commission's own motion or
upon application, and conditionally or unconditionally.\69\ The
Commission has provided exemptions from registration as a clearing
agency for clearing agencies that provide matching services.\70\
Matching services centrally match trade information between a broker-
dealer and its institutional customer. The Commission also has provided
exemptions for non-U.S. clearing agencies to perform the functions of a
clearing agency with respect to transactions of U.S. participants
involving U.S. government and agency securities.\71\
---------------------------------------------------------------------------
\68\ 15 U.S.C. 78q-1(b)(1). See also 15 U.S.C. 78mm (providing
the Commission with general exemptive authority).
\69\ See 15 U.S.C. 78q-1(b)(1). The Commission's exercise of
authority to grant exemptive relief must be consistent with the
public interest, the protection of investors, and the purposes of
Section 17A of the Exchange Act, including the prompt and accurate
clearance and settlement of securities transactions and the
safeguarding of securities and funds.
\70\ See Global Joint Venture Matching Services--US, LLC; Order
Granting Exemption from Registration as a Clearing Agency, Exchange
Act Release No. 44188 (Apr. 17, 2001) [66 FR 20494 (Apr. 23, 2001)]
(granting an exemption to provide matching services to Global Joint
Venture Matching Services US LLC, now known as DTCC ITP Matching
U.S. LLC) (``DTCC ITP Matching Order''); Bloomberg STP LLC; SS&C
Technologies, Inc.; Order of the Commission Approving Applications
for an Exemption From Registration as a Clearing Agency, Exchange
Act Release No. 76514 (Nov. 25, 2015) [80 FR 75388 (Dec. 1, 2015)]
(granting an exemption to provide matching services to each of
Bloomberg STP LLC and SS&C Technologies, Inc.) (``BSTP SS&C
Order''). In addition, on July 1, 2011, the Commission published a
conditional, temporary exemption from clearing agency registration
for entities that perform certain post-trade processing services for
security-based swap transactions. See Order Pursuant to Section 36
of the Securities Exchange Act of 1934 Granting Temporary Exemptions
From Clearing Agency Registration Requirements Under Section 17A(b)
of the Exchange Act for Entities Providing Certain Clearing Services
for Security-Based Swaps, Exchange Act Release No. 34-64796 (July 1,
2011) [76 FR 39963 (July 7, 2011)]. The order facilitated the
Commission's identification of entities that operate in that area
and that accordingly may fall within the clearing agency definition.
Recently, the Commission indicated that the 2011 Temporary Exemption
may no longer be necessary. See Rules Relating to Security-Based
Swap Execution and Registration and Regulation of Security-Based
Swap Execution Facilities, Release No. 34-94615 (Apr. 6, 2022) [87
FR 28872, 28934 (May 11, 2022)] (stating that the ``Commission
preliminarily believes that, if it adopts a framework for the
registration of [security-based swap execution facilities
(``SBSEFs'')], the 2011 Temporary Exemption would no longer be
necessary because entities carrying out the functions of SBSEFs
would be able to register with the Commission as such, thereby
falling within the exemption from the definition of `clearing
agency' in existing Rule 17Ad-24.'').
\71\ See Euroclear Bank SA/NV; Order of the Commission Approving
an Application To Modify an Existing Exemption From Clearing Agency
Registration, Exchange Act Release No. 79577 (Dec. 16, 2016) [81 FR
93994 (Dec. 22, 2016)] (providing an exemption to Euroclear Bank SA/
NV (successor in name to Morgan Guaranty Trust Company of NY))
(``Euroclear Bank Order''); Self-Regulatory Organizations; Cedel
Bank; Order Approving Application for Exemption From Registration as
a Clearing Agency, Exchange Act Release No. 38328 (Feb.
24, 1997) [62 FR 9225 (Feb. 28, 1997)] (providing an exemption to
Clearstream Banking, S.A. (successor in name to Cedel Bank, societe
anonyme, Luxembourg)) (``Clearstream Banking Order''). Furthermore,
pursuant to the Commission's statement on CCPs in the European Union
(``EU'') authorized under the European Markets Infrastructure
Regulation (``EMIR''), an EU CCP may request an exemption from the
Commission where it has determined that the application of
Commission requirements would impose unnecessary, duplicative, or
inconsistent requirements in light of EMIR requirements to which it
is subject. See Statement on Central Counterparties Authorized under
the European Markets Infrastructure Regulation Seeking to Register
as a Clearing Agency or to Request Exemptions from Certain
Requirements Under the Securities Exchange Act of 1934, Exchange Act
Release No. 34-90492 (Nov. 23, 2020) [85 FR 76635, 76639 (Nov. 30,
2020)], <a href="https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf">https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf</a> (stating that in seeking an exemption, an EU CCP
could provide ``a self-assessment . . . [to] explain how the EU
CCP's compliance with EMIR corresponds to the requirements in the
Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad-
22 and Regulation SCI.'').
---------------------------------------------------------------------------
Registered and exempt clearing agencies rely on information systems
to perform the functions described above. Given their central role, the
information systems operated by clearing agencies are critical to the
operations of the U.S. securities markets. For registered clearing
agencies, in particular, these information systems include those that
set and calculate margin obligations and other charges, perform netting
and calculate payment obligations, facilitate the movement of funds and
securities, or effectuate end-of-day settlement.
Certain exempt clearing agencies (e.g., Euroclear and Clearstream) may
provide CSD functions like covered clearing agencies while other exempt
clearing agencies (e.g., DTCC ITP) may not provide such functions.
Nonetheless, any entity that falls within the definition of a clearing
agency centralizes technology functions in a manner that increases its
potential to become a single point of failure in the case of a
significant cybersecurity incident.\72\
---------------------------------------------------------------------------
\72\ See generally Board of Governors of the Federal Reserve
System (``Federal Reserve Board''), Commission, Commodity Futures
Trading Commission (``CFTC''), Risk Management of Designated
Clearing Entities (July 2011), available at <a href="https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf">https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf</a> (report to the Senate
Committees on Banking, Housing, and Urban Affairs and Agriculture,
Nutrition, and Forestry and the House Committees on Financial
Services and Agriculture stating that a designated clearing entity
(``DCE'') ``faces two types of non-financial risks--operational and
legal--that may disrupt the functioning of the DCE. . . . DCEs face
operational risk from both internal and external sources, including
human error, system failures, security breaches, and natural or man-
made disasters.'').
---------------------------------------------------------------------------
The technology behind clearing agency information systems is
subject to growing innovation and interconnectedness, with multiple
clearing agencies sharing links among their systems and with the
systems of other Market Entities. This growing interconnectivity means
that a significant cybersecurity incident at a registered clearing
agency could, for example, prevent it from carrying out its functions
in a timely manner, which, in turn, could negatively impact other Market
Entities that utilize the clearing agency's services.\73\ Further, a
significant cybersecurity incident at a registered or exempt clearing
agency could provide a gateway for threat actors to attack the members
of the clearing agency and other financial institutions that connect to
it through information systems. Moreover, the information systems that
link the clearing agency to its members are vectors that expose the
clearing agency to cybersecurity risk.
---------------------------------------------------------------------------
\73\ See also EXAMS, Commission, Staff Report on the Regulation
of Clearing Agencies (Oct. 1, 2020), available at <a href="https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf">https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf</a> (staff
stating that ``consolidation among providers of clearance and
settlement services concentrates clearing activity in fewer
providers and has increased the potential for providers to become
single points of failure.'').
---------------------------------------------------------------------------
The records stored by clearing agencies on their information
systems include proprietary information about their members, including
confidential business information (e.g., information about the
financial condition of the members used by the clearing agency to
manage credit risk). Each clearing agency also is required to keep all
records made or received by it in the course of its business and in the
conduct of its self-regulatory activity. A significant cybersecurity
incident at a clearing agency could lead to the improper use of this
information to harm the members (e.g., public exposure of confidential
financial information) or provide the unauthorized user with an unfair
advantage over other market participants (e.g., trading based on
confidential business information). Moreover, a disruption to a
registered clearing agency's operations as a result of a significant
cybersecurity incident could interfere with its ability to perform its
responsibilities as an SRO (e.g., interrupting its oversight of
clearing member activities for compliance with its rules and the
federal securities laws), and, therefore, materially impact the fair,
orderly, and efficient functioning of the U.S. securities markets.
d. The Municipal Securities Rulemaking Board
The MSRB is an SRO that serves as a regulator of the U.S. municipal
securities market with a mandate to protect municipal securities
investors, municipal entities, obligated persons, and the public
interest.\74\ Pursuant to the Exchange Act, the MSRB shall propose and
adopt rules with respect to transactions in municipal securities
effected by broker-dealers and municipal securities dealers and with
respect to advice provided to or on behalf of municipal entities or
obligated persons by broker-dealers, municipal securities dealers, and
municipal advisors with respect to municipal financial products, the
issuance of municipal securities, and solicitations of municipal
entities or obligated persons undertaken by broker-dealers, municipal
securities dealers, and municipal advisors.\75\ Pursuant to the
Exchange Act, the MSRB's rules shall be designed to prevent fraudulent
and manipulative acts and practices, to promote just and equitable
principles of trade, to foster cooperation and coordination with
persons engaged in regulating, clearing, settling, processing,
information with respect to, and facilitating transactions in municipal
securities and municipal financial products, to remove impediments to
and perfect the mechanism of a free and open market in municipal
securities and municipal products, and in general, to protect
investors, municipal entities, obligated persons, and the public
interest.\76\ As an SRO, the MSRB's proposed rules are subject to
Commission review and published for notice and comment. While certain
types of proposed rules are effective upon filing, others are subject
to Commission approval before they can go into effect.
---------------------------------------------------------------------------
\74\ See 15 U.S.C. 78o-4. Information about the MSRB and its
functions is available at: <a href="http://www.msrb.org">www.msrb.org</a>.
\75\ See 15 U.S.C. 78o-4(b)(2).
\76\ See 15 U.S.C. 78o-4(b)(2)(C).
---------------------------------------------------------------------------
The MSRB relies on information systems to carry out its mission
regulating broker-dealers, municipal securities dealers, and municipal
advisors. For example, the MSRB operates the Electronic Municipal
Market Access website (``EMMA''). EMMA provides transparency to the
U.S. municipal bond market by disclosing free information on virtually
all municipal bond offerings, including real-time trade prices, bond
disclosure documents, and certain market statistics.\77\ The MSRB also
provides data to the Commission, broker-dealer examining authorities,
and banking supervisors to assist in their examination and enforcement
efforts involving participants in the municipal securities markets. The
MSRB also maintains other data on the U.S. municipal securities
markets. This data can be used by the public and others to better
understand these markets. The MSRB is also required to keep all records
made or received by it in the course of its business and in the conduct
of its self-regulatory activity.
---------------------------------------------------------------------------
\77\ Broker-dealers and municipal securities dealers that trade
municipal securities are subject to transaction reporting
obligations under MSRB Rule G-14. EMMA, established by the MSRB in
2009, is currently designated by the Commission as the official
repository of municipal securities disclosure providing the public
with free access to relevant municipal securities data, and is the
central database for information about municipal securities
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time
Transaction Reporting System (``RTRS''), with limited exceptions,
requires broker-dealers and municipal securities dealers to submit
transaction data to the MSRB within 15 minutes of trade execution,
and such near real-time post-trade transaction data can be accessed
through the MSRB's EMMA website.
