SEC Seeks Comment on Cybersecurity Issues in ANPR for Transfer Agents
On December 22, the Securities and Exchange Commission (SEC) issued an advance notice of proposed rulemaking (ANPR) for new transfer agent requirements. It also issued a concept release seeking public comment on the SEC’s broader review of transfer agent regulation. In the ANPR, the SEC specifically cited cybersecurity as an area in which the Commission intends to propose new rules and rule amendments.
The SEC plans to propose certain amendments to the transfer agent rules to address how technology in general and cybersecurity risks in particular affect transfer agents and their activities, and how transfer agents’ technology and information systems, including securityholders’ data and personal information, may be related to their safeguarding activities. The plan is due in part to two concerns: that widely varying transfer agent safeguarding procedures and controls could create uncertainty and risk in the market, and that insufficient safeguarding of information and data could lead to the loss of information, theft of securities or funds, fraudulent securities transfers, or the misappropriation or release of private securityholder information to unauthorized individuals. Specifically, the Commission intends to propose new or amended rules requiring registered transfer agents to, inter alia, create and maintain (1) a written business continuity plan, tailored to the size and activities of the transfer agent, identifying procedures relating to an emergency or significant business disruption, including provisions such as data back-up and recovery protocols; (2) basic procedures and guidelines governing the transfer agent’s use of information technology, including methods of safeguarding securityholders’ data and personally identifiable information; and (3) appropriate procedures and guidelines related to a transfer agent’s operational capacity, such as IT governance and management, capacity planning, computer operations, development and acquisition of software and hardware, and information security.
In connection with these planned rules and amendments, the SEC is seeking comment on a variety of transfer agent cybersecurity issues, particularly issues related to (1) safeguarding securityholder information and data and (2) operational risk, cybersecurity, and other technology-related issues. Once the ANPR and the concept release are published in the Federal Register, a 60-day public comment period will follow, covering these cybersecurity inquiries and the other issues on which the SEC seeks comment in the two documents.