The U.S. Securities and Exchange Commission is implementing a
campaign to overhaul the agency’s expectations around
cybersecurity and cyber incident reporting for the financial
services industry and corporate America generally. For example, in
a recent speech, Chairman Gensler reiterated his focus on
cybersecurity and underscored the SEC’s work to “improve
the overall cybersecurity posture and resiliency of the financial
sector.” These remarks echoed sentiments he has previously
conveyed (including in Congressional testimony) regarding
cybersecurity risk governance.
Based on Gensler’s remarks and other inputs, the SEC’s
enhanced cybersecurity focus will take shape in the following three
key areas:
- Cyber “hygiene” and preparedness;
- Cyber incident reporting to the SEC; and
- Public cyber disclosures.
The agency is strategically aiming its cyber policy efforts at
the following three categories of market participants and
registrants (and the SEC itself):
- Financial sector SEC registrants;
- Public companies; and
- Service providers.
Registrants and others have an opportunity to evaluate their
cybersecurity programs in light of recent SEC comments, guidance,
and rulemaking and consider whether enhancements are needed, either
to comply with an explicit requirement, proactively to aim for
presumptive approvals of pending rulemaking, or simply from a best
practices standpoint. These steps could include:
- Attention to cyber hygiene;
- Review of Reg. S-P policies and procedures, with a specific
focus on the timing and substance of notices and disclosures
related to cyber events;
- Evaluation of cyber risk disclosures, including their accuracy,
completeness, and timeliness; and
- Identification of third-party service providers that maintain
investor or customer information and assessment of their
cybersecurity measures.
FINANCIAL SECTOR SEC REGISTRANTS
The SEC is working on at least three initiatives related to
strengthening financial sector registrants’ cybersecurity
hygiene and incident reporting, specifically for broker-dealers,
investment companies, investment advisers, and other market
participants. Chairman Gensler explained that his objective in
proposing these reforms is to reduce the risk that these
registrants “couldn’t maintain critical operational
capability during a significant cybersecurity incident.” In an
effort to reduce this risk, the Chairman believes that these
registrants “could give clients and investors better
information with which to make decisions, create incentives to
improve cyber hygiene, and provide the [SEC] with more insight into
intermediaries’ cyber risks.”
Proposed Cybersecurity Rules for Investment Advisers and
Investment Companies
On February 9, 2022, the SEC proposed new rules and amendments
designed to enhance cybersecurity preparedness and improve cyber
resilience of investment advisers and investment companies.
Our client alert provides an overview of the
proposed requirements. Key provisions of the proposed rules
include:
- A requirement to maintain cybersecurity policies and
procedures;
- A requirement to report significant cybersecurity incidents to
the SEC;
- A requirement to disclose significant cybersecurity risks and
incidents to clients and prospects; and
- Additional recordkeeping requirements.
The proposed rulemaking comes as no surprise. The SEC signaled
in its “Reg Flex” agenda that these
rules were coming. If adopted, these rules will incorporate
existing SEC staff guidance on cybersecurity policies and
procedures, and create new requirements for reporting cybersecurity
incidents. The proposal includes a new rule 206(4)-9 under the
Advisers Act and a new rule 38a-2 under the Investment Company
Act.
Expanding the Scope of Regulation Systems Compliance and
Integrity (Reg. SCI)
The SEC adopted Reg. SCI in 2014 as a way to strengthen the
technology infrastructure of the U.S. securities markets via rules
designed to reduce the occurrence of systems issues, improve
resiliency when systems problems do occur, and enhance the
agency’s oversight and enforcement of securities market
technology infrastructure. Reg. SCI requires an “SCI
entity” to, among other things, establish, maintain, and
enforce written policies and procedures reasonably designed to
ensure that its key automated systems have levels of capacity,
integrity, resiliency, availability, and security adequate to
maintain operational capability; take appropriate corrective action
when systems issues occur; provide certain notifications and
reports to the SEC regarding systems problems and systems changes;
inform members and participants about systems issues; conduct
business continuity and disaster recovery testing; conduct annual
reviews of automated systems, including penetration testing; and
make and keep certain books and records.