---------------------------------------------------------------------------
A significant cybersecurity incident could disrupt the operation of
EMMA and could negatively impact the fair, orderly, and efficient
operation of the U.S. municipal securities market. For example, the
loss or corruption of transparent price information could cause
investors to stop purchasing or selling municipal securities or
negatively impact the ability of investors to liquidate or purchase
municipal securities at favorable or predictable prices or in a timely
manner. In addition, the unauthorized access or use of personal or
proprietary
[[Page 20222]]
information of the persons who are registered with the MSRB could cause
them harm through identity theft or the disclosure of confidential
business information.
Further, a significant cybersecurity incident impacting the MSRB
could provide a gateway for threat actors to attack registrants that
connect to the MSRB through information systems and networks of
interconnected information systems. Moreover, the information systems
that link the MSRB to its registrants are vectors that expose the MSRB
to cybersecurity risk.
e. National Securities Associations
A national securities association is an SRO created to regulate
broker-dealers and the off-exchange broker-dealer market.\78\
Currently, FINRA is the only national securities association registered
under section 15A of the Exchange Act. As a national securities
association, FINRA must have rules for its members that, among other
things, are designed to prevent fraudulent and manipulative acts and
practices, to promote just and equitable principles of trade, to foster
cooperation and coordination with persons engaged in regulating,
clearing, settling, or processing information with respect to (and
facilitating transactions in) securities, to remove impediments to and
perfect the mechanism of a free and open market and a national market
system, and, in general, to protect investors and the public
interest.\79\ FINRA's rules also must provide for discipline of its
members for violations of any provision of the Exchange Act, Exchange
Act rules, the rules of the MSRB, or its own rules.\80\ A national
securities association is an SRO under section 19 of the Exchange Act,
and its proposed rules are subject to Commission review and are
published for notice and comment. While certain types of proposed FINRA
rules are effective upon filing, others are subject to Commission
approval before they can go into effect.
---------------------------------------------------------------------------
\78\ See 15 U.S.C. 78o-3(a); Exemption for Certain Exchange
Members, Exchange Act Release No. 95388 (July 29, 2022) [87 FR 49930
(Aug. 12, 2022)] (proposing amendments to national securities
association membership exemption for certain exchange members).
\79\ See 15 U.S.C. 78o-3(b)(6).
\80\ See 15 U.S.C. 78o-3(b)(7).
---------------------------------------------------------------------------
FINRA also performs other functions of vital importance to the U.S.
securities markets. It developed and operates the Trade Reporting and
Compliance Engine (``TRACE''), which facilitates the mandatory
reporting of over-the-counter transactions in eligible fixed-income
securities.\81\ In addition, FINRA operates the Trade Reporting
Facility (``TRF''). FINRA members report over-the-counter transactions
in national market system (``NMS'') stocks to the TRF, which are then
included in publicly disseminated consolidated equity market data
pursuant to an NMS plan.\82\ Further, pursuant to plans declared
effective by the Commission under Exchange Act Rule 17d-2 (``Rule 17d-
2''),\83\ FINRA frequently acts as the sole SRO with regulatory
responsibility with respect to certain applicable laws, rules, and
regulations for its members that are also members of other SROs (e.g.,
national securities exchanges).\84\ Some of these Rule 17d-2 plans
facilitate the conduct of market-wide surveillance, including for
insider trading.\85\ The disruption of these FINRA activities by a
significant cybersecurity incident could interfere with its ability to
carry out its regulatory responsibilities (e.g., disclosing
confidential information pertaining to its surveillance of trading
activity), and, therefore, materially impact the fair, orderly, and
efficient functioning of the U.S. securities markets.
---------------------------------------------------------------------------
\81\ FINRA members are subject to transaction reporting
obligations under FINRA Rule 6730. This rule requires FINRA members
to report transactions in TRACE-Eligible Securities, which the rule
defines to include a range of fixed-income securities.
\82\ In addition, FINRA operates the Alternative Display
Facility (``ADF''), which allows members to display quotations and
report trades in NMS stocks. Although there are currently no users
of the ADF, FINRA has issued a pre-quotation notice advising that a
new participant intends to begin using the ADF, subject to
regulatory approval. See Self-Regulatory Organizations; Financial
Industry Regulatory Authority, Inc.; Notice of Filing of a Proposed
Rule Change Relating to Alternative Display Facility New Entrant,
Exchange Act Release No. 96550 (Dec. 20, 2022) [87 FR 79401 (Dec.
27, 2022)].
\83\ 17 CFR 240.17d-2. Pursuant to a plan declared effective by
the Commission under Rule 17d-2, the Commission relieves an SRO of
those regulatory responsibilities allocated by the plan to another
SRO.
\84\ See, e.g., Program for Allocation of Regulatory
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order
Approving and Declaring Effective an Amended Plan for the Allocation
of Regulatory Responsibilities Between the Financial Industry
Regulatory Authority, Inc. and MEMX LLC, Exchange Act Release No.
96101 (Oct. 18, 2022) [87 FR 64280 (Oct. 24, 2022)].
\85\ See, e.g., Program for Allocation of Regulatory
Responsibilities Pursuant to Rule 17d-2; Notice of Filing and Order
Approving and Declaring Effective an Amendment to the Plan for the
Allocation of Regulatory Responsibilities Among Cboe BZX Exchange,
Inc., Cboe BYX Exchange, Inc., NYSE Chicago, Inc., Cboe EDGA
Exchange, Inc., Cboe EDGX Exchange, Inc., Financial Industry
Regulatory Authority, Inc., MEMX LLC, MIAX PEARL, LLC, Nasdaq BX,
Inc., Nasdaq PHLX LLC, The Nasdaq Stock Market LLC, NYSE National,
Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca,
Inc., Investors' Exchange LLC, and Long-Term Stock Exchange, Inc.
Relating to the Surveillance, Investigation, and Enforcement of
Insider Trading Rules, Exchange Act Release No. 89972 (Sept. 23,
2020) [85 FR 61062 (Sept. 29, 2020)].
---------------------------------------------------------------------------
FINRA uses other information systems to perform its
responsibilities as an SRO. For example, it operates a number of
information systems that its members use to make regulatory
filings.\86\ These systems include FINRA's eFOCUS system through
which its broker-dealer members file periodic (monthly or quarterly)
confidential financial and operational reports.\87\ FINRA Gateway is
another information system that it uses as a compliance portal for its
members to file and access information. A disruption of FINRA's
business operations caused by a significant cybersecurity incident
could disrupt its ability to carry out its responsibilities as an SRO
(e.g., by disrupting its oversight of broker-dealer activities for
compliance with its rules and the federal securities laws or its review
of broker-dealers' financial condition), and could therefore materially
impact the fair, orderly, and efficient functioning of the U.S.
securities markets.
---------------------------------------------------------------------------
\86\ Further information about these filing systems is available
at: <a href="https://www.finra.org/filing-reporting/regulatory-filing-systems">https://www.finra.org/filing-reporting/regulatory-filing-systems</a>.
\87\ The eFOCUS system provides firms with the capability to
electronically submit their Financial and Operational Combined
Uniform Single (FOCUS) Reports to FINRA. FINRA member broker-dealers
are required to prepare and submit FOCUS reports pursuant to
Exchange Act Rule 17a-5 (17 CFR 240.17a-5) (``Rule 17a-5'') and FINRA's
FOCUS Report filing plan. See, e.g., Self-Regulatory Organizations;
Notice of Filing and Order Granting Accelerated Approval of Proposed
Rule Change by the National Association of Securities Dealers, Inc.
Relating to the Association's FOCUS Filing Plan, Exchange Act
Release No. 36780 (Jan. 26, 1996) [61 FR 3743 (Feb. 1, 1996)].
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at FINRA could
provide a gateway for threat actors to attack members that connect to
it through information systems and networks of interconnected
information systems. Moreover, the information systems that link FINRA
to its members are vectors that expose FINRA to cybersecurity risk.
Additionally, the records stored by FINRA on its information
systems include proprietary information about its members, including
confidential business information (e.g., information about the
operational and financial condition of its broker-dealer members) and
confidential personal information about registered persons affiliated
with member firms. FINRA also is required to keep all records made or
received by it in the course of its business and in the conduct of its
self-regulatory activity. A significant cybersecurity incident at FINRA
could lead to the improper use of this information to harm the members
[[Page 20223]]
(e.g., public exposure of confidential financial information) or their
registered persons (e.g., public exposure of personal information).
Further, it could provide the unauthorized user with an unfair
advantage over other market participants (e.g., trading based on
confidential financial information about its members).
f. National Securities Exchanges
Under the Exchange Act, an ``exchange'' is any organization,
association, or group of persons, whether incorporated or
unincorporated, that constitutes, maintains, or provides a market place
or facilities for bringing together purchasers and sellers of
securities or for otherwise performing with respect to securities the
functions commonly performed by a stock exchange (as that term is
generally understood), and includes the market place and the market
facilities maintained by that exchange.\88\ Section 5 of the Exchange
Act \89\ requires an organization, association, or group of persons
that meets the definition of ``exchange'' under section 3(a)(1) of the
Exchange Act, unless otherwise exempt, to register with the Commission
as a national securities exchange pursuant to section 6 of the Exchange
Act. Registered national securities exchanges also are SROs, and must
comply with regulatory requirements applicable to both national
securities exchanges and SROs.\90\ Section 6 of the Exchange Act
requires, among other things, that the rules of a national securities
exchange be designed to prevent fraudulent and manipulative acts and
practices; to promote just and equitable principles of trade; to foster
cooperation and coordination with persons engaged in facilitating
transactions in securities; to remove impediments to, and perfect the
mechanism of, a free and open market and a national market system; and,
in general, to protect investors and the public interest; and that the
rules of a national securities exchange not be designed to permit
unfair discrimination between customers, issuers, brokers, or
dealers.\91\ As SROs under section 19 of the Exchange Act, the proposed
rules of national securities exchanges are subject to Commission review
and are published for notice and comment.\92\ While certain types of
proposed exchange rules are effective upon filing, others are subject
to Commission approval before they can go into effect.
---------------------------------------------------------------------------
\88\ See 15 U.S.C. 78c(a)(1). Exchange Act Rule 3b-16 (``Rule
3b-16'') defines terms used in the statutory definition of
``exchange'' under section 3(a)(1) of the Exchange Act. Under
paragraph (a) of Rule 3b-16, an organization, association, or group
of persons is considered to constitute, maintain, or provide such a
marketplace or facilities if they ``[b]ring[ ] together the orders
for securities of multiple buyers and sellers'' and use
``established non-discretionary methods (whether by providing a
trading facility or by setting rules) under which such orders
interact with each other, and the buyers and sellers entering such
orders agree to the terms of a trade.'' See 17 CFR 240.3b-16(a). In
January 2022, the Commission: (1) proposed amendments to Rule 3b-16
to include systems that offer the use of non-firm trading interest
and provide communication protocols to bring together buyers and
sellers of securities; (2) re-proposed amendments to Regulation ATS
for ATSs that trade government securities or repurchase and reverse
repurchase agreements on government securities; (3) re-proposed
amendments to Regulation SCI to apply to ATSs that meet certain
volume thresholds in U.S. Treasury securities or in a debt security
issued or guaranteed by a U.S. executive agency or government-
sponsored enterprise; and (4) proposed amendments to, among other
things, Form ATS-N, Form ATS-R, Form ATS, and the fair access rule
under Regulation ATS. See Amendments Regarding the Definition of
``Exchange'' and Alternative Trading Systems (ATSs) That Trade U.S.
