On January 24, 2022, SEC Chair Gary Gensler gave a speech on cybersecurity rulemaking to the Annual Securities Regulation Institute, outlining a number of key points he expects the SEC will consider in 2022 and emphasizing the SEC’s “key role” on the federal government’s “Team Cyber.” A number of these proposed changes – including broadening the scope of existing SEC regulations, enhancing SEC requirements for cyber hygiene, and increasing attention to public company disclosures – were among the trends that members of the Debevoise Data Strategy & Security and White Collar & Regulatory Defense practice groups discussed during a November 2021 webcast on the SEC’s Cybersecurity Year in Review, as well as in our prior Data Blog posts (here and here).
Below, we highlight a number of key takeaways from Chair Gensler’s speech for SEC-registered entities and public companies.
- Regulation Systems Compliance and Integrity (“SCI”): Chair Gensler explained that the SEC would like to “freshen up” Reg SCI, which imposes certain technological and business continuity requirements on the securities market functions of certain large registrants (classified under the Reg as “SCI Entities”) such as stock exchanges, clearinghouses, and alternative trading systems. In particular, Chair Gensler would like to “broaden and deepen” Reg SCI by, for example, bringing more entities (such as large broker-dealers and market makers) within its scope and strengthening certain cyber-hygiene requirements.
- Funds, Advisers, and Broker-Dealers: Chair Gensler similarly noted that he has already asked his staff how the SEC can “strengthen financial sector registrants’ cybersecurity hygiene and incident reporting” by incorporating guidance from CISA and others. These statements (and Chair Gensler’s comments on customer notifications discussed below) are consistent with our expectation that federal and other regulators are keenly focused on reporting obligations, even if Congress does not pass a general federal data privacy statute. Chair Gensler explained that strengthening reporting would give investors and clients better information, incentivize good cyber hygiene, and provide the SEC with greater insight into intermediaries’ cyber risks.
- Data Privacy: The SEC is actively discussing possible updates to Reg S-P. Chair Gensler explained that the SEC is examining how financial sector registrants notify customers and clients of cyber incidents affecting their data and PII. In particular, the SEC is considering changes to the “timing and substance of notifications currently required under Reg S-P[,]” suggesting that the SEC may extend the privacy notice requirements under Reg S-P to cybersecurity events.
- Public Company Disclosures: As highlighted by previous enforcement actions such as Pearson Plc, and emphasized in Chair Gensler’s comments, the SEC takes the accuracy and consistency of cybersecurity disclosures seriously. As we noted in our November 2021 webcast, the SEC believes that accurate and complete disclosures regarding cybersecurity risks – and prior actual incidents – are essential. The SEC is currently considering proposed rules that would require enhanced, specific disclosures relating to cybersecurity governance, strategy, and risk management. The proposed rules will likely delineate what is “material” for disclosure purposes after a cyber incident.
- Service Providers: Chair Gensler explained that the SEC is considering ways to address cybersecurity risk originating from service providers, including risk disclosure requirements for certain registrants, and even “holding registrants accountable for service providers’ cybersecurity measures,” as it relates to safeguarding investor information. Chair Gensler noted that bank service providers were subject to certain regulation from federal banking regulators, suggesting he saw a similar role for the SEC for vendors of entities within its jurisdiction.
We will continue to track and blog on these important updates.