2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for the SEC’s efforts to shape cybersecurity policy. This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.
January: Chair Gensler Sets out Cyber Regulation Roadmap
To kick off the year of SEC’s emphasis on cybersecurity policy, on January 24, SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute. Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations. These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.
February: Proposal for Advisers and Funds
On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, (3) and keep related cybersecurity books and records. Additionally, advisers would be required to file a confidential report to the SEC within 48 hours of significant cybersecurity incidents.
March: Proposal Requiring Public Company Cyber Incident and Risk Disclosures
The SEC followed its proposal with another; on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures. Most notably, the proposal would require companies to file a public disclosure form when the company suffers a “material cybersecurity incident” within four business days after the company has determined the incident is material. The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”
April: Chair Gensler Reiterates Roadmap
On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council. His April remarks mentioned the same areas for potential regulation that he mentioned in his February address. By April, however, the SEC had since followed through and announced two proposals covering topics mentioned by Chair Gensler.
The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.
May: Increased Enforcement Capabilities
Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit—formerly just the Cyber Unit—would be nearly doubled in size, from 30 dedicated enforcement positions to 50. Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.” With the cybersecurity regulations which have been proposed, and ones likely to be imposed in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.