Treasury and Agency Securities, National Market System (NMS) Stocks,
and Other Securities, Exchange Act Release No. 94062 (Jan. 26, 2022)
[87 FR 15496 (Mar. 18, 2022)] (``Amendments Regarding the Definition
of `Exchange' and ATSs Release''). The Commission encourages
commenters to review that proposal with respect to ATSs and the
comments on that proposal to determine whether they might affect
comments on this proposing release.
\89\ 15 U.S.C. 78e.
\90\ See, e.g., 15 U.S.C. 78f and 78s.
\91\ See 15 U.S.C. 78f(b)(5).
\92\ See 15 U.S.C. 78s.
---------------------------------------------------------------------------
National securities exchanges use information systems to operate
their marketplaces and facilities for bringing together purchasers and
sellers of securities. In particular, national securities exchanges
rely on automated, complex, and interconnected information systems for
trading, routing, market data, regulatory, and surveillance purposes.
They also use information systems to connect to members, other national
securities exchanges, plan processors, and clearing agencies to
facilitate order routing, trading, trade reporting, and the clearing of
securities transactions. They also provide quotation, trade reporting,
and regulatory information to the securities information processors to
ensure that current market data information is available to market
participants.\93\ A significant cybersecurity incident at a national
securities exchange could disrupt or disable its ability to provide
these market functions, causing broader disruptions to the securities
markets.\94\ For example, a significant cybersecurity incident could
severely impede the ability to trade securities, or could disrupt the
public dissemination of consolidated market data, impacting investors
and the maintenance of fair, orderly, and efficient markets. In
addition, the information systems that link national securities
exchanges to their members are vectors that expose the exchange to
cybersecurity risk.
---------------------------------------------------------------------------
\93\ The national securities exchanges will provide quotation,
trade reporting, and regulatory information to competing
consolidators and self-aggregators after the market data
infrastructure rules have been implemented. See Market Data
Infrastructure, Exchange Act Release No. 90610 (Dec. 9, 2020) [86 FR
18596 (Apr. 9, 2021)] (``MDI Adopting Release''). In July 2012, the
Commission adopted Rule 613 of Regulation NMS, which required
national securities exchanges and national securities associations
(the ``Participants'') to jointly develop and submit to the
Commission a national market system plan to create, implement, and
maintain a consolidated audit trail (the ``CAT''). See Consolidated
Audit Trail, Exchange Act Release No. 67457 (July 18, 2012) [77 FR
45722 (Aug. 1, 2012)]; 17 CFR 242.613. In November 2016, the
Commission approved the national market system plan required by Rule
613 (the ``CAT NMS Plan''). See Joint Industry Plan; Order Approving
the National Market System Plan Governing the Consolidated Audit
Trail, Exchange Act Release No. 78318 (Nov. 15, 2016) [81 FR 84696
(Nov. 23, 2016)] (the ``CAT NMS Plan Approval Order''). The
Participants conduct the activities related to the CAT in a Delaware
limited liability company, Consolidated Audit Trail, LLC (the
``Company''). The Participants jointly own on an equal basis the
Company. As such, the CAT's Central Repository is a facility of each
of the Participants. See CAT NMS Plan Approval Order, 81 FR at
84758. It would also qualify as an ``information system'' of each
national securities exchange and each national securities
association under proposed Rule 10. FINRA CAT, LLC--a wholly-owned
subsidiary of FINRA--has entered into an agreement with the Company
to act as the plan processor for the CAT. However, because the CAT
System is operated by FINRA CAT, LLC on behalf of the national
securities exchanges and FINRA, the Participants remain ultimately
responsible for the performance of the CAT and its compliance with
any statutes, rules, and regulations. The goal of the CAT NMS Plan
is to create a modernized audit trail system that provides
regulators with more timely access to a more comprehensive set of
trading data, thus enabling regulators to more efficiently and
effectively analyze and reconstruct broad-based market events,
conduct market analysis in support of regulatory decisions, and to
conduct market surveillance, investigations, and other enforcement
activities. The CAT accepts data that are submitted by the
Participants and broker-dealers, as well as data from certain market
data feeds like SIP and OPRA.
\94\ See, e.g., New Zealand FMA Report (describing an August
2020 cybersecurity incident at New Zealand's only regulated
financial product market that caused a trading halt of approximately
four days).
---------------------------------------------------------------------------
Similarly, proprietary market data systems of exchanges are widely
used and relied upon by a broad range of market participants for
detailed information about quoting and trading activity on an exchange.
A significant cybersecurity incident that disrupts the availability or
integrity of these feeds could have a significant impact on the trading
of securities because market participants may withdraw from trading
without access to current quotation and trade information. This could
interfere with the maintenance of fair, orderly, and efficient markets.
National securities exchanges also use information systems to
perform their
[[Page 20224]]
responsibilities as SROs. In particular, exchanges employ market-
regulation systems to assist with obligations such as enforcing their
rules and the federal securities laws with respect to their members. A
disruption of a national securities exchange's business operations
caused by a significant cybersecurity incident could disrupt its
ability to carry out its regulatory responsibilities as an SRO and,
therefore, materially impact the fair, orderly, and efficient
functioning of the U.S. securities markets.
Each exchange also is required to keep all records made or received
by it in the course of its business and in the conduct of its self-
regulatory activity. The records stored by national securities
exchanges on their information systems include proprietary information
about their members, including confidential business information (e.g.,
information about the financial condition of their members). The
records also include information relating to trading, routing, market
data, and market surveillance, among other areas.\95\ A significant
cybersecurity incident at a national securities exchange could lead to
the improper use of this information to harm exchange members (e.g.,
public exposure of confidential financial information) or provide the
unauthorized user with an unfair advantage over other market
participants (e.g., trading based on confidential business
information).
---------------------------------------------------------------------------
\95\ For example, as discussed above, the national securities
exchanges and FINRA jointly operate the CAT System, which collects
and stores information relating to market participants and their order
and trading activities.
---------------------------------------------------------------------------
g. Security-Based Swap Data Repositories
Title VII of the Dodd-Frank Wall Street Reform and Consumer
Protection Act (``Title VII of the Dodd-Frank Act''), enacted in 2010,
provided for a comprehensive, new regulatory framework for swaps and
security-based swaps, including regulatory reporting and public
dissemination of transactions in security-based swaps.\96\ In 2015, the
Commission established a regulatory framework for SBSDRs to provide
improved transparency to regulators and help facilitate price discovery
and efficiency in the SBS market.\97\ Under this framework, SBSDRs are
registered securities information processors and disseminators of
market data in the security-based swap market,\98\ thereby supporting
the Dodd-Frank Act's goal of public dissemination for all security-
based swaps to enhance price discovery to market participants.\99\ The
collection and dissemination of security-based swap data by SBSDRs
provide transparency in the security-based swap market for regulators
and market participants.
---------------------------------------------------------------------------
\96\ Public Law 111-203, 124 Stat. 1376 (2010), section 761(a)
(adding Exchange Act section 3(a)(75) (defining SBSDR)) and section
763(i) (adding Exchange Act section 13(n) (establishing a regulatory
regime for SBSDRs)).
\97\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 74246 (Feb.
11, 2015) [80 FR 14438 (Mar. 19, 2015)] (``SBSDR Adopting
Release''); Regulation SBSR--Reporting and Dissemination of
Security-Based Swap Information, Exchange Act Release No. 74244
(Feb. 11, 2015) [80 FR 14563 (Mar. 19, 2015)] (``SBSR Adopting
Release'').
\98\ See 17 CFR 242.909 (``A registered security-based swap data
repository shall also register with the Commission as a securities
information processor on Form SDR''); see also Form SDR (``With
respect to an applicant for registration as a security-based swap
data repository, Form SDR also constitutes an application for
registration as a securities information processor.'').
\99\ See, e.g., SBSDR Adopting Release, 80 FR at 14604.
---------------------------------------------------------------------------
In addition, as centralized repositories for security-based swap
transaction data that is used by regulators, SBSDRs provide an
important infrastructure assisting relevant authorities in performing
their market oversight.\100\ Data maintained by SBSDRs can assist
regulators in addressing market abuses, performing supervision, and
resolving issues and positions if an institution fails.\101\ SBSDRs are
required to collect and maintain accurate security-based swap
transaction data so that relevant authorities can access and analyze
the data from secure, central locations, thereby putting the regulators
in a better position to monitor for potential market abuse and risks to
financial stability.\102\ SBSDRs also have the potential to reduce
operational risk and enhance operational efficiency, such as by
maintaining transaction records that would help counterparties to
ensure that their records reconcile on all of the key economic details.
---------------------------------------------------------------------------
\100\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov.
19, 2010) [75 FR 77306, 77307 (Dec. 10, 2010)], corrected at 75 FR
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR
Proposing Release'') (``The data maintained by an [SBSDR] may also
assist regulators in (i) preventing market manipulation, fraud, and
other market abuses; (ii) performing market surveillance, prudential
supervision, and macroprudential (systemic risk) supervision; and
(iii) resolving issues and positions after an institution fails.'').
\101\ See SBSDR Proposing Release at 77307.
\102\ See SBSDR Adopting Release, 80 FR at 14440 (stating that
``[SBSDRs] are required to collect and maintain accurate [security-
based swap] transaction data so that relevant authorities can access
and analyze the data from secure, central locations, thereby putting
them in a better position to monitor for potential market abuse and
risks to financial stability.'').
---------------------------------------------------------------------------
SBSDRs use information systems to perform these functions,
including to disseminate market data and provide price transparency in
the security-based swap market. They also use information systems to
operate centralized repositories for security-based swap data for use
by regulators. These information systems provide an important market
infrastructure that assists relevant authorities in performing their
market oversight.\103\ As discussed above, data maintained by SBSDRs
may, for example, assist regulators in addressing market abuses,
performing supervision, and resolving issues and positions if an
institution fails.
---------------------------------------------------------------------------
\103\ See Committee on Payments and Settlement Systems
(``CPSS''), Technical Committee of IOSCO, Principles for financial
markets intermediaries (Apr. 2012), available at <a href="https://www.bis.org/cpmi/publ/d101a.pdf">https://www.bis.org/cpmi/publ/d101a.pdf</a> (``FMI Principles'') (Principle for
financial markets intermediaries (``PFMI'') 1.14 stating that ``[b]y
centralising the collection, storage, and dissemination of data, a
well-designed [trade repository (``TR'')] that operates with
effective risk controls can serve an important role in enhancing the
transparency of transaction information to relevant authorities and
the public, promoting financial stability, and supporting the
detection and prevention of market abuse.''). In 2014, the CPSS
became the Committee on Payments and Market Infrastructures
(``CPMI'').
