Last week, the Chair of the Securities and Exchange Commission (SEC), Gary Gensler, discussed the SEC’s cybersecurity policy work and publicized ongoing SEC regulatory efforts that would affect public companies, SEC registrants, and financial sector service providers. During his keynote address at the 2022 Securities Regulation Institute, Chair Gensler stressed the importance of cybersecurity to the modern economy and the SEC’s cooperation with federal agencies as part of the Biden administration’s broader cybersecurity initiatives. He then outlined six different areas where SEC staff are considering new or revised cyber rules:
Public Companies: Cybersecurity Event Disclosure
Chair Gensler reiterated that public companies already have certain obligations to disclose material information to investors, and that material information may include the occurrence of a cybersecurity event—such as a data breach or ransomware attack. He also highlighted the SEC’s recent enforcement actions against public companies for failure to disclose material information regarding a cybersecurity event. On the regulatory front, the Chair announced that SEC staff are considering “whether and how” to change public companies’ disclosures to investors related to cybersecurity events.
Public Companies: Cyber Risk Disclosure
Similarly, Chair Gensler reiterated that public companies “have an obligation to share [risk] information with investors on a regular basis” and that many companies already provide information on cyber risk to investors. The SEC is now considering rules regarding cyber risk disclosure, as the Chair believes that “companies and investors alike would benefit if this [cyber risk] information were presented in a consistent, comparable, and decision-useful manner.” A future SEC rule requiring uniform disclosure of cyber risks may require companies to describe “their practices with respect to cybersecurity governance, strategy, and risk management.”
SEC Registrants: Regulation SCI
With respect to SEC registrants, Chair Gensler focused on an opportunity to “freshen up” the SEC’s 2014 rule on Regulation Systems Compliance and Integrity (Regulation SCI). Currently, Regulation SCI imposes technological and business continuity requirements on so-called “SCI entities” like stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations. SEC staff are now considering whether to “broaden and deepen” Regulation SCI by i) applying it to Treasury trading platforms, large market-makers, and large broker-dealers and ii) “shor[ing] up” the cybersecurity requirements in Regulation SCI.
SEC Registrants: Funds, Advisers, and Broker-Dealers
SEC registrants that fall outside the scope of Regulation SCI—like investment funds, investment advisers, and broker-dealers—are subject to books-and-records and business continuity rules which may effectively require certain cybersecurity practices. Chair Gensler announced that SEC staff are considering additional cybersecurity and incident reporting rules for these entities. The Chair believes that such rules “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risk.”
SEC Registrants: Financial Consumer Data Privacy
Following the Gramm-Leach-Bliley Act of 1999, the SEC adopted Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to adopt policies to protect customer records and information. While Chair Gensler suggested there may be several opportunities to “modernize and expand” Regulation S-P, he has asked SEC staff for recommendations on how customers should receive notifications about data breach cybersecurity events.
Financial Sector Service Providers
Many service providers that are essential to the financial sector—including fund administrators, data analytics providers, and trading management services—aren’t required to register with the SEC. The Chair has asked SEC staff to consider the broad question of how to address cybersecurity risks arising from such service providers. Chair Gensler posited such possibilities as i) requiring registered entities to identify service providers that could pose cybersecurity risks, ii) holding registrants accountable for their service providers’ cybersecurity measures, and iii) imposing rules similar to what the Bank Service Company Act imposes on service providers in the banking sector.
Chair Gensler’s address continues the trend of the SEC prioritizing cybersecurity in its compliance and enforcement efforts. Last year, the SEC entered into a settlement with a real estate title insurance company related to disclosures made in connection with a cybersecurity vulnerability involving the company’s app for sharing document images related to title and escrow transactions.
The SEC’s interest in cybersecurity is consistent with that of other government agencies. As just one example, data privacy and cybersecurity is also a priority of the Federal Trade Commission (“FTC”). Earlier this month, the FTC issued a warning for companies to remediate the Log4j security vulnerability, cautioning that “[t]he duty to take reasonable steps to mitigate known software vulnerabilities implicates laws . . . [i]t is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
We anticipate that cybersecurity will remain of keen interest to the securities and shareholders’ plaintiffs’ bar. Public companies experiencing data privacy and other cybersecurity breaches can expect thorough scrutiny of their prior public statements about their cybersecurity practices and compliance – and securities fraud claims of misrepresentation or omissions in those statements.
Beyond that, as best practices continue to develop for data privacy and cybersecurity, directors of public (and some private) companies should expect data breaches to lead to claims by shareholders that the directors breached their fiduciary duties by failing to institute and maintain a sufficiently robust cybersecurity compliance program. Much more to come as both the law and best cybersecurity practices continue to develop.
James Brennan also contributed to this article.
© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 34