U.S. SEC Gensler Considers Updating Cybersecurity Rules

January 26, 2022
Gary Gensler, chairman of the U.S. Securities and Exchange Commission (SEC), has said his agency is looking at ways to modernize cybersecurity rules applicable to public companies and SEC registrants.

Just a few days after the UK government published a proposal to strengthen the country's cybersecurity laws, Gensler revealed that he has directed his staff to analyze and make recommendations on a number of rules that govern cybersecurity practices of public firms and other SEC supervised entities.

The announcement follows recent high-profile cyber-attacks that cost Americans millions of dollars in ransom payments.

Although the efforts to fight cyber-attacks are often led by other government entities, such as the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, “the SEC has a role to play as well.”

Speaking at the Northwestern Pritzker School of Law's Annual Securities Regulation Institute, Gensler stressed that “cybersecurity is a team sport.”

“[W]e’re living in a time of rapid technological changes subject to ever present cybersecurity challenges. These cyber risks have implications for the financial sector, investors, issuers and the economy at large.

“The SEC has a role to play, along with the rest of Team Cyber.”

As part of this role, Gensler has said he has directed his staff to analyze the SEC’s rules that implicate cyber risk and make recommendations on how to improve them.

These rules typically apply to four types of entities: SEC registrants in the financial sector, such as broker-dealers, investment companies, or registered investment advisors; public companies; service providers that work with SEC financial sector registrants; and the SEC itself.

For public companies, Gensler underscores the importance of disclosure rules in protecting investors.

Therefore, he has asked his SEC staff to make recommendations around improving company cybersecurity practices and cyber risk disclosures, including their cybersecurity governance, strategy, and risk management.

Although a lot of issuers already provide cyber risk disclosure to investors, the SEC chair says companies and investors “would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”

In addition, the SEC is also considering ways to update companies’ disclosures to investors when cyber events have occurred.

Gensler pointed out in his speech that many service providers, such as cloud providers, investor reporting systems, custodians, data analytics, and pricing and other data services, play critical roles within the financial sector, but they fall outside the scope of SEC supervision.

SEC staff will prepare recommendations around how it can further address cybersecurity risk that comes from service providers.

“This could include a variety of measures, such as requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information,” Gensler said.

The SEC chair is also looking at regulations around implementing the Gramm-Leach-Bliley Act 1999 (GLBA), which governs privacy notices and data safeguarding practices of companies that offer consumers financial products.

“More than two decades since Reg S-P was adopted — an eternity in the cybersecurity world — I think there may be opportunities to modernize and expand this rule,” he said.

The SEC will analyze how customers and clients receive notifications about data breaches, including when consumers’ personally identifiable information is stolen. This could result in proposals to alter the timing and substance of the notifications currently required under the GLBA regulations.

Finally, for cybersecurity rules relating to large registrants, such as clearinghouses, alternative trading systems, and self-regulatory organizations, as well as advisors and broker-dealers, the SEC's modernization efforts are largely focused on improving the cybersecurity hygiene of these entities.
