SEC Chair Gary Gensler homed in on three policy areas concerning the SEC's role in protecting the financial sector from cyber risks: (i) cyber hygiene and preparedness, (ii) reporting of certain cyber incidents to the government, and (iii) disclosure of certain cyber incidents to the public.

In his address, Mr. Gensler analyzed SEC cybersecurity policy development in the context of four affected groups: (i) SEC registrants; (ii) public companies; (iii) service providers that work with SEC registrants; and (iv) the SEC itself.

For registrants, Mr. Gensler called for broadening and strengthening Regulation Systems Compliance and Integrity ("Reg SCI"), the core goal of which has been to limit the frequency of systems issues. Mr. Gensler recommended cyber hygiene reforms concerning compliance and bookkeeping rules affecting funds, advisors and broker-dealers, and recommended expanding and modernizing Regulation S-P to improve incident reporting and strengthen data privacy protections.

For public companies, Mr. Gensler recommended reforms to cybersecurity practices and risk disclosures, including practices with respect to governance, strategy and risk management. Mr. Gensler called for the standardization of cyber incident disclosures to promote consistency, and emphasized that public companies already have the responsibility to disclose cyber incidents when such events are material to investors.

For service providers that work with SEC registrants, Mr. Gensler noted the variety of providers that have access to registrant data, though they may not themselves be registered with the SEC. He reported that the SEC was considering requirements to identify service providers that might pose cybersecurity risks and holding registrants accountable for the cybersecurity measures of their service providers.

For the SEC itself, Mr. Gensler stated that the agency was taking measures to secure its own information and data technology, while improving data collection processes to collect only the data needed to fulfill the Commission's mission.

Primary Sources

  1. Speech by SEC Chair Gary Gensler: Cybersecurity and Securities Laws
