Securities and Exchange Commission Chairman Highlights SEC’s Role in Cybersecurity, Suggests Additional Cybersecurity Regulations Are on the Horizon


In a speech last week at the Securities Regulation Institute conference, Chairman Gary Gensler signaled that the SEC may adopt more stringent cybersecurity regulations and, in the meantime, will enforce compliance with existing requirements. Since taking office in 2021, Mr. Gensler has often spoken of the need for the SEC to be a “cop on the beat” to root out misconduct and address potential risks to investors.1 It has become increasingly clear that Gensler views cybersecurity risk management as an important part of that job. In 2021, the SEC brought several enforcement actions against financial services firms and public companies that allegedly failed to meet their cybersecurity-related obligations under the federal securities laws.2 In his speech, Gensler focused on the role the SEC should play in a collaborative effort between federal agencies and the private sector to promote robust cybersecurity. Here are some key takeaways from Gensler’s comments.

Defining the role of the SEC in “Team Cyber”

Gensler called cybersecurity essential to a strong financial system and to overall economic stability, especially as the financial sector is “increasingly integrated into the critical infrastructure of society.”3 He described a technology landscape that includes “the interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data.”4 The SEC’s role in this context is “to improve the overall cybersecurity posture and resilience of the financial sector,” in conjunction with other government entities named by Mr. Gensler, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency.5 The private sector, however, also has an important role to play in strengthening cybersecurity. To make the point, Gensler cited President Biden’s August 2021 remarks on cybersecurity that “most of our critical infrastructure is privately owned and operated, and the federal government can’t meet this challenge alone.”6 Mr. Gensler described the SEC as an important part of “Team Cyber” with “a key role as regulator of the capital markets as it relates to SEC registrants – ranging from stock exchanges and broker-dealers to advisers and to public issuers,” and used his speech to outline potential changes.

Additional disclosure obligations for public companies

Mr. Gensler hinted that new rules on public company disclosure obligations could emerge. Currently, SEC guidance states that a public company must disclose certain cybersecurity risks and incidents based on “the potential significance of any identified risk and, in the event of an incident, the significance of any compromised information and the impact of the incident on business operations.”7 A public company must also disclose “the most significant factors that make investments in the company’s securities speculative or risky,” which may include cybersecurity risks and incidents.8 Although Mr. Gensler acknowledged that many public companies “already provide investors with information on cyber risks,” he believes that “companies and investors would all benefit if this information were presented in a way that is consistent, comparable and useful for decision-making.”9 The SEC therefore may be on the verge of regulating how cybersecurity disclosures are made.

While noting the need for new rules, Gensler also stressed that the SEC will continue to pursue enforcement actions under existing law when companies fail to disclose all material facts related to a cyber incident or risk. He said: “Make no mistake: public companies already have certain cybersecurity disclosure obligations.” Mr. Gensler pointed out that “[i]f customer data is stolen, if a company has paid ransomware, that may be material to investors” and should be disclosed. He added: “As recent cases show, failure to accurately disclose cybersecurity incidents and risks can result in enforcement action.”10

Expected changes to Reg SCI and Reg SP

Throughout his speech, Mr. Gensler also indicated a desire to extend existing regulations so that they apply more broadly. As part of this message, he raised the possible “broadening and deepening” of Regulation Systems Compliance and Integrity (Reg SCI) to reach market intermediaries such as broker-dealers and investment advisers.11 Reg SCI currently applies to registrants such as stock exchanges and clearing agencies, requiring covered entities “to have strong technology programs, business continuity [and disaster recovery] plans, test protocols, data backups” and specific recordkeeping practices.12 Gensler also suggested strengthening cybersecurity hygiene and incident reporting rules. He spoke only generally about the form these rules would take, but he noted that potential reform could “reduce the risk that these registrants will not be able to maintain critical operational capability during a significant cybersecurity incident.”13 Gensler spoke more specifically about the responsibility of financial industry registrants to clients and customers with respect to data privacy, suggesting that the SEC could change the timing and substance of notifications mandated by the Privacy of Consumer Financial Information rule (Regulation S-P), which requires registered broker-dealers, investment companies and investment advisers to protect customer data and to provide customers with privacy policy notices.14

New regulations for service providers

Mr. Gensler suggested that the SEC will address cybersecurity risks related to service providers. As Gensler pointed out, service providers “go well beyond the cloud” and “can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others.”15 Additional regulation in this area could include holding financial industry registrants “accountable for the cybersecurity measures of service providers with respect to protecting against inappropriate access to investor information.”16 As was clear throughout the speech, Gensler considers cybersecurity risk management an important part of the SEC’s mission. So while we await the new regulations Mr. Gensler previewed in his speech, we also expect the SEC to continue to pursue actions under existing law. Jenner & Block will continue to monitor the regulatory landscape surrounding the SEC and cybersecurity.

Footnotes

1 Gary Gensler, Chairman, Sec. & Exch. Comm’n, Remarks at the Securities Enforcement Forum (November 4, 2021) (transcript available at https://www.sec.gov/news/speech/gensler-securities-enforcement-forum-20211104).

2 See, for example, SEC Charges Issuer with Cybersecurity Disclosure Controls Failures, U.S. Sec. & Exch. Comm’n (June 15, 2021), https://www.sec.gov/news/press-release/2021-102; SEC Charges Pearson plc for Misleading Investors About Cyber Breach, U.S. Sec. & Exch. Comm’n (August 16, 2021), https://www.sec.gov/news/press-release/2021-154.

3 Gary Gensler, Chairman, Sec. & Exch. Comm’n, Speech at the Northwestern Pritzker School of Law Securities Regulation Institute Conference (January 24, 2022) (transcript available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124) [hereinafter Gensler, Speech at Securities Regulation Institute Conference].

4 Id.

5 Id.

6 President Joe Biden, Remarks on Collectively Improving the Nation’s Cybersecurity (August 25, 2021) (transcript available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/08/25/remarks-by-president-biden-on-collectively-improving-the-nations-cybersecurity/).

7 17 CFR pts. 229, 249 (2018) (available at https://www.sec.gov/rules/interp/2018/33-10459.pdf).

8 Id.

9 Id.

10 Gensler, Speech at Securities Regulation Institute Conference.

11 17 CFR pts. 240, 242, 249 (2015) (available at https://www.sec.gov/rules/final/2014/34-73639.pdf).

12 Gensler, Speech at Securities Regulation Institute Conference.

13 Id.

14 17 CFR pt. 248 (2000) (available at https://www.sec.gov/rules/final/34-42974.htm).

15 Gensler, Speech at Securities Regulation Institute Conference.

16 Id.

Aurora J. William