Last week, the Chair of the Securities and Exchange Commission (SEC) Gary Gensler discussed the SEC’s cybersecurity policy work and publicized ongoing SEC regulatory efforts that could affect public companies, SEC registrants, and financial sector service providers. During his keynote address at the 2022 Securities Regulation Institute, Chair Gensler stressed the importance of cybersecurity to the modern economy and the SEC’s cooperation with federal agencies as part of the Biden administration’s broader cybersecurity initiatives. He then outlined six different areas where SEC staff are considering new or revised cyber regulations:
- Public Companies: Cybersecurity Event Disclosure
Chair Gensler reiterated that public companies already have certain obligations to disclose material information to investors, and that material information may include the occurrence of a cybersecurity event—such as a data breach or ransomware attack. He also highlighted the SEC’s recent enforcement actions against public companies for failure to disclose material information relating to a cybersecurity event. On the regulatory front, the Chair announced that SEC staff are considering “whether and how” to change public companies’ disclosures to investors related to cybersecurity events.
- Public Companies: Cyber Risk Disclosure
Similarly, Chair Gensler reiterated that public companies “have an obligation to share [risk] information with investors on a regular basis” and that many companies already provide information on cyber risk to investors. The SEC is now considering rules regarding cyber risk disclosure, as the Chair believes that “companies and investors alike would benefit if this [cyber risk] information were presented in a consistent, comparable, and decision-useful manner.” A future SEC rule requiring uniform disclosure of cyber risks may require companies to describe “their practices with respect to cybersecurity governance, strategy, and risk management.”
- SEC Registrants: Regulation SCI
With respect to SEC registrants, Chair Gensler focused on an opportunity to “freshen up” the SEC’s 2014 rule on Regulation Systems Compliance and Integrity (Regulation SCI). Currently, Regulation SCI imposes technological and business continuity requirements on so-called “SCI entities” like stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations. SEC staff are now considering whether to “broaden and deepen” Regulation SCI by i) applying it to Treasury trading platforms, large market-makers, and large broker-dealers and ii) “shor[ing] up” the cybersecurity requirements in Regulation SCI.
- SEC Registrants: Funds, Advisers, and Broker-Dealers
SEC registrants that fall outside the scope of Regulation SCI—like investment funds, investment advisers, and broker-dealers—are subject to books-and-records and business continuity regulations which may effectively require certain cybersecurity practices. Chair Gensler announced that SEC staff are considering additional cybersecurity and incident reporting regulations for these entities. The Chair believes that such regulations “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risk.”
- SEC Registrants: Financial Consumer Data Privacy
Following the Gramm-Leach-Bliley Act of 1999, the SEC adopted Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to adopt policies to protect consumer records and information. While Chair Gensler suggested there may be several opportunities to “modernize and expand” Regulation S-P, he has asked SEC staff for recommendations on how consumers should receive notifications about cybersecurity events such as data breaches.
- Financial Sector Service Providers
Many service providers that are essential to the financial sector—including fund administrators, data analytics providers, and trading management services—are not required to register with the SEC. The Chair has asked SEC staff to consider the broad question of how to address cybersecurity risks arising from such service providers. Chair Gensler posited such possibilities as i) requiring registered entities to identify service providers that could pose cybersecurity risks, ii) holding registrants accountable for their service providers’ cybersecurity measures, and iii) imposing regulations similar to what the Bank Service Company Act imposes on service providers in the banking sector.
Chair Gensler’s address continues the trend of the SEC’s prioritizing cybersecurity in its compliance and enforcement efforts. Last year, the SEC entered into a settlement with a real estate title insurance company related to disclosures made in connection with a cybersecurity vulnerability involving the company’s app for sharing document images related to title and escrow transactions.
The SEC’s interest in cybersecurity is consistent with that of other government agencies. As just one example, data privacy and cybersecurity is also a priority of the Federal Trade Commission (“FTC”). Earlier this month, the FTC issued a warning for companies to remediate the Log4j security vulnerability, cautioning that “[t]he duty to take reasonable steps to mitigate known software vulnerabilities implicates laws . . . [i]t is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
We expect that cybersecurity will remain of keen interest to the securities and shareholders’ plaintiffs’ bar. Public companies experiencing data privacy and other cybersecurity breaches can expect thorough scrutiny of their previous public statements about their cybersecurity practices and compliance – and securities fraud claims of misrepresentation or omissions in those statements.
Beyond that, as best practices continue to develop for data privacy and cybersecurity, directors of public (and some private) companies should expect data breaches to lead to claims by shareholders that the directors breached their fiduciary duties by failing to institute and maintain a sufficiently robust cybersecurity compliance program. Much more to come as both the law and best cybersecurity practices continue to develop.