
Gensler Previews SEC Cybersecurity Guidance

Regulatory Agencies

Securities and Exchange Commission staff is developing recommendations targeted at strengthening the financial sector’s cybersecurity hygiene, the SEC chairman said Jan. 24.  

Speaking before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Chairman Gary Gensler said he has directed the SEC staff to develop recommendations around how to strengthen the “cybersecurity hygiene and incident reporting” of financial security registrants—including investment companies, investment advisers and broker-dealers. 

“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler stated. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”  

Registrant Accountability for Service Providers

The SEC chairman has also asked for recommendations that address cybersecurity risk originating with service providers, many of which may not be registered with the SEC, he noted. This could include requiring certain registrants to identify service providers that could pose such risks, as well as holding registrants accountable for service providers’ failure to protect against inappropriate access to investor information.

Noting that banking agencies regulate and supervise certain banks’ third-party service providers directly through the Bank Service Company Act, Gensler suggested that it “might be worthwhile to consider similar authorities for market regulators.” Service providers include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, Gensler noted.  

Broadening Reg SCI 

Revisiting Regulation Systems Compliance and Integrity (Reg SCI) was another item on Gensler’s agenda. Adopted in 2014, the rule covers a subset of large registrants—including stock exchanges, clearinghouses, alternative trading systems and self-regulatory organizations—with respect to their technology programs, business continuity plans, testing protocols and data backups. 

While noting that a lot has changed in the ensuing eight years, the chairman said he asked the staff to consider how the Commission might broaden the rule, such as applying Reg SCI to other entities it does not currently cover, such as the largest market-makers and broker-dealers. 

Data Privacy and Disclosure

Modernizing Regulation S-P is another area ripe for updating, according to Gensler. Adopted in the wake of the Gramm-Leach-Bliley Act of 1999, Reg S-P requires registered broker-dealers, investment companies and investment advisers to protect customer records and information. “In particular, I’ve asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information. This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P,” he said.

Public companies’ disclosure with respect to cyber risk and cyber events was also singled out. Here, Gensler noted that he asked for recommendations around companies’ practices with respect to cybersecurity governance, strategy and risk management.

“A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner,” Gensler explained, adding that he also asked for recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.

SEC’s Reg Agenda

While Gensler did not address the timing of these potential reforms, the SEC’s regulatory agenda includes two items showing that the Commission plans to consider proposed rules to enhance issuer disclosures regarding cybersecurity risk and related governance, as well as to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks. The Commission has a target date for releasing the proposed rules by April 2022. 

The SEC has also recently issued risk alerts, announced sanctions and warned that its examination priorities will include a greater focus on cybersecurity practices to safeguard customer accounts and prevent account intrusions. 
