Earlier this month, U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler again described new cybersecurity regulations SEC staff are considering, this time in a speech before government organizations tasked with improving the security of financial sector infrastructure. In his remarks before a joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), Chair Gensler emphasized his belief that the SEC plays an important role in the Biden administration’s efforts to improve the nation’s cybersecurity. He then described the current cybersecurity policy work of the SEC, including rules the SEC has already proposed and new kinds of rules the SEC will likely propose affecting alternative trading systems, broker-dealers, investment companies, investment advisers, and service providers to financial sector entities.
Current Proposal: Public Company Cyber Disclosure Requirements
Chair Gensler began by addressing some of the SEC’s outstanding proposed rules on cybersecurity. Most recently, the SEC proposed rules requiring public companies to disclose, among other things, their data breaches and their cybersecurity policies and procedures. Chair Gensler reiterated his belief that the rules would benefit both companies and investors but did not address any public comments on the rules.
Future Proposal: New Reg SCI Requirements for Alternative Trading Systems
Chair Gensler also summarized the SEC’s recent efforts to broaden the scope of its 2014 rule on Regulation Systems Compliance and Integrity (Reg SCI), which currently imposes certain technological and business continuity requirements on covered entities like stock exchanges, clearinghouses, and alternative trading systems. This January, the SEC proposed rules that would expand the types of entities that would fall within the scope of Reg SCI. In his remarks, Chair Gensler also hinted that he thinks there “might be opportunities to deepen Reg SCI” in the future.
Future Proposal: Broker-Dealer Cyber Disclosure Requirements
In February, the SEC proposed rules that would affect registered investment advisers, investment companies, and business development companies. In short, the SEC’s proposed rules would require those entities to adopt cybersecurity policies, report cybersecurity incidents to the SEC and the public, and keep certain books and records. Significantly, Chair Gensler stated that he has asked SEC staff for recommendations on “similar appropriate measures for broker-dealers.”
Future Proposal: Reg S-P & Broker-Dealers, Investment Companies, and Investment Advisers
Following the Gramm-Leach-Bliley Act of 1999, the SEC adopted Regulation S-P (Reg S-P), which requires registered broker-dealers, investment companies, and investment advisers to adopt policies to protect consumer records and information.
Chair Gensler said that he has asked SEC staff to consider how Reg S-P may be “modernize[d] and expand[ed],” with particular emphasis on possible requirements for consumer breach notifications in the event of unauthorized access.
Future Proposal: Service Providers
Finally, Chair Gensler repeated his belief that service providers to financial sector registrants, whether or not based in the cloud, are critical to the financial sector. In his remarks this month, he stated simply that he has asked SEC staff to consider recommendations about how to “further address cybersecurity risk that comes from service providers.” Earlier this year, he mentioned specific measures that may be part of a proposed rule, including:
i) requiring registered entities to identify service providers that could pose cybersecurity risks,
ii) holding registrants accountable for their service providers’ cybersecurity measures, and
iii) imposing regulations similar to what the Bank Service Company Act imposes on service providers in the banking sector.
***
Chair Gensler’s outline of the SEC’s current and future cybersecurity policy work is in line with his address earlier this year on the same topic. Since the earlier address, the SEC has followed through and proposed multiple cyber rules presaged by Chair Gensler. If the pattern holds, the future proposals discussed above will turn into actual proposed rules sometime soon.