SEC Chair Gensler Remarks Indicate 2022 Action Expanding Cyber Requirements
SEC Chair Gary Gensler made remarks on Jan. 24, 2022, at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute regarding the SEC's work to improve "the … cybersecurity posture and resiliency of the financial sector." Consistent with Holland & Knight's recent SECond Opinions Blog post highlighting the SEC's more aggressive cyber posture in 2021, Gensler indicated that in 2022 the SEC will consider updating existing cybersecurity disclosure and reporting rules for entities it regulates and extending cybersecurity requirements to entities that fall outside the agency's direct regulatory regime.
As detailed below, Gensler previewed possible new cybersecurity disclosure and reporting rules for 1) regulated entities, such as broker-dealers, investment companies, registered investment advisers and other market intermediaries; 2) public companies; and 3) service providers that work with SEC registrants but are not necessarily registered with the SEC themselves. The contemplated changes could lead to an increase in SEC cybersecurity enforcement actions, which have been rare to date. In addition to unpacking Gensler's remarks, this SECond Opinions post highlights some important takeaways for each of these parties.
Expected 2022 SEC Cyber Actions
Under the Biden Administration, there has been a shift from voluntary to mandatory cybersecurity reporting and other requirements, as well as an increased focus on cybersecurity more broadly.1 For more specifics, please see this recent Holland & Knight alert.
In line with this trend, we are likely to see increased focus on cybersecurity and data security from the SEC in 2022. Although Gensler acknowledged that the Cybersecurity and Infrastructure Security Agency (CISA) and FBI remain the tip of the spear for cybersecurity policing, he emphasized the key role that the SEC has to play as part of "Team Cyber." Specifically, Gensler highlighted that hackers often target the financial services industry to "steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities."
During his remarks, Gensler focused on cyber hygiene, incident reporting and disclosure to the public for different SEC registrants, public companies and service providers.2
First, Gensler foreshadowed changes coming for different types of regulated entities. Gensler stated that he would like to "freshen up" Regulation Systems Compliance and Integrity (Reg SCI), a rule that covers a subset of SEC-regulated entities, such as stock exchanges and other self-regulatory organizations.3 In addition, he stated that the commission may seek to apply Reg SCI to some of the largest market makers and broker-dealers, and he pointed to a 2020 rule proposal that would apply Reg SCI to large trading platforms for U.S. Treasury securities.
For investment companies, investment advisers and broker-dealers, Gensler stated that he has asked SEC staff to make recommendations to strengthen cybersecurity, cyber hygiene and incident reporting separate and apart from Reg SCI and with consideration of CISA guidance. For financial sector registrants generally, Gensler stated that he has asked staff for recommendations on how to "modernize" Regulation S-P, whose "Safeguards Rule" requires registrants to protect customer records and information, including whether and how registrants should notify customers and clients when their data has been accessed without authorization. Importantly, Gensler hinted at possible changes to the "timing and substance of notifications" that registrants provide to customers under Regulation S-P.
Second, for public companies, Gensler's remarks focused on disclosure and cybersecurity practices. He stated that he has asked staff for recommendations regarding companies' cybersecurity practices and cyber risk disclosures, as well as whether and how to update companies' disclosures to investors when cyber events occur. Gensler made clear, however, that companies are already subject to certain cyber-related disclosure requirements under existing federal securities laws, citing the recent SEC Enforcement actions in this area.
Third, for service providers, Gensler's comments were broader, focusing on recommendations for addressing cybersecurity risks that originate with service providers, including requiring registrants to identify service providers that could pose risks or holding registrants accountable for their service providers' cybersecurity measures. Gensler added that new cybersecurity rules could extend to entities such as fund administrators, custodians and other parties not registered with the agency.4
How to Prepare
Without specific rule proposals to evaluate, it is unclear exactly how the SEC plans to extend disclosure and reporting obligations to these various entities. However, entities can anticipate that the SEC will be more aggressive on cybersecurity issues going forward. In preparation, entities can take steps now to ensure that their cyber risk policies and procedures are appropriately designed and tailored to avoid some of the landmines that have subjected others to SEC Enforcement actions. Below are some quick "ABCs" for all SEC registrants to consider and evaluate:
- Assess Cybersecurity Risks: Entities should identify and document their criteria for evaluating risks, and the risk assessment should include input and analysis from information technology/security, compliance and legal teams.
