On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts. Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.
In outlining the SEC’s enhanced cyber focus, Gensler stressed three areas of emphasis: (1) cyber hygiene and preparedness; (2) cyber incident reporting to the government; and (3) public disclosures. The SEC’s increased emphasis on cybersecurity continues to merit attention by SEC registrants in the financial sector (including broker-dealers, investment companies, registered investment advisers, and other market intermediaries) and the service providers that work with them, as well as by publicly traded companies.
Background
As we have discussed previously, the Securities and Exchange Commission (“SEC” or “Commission”) has taken an increasingly aggressive approach in evaluating companies’ responses to cyber incidents, both from disclosure and disclosure controls perspectives. In the past year, the Commission has brought cybersecurity enforcement actions against companies that allegedly maintained inadequate cybersecurity-related controls or that failed to comply with related disclosure obligations.
For example, in June 2021, the SEC announced a settlement with First American Financial Corporation after charging the company with maintaining deficient disclosure controls and procedures related to a cybersecurity vulnerability that exposed customer information.[i] Subsequently, in August 2021, the SEC announced settlements with a group of investment advisors and broker-dealers for their alleged failure to sufficiently protect cloud-based employee email accounts that were compromised by unauthorized actors, resulting in the exposure of clients’ personal information.[ii]
The SEC has also been engaged in a publicly disclosed review of companies that were potentially impacted by the SolarWinds cyberattack, which became public in December 2020. In this sweep, the SEC has sought information on a voluntary basis from companies that may have used the compromised versions of SolarWinds software, noting that providing the requested information and making any required disclosures would result in a decision by the SEC not to recommend an enforcement action relating to relevant disclosure or internal accounting controls failures. However, despite this limited safe harbor, the SEC also asked companies to provide information about other cybersecurity incidents involving external attacks, which could form the basis of further SEC investigation.[iii]
Chair Gensler’s Speech
Chair Gensler began his speech to the Annual Securities Regulation Institute by acknowledging the increasing importance of “Team Cyber,” the collection of government agencies and private actors involved in ongoing efforts to strengthen public and private defenses against malicious cyber actors. The SEC will continue to play a significant role on Team Cyber in order to “improve the overall cybersecurity posture and resiliency of the financial sector,” which may involve shoring up cyber-related policies for SEC registrants in the financial sector, publicly traded companies, service providers, and the SEC itself.
Financial Sector SEC Registrants
Chair Gensler announced three areas of focus designed to address cybersecurity risks faced by SEC registrants in the financial sector:
- First, Gensler indicated that the SEC is investigating ways to “freshen up” Regulation Systems Compliance and Integrity (“Reg SCI”), a regulation originally promulgated in 2014 to ensure that financial infrastructure entities (like stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations) have plans in place to maintain business continuity in the event of a technology systems or security incident. In an effort to “broaden and deepen” Reg SCI, Gensler suggested that the SEC explore adding additional cyber hygiene requirements and extending the rule’s application to large market-makers, broker-dealers, and Treasury trading platforms.
- Second, Gensler said that he has asked the SEC Staff to explore enhancements to the cybersecurity hygiene and incident reporting practices of financial sector registrants (including investment companies, investment advisers, and broker-dealers), such as by incorporating guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA).
- Third, Gensler previewed that the SEC is exploring whether and how to modernize and expand notification requirements for registered broker-dealers, investment companies, and investment advisers following a cyber incident that exposes client information. Such requirements are governed currently by Regulation S-P, which was adopted more than two decades ago following the enactment of the Gramm-Leach-Bliley Act of 1999.
Publicly Traded Companies
Chair Gensler noted that public companies “already have certain obligations when it comes to cybersecurity disclosures,” including the obligation to make accurate disclosures of material cybersecurity incidents. He stressed, however, that it might be time for a more “consistent, comparable, and decision-useful” approach to disclosures covering, for example, cybersecurity governance, strategy, and risk management. To this end, he has asked the SEC staff to make recommendations regarding whether and how to update companies’ disclosure obligations to investors following cyber events.
Service Providers
Chair Gensler observed that third-party service providers—many of which are not registered with the SEC—are increasingly relied upon to play critical roles in the financial sector, from providing cloud access and middle-office functions to fund administration and data analytics. Gensler has asked the SEC Staff to make recommendations on how to mitigate the cybersecurity risks faced by service providers, including by possibly holding regulated entities accountable for their service providers’ cybersecurity practices and requiring regulated entities to report service providers whose practices pose cybersecurity risks. Gensler acknowledged that third parties offering services to banks are already subject to the Bank Service Company Act and pointed to that legislation as a possible model for service providers in other contexts.
The SEC
Lastly, Chair Gensler acknowledged that the SEC itself “is not immune to cyberattacks” and said that both President Biden’s Executive Order on Improving the Nation’s Cybersecurity as well as Office of Management and Budget directives orient the SEC’s efforts to protect its data and information technology. Though Gensler did not point to specific policy proposals, he noted that the SEC was committed to reducing its “data footprint” by collecting only the data necessary to fulfill its mission.
Takeaways
Chair Gensler’s speech makes clear that the SEC intends to explore significant measures that could increase the regulatory burdens faced by financial sector SEC registrants and service providers, and by publicly traded companies, to adequately address and disclose cyber risks and incidents. In light of the SEC’s ambitious regulatory agenda and increased cyber-related enforcement activity, companies should continue to make it a top priority to strengthen their cyber-related policies and controls.
- Cybersecurity Hygiene and Procedures. In recent enforcement actions against public companies targeted by cyberattacks, the SEC has increasingly focused on disclosure controls deficiencies. Gensler’s statements further signal an intention to hold companies accountable for perceived vulnerabilities created by insufficient cybersecurity hygiene. Regulated entities should ensure they have adequate cyber protocols in place and consider additional efforts to update incident response plans, train and protect employees, and implement software and hardware defenses.
- Public Disclosures and Notification. Gensler’s proposed enhancements to disclosure obligations for public companies will put additional pressure on regulated entities to adequately assess and disclose their cyber-related risks both before and after a cyber incident occurs. In this context, Gensler specifically noted the potential materiality of data breaches and ransomware incidents—increasingly common events that companies should be in a position to respond to effectively.
- Managing Third-Party Risks. Gensler previewed efforts to target cybersecurity risks posed by the increasing reliance on third party service providers, including by potentially holding regulated entities accountable for deficiencies in their service providers’ cyber protocols. To this end, companies should maintain appropriate standards for vetting their service providers and for monitoring their service providers’ cyber practices.
Finally, companies should continue to monitor the evolving legal landscape for further developments. Gensler’s statements and the recent SEC enforcement activity are signs that the trend of increasing focus on cybersecurity threats will not abate anytime soon.
[i] U.S. Sec. and Exch. Comm’n, First Am. Fin. Corp., Exchange Act Release No. 92176, File No. 3-20367 (June 14, 2021), https://www.sec.gov/litigation/admin/2021/34-92176.pdf.
[ii] Press Release, U.S. Sec. and Exch. Comm’n, Statement on Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021), https://www.sec.gov/news/press-release/2021-169.
[iii] For further information, see the Cleary Gottlieb publication “2021 Cybersecurity and Privacy Developments in the United States” at https://www.clearygottlieb.com/-/media/files/alert-memos-2022/2021-cybersecurity-and-privacy-developments-in-the-united-states.pdf.