Recognizing that much has changed since 2014, Chairman Gensler
asked SEC staff to “broaden and deepen” the rule beyond
its current scope, which covers a subset of large registrants
(including stock exchanges, clearinghouses, and alternative trading
systems (“ATSs”)). A recent SEC proposal would extend Reg. SCI to
“Government Securities ATS” that meet specified volume
thresholds. Presently, Reg. SCI applies to NMS stocks and
supersedes certain system integrity provisions that exist within
Reg. ATS for non-NMS Stock ATSs. Reg. SCI compliance will be an
additional heavy-up for any Government Securities ATSs that hit the
applicable 5% SCI entity threshold.
Chairman Gensler has suggested that the SEC may consider
applying Reg. SCI to “other, large significant entities…
such as the largest market-makers and broker-dealers.” This
potential expansion in scope is significant, and means that these
other entities may be required to, among other things, maintain
“sound technology programs, business continuity plans, testing
protocols, [and] data backups.” Gensler mentioned that there
“might be opportunities to deepen Reg. SCI to further shore up
the cyber hygiene of important financial entities.” What form
that would take and to whom that would apply are not
clear.
Modernizing Regulation S-P (Reg. S-P)
Broker-dealers, investment advisers, and investment companies
are subject to Rule 30(a) of Regulation S-P, which is the SEC’s
version of the Gramm-Leach-Bliley Act “Safeguards Rule.”
The Safeguards Rule requires adoption of written policies and
procedures implementing technical, administrative, and physical
safeguards reasonably designed to protect the security and
confidentiality of customer records and information. Chairman
Gensler has said that he sees opportunities to modernize and expand
Reg. S-P and has “asked staff for recommendations about how
customers and clients receive notifications about cyber events when
their data has been accessed.” The proposed rulemaking
mentioned above for investment advisers and investment companies
takes this to the next level by imposing a reporting requirement
for significant incidents. This also comes as no surprise, given
the Federal Trade Commission’s own revamping of the Safeguards
Rule announced late last year.
PUBLIC COMPANIES
Public companies are already subject to obligations with respect
to cybersecurity disclosures and providing investors with
disclosures about cyber risk. Exchange Act Rule 13a-15(a) requires
most issuers of a security registered pursuant to Section 12 of the
Exchange Act to maintain disclosure controls and procedures
designed to ensure that information required to be disclosed in
reports the issuer files or submits under the Exchange Act is
recorded, processed, summarized, and reported timely (e.g., 8-K
filings within four business days of the occurrence of a reportable
event). In early 2018, the SEC issued a statement and guidance on public company
cybersecurity disclosures. That guidance notes the following (which
the SEC has similarly highlighted in recent enforcement
actions):
“Crucial to a public company’s ability to make any
required disclosure of cybersecurity risks and incidents in the
appropriate timeframe are disclosure controls and procedures that
provide an appropriate method of discerning the impact that such
matters may have on the company and its business, financial
condition, and results of operations, as well as a protocol to
determine the potential materiality of such risks and incidents. In
addition, the Commission believes that the development of effective
disclosure controls and procedures is best achieved when a
company’s directors, officers, and other persons responsible
for developing and overseeing such controls and procedures are
informed about the cybersecurity risks and incidents that the
company has faced or is likely to face.”
The SEC has also focused on public companies’ internal
controls over financial reporting. In 2018, shortly after the SEC
issued the guidance referenced above, it issued a Section 21(a) report regarding
cyber-related frauds perpetrated against nine public companies,
citing the importance of devising and maintaining a system of
internal accounting controls for cyber-related issues.