---------------------------------------------------------------------------
SBSDRs are subject to certain cybersecurity risks that if realized
could impede their ability to meet the goals set out in Title VII of
the Dodd-Frank Act and the Commission's rules.\104\ For example, SBSDRs
process and disseminate trade data using information systems. If these
information systems suffer from a significant cybersecurity incident,
public access to timely and reliable trade data for the derivatives
markets could potentially be compromised.\105\ Also, if the data stored
at an SBSDR is corrupted by a threat actor through a cybersecurity
attack, the SBSDR would not be able to provide accurate data to
relevant regulatory authorities, which could hinder the oversight of
the derivatives markets. Moreover, SBSDRs
[[Page 20225]]
use information systems to receive and maintain personal, confidential,
and proprietary information and data. The unauthorized use or access of
this information could be used to create unfair business or trading
advantages and, in the case of personal information, to steal
identities.
---------------------------------------------------------------------------
\104\ See SBSDR Adopting Release, 80 FR at 14450 (``[SBSDRs]
themselves are subject to certain operational risks that may impede
the ability of [SBSDRs] to meet these goals, and the Title VII
regulatory framework is intended to address these risks.'').
\105\ See FMI Principles (PFMI 1.14, Box 1 stating that ``[t]he
primary public policy benefits of a TR, which stem from the
centralisation and quality of the data that a TR maintains, are
improved market transparency and the provision of this data to
relevant authorities and the public in line with their respective
information needs. Timely and reliable access to data stored in a TR
has the potential to improve significantly the ability of relevant
authorities and the public to identify and evaluate the potential
risks posed to the broader financial system.'').
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at an SBSDR could
provide a gateway for threat actors to attack Market Entities and
others that connect to it through information systems. Moreover, the
links established between an SBSDR and other entities, including
unaffiliated clearing agencies and other SBSDRs, are vectors that
expose the SBSDR to cybersecurity risk arising from threats that
originate in information systems outside the SBSDR's control.\106\
---------------------------------------------------------------------------
\106\ See FMI Principles (PFMI at 3.20.20 stating that ``[a] TR
should carefully assess the additional operational risks related to
its links to ensure the scalability and reliability of IT and
related resources. A TR can establish links with another TR or with
another type of FMI. Such links may expose the linked [financial
market infrastructures (``FMIs'')] to additional risks if not
properly designed. Besides legal risks, a link to either another TR
or to another type of FMI may involve the potential spillover of
operational risk. The mitigation of operational risk is particularly
important because the information maintained by a TR can support
bilateral netting and be used to provide services directly to market
participants, service providers (for example, portfolio compression
service providers), and other linked FMIs.''). The CPMI and IOSCO
issued guidance for cyber resilience for FMIs, including CSDs,
securities settlement systems (``SSSs''), CCPs, and trade
repositories. See CPMI-IOSCO, Guidance on cyber resilience for
financial market infrastructures (June 2016), available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf</a>; see also CPMI-
IOSCO, Implementation monitoring of the PFMI: Level 3 assessment on
Financial Market Infrastructures' Cyber Resilience (Nov. 2022),
available at <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf">https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf</a> (presenting the results of an assessment of the state
of cyber resilience (as of February 2021) of FMIs from 29
jurisdictions that participated in the exercise in 2020 to 2022).
---------------------------------------------------------------------------
h. SBS Entities
The SBS Entities covered by the proposed rulemaking are SBSDs and
MSBSPs. An SBSD generally refers to any person who: (1) holds itself
out as a dealer in security-based swaps; (2) makes a market in
security-based swaps; (3) regularly enters into security-based swaps
with counterparties as an ordinary course of business for its own
account; or (4) engages in any activity causing it to be commonly known
in the trade as a dealer or market maker in security-based swaps.\107\
An SBSD does not, however, include a person that enters into security-
based swaps for such person's own account, either individually or in a
fiduciary capacity, but not as a part of regular business.\108\
---------------------------------------------------------------------------
\107\ See 15 U.S.C. 78c(a)(71); 17 CFR 240.3a71-1 et seq.
\108\ See 15 U.S.C. 78c(a)(71)(C); 17 CFR 240.3a71-1(b).
---------------------------------------------------------------------------
An MSBSP generally includes any person that is not a security-based
swap dealer and that satisfies one of the following three alternative
statutory tests: (1) it maintains a ``substantial position'' in
security-based swaps, excluding positions held for hedging or
mitigating commercial risk and positions maintained by any employee
benefit plan (or any contract held by such a plan) for the primary
purpose of hedging or mitigating any risk directly associated with the
operation of the plan, for any of the major security-based swap
categories determined by the Commission; (2) its outstanding security-
based swaps create substantial counterparty exposure that could have
serious adverse effects on the financial stability of the U.S. banking
system or financial markets; or (3) it is a ``financial entity'' that
is ``highly leveraged'' relative to the amount of capital it holds (and
that is not subject to capital requirements by an appropriate federal
banking agency) and maintains a ``substantial position'' in outstanding
security-based swaps in any major category as determined by the
Commission.\109\ Currently, there are no MSBSPs registered with the
Commission.
---------------------------------------------------------------------------
\109\ See 15 U.S.C. 78c(a)(67); 17 CFR 240.3a67-1 et seq.
---------------------------------------------------------------------------
SBS Entities play (or, in the case of MSBSPs, could play) a
critical role in the U.S. security-based swap market.\110\ SBS Entities
rely on information systems to transact in security-based swaps with
other market participants, to receive and deliver collateral, to create
and maintain books and records, and to obtain market information to
update books and records, and manage risk.
---------------------------------------------------------------------------
\110\ Currently, this role is fulfilled by SBSDs, given there
are no MSBSPs registered with the Commission.
---------------------------------------------------------------------------
A disruption to an SBS Entity's operations caused by a significant
cybersecurity incident could have a large negative impact on the U.S.
security-based swap market given the concentration of dealers in this
market. Further, a disruption in the security-based swap market could
negatively impact the broader securities markets by, for example,
causing participants to liquidate positions related to, or referenced
by, the impacted security-based swaps to mitigate losses to
participants' positions or portfolios or due to loss of trading
confidence. A disruption in the security-based swap market also could
negatively impact the broader securities markets by causing
participants to liquidate the collateral margining the security-based
swaps for similar reasons or to cover margin calls. The consequences of
a business disruption to an SBS Entity's functions--such as those that
may be caused by a significant cybersecurity incident--may be amplified
because, unlike many other securities transactions, security-based
swap transactions give rise to an ongoing obligation between
transaction counterparties during the life of the transaction.\111\
This means that each counterparty bears the risk of its counterparty's
ability to perform under the terms of a security-based swap until the
transaction is terminated. A disruption of an SBS Entity's normal
business activities because of a significant cybersecurity incident
could produce spillover or contagion by negatively affecting the
willingness or the ability of market participants to extend credit to
each other, and could substantially reduce liquidity and valuations for
particular types of financial instruments.\112\ The security-based swap
market is large \113\ and thus a disruption of an SBS Entity's
operations due to a significant cybersecurity incident could negatively
impact sectors of the U.S. economy.\114\
---------------------------------------------------------------------------
\111\ See Further Definition of ``Swap Dealer,'' ``Security-
Based Swap Dealer,'' ``Major Swap Participant,'' ``Major Security-
Based Swap Participant'' and ``Eligible Contract Participant'',
Exchange Act Release No. 66868 (Apr. 27, 2012) [77 FR 30596, 30616-
17 (May 23, 2012)] (``Further Definition Release'') (noting that
``[i]n contrast to a secondary market transaction involving equity
or debt securities, in which the completion of a purchase or sale
transaction can be expected to terminate the mutual obligations of
the parties to the transaction, the parties to a security-based swap
often will have an ongoing obligation to exchange cash flows over
the life of the agreement'').
\112\ See Cross-Border Security-Based Swap Activities; Re-
Proposal of Regulation SBSR and Certain Rules and Forms Relating to
the Registration of Security-Based Swap Dealers and Major Security-
Based Swap Participants, Exchange Act Release No. 69490 (May 1,
2013) [78 FR 30967, 30980-81 (May 23, 2013)] (``Cross-Border
Proposing Release'').
\113\ See, e.g., Commission, Report on Security-Based Swaps
Pursuant to Section 13(m)(2) of the Securities Exchange Act of 1934
(July 15, 2022) available at <a href="https://www.sec.gov/files/report-on-security-based-swaps-071522.pdf">https://www.sec.gov/files/report-on-security-based-swaps-071522.pdf</a>.
\114\ See Cross-Border Proposing Release, 78 FR at 30972 (``The
Dodd-Frank Act was enacted, among other reasons, to promote the
financial stability of the United States by improving accountability
and transparency in the financial system. The 2008 financial crisis
highlighted significant issues in the over-the-counter (`OTC')
derivatives markets, which . . . are capable of affecting
significant sectors of the U.S. economy.'') (footnotes omitted).
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at an SBS Entity
could provide a gateway for threat actors to attack the exchanges,
SBSDRs, clearing agencies, counterparties, and other SBS Entities to
[[Page 20226]]
which the firm is connected through information systems and networks of
interconnected information systems. Moreover, the information systems
that link SBS Entities to other Market Entities are vectors that expose
the SBS Entity to cybersecurity risk arising from threats that
originate in information systems outside the SBS Entity's control. SBS
Entities also store proprietary and confidential information about
their counterparties on their information systems, including financial
information they use to perform credit analysis. A significant
cybersecurity incident at an SBS Entity could lead to the improper use
of this information to harm the counterparties (e.g., public exposure
of confidential financial information) or provide the unauthorized user
with an unfair advantage over other market participants (e.g., trading
based on confidential business information).
i. Transfer Agents
A transfer agent is any person who engages on behalf of an issuer
of securities or on behalf of itself as an issuer of securities in
(among other functions): (1) tracking, recording, and maintaining the
official record of ownership of each issuer's securities; (2) canceling
old certificates, issuing new ones, and performing other processing and
recordkeeping functions that facilitate the issuance, cancellation, and
transfer of those securities; (3) facilitating communications between
issuers and registered securityholders; and (4) making dividend,
principal, interest, and other distributions to securityholders.\115\
To perform these functions, transfer agents maintain records and
information related to securityholders that may include names,
addresses, phone numbers, email addresses, employers, employment
history, bank and specific account information, credit card
information, transaction histories, securities holdings, and other
detailed and individualized information related to the transfer agents'
recordkeeping and transaction processing on behalf of issuers. With
advances in technology and the expansion of book-entry ownership of
securities, transfer agents today increasingly rely on technology and
automation to perform the core recordkeeping, processing, and transfer
services described above, including the use of computer systems to
store, access, and process the information related to securityholders
they maintain on behalf of issuers. A significant cybersecurity
incident that impacts these systems could cause harm to investors by,
for example, preventing the transfer agent from transferring ownership
of securities or preventing investors from receiving dividend,
interest, or principal payments.
