Earlier this month, U.S. Securities and Exchange Commission (SEC) Chairman Gary Gensler again outlined new cybersecurity regulations that SEC staff are considering, this time in a speech. to government organizations tasked with improving the security of financial sector infrastructure. In his address to a joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Industry Coordinating Council (FSSCC), Chairman Gensler emphasized his belief that the SEC plays a role important in the Biden administration’s efforts to improve the country. cyber security. He went on to describe the SEC’s current work on cybersecurity policy, including rules the SEC has already proposed and new types of rules the SEC is likely to propose regarding alternative trading systems, broker-dealers, security firms, and brokers. investment, investment advisers and service providers to the financial sector. entities.
Current Proposal: Public Company Electronic Information Disclosure Requirements
Chairman Gensler began by addressing some of the SEC’s proposed cybersecurity rules. More recently, the SEC has proposed rules requiring public companies to disclose, among other things, their data breaches and their cybersecurity policies and procedures. Chairman Gensler reiterated his belief that the rules would benefit both businesses and investors, but did not respond to public comment on the rules.
Future Proposal: New Reg SCI Requirements for Alternative Trading Systems
Chairman Gensler also summarized the SEC’s recent efforts to expand the scope of its 2014 Regulatory Systems Compliance and Integrity (Reg SCI) rule, which currently imposes certain technology and business continuity requirements on covered entities. such as stock exchanges, clearing houses and alternative trading systems. Last January, the SEC proposed rules that would expand the types of entities that would fall within the scope of Reg SCI. In his remarks, Chairman Gensler also hinted that he thinks there “may be opportunities to deepen Reg SCI” in the future.
Future Proposal: Cybersecurity Information Disclosure Requirements for Brokers and Traders
In February, the SEC proposed rules that would affect registered investment advisers, investment companies and business development companies. In short, the SEC’s proposed rules would require these entities to adopt cybersecurity policies, report cybersecurity incidents to the SEC and the public, and maintain certain books and records. Significantly, Chairman Gensler said he had asked SEC staff for recommendations on “similar appropriate actions for brokers.”
Future proposal: Reg SP and brokers, investment firms and investment advisers
Following the Gramm-Leach-Bliley Act of 1999, the SEC enacted Regulation SP (Reg SP), which requires registered broker-dealers, investment firms, and investment advisers to adopt policies to protect records and consumer information.
Chairman Gensler said he asked SEC staff to consider how Reg SP could be “modernized.”[d] and expand[ed]”, with particular emphasis on potential requirements for consumer breach notifications in the event of unauthorized access.
Future Proposal: Service Providers
Finally, Chairman Gensler reiterated his belief that financial industry registrant service providers, whether cloud-based or not, are critical to the financial industry. In his remarks this month, he simply said he had asked SEC staff to consider recommendations on how to “further address cybersecurity risk emanating from service providers.” Earlier this year, he mentioned specific measures that could be part of a proposed rule, including:
i) require registered entities to identify service providers that may pose cybersecurity risks,
(ii) hold registrants accountable for the cybersecurity measures of their service providers, and
(iii) impose regulations similar to those that the Banking Services Companies Act imposes on service providers in the banking sector.
Chairman Gensler’s outline of the SEC’s current and future cybersecurity policy work is consistent with his speech earlier this year on the same topic. Since the previous speech, the SEC has followed and proposed several cyber rules announced by Chairman Gensler. If the pattern holds, the future proposals discussed above will soon turn into actual proposed rules.
© Copyright 2022 Squire Patton Boggs (USA) LLPNational Law Review, Volume XII, Number 115