SEC eyes more expansive cybersecurity requirements

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.

Staff guidance governs publicly traded companies

In 2011, the SEC issued staff guidance stating, “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents.” Nevertheless, in this earlier guidance, the SEC advised companies that “Material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” Consequently, most publicly traded companies began reporting significant cybersecurity risks and incidents, frequently using a standard SEC reporting form called 8-K.

In 2018, the SEC issued interpretive guidance that expanded upon the 2011 guidance stressing the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. The updated guidance also reminded companies of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws. It further stressed companies’ obligations to “refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

Like the 2011 staff guidance, the 2018 update underscores that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents.” The 2018 update does point to statutory financial filing requirements known as Regulation S-K and Regulation S-X that might require cybersecurity disclosures in registrations statements and financial reports submitted to the SEC.

Even without mandatory disclosure rules, the SEC has brought legal action against companies for poor cybersecurity reporting practices. In 2018, the Commission forced Yahoo to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s most significant data breaches.

New proposals would expand SEC’s reach

In his speech, Gensler proposed a series of changes involving new, “refreshed,” or expanded SEC cybersecurity authorities. These proposals include:

• “Freshen up” Regulation Systems Compliance and Integrity (Reg SCI): Gensler said that he plans to ask the SEC at its next meeting to consider a “freshened up” version of Reg SCI to further shore up the cyber hygiene of important financial entities. Reg SCI is a 2014 rule covering a subset of large registrants, including stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations (SROs). The rule aims to improve the resiliency of these entities by requiring sound technology programs, business continuity plans, testing protocols, data backups, and other requirements.
• Strengthen financial sector registrants’ cybersecurity hygiene and incident reporting: Gensler said he had asked his staff how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting to a broader group, including investment companies, investment advisers, and broker-dealers, not covered by SCI, considering guidance issued by CISA and others.
• Strengthen customer information protection for financial sector registrants: Gensler said he had asked staff for recommendations to change how customers and clients of financial sector registrants receive notifications about cyber events when their data, such as personally identifiable information, has been accessed.
• Improve cyber risk and event reporting for public companies registrants: Gensler has asked his staff to make recommendations about publicly traded companies’ cybersecurity practices and cyber risk disclosures, including possibly their practices concerning cybersecurity governance, strategy, and risk management. Gensler added that both companies and investors would benefit if this information were presented in a “consistent, comparable, and decision-useful manner” rather than the free-form descriptions currently appearing in the 8-K submissions. He has also asked staff to recommend whether and how to update companies’ disclosures to investors when cyber events have occurred.
• Address cybersecurity risk from service providers: Perhaps the most controversial of the steps outlined by Gensler is the idea of requiring certain public company registrants to identify service providers that could pose cybersecurity risks. Following a spate of damage supply chain attacks, most notably the compromise of business software provider SolarWinds, Gensler said he asked staff to consider recommendations on addressing cybersecurity risk from service providers. Among the measures cited by Gensler to address suppliers’ security are requiring certain registrants to identify service providers that could pose risks and holding registrants accountable for service providers’ cybersecurity measures for protecting investor information.

“Seismic speech” should send waves

Scott Ferber, partner at McDermott Will & Emery, tells CSO that while expansive, Gensler’s proposals align with how the SEC has traditionally viewed its role in cybersecurity. “The SEC has made it clear for years that cybersecurity is in their enforcement sites.”

Ferber adds, “The seismic speech from the chair reinforces that priority and highlights various initiatives. It should send waves to several constituencies, including the financial sector, SEC registrants, public companies, and, notably, service providers, even those not regulated by the SEC today.”

The timing of proposals is unclear

What’s unclear, however, is just how quickly the SEC might act on some of these ideas, if at all. Last year, the SEC put on its public agenda a rulemaking on amendments to enhance issuer disclosures regarding cybersecurity risk governance. That rulemaking, slated for October 2021, has yet to materialize.

Last September, Gensler told the Senate Banking Committee the agency is developing a proposal on cybersecurity risk governance, which “could address issues such as cyber hygiene and incident reporting.” The SEC did not respond to requests for information on either the seemingly stalled rulemaking or the timing of Gensler’s new proposals.

Ferber thinks the SEC is primed for fast action. “I don’t think [Gensler’s new expansive agenda] is something that is years down the road,” he tells CSO. “It seems that they’re looking to move quickly on this.”