SEC Discusses Agency’s Efforts to Bolster Cybersecurity Resiliency
On January 24, 2022, Securities and Exchange Commission (“SEC”) Chair Gary Gensler spoke at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler’s speech centered around the history and continued threat of cyber incidents. He reaffirmed the need for the private sector and government entities, such as the SEC, to work to improve the cybersecurity resiliency of the financial sector.
Gensler outlined his ideal approach to implementing a cybersecurity policy at the SEC. The key principles of his approach centered on the following:
cyber hygiene and preparedness;
cyber incident reporting to the government; and
in certain circumstances, disclosure to the public.
Additionally, his policy recommendations would apply to the following entity sectors:
SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and other market intermediaries;
public companies;
service providers that work with SEC financial-sector registrants but are not necessarily registered with the SEC themselves; and
the SEC itself.
Although Gensler has merely proposed these policy efforts, businesses should consider these potential legislative efforts now in order to best prepare themselves for future changes in policy.
Additionally, Gensler made several recommendations for entities outside of the SEC.
Public Companies
Although many public companies already disclose cyber risk to their investors, both public companies and their investors would benefit greatly if these disclosures were provided in a “consistent, comparable, and decision-useful manner.” Gensler did not comment on whether these disclosures would be mandatory under his ideal policy, but he did state that he has referred this recommendation to the SEC for consideration of how the disclosure requirements should be structured.
Service Providers
Considering the significant and critical role that service providers play in the financial sector, as well as the breadth of activities that can be conducted through third-party service provider contracts, Gensler recommended establishing an enhanced cybersecurity risk policy for these providers. Such policies would be used to “ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.”
An additional recommendation was to establish a cybersecurity approach that regulators could impose on third-party service providers in a manner similar to the Bank Service Company Act.