(Article from Registered Funds Regulatory Update, April 2022)
In a January 24, 2022 speech, SEC Chair Gary Gensler said that, given the continued rise of cybersecurity incidents and the ever-evolving cybersecurity risk landscape, the SEC remains focused on improving the overall cybersecurity defense of the financial sector as well as its resiliency. Gensler noted that he thinks about cybersecurity policy at the SEC in three ways: cyber hygiene and preparedness; government reporting of cyber incidents; and, in certain cases, public disclosure.
Gensler first noted that he sees an opportunity to revisit Regulation Systems Compliance and Integrity (“Reg SCI”), which, adopted in 2014, covers a subset of large registrants like stock exchanges, clearinghouses, and self-regulatory organizations. Reg SCI helps ensure these large entities have sound technology programs, business continuity plans, testing protocols, and data backups. Gensler stated that he has asked the SEC Staff to review how the SEC might broaden the rule, for example, by possibly applying Reg SCI to other entities not currently covered, including broker-dealers. Gensler also stated that he has asked the Staff to make recommendations for the SEC’s consideration around how to strengthen cybersecurity hygiene and incident reporting for a broader group of financial sector registrants, like investment companies, investment advisers, and broker-dealers, not covered by Reg SCI.
With regard to data privacy, Gensler also sees an opportunity to modernize Reg S-P, which requires broker-dealers, investment companies, and investment advisers to protect customer records and information. In particular, he has asked the Staff for recommendations on how “customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information.” Reforms might include proposing to alter the timing and substance of the notifications currently required under Reg S-P.
On public companies, Gensler has asked the Staff to make recommendations around companies’ cybersecurity practices and cyber risk disclosures—which may include their practices with respect to cybersecurity governance, strategy, and risk management—and whether and how to update disclosures to investors when cyber events have occurred.
Noting that service providers provide critical services to SEC financial sector registrants but are not typically registered with the SEC, Gensler has also asked the Staff to make recommendations addressing the cyber risks unique to the services they provide. This may include holding SEC registrants accountable for their service providers’ cybersecurity programs as they relate to protecting shareholder information against inappropriate access.
Gary Gensler, SEC Chair, Speech, Cybersecurity and Securities Laws (Jan. 24, 2022), available at: https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124.