---------------------------------------------------------------------------
\115\ See Transfer Agent Regulations, Exchange Act Release No.
76743 (Dec. 22, 2015) [80 FR 81948, 81949 (Dec. 31, 2015)].
---------------------------------------------------------------------------
Further, a significant cybersecurity incident at a transfer agent
could provide a gateway for threat actors to attack other Market
Entities that connect to it through information systems and networks of
interconnected information systems. Moreover, the information systems
that link transfer agents to other Market Entities expose the transfer
agent to cybersecurity risk arising from threats that originate in
information systems outside the transfer agent's control. The records
stored by transfer agents on their information systems include
proprietary information about securities ownership and corporate
actions. A significant cybersecurity incident at a transfer agent could
lead to the improper use of this information to harm securities holders
(e.g., public exposure of their confidential financial information or
the use of that information to steal their identities) or provide the
unauthorized user with an unfair advantage over other market
participants (e.g., trading based on confidential business
information).
B. Overview of the Proposed Cybersecurity Requirements
As discussed above, the U.S. securities markets are part of the
critical infrastructure of the United States.\116\ In this regard, they
play a central role in the U.S. economy in terms of facilitating the
flow of capital, including the savings of individual investors. The
fair, orderly, and efficient operation of the U.S. securities markets
depends on Market Entities being able to perform their critical
functions, and Market Entities are increasingly relying on information
systems and interconnected networks of information systems to perform
these functions. These information systems are targets of threat
actors. Moreover, Market Entities--as financial institutions--are
choice targets for threat actors seeking financial gain or to inflict
economic harm. Further, threat actors are using increasingly
sophisticated and constantly evolving tactics, techniques, and
procedures to attack information systems. In addition to threat actors,
cybersecurity risk also can be caused by the errors of employees,
service providers, or business partners. The interconnectedness of
Market Entities increases the risk that a significant cybersecurity
incident can simultaneously impact multiple Market Entities causing
harm to the U.S. securities markets.
---------------------------------------------------------------------------
\116\ See section I.A. of this release (discussing cybersecurity
risk and how critical operations of Market Entities are exposed to
cybersecurity risk).
---------------------------------------------------------------------------
For these reasons, it is critically important that Market Entities
take steps to protect their information systems and the information
residing on those systems from cybersecurity risk. A Market Entity that
fails to do so is more vulnerable to succumbing to a significant
cybersecurity incident. As discussed above, a significant cybersecurity
incident can cause serious harm not only to the Market Entity but also
to its customers, counterparties, members, registrants, or users, or to
any other market participants (including other Market Entities) that
interact with the Market Entity. Therefore, it is vital to the U.S.
securities markets and the participants in those markets that all
Market Entities address cybersecurity risk, which, as discussed above,
is increasingly threatening the financial sector.
Consequently, the Commission is proposing new Rule 10 and new Form
SCIR to require that Market Entities address cybersecurity risks, to
improve the Commission's ability to obtain information about
significant cybersecurity incidents impacting Market Entities, and to
improve transparency about the cybersecurity risks that can cause
adverse impacts to the U.S. securities markets.\117\ Under proposed
Rule 10, certain broker-dealers, the MSRB, and all clearing agencies,
national securities associations, national securities exchanges,
SBSDRs, SBS Entities, and transfer agents would be defined as a
``covered entity'' (collectively, ``Covered Entities'').\118\
---------------------------------------------------------------------------
\117\ In designing the requirements of proposed Rule 10, the
Commission considered several cybersecurity sources (which are cited
in the relevant sections below), including the NIST Framework, the
NIST Glossary, and CISA's Cyber Essentials Starter Kit (information
about CISA's Cyber Essentials Starter Kit is available at: <a href="https://www.cisa.gov/publication/cisa-cyber-essentials">https://www.cisa.gov/publication/cisa-cyber-essentials</a>). The Commission also
considered definitions in relevant federal statutes including the
Federal Information Security Modernization Act of 2014, Public Law
113-283 (Dec. 18, 2014); 44 U.S.C. 3551 et seq. (``FISMA'') and the
Cyber Incident Reporting for Critical Infrastructure Act of 2022,
H.R. 2471, 117th Cong. (2021-2022); 6 U.S.C. 681 et seq.
(``CIRCIA'').
\118\ The following broker-dealers would be Covered Entities:
(1) broker-dealers that maintain custody of securities and cash for
customers or other broker-dealers (``carrying broker-dealers''); (2)
broker-dealers that introduce their customer accounts to a carrying
broker-dealer on a fully disclosed basis (``introducing broker-
dealers''); (3) broker-dealers with regulatory capital equal to or
exceeding $50 million; (4) broker-dealers with total assets equal to
or exceeding $1 billion; (5) broker-dealers that operate as market
makers; and (6) broker-dealers that operate an ATS (sometimes
collectively referred to as ``Covered Broker-Dealers''). Broker-
dealers that do not fall into one of these six categories (sometimes
collectively referred to as ``Non-Covered Entities'' or ``Non-
Covered Broker-Dealers'') would not be Covered Entities for the
purposes of proposed Rule 10. See also section II.A.1.b. of this
release (discussing the categories of broker-dealers that would be
``Covered Entities'' in greater detail).
---------------------------------------------------------------------------
[[Page 20227]]
Proposed Rule 10 would require all Market Entities (Covered
Entities and Non-Covered Entities) to establish, maintain, and enforce
written policies and procedures that are reasonably designed to address
their cybersecurity risks.\119\ All Market Entities also, at least
annually, would be required to review and assess the design and
effectiveness of their cybersecurity policies and procedures, including
whether the policies and procedures reflect changes in cybersecurity
risk over the time period covered by the review.\120\ They also would
be required to prepare a report (in the case of Covered Entities) and a
record (in the case of Non-Covered Entities) with respect to the annual
review. CISA states that organizations should ``approach cyber as
business risk.'' \121\ Like other business risks (e.g., market, credit,
or liquidity risk), cybersecurity risk can be addressed through
policies and procedures that are reasonably designed to manage the
risk. Finally, all Market Entities would need to give the Commission
immediate written electronic notice of a significant cybersecurity
incident upon having a reasonable basis to conclude that the
significant cybersecurity incident has occurred or is occurring.\122\
---------------------------------------------------------------------------
\119\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Market Entities that meet the
definition of ``covered entity''); paragraph (e)(1) of proposed Rule
10 (setting forth the requirements for Market Entities that are not
Covered Entities (i.e., Non-Covered Broker-Dealers)). See also
sections II.B.1. and II.C. of this release (discussing these
proposed requirements in more detail). As discussed in sections
II.F. and IV.C.1.b. of this release, certain categories of Market
Entities are subject to existing requirements to address aspects of
cybersecurity risk or that may relate to cybersecurity. These other
requirements, however, do not address cybersecurity risk as
directly, broadly, or comprehensively as the requirements of
proposed Rule 10.
\120\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10. See also sections II.B.1.f. and II.C. of this
release (discussing these proposed requirements in more detail).
\121\ See CISA Cyber Essentials Starter Kit (``Ask yourself what
type of impact would be catastrophic to your operations? What
information if compromised or breached would cause damage to
employees, customers, or business partners? What is your level of
risk appetite and risk tolerance? Raising the level of awareness
helps reinforce the culture of making informed decisions and
understanding the level of risk to the organization.'').
\122\ See paragraph (c)(1) of proposed Rule 10; paragraph (e)(2)
of proposed Rule 10. See also sections II.B.2.a. and II.C. of this
release (discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Market Entities that meet the definition of ``covered entity''
would be subject to certain additional requirements under proposed Rule
10.\123\ First, as discussed in more detail below, the written policies
and procedures that Covered Entities would need to establish, maintain,
and enforce would need to include the following elements:
---------------------------------------------------------------------------
\123\ Compare paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Covered Entities), with
paragraph (e) of proposed Rule 10 (setting forth the requirements
for Non-Covered Entities).
---------------------------------------------------------------------------
• Periodic assessments of cybersecurity risks associated
with the Covered Entity's information systems and written documentation
of the risk assessments;
• Controls designed to minimize user-related risks and
prevent unauthorized access to the Covered Entity's information
systems;
• Measures designed to monitor the Covered Entity's
information systems and protect the Covered Entity's information from
unauthorized access or use, and oversee service providers that receive,
maintain, or process information, or are otherwise permitted to access
the Covered Entity's information systems;
• Measures to detect, mitigate, and remediate any
cybersecurity threats and vulnerabilities with respect to the Covered
Entity's information systems; and
• Measures to detect, respond to, and recover from a
cybersecurity incident and written documentation of any cybersecurity
incident and the response to and recovery from the incident.\124\
---------------------------------------------------------------------------
\124\ See sections II.B.1.a. through II.B.1.e. of this release
(discussing these proposed requirements in more detail). In the case
of Non-Covered Entities, as discussed in more detail below in
section II.C. of this release, the design of the cybersecurity risk
management policies and procedures would need to take into account
the size, business, and operations of the broker-dealer. See
paragraph (e) of proposed Rule 10.
---------------------------------------------------------------------------
Second, Covered Entities--in addition to providing the Commission
with immediate written electronic notice of a significant cybersecurity
incident--would need to report and update information about the
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission.\125\ The form would elicit information about
the significant cybersecurity incident and the Covered Entity's efforts
to respond to, and recover from, the incident.
---------------------------------------------------------------------------
\125\ See sections II.B.2. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Third, Covered Entities would need to disclose publicly summary
descriptions of their cybersecurity risks and the significant
cybersecurity incidents they experienced during the current or previous
calendar year on Part II of proposed Form SCIR.\126\ The form would
need to be filed with the Commission and posted on the Covered Entity's
business internet website. Covered Entities that are carrying or
introducing broker-dealers also would need to provide the form to
customers at account opening, when information on the form is updated,
and annually.
---------------------------------------------------------------------------
\126\ See sections II.B.3. and II.B.4. of this release
(discussing these proposed requirements in more detail).
---------------------------------------------------------------------------
Covered Entities and Non-Covered Entities would need to preserve
certain records relating to the requirements of proposed Rule 10 in
accordance with amended or existing recordkeeping requirements
applicable to them or, in the case of exempt clearing agencies,
pursuant to conditions in relevant exemption orders.\127\
---------------------------------------------------------------------------
\127\ See sections II.B.5. and II.C. of this release (discussing
these proposed requirements in more detail).
---------------------------------------------------------------------------
Finally, the Commission is proposing amendments to address the
potential availability of substituted compliance to non-U.S. SBS
Entities with respect to the proposed cybersecurity requirements.\128\
---------------------------------------------------------------------------
\128\ See section II.D. of this release (discussing these
proposed amendments in more detail).
---------------------------------------------------------------------------
In developing the proposed requirements summarized above with
regard to SBSDRs and SBS Entities, the Commission consulted and
coordinated with the CFTC and the prudential regulators in accordance
with section 712(a)(2) of Title VII of the Dodd-Frank Act. In
accordance with section 752 of Title VII of the Dodd-Frank Act, the
Commission has consulted and coordinated with foreign regulatory
authorities through Commission staff participation in numerous
bilateral and multilateral discussions with foreign regulatory
authorities addressing the regulation of OTC derivatives markets.
