As discussed in prior updates, the Securities and Exchange Commission (SEC) has increased its efforts with regard to cybersecurity. Towards that end, Chair of the SEC, Gary Gensler, discussed the SEC’s cybersecurity focus during his address at the 2022 Annual Securities Regulation Institute, including different areas where the SEC is analyzing cybersecurity regulations given the importance of cybersecurity to our economy and national cybersecurity initiatives. Below are some highlights.
More Regulations for Broker-Dealers, Advisors, and Funds
Mr. Gensler announced that the SEC is considering additional cybersecurity and incident reporting regulations for entities such as broker-dealers, investment advisors, and funds. He explained that such regulations “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risk.” Further, Mr. Gensler noted opportunities to expand Regulation S-P to modernize how consumers would receive notifications about data breach cybersecurity events.
Cyber Events and Cyber Risk Disclosures for Public Companies
Mr. Gensler further spoke about cybersecurity events and the SEC’s recent enforcement actions against public companies for failure to disclose such cybersecurity information. Given that, Mr. Gensler announced that the SEC is analyzing companies’ cybersecurity practices with respect to “cybersecurity governance, strategy, and risk management.” Mr. Gensler also stressed the importance of disclosing cyber risk information in a consistent manner to investors and, thus, the SEC is considering a rule requiring uniform disclosure of cyber risks and when cyber events have occurred.
Financial Sector Service Providers
Mr. Gensler also noted that he has asked his staff to analyze how to address cyber risks arising from other financial service providers that are not required to register with the SEC, such as fund administrators, data analytics providers, as well as pricing and trading management services. Mr. Gensler provided some thoughts such as requiring registrants to identify service providers (vendors) and/or holding registrants responsible for their vendors’ cybersecurity measures, including protecting against inappropriate access and investor information.
In sum, cybersecurity will be a top priority for the SEC in 2022 and the SEC will work to protect entities as well as enforce its regulations. In other words, given the above-referenced details, entities should plan appropriately for 2022.
Mr. Gensler’s keynote address is available at the following link:
SEC.gov | Cybersecurity and Securities Laws