Nevertheless, and as a result of evolving disclosure regimes and
the “basic bargain” between public companies and
investors, Chairman Gensler believes that issuers and investors
could benefit from disclosures being “presented in a
consistent, comparable, and decision-useful manner.” He has
asked SEC staff to make recommendations for the SEC’s
consideration regarding (a) companies’ cybersecurity practices
(e.g., cybersecurity governance, strategy, and risk management) and
cyber risk disclosures and (b) whether and how to update
companies’ disclosures to investors following cyber events.
Gensler accompanied his remarks regarding the need for new
regulations on public companies’ disclosure obligations with a
reminder that the SEC will continue to bring enforcement actions
under existing law where companies fail “to make accurate
disclosures of cybersecurity incidents and risks.”
SERVICE PROVIDERS
Many of the service providers that support securities markets
participants and other SEC registrants are not themselves
registered with the SEC or subject to the agency’s
jurisdiction. Examples include investor reporting systems and
providers, middle-office service providers, fund administrators,
index providers, certain custodians, data analytics firms, trading
and order management system providers, and pricing and other data
services providers. In order to ensure investor protection and that
key services are not disrupted for financial sector registrants,
Chairman Gensler has asked the agency’s staff to consider
recommendations around how to address cybersecurity risk presented
by service providers. He has suggested that remedial measures could
include: (a) “requiring certain registrants to identify
service providers that could pose such risks” and (b)
“holding registrants accountable for service providers’
cybersecurity measures [related to] protecting against
inappropriate access and investor information.” Gensler also
indicated that it might be worthwhile to provide market regulators
with similar authorities as those granted to banking agencies,
which regulate and supervise certain banks’ third-party service
providers through the Bank Service Company Act. It is worth noting
that some of these service providers may already be captured by the
updated Federal Trade Commission Safeguards Rule.
THE SEC
Lastly, mindful that the SEC and its systems and data are not
immune from cyber risk, Chairman Gensler has the agency’s staff
looking inward to continue to (a) work to protect SEC data and
technology and industry data, and (b) evaluate the SEC’s data
footprint and data collection processes in an effort to only
collect data needed to fulfill its mission. This is an encouraging
acknowledgement and a good reminder that regulators themselves are
subject to cyber perils, as the 2016 hacking of the SEC’s EDGAR
system demonstrates.
Despite the self-reflection by the agency and “only if we
need it” messaging on gathering, many would argue that the SEC
has gone too far with various recent policy choices with respect to
data gathering and warehousing requirements and regimes it has
layered on the industry (or proposes to do so). The
SEC-mandated Consolidated Audit Trail is one example
(which would require a treatise to truly distill and explain).
Another example is new Rule 10c-1 that the SEC recently proposed, which would create a new
reporting and disclosure framework for the securities lending
market. The SEC’s mandate under the Dodd-Frank Act is to
“promulgate rules that are designed to increase the
transparency of information available to brokers, dealers, and
investors with respect to loan[ing] or borrowing securities.”
While certain aspects of the proposal appear aimed to achieve this
goal, such as public dissemination of transaction data like volume
and price and aggregate market data, the proposal appears to go
beyond the mandate in requiring Lenders to provide certain
confidential non-public information. Specifically, it is difficult
to see how transparency is furthered by the proposed requirements
that securities lenders report to FINRA the identities of the
parties, whether the loan will be used to close a fail to deliver,
and in the case of broker-dealers, whether such securities are
loaned from the broker-dealer’s inventory. While this
information would give FINRA and the SEC a more detailed view into
the actions of market participants, its value to transparency is
low if it is not publicly disseminated.
WHAT’S NEXT?
Chairman Gensler believes that the SEC has a key role to play in
improving the overall cybersecurity posture and resiliency of the
financial sector and is committed to addressing ever-evolving
cybersecurity challenges with an action-oriented and cyber-focused
rulemaking agenda.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
https://www.mondaq.com/unitedstates/securities/1161920/sec-focus-on-cybersecurity-begins-to-take-shape