II. Discussion of Proposed Cybersecurity Rule
A. Definitions
Proposed Rule 10 would define a number of terms for the purposes of
its requirements.\129\ These definitions also would be used for the
purposes of Parts
[[Page 20228]]
I and II of proposed Form SCIR.\130\ The defined terms are intended to
tailor the risk management, notification, reporting, and disclosure
requirements of proposed Rule 10 to the distinctive aspects of
cybersecurity risk as compared with other risks Market Entities face
(e.g., market, credit, or liquidity risk).\131\
---------------------------------------------------------------------------
\129\ See paragraph (a) of proposed Rule 10.
\130\ See sections II.B.2. and II.B.3. of this release
(discussing Parts I and II of proposed Form SCIR in more detail).
\131\ See paragraphs (a)(2) through (9) of proposed Rule 10
(defining, respectively, the terms ``cybersecurity incident,''
``cybersecurity risk,'' ``cybersecurity threat,'' ``cybersecurity
vulnerability,'' ``information,'' ``information systems,''
``personal information,'' and ``significant cybersecurity
incident'').
---------------------------------------------------------------------------
1. ``Covered Entity''
a. Market Entities That Meet the Definition of ``Covered Entity'' Would
Be Subject to Additional Requirements
Proposed Rule 10 would define the term ``covered entity'' to
identify the types of Market Entities that would be subject to certain
additional requirements under the rule.\132\ As discussed above,
proposed Rule 10 would require all Market Entities to establish,
maintain, and enforce written policies and procedures that are
reasonably designed to address their cybersecurity risks.\133\ All
Market Entities also, at least annually, would be required to review
and assess the design and effectiveness of their cybersecurity risk
management policies and procedures, including whether the policies and
procedures reflect changes in cybersecurity risk over the time period
covered by the review.\134\ They also would be required to prepare a
report (in the case of Covered Entities) or a record (in the case of
Non-Covered Entities) with respect to the annual review. Further, all
Market Entities would need to give the Commission immediate written
electronic notice of a significant cybersecurity incident upon having a
reasonable basis to conclude that the significant cybersecurity
incident has occurred or is occurring.\135\ As discussed above, Market
Entities use information systems that expose them to cybersecurity risk
and that risk is increasing due to the interconnectedness of the
information systems and the sophistication of the tactics used by
threat actors. Therefore, regardless of their function,
interconnectedness, or size, all Market Entities would be subject to
these requirements designed to address cybersecurity risks.
---------------------------------------------------------------------------
\132\ See paragraphs (a)(1)(i) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities''). A Market
Entity that falls within the definition of ``covered entity'' for
purposes of proposed Rule 10 may not necessarily meet the definition
of a ``covered entity'' for purposes of certain federal statutes,
such as, but not limited to, CIRCIA and any regulations promulgated
thereunder. CIRCIA, among other things, requires the Director of
CISA to issue and implement regulations defining the term ``covered
entity'' and requiring covered entities to report covered cyber
incidents and ransom payments as the result of ransomware attacks to
CISA in certain instances.
\133\ See paragraph (b)(1) of proposed Rule 10 (setting forth
the requirement for Market Entities that meet the definition of
``covered entity''); paragraph (e)(1) of proposed Rule 10 (setting
forth the requirement for Market Entities that do not meet the
definition of ``covered entity,'' which, as discussed above, would
be certain smaller broker-dealers).
\134\ See paragraph (b)(2) of proposed Rule 10; paragraph (e)(1)
of proposed Rule 10.
\135\ See paragraph (c)(1) of proposed Rule 10 (setting forth
the requirement for Market Entities that meet the definition of
``covered entity''); paragraph (e)(2) of proposed Rule 10 (setting
forth the requirement for Market Entities that do not meet the
definition of ``covered entity'').
---------------------------------------------------------------------------
Market Entities that are Covered Entities would be subject to
certain additional requirements under proposed Rule 10.\136\ In
particular, they would be required to: (1) include certain elements in
their cybersecurity risk management policies and procedures; \137\ (2)
file Part I of proposed Form SCIR with the Commission and, for some
Covered Entities, other regulators to report information about a
significant cybersecurity incident; \138\ and (3) make public
disclosures on Part II of proposed Form SCIR about their cybersecurity
risks and the significant cybersecurity incidents they experienced
during the current or previous calendar year.\139\
---------------------------------------------------------------------------
\136\ See paragraphs (b) through (d) of proposed Rule 10
(setting forth the requirements for Covered Entities); paragraph (e)
of proposed Rule 10 (setting forth the requirements for Non-Covered
Entities). As discussed above, Covered Entities would need to
prepare a report with respect to their review and assessment of the
policies and procedures. See paragraph (b)(2) of proposed Rule 10.
Non-Covered Entities would need to make a record with respect to
the annual review and assessment of their policies and procedures.
See paragraph (e) of proposed Rule 10.
\137\ See paragraphs (b)(1)(i) through (v) of proposed Rule 10.
\138\ See paragraph (c)(2) of proposed Rule 10. See also
paragraph (a)(10) of proposed Rule 10 (defining the term
``significant cybersecurity risk'').
\139\ See paragraph (d) of proposed Rule 10.
---------------------------------------------------------------------------
In determining which Market Entities would be Covered Entities
subject to the additional requirements, the Commission considered: (1)
how the type of Market Entity supports the fair, orderly, and efficient
operation of the U.S. securities markets and the consequences if that
type of Market Entity's critical functions were disrupted or degraded
by a significant cybersecurity incident; (2) the harm that could befall
investors, including retail investors, if that type of Market Entity's
functions were disrupted or degraded by a significant cybersecurity
incident; (3) the extent to which that type of Market Entity poses
cybersecurity risk to other Market Entities through information system
connections, including the number of connections; (4) the extent to
which that type of Market Entity would be an attractive target for
threat actors; and (5) the personal, confidential, and proprietary
business information about the type of Market Entity and other persons
(e.g., investors) stored on the Market Entity's information systems and
the harm that could be caused if that information was accessed or used
by threat actors.
b. Broker-Dealers
The following broker-dealers registered with the Commission would
be Covered Entities: (1) broker-dealers that maintain custody of
securities and cash for customers or other broker-dealers (i.e.,
carrying broker-dealers); (2) broker-dealers that introduce their
customers' accounts to a carrying broker-dealer on a fully disclosed
basis (i.e., introducing broker-dealers); \140\ (3) broker-dealers with
regulatory capital equal to or exceeding $50 million; (4) broker-
dealers with total assets equal to or exceeding $1 billion; (5) broker-
dealers that operate as market makers; and (6) broker-dealers that
operate an ATS. Thus, under proposed Rule 10, these six categories of
broker-dealers would be subject to the additional requirements.\141\
All other types of
[[Page 20229]]
broker-dealers would not meet the definition of Covered Entity.\142\
---------------------------------------------------------------------------
\140\ When a broker-dealer introduces a customer to a carrying
broker-dealer on a fully disclosed basis, the carrying broker-dealer
knows the identity of the customer and holds cash and securities in
an account for the customer that identifies the customer as the
accountholder. This is distinguishable from a broker-dealer that
introduces its customers to another carrying broker-dealer on an
omnibus basis. In this scenario, the carrying broker-dealer does not
know the identities of the customers and holds their cash and
securities in an account that identifies the broker-dealer
introducing the customers on an omnibus basis as the accountholder.
A broker-dealer that introduces customers to another broker-dealer
on an omnibus basis is, itself, a carrying broker-dealer for
purposes of the Commission's financial responsibility rules,
including the broker-dealer net capital and customer protection
rules. See, e.g., 17 CFR 240.15c3-1 and 17 CFR 240.15c3-3. This
category of broker-dealer would be a carrying broker-dealer for
purposes of proposed Rule 10 and therefore subject to the rule's
requirements for Covered Entities.
\141\ See paragraphs (a)(1)(i)(A) through (F) of proposed Rule
10. Certain of the definitions in proposed Rule 10 would be used for
the purposes of the requirements in the rule for broker-dealers that
are not Covered Entities. Specifically, paragraph (e)(1) of proposed
Rule 10 would require broker-dealers that are not Covered Entities
to establish, maintain, and enforce written policies and procedures
that are reasonably designed to address the cybersecurity risks of
the broker-dealer taking into account the size, business, and
operations of the broker-dealer. The term ``cybersecurity risk'' is
defined in paragraph (a)(3) of proposed Rule 10 and that definition
incorporates the terms ``cybersecurity incident,'' ``cybersecurity
threat,'' and ``cybersecurity vulnerability,'' which are defined,
respectively, in paragraphs (a)(2), (a)(4), and (a)(5) of proposed
Rule 10. In addition, paragraph (e)(2) of proposed Rule 10 would
require broker-dealers that are not Covered Entities to provide
immediate written electronic notice to the Commission and their
examining authority if they experience a ``significant cybersecurity
incident'' as that term is defined in the rule. Therefore, paragraph
(a)(8) of proposed Rule 10 would define the term ``market entity''
to mean a Covered Entity and a broker-dealer registered with the
Commission that is not a Covered Entity. Further, the definitions in
proposed Rule 10 would refer to ``market entities'' (rather than
``covered entities'') in order to not limit the application of these
definitions to paragraphs (b) through (d) of proposed Rule 10, which
set forth the requirements for Covered Entities (but not for Non-
Covered Entities).
\142\ As discussed below in section IV.C.2. of this release, of
the 3,510 broker-dealers registered with the Commission as of the
third quarter of 2022, 1,541 would meet the definition of ``covered
entity'' under proposed Rule 10, leaving 1,969 broker-dealers as
Non-Covered Entities.
---------------------------------------------------------------------------
The first category of broker-dealers included as Covered Entities
would be carrying broker-dealers. Specifically, proposed Rule 10 would
define ``covered entity'' to include any broker-dealer that maintains
custody of cash and securities for customers or other broker-dealers
and is not exempt from the requirements of Exchange Act Rule 15c3-3
(i.e., a carrying broker-dealer).\143\ Some carrying broker-dealers are
large in terms of their assets and dealing activities or the number of
their accountholders. For example, they may engage in a variety of
order handling, trading, and/or clearing activities, and thereby play a
significant role in U.S. securities markets, often through multiple
business lines and/or in multiple asset classes. Consequently, if their
critical functions were disrupted or degraded by a significant
cybersecurity incident, it could have a negative impact on the
U.S. securities markets by, for example, reducing liquidity in the
markets or sectors of the markets due to the firm's inability to
continue dealing and trading activities. A broker-dealer in this
situation could lose its ability to provide liquidity to other market
participants for an indeterminate length of time, which could lead to
unfavorable market conditions for investors, such as higher buy prices
and lower sell prices or even the inability to execute a trade within a
reasonable amount of time. Further, some carrying broker-dealers hold
millions of accounts for investors. If a significant cybersecurity
incident prevented this investor-base from accessing the securities
markets, it could impact liquidity as well.
---------------------------------------------------------------------------
\143\ See paragraph (a)(1)(i)(A) of proposed Rule 10. See also
17 CFR 240.15c3-3 (``Rule 15c3-3''). Rule 15c3-3 sets forth
requirements for broker-dealers that maintain custody of customer
securities and cash that are designed to protect those assets and
ensure their prompt return to the customers.
