SEC Chair Recommends Additional Cybersecurity Regulation

Commentary by Michael A. Kleinman
"Other government entities, such as the Federal Bureau of Investigation and CISA, captain Team Cyber - but the SEC has an important role to play as well. We have a key role as the regulator of the nearly-$100 trillion capital markets with regard to SEC registrants - ranging from exchanges and brokers to advisers and public issuers."
SEC Chair Gary Gensler

SEC Chair Gary Gensler outlined additional regulatory steps to protect registrants, public companies and service providers against "cybersecurity pitfalls" facing the "financial sector, investors, issuers and the economy at large."

In a speech before the joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on the securities markets' interconnectedness with American critical infrastructure, Mr. Gensler highlighted the following:

  • SEC Registrants - Regulation Systems: Mr. Gensler stated that Reg SCI should be "broaden[ed] and deepen[ed]" to go beyond its "core goal" of reducing system issues and improving resiliency to address new cybersecurity threats that have emerged since the rule's adoption in 2014. He suggested that Reg SCI should be applied to "significant entities" such as the largest market-makers and broker-dealers that currently fall outside of its scope. He also pointed to a recently re-proposed version of a 2020 SEC rule that could potentially expand the number of platforms covered by Reg SCI to include certain large government-securities trading platforms.

  • SEC Registrants - Funds, Advisers (and Broker-Dealers): Mr. Gensler stated that the cybersecurity practices of registered investment advisers, investment companies and business development companies need to be strengthened. He touted February's proposed new rule, which would require funds and companies to, among other things, (i) adopt written policies and procedures to address cybersecurity risks, (ii) disclose certain cybersecurity incidents confidentially to the SEC and/or to the public and (iii) maintain related records. Mr. Gensler noted that he has asked SEC staff to prepare recommendations or similar appropriate measures that would apply to broker-dealers.

  • SEC Registrants - Data Privacy: Mr. Gensler stated that he asked SEC staff for recommendations to consider "modern[izing] and expand[ing]" Reg S-P to address when and how registrants should update customers about cyber events - most notably data breaches.

  • Public Companies: Mr. Gensler also highlighted March's proposed new rule that requires companies to disclose, among other things, (i) governance, risk management and strategy with respect to cybersecurity threats and (ii) material cybersecurity incidents.

  • Service Providers: Mr. Gensler stated that he has directed staff to provide recommendations on how to address cybersecurity risks posed to the financial sector by service providers - particularly those offering operational services to registrants (such as investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services providers).

Commentary

Michael A. Kleinman

Embracing CISA's view that "cybersecurity is a team sport," Chair Gensler made some big plays during the winter season, underscored by the SEC's February and March proposals. What is more, his speech shows that the SEC is not taking any off-season. Chair Gensler signaled that we soon may see the SEC roll out new proposals covering, among other things, notification requirements for (i) service providers who cause cyber incidents and (ii) registrants who suffer customer data breaches (under a revised Reg S-P).

For those keeping score, a rule requiring service provider notifications would - subject to its particulars - level the playing field for service providers now subject to this month's bank notification rule. Similarly, a proposal to amend Reg S-P to require customer breach notification would mirror the FTC's proposed amendment of the Safeguards Rule, which, if adopted, would require customer notification of certain security events. While these rules and proposals may share some similarities, based on the division of federal regulatory responsibility in the financial services sector, there will no doubt be differences in definitions, notification timing and other requirements that regulated entities and their service providers and advisers will have to record and account for in their cyber playbooks. Unfortunately, absent a uniform federal privacy and security incident notification law, cybersecurity continues to be a sectoral sport dominated by individual plays.
