SEC pushes cyber resilience frameworks for capital markets

The Securities and Exchange Commission (SEC) is moving to require capital market participants to build their own cyber resilience frameworks, stepping up defenses against cyber threats as digital risks increasingly test investor confidence and market stability.

systemic risks. By tightening cyber resilience expectations, the SEC aims to strengthen trust in the Philippine capital market and align industry practices with national security goals.

What’s happening

On Dec. 17, the SEC released for public comment the latest draft memorandum circular on Guidance for Regulated Entities on Establishing and Maintaining a Cyber Resilience Framework.

The proposal supports the government’s National Cybersecurity Plan 2023–2028, which treats cybersecurity as essential to economic development, peace, and national security.

Who’s covered

The proposed rules apply broadly across the capital market, including:

  • Publicly listed companies
  • Broker-dealers and investment houses
  • Exchanges and self-regulatory organizations
  • Clearing agencies, securities depositories, and transfer agents

What’s required

Under the draft guidance, regulated entities must adopt a cyber resilience framework that clearly defines:

  • Cyber resilience objectives and risk tolerance
  • Processes to identify, mitigate, and manage cyber risks
  • Controls that support business continuity and market stability

Boards of directors will be required to exercise direct oversight of cybersecurity risks, elevating cyber resilience to a governance-level responsibility.

New roles, new accountability

Each covered entity will also be required to create or appoint a Computer Emergency Response Team (CERT).

To lead this team, firms must designate a chief information security officer (CISO)—a newly mandated role responsible for coordinating cybersecurity efforts and serving as the main liaison among senior management, system owners, and security officers.

Third-party risk

The draft guidelines make clear that firms remain responsible for the cybersecurity of systems they rely on—even when those systems are managed by third parties.

Entities using third-party owned Critical Information Infrastructure must secure legally binding agreements ensuring compliance with cybersecurity standards, including requirements for:

  • Incident reporting
  • Audits
  • Risk assessments

Disclosure rules

If a cyber incident is deemed material, the affected entity must disclose details to the SEC within five days, including the incident’s nature, scope, timing, and actual or potential impact on financial condition and operations.

Bottom line

The SEC’s proposal signals a tougher regulatory stance on cyber risks, pushing capital market players to formalize cyber resilience as a core part of governance, risk management, and investor protection. —Ed: Corrie S. Narisma

Friday, 19 December 2025
© 2024 InsiderPH, All Rights Reserved.