---------------------------------------------------------------------------
Also, the dealing activities of carrying broker-dealers may make
them attractive targets for threat actors seeking to access proprietary
and confidential information about the broker-dealer's trading
positions and strategies to use for financial advantage. In addition,
the size and financial resources of carrying broker-dealers may make
them attractive targets for threat actors employing ransomware schemes.
Because carrying broker-dealers hold cash and securities for
customers and other broker-dealers, a significant cybersecurity
incident could put these assets in peril or make them unavailable. For
example, a significant cybersecurity incident could cause harm to the
investors that own these assets--including retail investors--if it
causes the investors to lose access to their securities accounts (and,
therefore, the ability to purchase or sell securities), causes the
failure of the carrying broker-dealer (which could tie up the assets in
a liquidation proceeding under the Securities Investor Protection Act),
or, in the worst case, results in the assets being stolen. The fact
that carrying broker-dealers hold cash and securities for investors
also may make them attractive targets for threat actors seeking to
steal those assets through hacking the accounts or using stolen
credentials and log-in information. In addition, carrying broker-
dealers with large numbers of customers might be attractive targets for
threat actors because of the volume of personal information they
maintain. Threat actors may seek to access and download this
information in order to sell it to other threat actors. If this
information is accessed or stolen by threat actors, it could result in
harm (e.g., identity theft or conversion of financial assets) to many
individuals, including retail investors. Carrying broker-dealers
typically are connected to a number of different Market Entities
through information systems, including national securities exchanges,
clearing agencies, and other broker-dealers (including introducing
broker-dealers).
The second category of broker-dealers included as Covered Entities
would be introducing broker-dealers.\144\ These broker-dealers
introduce customer accounts on a fully disclosed basis to a carrying
broker-dealer. In this arrangement, the carrying broker-dealer knows
the identities of the fully disclosed customers and maintains custody
of their securities and cash. The introducing broker-dealer typically
interacts directly with the customers by, for example, making
securities recommendations and accepting their orders to purchase or
sell securities. An introducing broker-dealer must enter into an
agreement with a carrying broker-dealer to which it introduces customer
accounts on a fully disclosed basis.\145\
---------------------------------------------------------------------------
\144\ See paragraph (a)(1)(i)(B) of proposed Rule 10.
\145\ See FINRA Rule 4311. Pursuant to FINRA requirements, the
carrying agreement must specify the responsibilities of the carrying
broker-dealer and the introducing broker-dealer, including, at a
minimum, the responsibilities for: (1) opening and approving
accounts; (2) accepting orders; (3) transmitting orders for
execution; (4) executing orders; (5) extending credit; (6)
receiving and delivering funds and securities; (7) preparing and
transmitting confirmations; (8) maintaining books and records; and
(9) monitoring accounts. See FINRA Rule 4311(c)(1).
---------------------------------------------------------------------------
These broker-dealers would be included as Covered Entities because
they are a conduit to their customers' accounts at the carrying broker-
dealer and have access to information and trading systems of the
carrying broker-dealer. Consequently, a significant cybersecurity
incident could harm their customers to the extent it causes the
customers to lose access to their securities accounts at the carrying
broker-dealer. Further, a significant cybersecurity incident at an
introducing broker-dealer could spread to the carrying broker-dealer
given the information systems that connect the two firms. These
connections also may make introducing broker-dealers attractive targets
for threat actors seeking to access the information systems of the
carrying broker-dealer to which the introducing broker-dealer is
connected.
In addition, introducing broker-dealers may store personal
information about their customers on their information systems or be
able to access this information on the carrying broker-dealer's
information systems. The fact that they store this information also may
make them attractive targets for threat actors seeking to use the
information to steal identities or assets, or to sell the personal
information to other bad actors who will seek to use it for these
purposes.
The third category of broker-dealers included as Covered Entities
would be broker-dealers that have regulatory capital equal to or
exceeding $50 million.\146\ Regulatory capital is the total capital of
the broker-dealer plus allowable subordinated liabilities of the
broker-dealer and is reported on the FOCUS reports broker-dealers file
[[Page 20230]]
pursuant to Rule 17a-5.\147\ The fourth category would be a broker-
dealer with total assets equal to or exceeding $1 billion.\148\ The $50
million and $1 billion thresholds are modeled on the thresholds that
trigger enhanced recordkeeping and reporting requirements for certain
broker-dealers pursuant to Exchange Act Rules 17h-1T and 17h-2T.\149\
---------------------------------------------------------------------------
\146\ See paragraph (a)(1)(i)(C) of proposed Rule 10.
\147\ See 17 CFR 240.17a-5; Form X-17A-5, Line Item 3550.
\148\ See paragraph (a)(1)(i)(D) of proposed Rule 10.
\149\ See 17 CFR 240.17h-1T and 240.17h-2T. See also Order Under
Section 17(h)(4) of the Securities Exchange Act of 1934 Granting
Exemption from Rule 17h-1T and Rule 17h-2T for Certain Broker-
Dealers Maintaining Capital, Including Subordinated Debt of Greater
Than $20 Million But Less Than $50 Million, Exchange Act Release No.
89184 (June 29, 2020) [85 FR 40356 (July 6, 2020)] (``17h Release'')
(setting forth the $50 million and $1 billion thresholds).
---------------------------------------------------------------------------
These thresholds are designed to include as Covered Entities
broker-dealers that are large in terms of their assets and dealing
activities (and that would not otherwise be Covered Broker-Dealers
under the definitions in proposed Rule 10).\150\ For example, larger
broker-dealers that exceed these thresholds often engage in proprietary
trading (including high frequency trading) and are sources of liquidity
in certain securities. Consequently, if their critical functions were
disrupted or degraded by a significant cybersecurity incident, it could
have a negative impact on those securities markets if it
reduces liquidity in the markets through the inability to continue
dealing and trading activities. For example, a broker-dealer in this
situation could lose its ability to provide liquidity to other market
participants for an indeterminate length of time, which could lead to
unfavorable market conditions for investors, such as higher buy prices
and lower sell prices or even the inability to execute a trade within a
reasonable amount of time.
---------------------------------------------------------------------------
\150\ Size has been recognized as a proxy for substantial market
activity relative to other registrants of the same type and
therefore a firm's relative risk to the financial markets. See 17h
Release (noting that broker-dealers that have less than $50 million
in regulatory capital and less than $1 billion in total assets are
``relatively small in size,'' and ``because of their relative size''
and to the extent they are not carrying firms, these entities
``present less risk to the financial markets,'' while stating that
with respect to broker-dealers with at least $50 million in
regulatory capital or at least $1 billion in total assets ``the
Commission believes . . . those broker-dealers . . . pose greater
risk to the financial markets, investors, and other market
participants'').
---------------------------------------------------------------------------
In addition, the size and dealing activities of these broker-
dealers could make them attractive targets for threat actors seeking to
access proprietary and confidential information about the broker-
dealer's trading positions and strategies to use for financial
advantage. This also may make them attractive targets for threat actors
employing ransomware schemes. Further, given their size and trading
activities, these broker-dealers may be connected to a number of
different Market Entities through information systems, including
national securities exchanges, clearing agencies, other broker-dealers,
and ATSs.
The fifth category of broker-dealers included as Covered Entities
would be broker-dealers that operate as market makers. Specifically,
proposed Rule 10 would define ``covered entity'' to include a broker-
dealer that operates as a market maker under the Exchange Act or the
rules thereunder (which includes a broker-dealer that operates pursuant
to Exchange Act Rule 15c3-1(a)(6)) or is a market maker under the rules
of an SRO of which the broker-dealer is a member.\151\ The proposed
rule's definition of ``market maker'' is tied to securities laws that
confer benefits or impose requirements on market makers and,
consequently, covers broker-dealers that take advantage of those
benefits or are subject to those requirements. The objective is to rely
on these other securities laws to define a market maker rather than set
forth a new definition of ``market maker'' in proposed Rule 10, which
could conflict with these other laws.
---------------------------------------------------------------------------
\151\ See paragraph (a)(1)(i)(E) of proposed Rule 10. See also
17 CFR 240.15c3-1 (``Rule 15c3-1''). Paragraph (a)(6) of Rule 15c3-1
permits a market maker to avoid taking capital charges for its
proprietary positions provided, among other things, its carrying
firm takes the capital charges instead. See also, e.g., Rule 103 of
the New York Stock Exchange (setting forth requirements for
Designated Market Makers and Designated Market Maker Units).
---------------------------------------------------------------------------
Market makers would be included as Covered Entities because
disruptions to their operations caused by a significant cybersecurity
incident could have a material impact on the fair, orderly, and
efficient functioning of the U.S. securities markets. For example, a
significant cybersecurity incident could imperil a market maker's
operations and ability to facilitate transactions in particular
securities between buyers and sellers. In addition, market makers
typically are connected to a number of different Market Entities
through information systems, including national securities exchanges
and other broker-dealers.
The sixth category of broker-dealers included as Covered Entities
would be broker-dealers that operate an ATS.\152\ Since Regulation ATS
was adopted in 1998, ATSs have become increasingly important venues for
trading securities in a fast and automated manner. ATSs perform
exchange-like functions such as offering limit order books and other
order types. These developments have made ATSs significant sources of
orders and trading interest for securities. ATSs use data feeds,
algorithms, and connectivity to perform these functions. ATSs rely
heavily on information systems to perform these functions, including to
connect to other Market Entities such as broker-dealers and principal
trading firms.
---------------------------------------------------------------------------
\152\ See paragraph (a)(1)(i)(F) of proposed Rule 10.
---------------------------------------------------------------------------
A significant cybersecurity incident that disrupts an ATS could
negatively impact the ability of investors to liquidate or purchase
certain securities at favorable or predictable prices or in a timely
manner to the extent the ATS provides liquidity to the market for those
securities. Further, a significant cybersecurity incident at an ATS
could provide a gateway for threat actors to attack other Market
Entities that connect to it through information systems and networks of
interconnected information systems. In addition, ATSs are connected to
a number of different Market Entities through information systems,
including national securities exchanges and other broker-dealers.
Finally, the records stored by ATSs on their information systems
include proprietary information about the Market Entities that use
their services, including confidential business information (e.g.,
information about their trading activities).
For the foregoing reasons, the categories of broker-dealers
discussed above would be Covered Entities under proposed Rule 10. All
other categories of broker-dealers would be Non-Covered Entities.
Generally, the types of broker-dealers that would be Non-Covered
Entities under proposed Rule 10 are smaller firms whose functions do
not play as significant a role in promoting the fair, orderly, and
efficient operation of the U.S. securities markets, as compared to
broker-dealers that would be Covered Entities.\153\ For example, they
tend to offer a more focused and limited set of services such as
facilitating private placements of securities, selling mutual funds and
variable contracts, underwriting securities, and participating in
direct investment
[[Page 20231]]
offerings.\154\ Further, they do not act as custodians for customer
securities and cash or serve as a conduit (i.e., an introducing broker-
dealer) for customers to access their accounts at a carrying broker-
dealer that does maintain custody of securities and cash. Therefore,
they do not pose the risk that a significant cybersecurity incident
could lead to investors losing access to their securities or cash or
having those assets stolen. In addition, Non-Covered Broker-Dealers
likely are less connected to other Market Participants through
information systems than Covered Broker-Dealers. For these reasons, the
additional policies and procedures, reporting, and disclosure
requirements would not apply to Non-Covered Broker-Dealers.