- Build Policies and Procedures Specifically Tailored to Address Identified Risks and Train Employees accordingly: Upon identifying risks, entities should evaluate how to mitigate those risks through administrative, physical or technical safeguards. To mitigate these risks, employees should be appropriately trained on these safeguards. The SEC's 21(a) Report of Investigation on business email compromises highlights that implementation of policies without proper employee training can result in significant financial consequences for companies.
- Correct and Periodically Test Vulnerabilities Identified through Monitoring: Continual monitoring and testing of company systems to identify vulnerabilities are critical to any cybersecurity program. The ever-evolving nature of cyberattacks and zero-day exploits requires constant vigilance. From vulnerability and perimeter scanning, to insider threat monitoring, to patch management, companies have a wide array of monitoring tools they can use. For example, entities can establish a vulnerability management program that includes routine scans of software code, servers and workstations, tracks each finding to remediation, and re-tests to confirm that the fix actually closed the gap.
- Develop an Internal Disclosure System for Cybersecurity Incidents and Vulnerabilities: As the SEC's recent enforcement action against First American Financial Corp. illustrated, entities may have regulatory exposure if they lack policies and procedures to ensure that material information is "accumulated and communicated" to management. Entities should develop and test an internal reporting system to ensure that cybersecurity incidents and vulnerabilities reach all relevant stakeholders and decision-makers in time to inform disclosure decisions.
- Establish an Incident Response Plan (IRP) and Test the IRP through Tabletop Exercises: As far back as 2015, the SEC's examinations staff (now the Division of Examinations) found that a majority of broker-dealers (88 percent) and investment advisers (74 percent) reported experiencing cyberattacks directly or through their vendors. Nearly seven years later, ransomware attacks are by some estimates occurring multiple times every minute, with global cybercrime damages projected to reach trillions of dollars annually.5 As important as it is for companies to be proactive, it is critical that entities plan how to respond when, not if, a cyber incident occurs to ensure, among other things, business continuity, damage mitigation and proper compliance with the various regulatory notification requirements.
As the SEC advances some of the reviews, recommendations and reforms highlighted by Gensler, SECond Opinions will provide updates on noteworthy developments. For more information, or to examine the impact that SEC regulatory compliance may have on your business or practices, contact the authors or another member of Holland & Knight's Securities Enforcement Defense and Data Strategy, Security & Privacy teams.
Notes
1 See Executive Order on Improving the Nation's Cybersecurity (May 12, 2021); National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021); TSA Pipeline Security Directives (July 20, 2021); TSA Enhancing Rail Cybersecurity Security Directive (Dec. 2, 2021); TSA Enhancing Public Transportation and Passenger Railroad Cybersecurity Directive (Dec. 2, 2021); OFAC Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Sept. 21, 2021); and DOD's CMMC 2.0 (Nov. 17, 2021).
2 Gensler also noted that the SEC is not immune from cyberattack and that – consistent with President Joe Biden's May Executive Order on Improving the Nation's Cybersecurity that requires federal agencies to take steps to enhance data security and cybersecurity – the commission will continue to focus on protection of SEC data and to evaluate its data collection process to ensure it collects only data needed to fulfill its mission.
3 Reg SCI aims, in part, to ensure that these entities have sound technology programs and data backups to improve the resiliency of technological systems.
4 Notably, Gensler also foreshadowed the possibility that Congress could consider providing the SEC authority similar to that afforded to banking agencies under the Bank Service Company Act to regulate and supervise third-party service providers directly.
5 Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021, Cybercrime Magazine, Oct. 26, 2020