Bates Research | 03-30-23

SEC, White House Announce New Cybersecurity Strategy and Rules; Over $10.2 Billion in Losses, says FBI Cyber Report

In response to the threat from cyber actors “who use constantly evolving and sophisticated tactics, techniques, and procedures to cause harmful cybersecurity incidents,” the SEC proposed a new set of comprehensive rules intended to mitigate that risk. The rule proposal imposes substantial new requirements on certain securities market entities and broker-dealers (“covered entities”) and is intended to protect securities markets and investors from cybersecurity threats. The proposal is consistent with the White House’s recent announcement of a new comprehensive National Cybersecurity Strategy and the annual FBI report on cybercrime trends based on 2022 data. Here’s what you need to know.

Policies and Procedures under Proposed Rule 10

On March 15, 2023, the SEC proposed new Rule 10, which would require financial institutions “to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.” Rule 10 would require that policies and procedures include (i) periodic assessments of risk to the firm’s information systems, and documentation of those assessments; (ii) controls to minimize user-related risks and to prevent unauthorized access to information systems; (iii) internal monitoring and oversight over the firm’s information systems, including as to service providers that interact with the information systems; (iv) methods to detect, mitigate and remediate cyber threats and vulnerabilities; and (v) methods to detect, respond to, and recover from a cybersecurity incident.

All firms would have to review their cybersecurity policies and procedures to ensure they are addressing new and evolving risk.

Reporting under Proposed Rule 10

Under the proposed new rule, covered entities would have to give notice of a significant cybersecurity incident once they have a reasonable basis to think it occurred or is occurring. That written electronic notice must be reported to the SEC by filing new proposed Form SCIR which covers information about the incident and subsequent response and recovery efforts.

A second part of the new Form concerns summary descriptions to be publicly posted on the firm’s website. Broker dealers would be required to provide the form to customers annually, when they open an account, and when the forms are updated.

New White House National Cyber Strategy

On March 3, 2023, the White House unveiled its National Cybersecurity Strategy, declaring “fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” Generally, the new strategy would (i) “shift[ ] the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks;” and (ii) “realign incentives” to defend against urgent cyber threats while “investing in a resilient future.”

First, the strategy would expand regulatory requirements in “critical sectors” (i.e., the financial sector) and update federal networks and federal incident response policy. Second, the new strategy would require greater public-private engagement to disrupt malicious cyber activities “through scalable mechanisms,” and it proposes a comprehensive approach to address ransomware. Third, in relevant part, the new strategy would place the burden of mitigating cyber risks to the privacy and the security of personal data on market entities rather than on individuals, and would “shift liability for software products and services to promote secure development practices.” Fourth, to enhance market resiliency, the strategy would prioritize “cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure. Finally, the strategy calls for strengthening international collaboration to counter cyber threats. Implementation of the strategy across the Federal system is under the authority of the Office of the National Cyber Director.

FBI 2022 Cyber Report

In its annual report on Internet Crime, published in March 2023, the FBI tabulated complaints filed in 2022 with its Internet Crime Complaint Center (“IC3”). The IC3 is the repository for individual complaints involving a host of cyber-crimes (e.g., hacking, trade secret theft, money laundering, extortion, identity theft, etc.). The IC3 correlates these complaints with data from other sources to support their fieldwork, but also to track trends and threats. The latest report on 2022 data reinforces the concerns expressed by the White House about the increase in number and type of risk cybercrimes pose. It also supports the rationale behind the SEC’s proposed rule.

In 2022, the IC3 reported over 800,000 complaints with over $10 billion in losses. In the report, the IC3 highlighted complaints on business email fraud, investment scams, ransomware, and call center fraud. The numbers are significant. The report cites 21,832 business email complaints (primarily related to compromised accounts and fund transfers) with losses in excess of $2.7 billion. Losses from investment fraud complaints more than doubled since last year, rising to $3.31 billion in 2022. Cryptocurrency investment fraud specifically, rose as well, with losses approaching $2.57 billion in 2022. Noted examples of crypto-investment schemes in 2022 include: “liquidity mining” (victims are induced to link their crypto-wallets to a fraudulent liquidity mining application); hacking into a victim’s social media to perpetrate investment fraud; celebrity endorsements and fraudulent inducements; online real estate scams; and online offers of employment that lead to investment fraud.

In addition, IC3 highlighted over 2000 filed ransomware complaints with adjusted losses totaling more than $34 million. In particular, IC3 noted the 870 complaints related to critical infrastructure sectors (notably, 88 directed at the financial services sector and 107 targeting information technologies.) The highest number of complaints in critical infrastructure concerned the health care sector at 210.

According to the report, the top five cyber-related crime types involved (i) tech support (posting a Year-Over-Year increase at over 32,000;) (ii) extortion (at a similar YOY pace at over 39,000;) (iii) non-payment/non-delivery (a significant reduction YOY at 51,000;) (iv) personal data breach (a substantial increase YOY at almost 59,000;) and phishing complaints (by far the most-reported complaints at over 300,000).

Conclusion

The SEC’s proposed new Rule 10 is consistent with the President’s newly announced national cyber strategy. The FBI report underscores the argument that cyber-crime poses a devastating threat to the economy, securities markets and retail investors thereby justifying the new rules and additional compliance requirements on cybersecurity. As acknowledged in the strategy, the administration recognizes how burdensome these new requirements may be. And that will, no doubt, be the subject of many comments on the SEC’s proposed rule. Those comments will be due 60 days after the proposed rule is published in the Federal Register. Bates will keep you apprised.