A Global Deregulation Agenda
Part II – In the United States, the SEC Hits the Brakes on Several Significant Regulatory Proposals: Implications for Investors
In mid-2025, the SEC hit pause on 14 rule proposals,[1] an explicit pivot toward easing administrative burden as part of broader deregulation initiatives. For investors and market intermediaries, the near-term effects are double-edged: fewer filings and program build-outs, but also fewer guardrails and less standardization. The retreat alters the control and monitoring environment around operational resilience, cyber risk reporting, derivatives transparency, and technology oversight, all areas that directly influence client-asset protection and the visibility of risk.
In this article, we focus on three proposals that would have had the greatest system-wide impact: cyber governance, swaps transparency, and Regulation Systems Compliance and Integrity (Reg SCI). These rules were poised to reshape day-to-day controls, disclosure practices, and tech-risk supervision, driving meaningful cost and process changes across investment managers, brokers, venues, and service providers. Their withdrawal creates an immediate gap in practices. Below, we unpack what mattered in each rule retreat and how to navigate the gap now.
Cyber Governance: Safety net or double stitching?
What it was: A new Exchange Act Rule 10 that would have required virtually every major “market entity” from broker-dealers and exchanges to clearinghouses, swap dealers, and transfer agents to establish board-level cyber governance, keep written programs, perform regular risk assessments, and review them annually.[2] It also came with “immediate” incident notification to the SEC, plus follow-ups and, in many cases, public disclosure.
Why it felt needed: Today, a single cyber breach of a market entity’s information systems, such as a broker-dealer, exchange, or clearing agency, can freeze trading, leak customer data, and dent trust. Not every firm is equally mature; a uniform baseline would have forced laggards to catch up and given the SEC real-time visibility when things break. The rule had been designed to reinforce investor and end-consumer protection.
Why critics balked: Overlap and cost. Banks already live under NYDFS 23 NYCRR 500[3] (72-hour breach notice,[4] board-approved programs), federal banking guidance,[5] and internal NIST-based controls. Adding another, even faster, reporting regime risked “check-the-box” compliance without better security, especially for midsize firms.
What the withdrawal means now: No single, comprehensive cyber rule for all market entities. Public companies still disclose cyber governance and material incidents under the 2023 rules, and FINRA will keep examining broker-dealers.[6] But the burden shifts to firms, which must maintain best practices without a new prescriptive SEC framework, and to investors, who must hold them accountable.
Swaps Transparency (Rule 10B-1): After Archegos, how bright should the light be?
What it was: Public reporting within one business day of crossing thresholds in security-based swaps for equities greater than 5% of outstanding shares or USD 300 million exposure (with a $150 million bar for certain volatile names). The idea is to surface large, hidden buildups of directional investment positions (e.g., the 2021 Archegos collapse[7]) before they unwind explosively. Reports would have identified the underlying issuer, instruments, and related positions publicly, not just to the SEC.
The case for it: Market integrity. Regulators and counterparties shouldn’t be blindsided by synthetic stakes that move prices and margin. Transparency and visibility can deter concentrated, opaque bets and prompt earlier risk-control measures by regulators or firms themselves.
The pushback: Signal versus noise — thresholds might sweep in benign hedges and flood the market with data that is difficult to parse. Duplication — the SEC already receives swap data via repositories (however, these are considered imperfect for assessing overall positions). Strategy leakage — public filings risk front-running and discourage legitimate activity. Some argued for confidential reporting instead.
What the withdrawal means now: The potential for an Archegos-sized gap in market information remains. Renewed debate is expected about Rule 10B-1, centered on confidential, regulator-only position reports. In parallel, regulators and market participants are also considering higher and clearer thresholds and better aggregation of swap repository data.
Reg SCI: The SEC’s big tent for tech integrity (and why it folded for now)
What it was: The Reg SCI package was designed to standardize cyber/tech risk across key market infrastructure entities:
- Comprehensive cyber risk programs (across advisers, brokers, funds, exchanges, clearing) with board oversight
- Fast incident reporting (often within 48 hours) via SEC forms (e.g., Form ADV-C from Rule 204-6)
- Reg SCI expansion to more entities (large broker-dealers, security-based swap dealers, platforms) and modernized systems testing/vendor oversight
Why it resonated: Markets are now overwhelmingly electronic and can therefore be said to “run on code.” Outages and cyberattacks move prices, block access, and strain settlement processes. A uniform floor reduces weak-link risk and aligns with global trends (NYDFS,[8] EU Digital Operational Resilience Act,[9] bank 36-hour notices). Also, disclosures help investors compare operational resilience.
