The Securities and Exchange Commission (SEC) is preparing new rules to beef up cybersecurity in publicly listed companies (PLCs), exchanges and other capital market participants amid the surge in digital transactions in the country.
The Commission has released a draft memorandum circular seeking to require all securities market participants, including broker-dealers, asset managers, transfer agents and self-regulatory organizations (SROs), to adopt best practices in dealing with cybersecurity risks.
These include the identification of critical assets, information and systems, adoption of organizational or technical measures to protect information systems, as well as the formulation of a response plan and recovery plan in the event of cybersecurity breaches.
Under the proposed rules, a regulated entity must create a management group called the Information Security Group (InfoSec Group), separate from its existing Information Technology Group, and appoint a Chief Information Security Officer.
The InfoSec Group shall take charge of formulating and enforcing an enterprise information security policy, issue-specific security policies and system-specific policies, along with an employee security education, training and awareness program, risk management program, and contingency programs.
The draft rules also state that regulated entities must implement policies and procedures that protect the privacy of their clients' personal information, and notify clients of instances in which a failure to protect such information occurs.
Self-regulatory organizations are further instructed to disclose their institutional privacy policy to clients.
Regulated entities must conduct a regular review of their cybersecurity framework to ensure it remains adequate to manage the adverse impacts of cyber risks and information technology risks on their business.
The InfoSec Group and/or senior management of the regulated entity must then report the results of the regular review to the Commission, as frequently as may be deemed necessary.
Meanwhile, PLCs are required to make a full, accurate, and timely disclosure of financial results, risk, and other information which are material to investors’ decisions.
Risk factors such as reasons why the issuer is subject to cyber risk, as well as the source and nature of the cyber risk must also be disclosed in the PLC’s registration statement.
In addition, PLCs must consider including the cost of ongoing cybersecurity efforts and the costs and other consequences of cybersecurity incidents, among others, in the management discussion and analysis.
The draft guidelines also state that companies and their directors, officers, and other corporate insiders should be mindful of complying with insider trading-related laws when handling information on cybersecurity risks and incidents.
On the other hand, SROs and other entities with a secondary license from the Commission, including brokers and dealers, exchanges, transfer agents, clearing agencies and securities depositories, are directed to work together with the SEC to protect investor privacy and strengthen the infrastructure of trading systems.
Once the rules are approved, failure to comply will result in the imposition of administrative sanctions, in addition to those already provided by law and other existing regulations.