chevron-down Created with Sketch Beta.
    March 24, 2022 Articles

    Securities and Exchange Commission Chair Emphasizes SEC’s Role in Cybersecurity and Suggests Additional Cybersecurity Regulations are on the Horizon

    Key takeaways from Chairman Gensler’s comments.

    By Charles D. Riely, Shoba Pillay, Gregory M. Boyle, and Karolina L. Bartosik

    In a speech to the Securities Regulation Institute conference, Chair Gary Gensler signaled the SEC may implement more stringent cybersecurity regulations, and in the meantime, would work to enforce existing requirements. Since taking office in 2021, Mr. Gensler has often referred to the need for the SEC to be a “cop on the beat” to root out misconduct and address potential risk to investors. Gary Gensler, Chairman, Sec. & Exch. Comm’n, Remarks at the Securities Enforcement Forum (Nov. 4, 2021) (transcript available at https://www.sec.gov/news/speech/gensler-securities-enforcement-forum-20211104). It has become increasingly clear that Mr. Gensler views addressing cybersecurity risk and misconduct as an important part of this work. In 2021, the SEC brought several actions against financial services firms or public companies that allegedly failed to heed their obligations under the federal securities law. See, e.g., SEC Charges Issuer with Cybersecurity Disclosure Controls Failures, U.S. Sec. & Exch. Comm’n (June 15, 2021), https://www.sec.gov/news/press-release/2021-102; SEC Charges Pearson plc for Misleading Investors about Cyber Breach, U.S. Sec. & Exch. Comm’n (Aug. 16, 2021), https://www.sec.gov/news/press-release/2021-154. Mr. Gensler focused on the role the SEC should play in a collaborative effort across federal agencies and the private sector to promote robust cybersecurity. Here are some key takeaways from Mr. Gensler’s comments.

    Defining the SEC’s Role in “Team Cyber”

    Mr. Gensler framed cybersecurity as critical to a strong financial system and overall economic stability, especially as the financial sector has “become increasingly embedded with society’s critical infrastructure.“ Gary Gensler, Chairman, Sec. & Exch. Comm’n, Speech at the Northwestern Pritzker School of Law Securities Regulation Institute Conference (Jan. 24, 2022) (transcript available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124#_ftn17) [hereinafter Gensler, Speech at Securities Regulation Institute Conference]. He described a technological landscape that includes “the interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data.” Id. The SEC’s role within this context is to “improve the overall cybersecurity posture and resiliency of the financial sector” in collaboration with other government entities Mr. Gensler named, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. Id. However, the private sector has a significant role to play in strengthening cybersecurity. To make this point, Mr. Gensler quoted President Biden’s August 2021 remarks on cybersecurity that “most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone.” President Joe Biden, Remarks on Collectively Improving the Nation’s Cybersecurity (Aug. 25, 2021) (transcript available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/08/25/remarks-by-president-biden-on-collectively-improving-the-nations-cybersecurity/). Mr. Gensler emphasized that the SEC was an important part of “Team Cyber” and has “a key role as the regulator of the capital markets with regard to SEC registrants—ranging from exchanges and brokers to advisers and public issuers” and used his speech to outline potential changes.

    Additional Disclosure Obligations for Public Companies

    Mr. Gensler suggested new regulations on public companies’ disclosure obligations may be forthcoming. Currently, SEC guidelines indicate a public company must disclose certain cybersecurity risks and incidents depending on “the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” 17 C.F.R. § 229, 249 (2018) (available at https://www.sec.gov/rules/interp/2018/33-10459.pdf). A public company must also disclose “the most significant factors that make investments in the company’s securities speculative or risky,” which may include cybersecurity risks and incidents. Id. Although Mr. Gensler recognized that many public companies “already provide cyber risk disclosure to investors,” he believes that “companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.” Id. Thus, the SEC may be poised to regulate the ways in which cybersecurity disclosures are made.

    While noting the need for new rules, Mr. Gensler also emphasized that the SEC would continue to bring enforcement actions under existing law where companies failed to disclose all material facts related to a cyber incident or risk. He said, “Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures.” Mr. Gensler emphasized that “[i]f customer data is stolen, if a company paid ransomware, that may be material to investors” and would need to be disclosed. He added, “As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.” Gensler, Speech at Securities Regulation Institute Conference.

    Expected Changes to Reg SCI and Reg S-P

    Throughout his speech, Mr. Gensler also indicated a desire to extend existing regulations to apply more broadly. As part of this message, he indicated the possible “broadening and deepening” of the Regulation Systems Compliance and Integrity (Reg SCI) rule to apply to market intermediaries, such as broker-dealers and investment advisors. 17 C.F.R. § 240, 242, 249 (2015) (available at https://www.sec.gov/rules/final/2014/34-73639.pdf). Reg SCI currently applies to financial sector registrants, such as exchanges and clearinghouses, mandating that covered entities “have sound technology programs, business continuity [and disaster recovery] plans, testing protocols, data backups,” and specific recordkeeping practices. Gensler, Speech at Securities Regulation Institute Conference. Mr. Gensler likewise suggested bolstering rules on cybersecurity hygiene and incident reporting. He spoke only generally about the form these rules would take but noted that potential reform could “reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident.” Id. Mr. Gensler spoke more specifically on financial sector registrants’ responsibility towards clients and customers relating to data privacy, suggesting that the SEC may alter the timing and substance of notifications mandated by the Privacy of Consumer Financial Information rule (Regulation S-P), which requires registered broker-dealers, investment companies, and investment advisers protect customer data and provide customers with privacy policy notifications. 17 C.F.R. § 248 (2000) (available at https://www.sec.gov/rules/final/34-42974.htm).

    New Regulation for Service Providers

    Mr. Gensler suggested the SEC will address cybersecurity risk related to service providers. As Mr. Gensler emphasized, service providers “go far beyond the cloud” and “can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others.” Gensler, Speech at Securities Regulation Institute Conference. Additional regulations in this area could include holding financial sector registrants “accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information.” Id.

    As was clear throughout the speech, Mr. Gensler views addressing cybersecurity risk as an important part of the SEC’s mission. Thus, while we expect the new regulations that Mr. Gensler emphasized during his speech, we also expect the SEC to continue to bring enforcement actions under existing law.

    Charles D. Riely, Shoba Pillay, and Gregory M. Boyle are partners, and Karolina L. Bartosik is an associate with Jenner & Block LLP. The posting originally was published as a client alert by Jenner & Block on January 31, 2022.  

    Entity:
    Topic:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).