SEC chair signals continuing focus on cybersecurity governance
In a speech to Northwestern’s Pritzker School of Law, Securities and Exchange Commission (SEC) Chair Gary Gensler outlined a number of initiatives aimed at strengthening the cybersecurity posture of financial sector and other SEC registrants. His remarks focused on rules and policy that would affect the following four target groups: financial sector SEC registrants; public companies; service providers to SEC financial sector registrants that may not be SEC registrants themselves; and the SEC itself.
In his January 24 remarks discussing cybersecurity initiatives, Chair Gensler cited the significant economic costs of cyberattacks, national security concerns, and the broad range of cybersecurity attack targets (including financial institutions). He also emphasized the key role that cybersecurity governance increasingly plays in achieving the SEC’s goal of maintaining orderly markets. He noted that both the private sector and the federal government have roles to play in securing the country’s critical infrastructure and information technology assets from cybersecurity threats.
Gensler’s two key points
While the initiatives are important, Chair Gensler made two key points that companies should focus on. First, he outlined why cyber is such a pervasive problem, as well as the potential harm that can be inflicted:
The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating. State actors and non-state hackers alike sometimes try to target various entities and businesses. Why? To steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities. All this puts our financial accounts, savings, and private information at risk.
Second, Chair Gensler outlined his policy priorities at the SEC, stating:
Though plenty of this work takes place in the private sector and elsewhere in the government, when contemplating cybersecurity policy at the SEC, I think about it in three ways:
- cyber hygiene and preparedness
- cyber incident reporting to the government
- in certain circumstances, disclosure to the public.
The initiatives that Chair Gensler discussed are summarized briefly as follows:
Financial sector SEC registrants
- Revising Regulation Systems Compliance and Integrity (Reg SCI), which regulates a subset of large registrants such as stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations and requires those entities to have certain information security measures in place. The SEC is considering both broadening the scope of the entities to which the regulation applies (eg, to include certain large market-makers and broker-dealers not already subject to the regulation) and making the cybersecurity requirements under the regulation more robust.
- Revising existing rules that apply to all financial sector registrants to strengthen cybersecurity governance at those institutions and require enhanced cybersecurity-related disclosures to investors and the SEC.
- Revising Regulation S-P, which regulates registered broker-dealers, investment companies and investment advisors, to include requirements related to cybersecurity incident notification, and to revise requirements as to the timing and content of currently required notifications.
Public companies
- Enhancing public company requirements related to cybersecurity governance and disclosures, including by creating rules that drive more consistent and comparable cybersecurity disclosures, and requiring updated disclosures when cyber events happen.
Service providers
- Addressing cybersecurity risk originating from service providers that play a role in the financial services sector but may not be registered themselves. Examples of these service providers include cloud services providers, investor reporting systems, fund administrators, custodians, trading and order management systems, and data services providers. Measures that the Chair proposed include requiring registrants to identify service providers that may pose cybersecurity risk and making registrants liable for service providers that fail to adequately protect information.
The SEC itself
- Continuing to protect SEC and industry data and SEC systems, and evaluating and improving the SEC’s data collection processes, including by adhering to data minimization principles.
Although the initiatives above appear to be in early stages, with SEC staff having been tasked with making recommendations related to each proposal in most cases, the SEC’s cyber-related enforcement activities over the past year and Chair Gensler’s remarks make clear that cybersecurity is front and center at the SEC. Registrants and related entities may wish to revisit their governance, disclosures and compliance with the evolving cybersecurity-related rules and regulations.
For more information, please contact the authors of this article or your DLA Piper relationship attorney.