THE SECURITIES and Exchange Commission (SEC) has released a draft memorandum circular for public comment requiring capital market participants to implement cyber resilience frameworks.
The draft circular, issued on Dec. 17, is open for comments until Jan. 16, 2026. It mandates regulated entities to establish frameworks that define objectives, risk tolerance, and procedures to identify, mitigate, and manage cyber risks.
“The proposal is in line with the government’s National Cybersecurity Plan 2023 to 2028, which recognizes cybersecurity as critical to peace, security and economic development,” the commission said in a statement on Thursday.
The guidelines cover publicly listed companies, broker-dealers, investment firms, exchanges, self-regulatory organizations, clearing agencies, securities depositories, transfer agents, and other capital market participants of similar nature.
The SEC said boards of directors must oversee cybersecurity risks and establish or appoint a Computer Emergency Response Team (CERT) led by a chief information security officer (CISO).
“The CISO will be responsible for carrying out the responsibilities of the chief information officer and serve as the primary liaison to the company’s authorizing officials, information system owners, and information system security officers,” the commission added.
The draft also holds regulated entities accountable for cybersecurity and resilience even when third parties manage their systems. Entities relying on third-party Critical Information Infrastructure must secure legally binding agreements to ensure compliance with standards such as incident reporting, auditing, and risk assessment.
“If a covered entity experiences a cyber incident that is determined to be material, it should disclose to the SEC within five days after the occurrence of the event the nature, scope, and timing of the incident. The company should also report its material impact or reasonably likely material impact on the entity, including its financial condition and results of operation,” the SEC said. — Alexandria Grace C. Magno
