SEC Proposes Updates to Cyber and Data Security Rules

One new rule from the SEC would update Reg SCI; the other would update Reg S-P, both to require more timely reporting of data breaches.


The SEC last week proposed changes to Regulation Systems Compliance and Integrity (Reg SCI) and Regulation S-P, also called the Safeguarding Rule, at an open hearing.

Reg SCI

The current Reg SCI, adopted in 2014, requires SCI entities to have security policies, take corrective action in response to system issues and undergo business continuity and disaster recovery (BC/DR) testing. Under the proposal, BC/DR tests must also address the unavailability of a third party to which the SCI entity outsources. SCI entities would also have to immediately notify the SEC of a wider range of cyber events, such as those that deny access to the SCI entity’s systems and processes.

SCI entities include self-regulatory organizations like FINRA, stock and options exchanges, registered clearing agencies and alternative trading systems.


If the new rule is adopted, SCI entities would have to make significant changes to some of their policies. They would need to update their procedures to include “the maintenance of a written inventory and classification of all SCI systems and a program for life cycle management; a program to prevent the unauthorized access to such systems and information therein; and a program to manage and oversee certain third-party providers, including cloud service providers, of covered systems.”

The proposed update to Reg SCI would also expand the entities that are subject to the rule. Currently, SCI entities are those involved in trading, clearance and settlement, and market regulation. Under the proposal, registered security-based swap data repositories, clearing agencies that are exempt from registration and large broker/dealers would also be subject to the rule.

The proposal was approved by a 3-2 vote, with SEC Commissioners Mark Uyeda and Hester Peirce dissenting. Uyeda expressed specific concern about the reporting requirements of the proposed Reg SCI and how they would interact with reporting requirements from other rules. Reg SCI requires immediate notification to the SEC of “significant cybersecurity incidents.” Uyeda wrote that overlapping reporting requirements can be confusing and might undermine cybersecurity if registrants are more concerned about reporting in a timely manner than addressing the breach.

Reg S-P

An update to Reg S-P, which was also proposed by the SEC on Wednesday, would require broker/dealers, registered investment advisers and transfer agents to adopt policies for the protection of customer records and notify clients affected by data breaches that put them at risk. Covered institutions must have written policies that outline an incident response program to address unauthorized access to customer information and to provide timely notification to affected individuals.

The covered institutions must inform customers of a data breach “as soon as practicable,” but cannot wait longer than 30 days from the date they became aware of the breach.

SEC Commissioner Caroline Crenshaw, who voted for both proposals, said the update to Reg S-P is important because it would expand safeguarding requirements to transfer agents, who are not covered under the existing Reg S-P, which was finalized in 2000.

SEC Chairman Gary Gensler, who also voted for both proposals, said in a statement that covered institutions currently have no obligation to inform their customers of data breaches, even though awareness would allow those customers to take steps to mitigate the damage done to them by the breach.


French Fume as Macron Bypasses Parliament to Pass Pension Reform

Widespread protests and no-confidence votes respond to move to force through legislation that increases the retirement age to 64 from 62.



Major protests erupted in France again last week when French President Emmanuel Macron used executive branch constitutional powers to bypass parliament and push through a controversial pension reform that increases the retirement age by two years to 64.


The government faces two no-confidence votes on Monday afternoon in France as a result of the move, which came just before the pension reform plan was to be voted on by the National Assembly, France’s lower house of Parliament. Instead, Prime Minister Élisabeth Borne announced the government would invoke Article 49.3 of France’s constitution.



Article 49.3 gives the executive branch the power to force a bill through the National Assembly without a vote. While the French Senate had already approved the measure, it had become apparent after weeks of debate that it would not pass the lower house, which spurred Macron to make the controversial decision.


When Article 49.3 is triggered, the opposition parties by law are given 24 hours to file a no-confidence motion against the government signed by at least 10% of the members; both the far-right National Rally and a coalition of other opposition parties filed motions on Friday. If the no-confidence motions are rejected, the bill is passed. But if either motion of no confidence is supported by a majority of members, the bill is rejected, Borne must resign and Macron could either appoint a new prime minister or dissolve parliament and hold fresh elections. This, however, is extremely rare: It has only happened once, back in 1962.


In January, Macron announced plans to reform the French pension system, which included raising the retirement age for French workers to 64 from 62. The announcement angered many French and led to widespread protests.


All French retirees currently receive a state pension that averages approximately €1,400 ($1,490) per month, which is funded by contributions from current workers. The French government says the reform is needed because the system is being jeopardized by an aging population that has resulted in an increasing number of retirees supported by a decreasing number of contributors.


Under the French government’s plan, the retirement age will be raised by three months per year, starting in September 2023, until it reaches the target age of 64 in 2030. The reforms also mean that, beginning in 2027, it will be necessary to have worked 43 years to receive a full pension; in past reforms, that requirement would not phase in until 2035.


According to the Organization for Economic Cooperation and Development, France has one of the lowest retirement ages in the industrialized world and spends nearly 14% of its economic output on pensions, which is more than most countries.

