In a speech to the Securities Regulation Institute conference, Chair Gary Gensler signaled the SEC may implement more stringent cybersecurity regulations, and in the meantime, would work to enforce existing requirements. Since taking office in 2021, Mr. Gensler has often referred to the need for the SEC to be a “cop on the beat” to root out misconduct and address potential risk to investors. Gary Gensler, Chairman, Sec. & Exch. Comm’n, Remarks at the Securities Enforcement Forum (Nov. 4, 2021) (transcript available at https://www.sec.gov/news/speech/gensler-securities-enforcement-forum-20211104). It has become increasingly clear that Mr. Gensler views addressing cybersecurity risk and misconduct as an important part of this work. In 2021, the SEC brought several actions against financial services firms or public companies that allegedly failed to heed their obligations under the federal securities law. See, e.g., SEC Charges Issuer with Cybersecurity Disclosure Controls Failures, U.S. Sec. & Exch. Comm’n (June 15, 2021), https://www.sec.gov/news/press-release/2021-102; SEC Charges Pearson plc for Misleading Investors about Cyber Breach, U.S. Sec. & Exch. Comm’n (Aug. 16, 2021), https://www.sec.gov/news/press-release/2021-154. Mr. Gensler focused on the role the SEC should play in a collaborative effort across federal agencies and the private sector to promote robust cybersecurity. Here are some key takeaways from Mr. Gensler’s comments.
Defining the SEC’s Role in “Team Cyber”
Mr. Gensler framed cybersecurity as critical to a strong financial system and overall economic stability, especially as the financial sector has “become increasingly embedded with society’s critical infrastructure.” Gary Gensler, Chairman, Sec. & Exch. Comm’n, Speech at the Northwestern Pritzker School of Law Securities Regulation Institute Conference (Jan. 24, 2022) (transcript available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124#_ftn17) [hereinafter Gensler, Speech at Securities Regulation Institute Conference]. He described a technological landscape that includes “the interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data.” Id. The SEC’s role within this context is to “improve the overall cybersecurity posture and resiliency of the financial sector” in collaboration with other government entities Mr. Gensler named, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. Id. However, the private sector has a significant role to play in strengthening cybersecurity. To make this point, Mr. Gensler quoted President Biden’s August 2021 remarks on cybersecurity that “most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone.” President Joe Biden, Remarks on Collectively Improving the Nation’s Cybersecurity (Aug. 25, 2021) (transcript available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/08/25/remarks-by-president-biden-on-collectively-improving-the-nations-cybersecurity/). Mr. Gensler emphasized that the SEC was an important part of “Team Cyber” and has “a key role as the regulator of the capital markets with regard to SEC registrants—ranging from exchanges and brokers to advisers and public issuers” and used his speech to outline potential changes.