Gensler says SEC to consider new rules for cybersecurity, data privacy disclosures

In a speech delivered Monday at the Northwestern Pritzker School of Law’s annual Securities Regulation Institute conference, SEC Chair Gary Gensler laid out potential rule changes he said would strengthen existing cybersecurity hygiene and incident reporting disclosures for financial sector participants; enhance disclosures made to clients and customers regarding data breaches; and enhance existing cyber risk disclosure requirements for public companies, with a goal of increasing the transparency of their cybersecurity practices.

Cybersecurity disclosure framework coming?

Public companies are already required to disclose if they are the victim of a ransomware attack or if customer data is stolen if that information is material to investors. Gensler said the SEC might issue new rules regarding how to update those disclosures when such cyber events occur.

Haima Marlier, partner at Morrison & Foerster and co-chair of the firm’s Securities Litigation, Enforcement, and White Collar Defense Group, said Gensler has previously indicated a rulemaking emphasis on internal controls for public companies.

Indeed, in his speech, Gensler said he would ask SEC staff to make recommendations around companies’ cybersecurity practices and cyber risk disclosures. He added, “This may include their practices with respect to cybersecurity governance, strategy, and risk management.”

Marlier said this could mean Gensler and the SEC intend to provide more structure around the internal processes and systems in place within public companies for assessing a cyberattack and determining whether to elevate the incident out of IT and up the corporate chain of command.

Many public companies already issue disclosures dealing with cyber risk, but like with other nonmandatory initiatives (say, for climate-related risk), such reports differ by firm.

“I think companies and investors alike would benefit if this information was presented in a consistent, comparable, and decision-useful manner,” Gensler said.

Getting companies to make such disclosures could require safeguards, experts agreed.

“The SEC is increasingly an outlier among the regulatory community in its determination to pursue enforcement actions against the very businesses that are themselves the victims of cyberattacks,” said Scott Kimpel, a partner at law firm Hunton Andrews Kurth who previously served as counsel to a SEC commissioner.

“For example, in response to the highly publicized SolarWinds data breach over the summer, the SEC’s Division of Enforcement sent investigative demands to large numbers of American businesses who were the victims of this attack,” Kimpel continued. “I hope the SEC will use this initiative to recalibrate its approach to cybersecurity to more closely align its philosophy with that of its sister agencies, and I believe the SEC will not be successful in its efforts if it maintains an adversarial, pro-enforcement approach.”

Marlier said the concept of creating safe harbors, particularly for firms affected by cyberattacks, “would create a situation where companies are more comfortable sharing information with the government.”

New rules for investment firms, advisers, broker-dealers?

Building upon obligations already in place regarding recordkeeping, compliance, and business continuity regulations, Gensler said he has asked SEC staff “to make recommendations for the Commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by CISA (the Cybersecurity and Infrastructure Security Agency) and others.”

“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” he said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”

On data privacy, Gensler said the SEC is mulling changes to Regulation S-P, the 22-year-old rule which requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. Gensler said the rule should be modernized and expanded, particularly considering the increasingly sophisticated types of cyberattacks that regulated entities are facing.

“I’ve asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information,” he said. “This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P.”

Cybersecurity disclosures for vendors?

Gensler said the SEC might begin requiring certain registrants to identify cybersecurity risks with their service providers, potentially holding registrants accountable for the strength of the cybersecurity measures put in place by their providers.

“This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services,” he said.

Another potential rule change would increase the breadth of entities covered by Regulation Systems Compliance and Integrity, known as Reg SCI.

The rule, which the SEC adopted in 2014, is geared to strengthen the technology marketplace of the U.S. securities markets. The rule applies to stock exchanges, clearinghouses, alternative trading systems, self-regulatory organizations, and more.

The SEC proposed to expand Reg SCI to include Treasury trading platforms in September 2020. The proposal was pushed forward again with additional requirements on Wednesday, two days after Gensler’s speech.

Editor’s note: This story was updated Jan. 26 to reflect the SEC’s revisited proposal to expand Reg SCI to include Treasury trading platforms.