---------------------------------------------------------------------------
\153\ For example, as discussed below in section IV.C.2. of this
release, the 1,541 broker-dealers that would be Covered Entities had
average total assets of $3.5 billion and average regulatory equity
of $325 million; whereas the 1,969 that would be Non-Covered
Entities had average total assets of $4.7 million and average
regulatory equity of $3 million. This means that Non-Covered Broker-
Dealers under proposed Rule 10 accounted for about 0.2% of the total
assets of all broker-dealers and 0.1% of total capital for all
broker-dealers.
\154\ See section IV.C.2. of this release (discussing the
activities of broker-dealers that would not meet the definition of
``covered entity'' in proposed Rule 10).
---------------------------------------------------------------------------
At the same time, Non-Covered Broker-Dealers are part of the
financial sector and exposed to cybersecurity risk. Further, certain
Non-Covered Broker-Dealers maintain personal information about their
customers that if accessed by threat actors or mistakenly exposed to
unauthorized users could result in harm to the customers. For these
reasons, Non-Covered Broker-Dealers--among other things--would be
required under proposed Rule 10 to: (1) establish, maintain, and
enforce written policies and procedures that are reasonably designed to
address their cybersecurity risks taking into account their size,
business, and operations; (2) review and assess the design and
effectiveness of their cybersecurity policies and procedures annually,
including whether the policies and procedures reflect changes in
cybersecurity risk over the time period covered by the review; (3) make
a written record that documents the steps taken in performing the
annual review and the conclusions of the annual review; and (4) give
the Commission and their examining authority immediate written
electronic notice of a significant cybersecurity incident upon having a
reasonable basis to conclude that the significant cybersecurity
incident has occurred or is occurring.\155\ The Commission's objective
in proposing Rule 10 is to address the cybersecurity risks faced by all
Market Entities but apply a more limited set of requirements to Non-
Covered Broker-Dealers commensurate with the level of risk they pose to
investors, the U.S. securities markets, and the U.S. financial sector
more generally.
---------------------------------------------------------------------------
\155\ See section II.C. of this release (discussing the
requirements for these broker-dealers in more detail).
---------------------------------------------------------------------------
c. Market Entities Other Than Broker-Dealers
The MSRB and all clearing agencies, national securities
associations, national securities exchanges, SBSDRs, SBS Entities,\156\
and transfer agents would be Covered Entities and, therefore, subject
to the additional requirements regarding the minimum elements that must
be included in their cybersecurity risk management policies and
procedures, reporting, and public disclosure.\157\ In particular,
proposed Rule 10 would define Covered Entity to include: (1) a clearing
agency (registered or exempt) under section 3(a)(23)(A) of the Exchange
Act; \158\ (2) an MSBSP that is registered pursuant to section 15F(b)
of the Exchange Act; \159\ (3) the Municipal Securities Rulemaking
Board; \160\ (4) a national securities association under section 15A of
the Exchange Act; \161\ (5) a national securities exchange under
section 6 of the Exchange Act; \162\ (6) a security-based swap data
repository under section 3(a)(75) of the Exchange Act; \163\ (7) a
security-based swap dealer that is registered pursuant to section
15F(b) of the Exchange Act; \164\ and (8) a transfer agent as defined
in section 3(a)(25) of the Exchange Act that is registered or required
to be registered with an appropriate regulatory agency (``ARA'') as
defined in section 3(a)(34)(B) of the Exchange Act.\165\
---------------------------------------------------------------------------
\156\ In addition to the requirements proposed in Rule 10
itself, the scope of certain existing regulations applicable to SBS
Entities would include proposed Rule 10 if adopted; see, e.g., 17
CFR 240.15Fk-1(b)(2)(i) (which establishes the scope of specified
chief compliance officer duties by reference to Section 15F of the
Exchange Act (15 U.S.C. 78o-10) and the rules and regulations
thereunder); 17 CFR 240.15Fh-3(h)(2)(iii)(I) (which establishes the
scope of specified supervisory requirements by reference to Section
15F(j) of the Exchange Act (15 U.S.C. 78o-10(j))).
\157\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities'').
\158\ See paragraph (a)(1)(ii) of proposed Rule 10. See also 15
U.S.C. 78c(a)(23)(A) (defining the term ``clearing agency'').
\159\ See paragraph (a)(1)(iii) of proposed Rule 10. See also 15
U.S.C. 78o-10(b). Registered MSBSPs include both MSBSPs that are
conditionally registered pursuant to paragraph (d) of Exchange Act
Rule 15Fb2-1 (``Rule 15Fb2-1'') (17 CFR 240.15Fb2-1) and MSBSPs that
have been granted ongoing registration pursuant to paragraph (e) of
Rule 15Fb2-1.
\160\ See paragraph (a)(1)(iv) of proposed Rule 10.
\161\ See paragraph (a)(1)(v) of proposed Rule 10. See also 15
U.S.C. 78o-3.
\162\ See paragraph (a)(1)(vi) of proposed Rule 10. See also 15
U.S.C. 78f.
\163\ See paragraph (a)(1)(vii) of proposed Rule 10.
\164\ See paragraph (a)(1)(viii) of proposed Rule 10. See also
15 U.S.C. 78o-10(b). Registered SBSDs include both SBSDs that are
conditionally registered pursuant to paragraph (d) of Rule 15Fb2-1
and SBSDs that have been granted ongoing registration pursuant to
paragraph (e) of Rule 15Fb2-1.
\165\ See paragraph (a)(1)(ix) of proposed Rule 10. See also 15
U.S.C. 78q-1(c)(1) (registration requirements for transfer agents);
15 U.S.C. 78c(a)(25) (definition of transfer agent) and (a)(34)(B)
(definition of appropriate regulatory agency).
---------------------------------------------------------------------------
SROs play a critical role in setting and enforcing rules for their
members or registrants that govern trading, fair access, transparency,
operations, and business conduct, among other things. SROs and SBSDRs
also play a critical role in ensuring fairness in the securities
markets through the transparency they provide about securities
transactions and pricing, and the information about securities
transactions they can provide to regulators. National securities
exchanges play a critical role in ensuring the orderly and efficient
operation of the U.S. securities markets through the marketplaces they
operate. Clearing agencies are critical to the orderly and efficient
operation of the U.S. securities markets through the centralized
clearing and settlement services they provide as well as their role as
securities depositories, with exempt clearing agencies serving an
important role as part of this process. Market liquidity is critical to
the orderly and efficient operation of the U.S. securities markets. In
this regard, SBS Entities play a critical role in providing liquidity
to the security-based swap market.
The disruption or degradation of the functions of an SRO (including
functions that support securities marketplaces and the oversight of
market participants) could cause harm to investors to the extent it
negatively impacted the fair, orderly, and efficient operations of the
U.S. securities markets. For example, it could prevent investors from
purchasing or selling securities or doing so at fair or reasonable
prices. Investors also would face harm if a transfer agent's functions
were disrupted or degraded by a significant cybersecurity incident.
Transfer agents provide services such as stockholder recordkeeping,
processing of securities transactions and corporate actions, and paying
agent activities. Their core recordkeeping systems provide a direct
conduit to their issuer clients' master records that document and, in
many instances provide the legal underpinning for, registered
securityholders' ownership of the issuer's securities. If these
functions were disrupted, investors might not be able to transfer
ownership of their securities or receive dividends and
[[Page 20232]]
interest due on their securities positions.
SROs, exempt clearing agencies, and SBSDRs connect to multiple
members, registrants, users, or others through networks of information
systems. The interconnectedness of these Market Entities with other
Market Entities through information systems creates the potential that
a significant cybersecurity incident at one Market Entity (e.g., one
caused by malware) could spread to other Market Entities in a cascading
process that could cause widespread disruptions threatening the fair,
orderly, and efficient operation of the U.S. securities markets.\166\
Additionally, the disruption of a Market Entity that provides critical
services to other Market Entities through information system
connections could disrupt the activities of these other Market Entities
if they cannot obtain the services from another source.
---------------------------------------------------------------------------
\166\ See, e.g., Implications of Cyber Risk for Financial
Stability (``[T]he interconnectedness of the financial system means
that an event at one or more firms may spread to others (the domino
effect).'').
---------------------------------------------------------------------------
SROs, exempt clearing agencies, SBSDRs, SBS Entities, and transfer
agents could be prime targets of threat actors because of the central
roles they play in the securities markets. For example, threat actors
could seek to disrupt their functions for geopolitical purposes. Threat
actors also could seek to gain unauthorized access to their information
systems to conduct espionage operations on their internal non-public
activities. Moreover, because they hold financial assets (e.g.,
clearing deposits in the case of clearing agencies) and/or store
substantial confidential and proprietary information about other Market
Entities or financial transactions, they may be choice targets for
threat actors seeking to steal the assets or use the financial
information to their advantage.
SROs, exempt clearing agencies, and SBSDRs store confidential and
proprietary information about their members, registrants, and users,
including confidential business information and personal information.
A significant cybersecurity incident at any of these types of Market
Entities could lead to the improper use of this information to harm the
members, registrants, and users or provide the unauthorized user with
an unfair advantage over other market participants and, in the case of
personal information, to steal identities. Moreover, given the volume
of information stored by these Market Entities about different persons,
the harm caused by a cybersecurity incident could be widespread,
negatively impacting many victims.
SBS Entities also store proprietary and confidential information
about their counterparties on their information systems, including
financial information they use to perform credit analysis. A
significant cybersecurity incident at an SBS Entity could lead to the
improper use of this information to harm the counterparties or provide
the unauthorized user with an unfair advantage over other market
participants. Transfer agents store proprietary information about
securities ownership and corporate actions. A significant cybersecurity
incident at a transfer agent could lead to the improper use of this
information to harm securities holders. Transfer agents also may store
personal information including names, addresses, phone numbers, email
addresses, employers, employment history, bank and specific account
information, credit card information, transaction histories, securities
holdings, and other detailed and individualized information related to
the transfer agents' recordkeeping and transaction processing on behalf
of issuers. Threat actors breaching the transfer agent's information
systems could use this information to steal identities or financial
assets of the persons to whom this information pertains. They also
could sell it to other threat actors.
In light of these considerations, the MSRB and all clearing
agencies, national securities associations, national securities
exchanges, SBSDRs, SBS Entities, and transfer agents would be Covered
Entities under proposed Rule 10 and, therefore, subject to the
additional requirements regarding the minimum elements that must be
included in their cybersecurity risk management policies and
procedures, reporting, and public disclosure.\167\
---------------------------------------------------------------------------
\167\ See paragraphs (a)(1)(ii) through (ix) of proposed Rule 10
(defining these Market Entities as ``covered entities'').
---------------------------------------------------------------------------
[…truncated; see source link]