The Securities and Exchange Commission (SEC) said it is preparing rules aimed at reinforcing cybersecurity in publicly listed companies (PLCs), exchanges, and other capital market participants amid the rise of digital transactions in the country.
The agency released on Wednesday, Dec. 16, a draft memorandum circular seeking to require all securities market participants, including broker-dealers, asset managers, transfer agents, and self-regulatory organizations (SROs), to adopt best practices in dealing with cybersecurity risks.
These include the identification of critical assets, information and systems, adoption of organizational or technical measures to protect information systems, as well as the formulation of a response plan and recovery plan in the event of cybersecurity breaches.
Under the proposed rules, a regulated entity must create a management group called the Information Security Group (InfoSec Group), separate from its existing Information Technology Group, and appoint a Chief Information Security Officer.
The InfoSec Group shall take charge of formulating and enforcing an enterprise information security policy, issue-specific security policies and system-specific policies, along with an employee security education, training and awareness program, risk management program, and contingency programs.
The draft rules also state that regulated entities must implement policies and procedures that will protect the privacy of their clients’ personal information, and notify them of instances when failure to protect such information occurs.
The InfoSec Group or senior management of the regulated entity must then report the results of the regular review to the SEC, as frequently as may be deemed necessary.
Meanwhile, PLCs are required to make full, accurate, and timely disclosure of financial results, risks, and other information that is material to investors’ decisions.
Risk factors, such as the reasons why the issuer is subject to cyber risk, as well as the source and nature of that cyber risk, must also be disclosed in the PLC’s registration statement.
In addition, PLCs must consider including the cost of ongoing cybersecurity efforts and the costs and other consequences of cybersecurity incidents, among others, in the management discussion and analysis.
The draft guidelines also state that companies and their directors, officers, and other corporate insiders should be mindful of complying with insider trading-related laws when handling information on cybersecurity risks and incidents.
On the other hand, SROs and other entities with a secondary license from the SEC, including brokers and dealers, exchanges, transfer agents, clearing agencies and securities depositories, are directed to work together with the SEC to protect investor privacy and strengthen trading systems’ infrastructure.
Once the rules are approved, failure to comply with them will result in the imposition of administrative sanctions, in addition to those already provided by law and other existing regulations.
The guidelines are being drafted in accordance with the government’s 12-point National Security Agenda, which seeks to pursue and advance cybersecurity to protect the country from computer-generated or cyber attacks that may adversely impact the economy.