Why it stalled: Cost, complexity, and prescriptiveness. Smaller firms feared being buried in administrative hurdles; larger firms worried about conflicting timelines and duplicative filings (e.g., NYDFS 23 NYCRR 500.17, 8-K Item 1.05, state breach notices, and 36-hour bank regulator notices). Tech evolves faster than rule text; critics preferred a principles-based approach and beefed-up supervision over a sprawling mandate.
What the withdrawal means now: Near-term compliance lifts are eased, especially for smaller firms. But the risks didn’t vanish. Expect more guidance, exams, and industry standard setting rather than an all-at-once rule. Market discipline and reputational risk management will remain the primary mechanisms in place, until the next big incident tests the sturdiness of the framework.
Overall, what does this mean for investment practitioners?
Recommended actions
- Pressure-test your incident playbook (who calls whom in the first hour, how you define “material”).
- Map overlapping regimes (NYDFS, banking, SEC disclosures, vendor contracts) and harmonize timelines now before they harmonize you.
- For derivatives, revisit counterparty concentration and synthetic exposure dashboards; don’t wait for a regulator to aggregate it for you.
Decisions to be taken
- Whether to voluntarily align to the stricter elements (e.g., 48-hour internal reporting, board-level cyber reviews). Rehearsing is cheaper than ad-libbing under fire.
- Your stance on public versus confidential transparency: What would you support if (when) 10B-1 returns? Come with thresholds and definitions that separate hedges from hazards.
What to keep an eye on
- The SEC’s next moves: lighter-touch guidance, targeted Reg SCI updates, or a refreshed swaps regime.
- FINRA’s focus areas on cyber risk, vendor oversight, and AI-driven conflicts.
- Cross-border convergence (NYDFS tweaks, EU DORA) that will set market practice even without a federal rule.
Key takeaways
- The regulatory retreat isn’t a repeal of risk. It’s a reset on method and scope. Firms still own the problem, and investors still deserve resilience.
- Cyber risk: Mind the gap. No unified, all-entity rule for now. Public-company disclosure and exams carry the baton.
- Swaps: Transparency TBD. The Archegos lesson stands; the mechanism (public versus confidential) remains the fight.
- Reg SCI: Principles beat prescriptions for now. Expect guidance and supervision to shape the floor while the SEC rethinks the ceiling.
You can read “A Global Deregulation Agenda Part I – Remembering the History of Simplifying Regulation to Liberate Growth” here.
[1]U.S. Securities and Exchange Commission, “Withdrawal of Proposed Regulatory Actions,” Federal Register 90, no. 118 (17 June 2025): 25531–25533. [Online]. Available: https://www.federalregister.gov/documents/2025/06/17/2025-11110/withdrawal-of-proposed-regulatory-actions. Accessed: 13 August 2025.
[2]U.S. Securities and Exchange Commission, Withdrawal of Proposed Regulatory Actions (Conformed to Federal Register version) (12 June 2025). [Online]. Available: https://www.sec.gov/taxonomy/term/177456?order=field_file_number&sort=desc. Accessed: 13 August 2025.
[3]New York State Department of Financial Services, “Cybersecurity Resource Center (23 NYCRR Part 500)” (updated 2023–2024). [Online]. Available: https://www.dfs.ny.gov/industry_guidance/cybersecurity. Accessed: 13 August 2025.
[4]N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17, “Notices to Superintendent,” including 72-hour incident notice and 24-hour extortion-payment notice. [Online]. Available: https://www.law.cornell.edu/regulations/new-york/23-NYCRR-500.17. Accessed: 13 August 2025.
[5]Office of the Comptroller of the Currency; Federal Reserve; FDIC, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” Federal Register, 86 FR 66424 (23 November 2021; effective 1 April 2022). [Online]. Available: https://www.occ.gov/news-issuances/federal-register/2021/86fr66424.pdf. Accessed: 13 August 2025.
[6]Financial Industry Regulatory Authority (FINRA), “2025 FINRA Annual Regulatory Oversight Report” (28 January 2025). [Online]. Available: https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report. Accessed: 13 August 2025.
[7]U.S. Securities and Exchange Commission, “SEC Charges Archegos and its Founder with Massive Market Manipulation Scheme,” Press Release No. 2022-70 (27 April 2022). [Online]. Available: https://www.sec.gov/newsroom/press-releases/2022-70.
[8]New York State Department of Financial Services (NYDFS), “Cybersecurity Resource Center,” DFS Website, 2025. [Online]. Available: https://www.dfs.ny.gov/industry_guidance/cybersecurity. Accessed: 14 Oct. 2025.
[9]European Insurance and Occupational Pensions Authority (EIOPA), “Digital Operational Resilience Act (DORA),” EIOPA Home (17 January 2025). [Online]. Available: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en.