SEC Commissioner Issues Cybersecurity Potential Rulemakings and Preventative Measures

On October 29, 2021, U.S. Securities and Exchange Commission (SEC) Commissioner Elad L. Roisman outlined potential SEC rulemakings on cybersecurity and recommended measures companies can take to address the emerging challenge of cyberattacks, “even in the absence of regulatory action.”

Recommendations for Cybersecurity

In the article, Roisman spoke about the importance of using sufficient cybersecurity measures to guard against these “criminal and illegal” cyberattacks. Specifically, he suggested that market participants “work with counsel and other experts on preparing for potential cyber-attacks before they happen” by:

  • devising a plan for monitoring for cyber threats,

  • responding to potential breaches, and

  • understanding when information must be reported outside the company and to whom.

Companies that wish to bolster their cybersecurity measures may consider:

  • designating "providers and experts" that can be contacted in the case of a cyber incident, and

  • engaging in table-top exercises to proactively determine the best courses of action for mitigating harm in the event of a cyber incident.

Additionally, companies may want to review Regulation Systems Compliance and Integrity (“Regulation SCI”), which resulted in improvements in the cybersecurity preparedness and resilience of the markets, for the “most extensive policymaking in cybersecurity.”

Reporting Responsibilities

Companies should be aware that regulation of cybersecurity in the United States can fall under the jurisdiction of a number of federal agencies, making it possible for SEC registrants to have cybersecurity obligations, including reporting requirements, to multiple agencies.

To stay best apprised of these requirements, Roisman suggested reaching out to counsel or other expert advisors.

Potential Rulemaking

Roisman made clear that he supported a reporting framework, similar to the one FINRA uses for broker-dealer cybersecurity incident reporting, for advisers to follow after a cyber incident.

He also outlined the following ideal structure if new public issuer cybersecurity rules are proposed:

  • clearly define any legal requirements,

  • ensure that such requirements are consistent with existing requirements of "sister government agencies,"

  • account for resource disparities among registrants, and

  • be principles-based.
