The SEC has issued two cybersecurity-related rule proposals in the past two months, and more are likely on the way.
The push comes as cyberattacks remain a persistent problem, not only for individual companies but for society as a whole.
“The financial sector remains a very real target of cyberattacks. What’s more, it’s become increasingly embedded within society’s critical infrastructure,” SEC Chair Gary Gensler said in a speech on April 14, 2022, at the joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC). “The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating. State actors and non-state hackers alike sometimes try to target various entities and businesses.”
Rules Already Proposed
In March, the SEC proposed a rule that would require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material.
Under the proposal, companies would also have to report periodically on their policies and procedures for managing cybersecurity risk, as well as provide updates on previously disclosed incidents.
The proposal is in Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
In February, the SEC issued Release No. 33-11028, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, proposing new cybersecurity risk management, incident reporting, and recordkeeping requirements for investment advisers and funds.
Rulemaking For Broker-Dealers
Gensler said he has also asked staff to develop recommendations for broker-dealers along the lines of the measures proposed in Release No. 33-11028.
“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”
Rulemaking for Entities in the Financial Sector
“I believe we have an opportunity to consider freshening up Regulation Systems Compliance and Integrity,” Gensler said.
Reg SCI, which covers stock exchanges, clearing agencies, certain alternative trading systems (ATSs), and other self-regulatory organizations (SROs), requires these entities to maintain policies and procedures so that their technology systems have adequate capacity, integrity, resiliency, availability, and security, including business continuity and disaster recovery plans and data backups.
The rule was adopted in 2014, and Gensler said that a lot has changed since then.
“Thus, I’ve asked staff how we might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers?” he said. “I think there also might be opportunities to deepen Reg SCI in order further to shore up the cyber hygiene of important financial entities.”
Gensler also said he has asked staff for recommendations on when and how financial entities should notify customers of cyber incidents in which their personal data may have been exposed.
Congress first addressed the issue in 1999 with the Gramm-Leach-Bliley Act, and the SEC adopted Regulation S-P in 2000 to require broker-dealers, investment companies, and investment advisers to safeguard customer records and information.
“More than two decades since Reg S-P was adopted—an eternity in the cybersecurity world—I think there may be opportunities to modernize and expand this rule,” he said. “This possibly could include proposing to require breach notifications when a customer’s information is accessed without authorization.”
Rulemaking for Service Providers
Service providers often play critical roles in the financial industry. Beyond cloud hosting, they run investor reporting systems, handle middle-office work, and perform fund administration, to name just a few functions. Yet many of these entities are not registered with the SEC.
“I’ve asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers,” Gensler said.
Final Rules in the Works for Operating Public Companies
Even as staff drafts new proposals, the SEC is reviewing the comment letters on the rules it has already proposed before adopting them in final form.
As for the public company rules, William Ridgway, a partner with Skadden, Arps, Slate, Meagher & Flom LLP, said there have been follow-up questions and requests for comment since the proposal was issued.
“There has been some controversy about the four-day requirement, and the fact that there’s no exemption for dealing with law enforcement,” Ridgway said during a Cybersecurity Docket webcast on April 14. “I wouldn’t be shocked if there’s some tailoring to that particular rule in the wake of some of the feedback that the SEC is receiving.”
However, he noted that this is clearly a priority for the SEC.
Thus, “we fully expect that this is going to be something where, you know, if it gets watered down at all, it will not be much. And so, organizations should kind of assume that that’s coming and that, you know, if there’s going to be even greater disclosure about your corporate governance, for example, on cybersecurity, that’s to start preparing for that now,” he said.
Ridgway added that “we’re working with my SEC colleagues much more frequently than I did in the prior administration, just to say that this is a very, very active SEC when it comes to cybersecurity and digital assets.”
This article originally appeared in the April 18, 2022 edition of Accounting & Compliance Alert, available on Checkpoint.