The U.S. Securities and Exchange Commission is implementing a campaign to overhaul the agency’s expectations around cybersecurity and cyber incident reporting for the financial services industry and corporate America generally. For example, in a recent speech, Chairman Gensler reiterated his focus on cybersecurity and underscored the SEC’s work to “improve the overall cybersecurity posture and resiliency of the financial sector.” These remarks echoed sentiments he has previously conveyed (including in Congressional testimony) regarding cybersecurity risk governance.
Based on Gensler’s remarks and other inputs, the SEC’s enhanced cybersecurity focus will take shape in the following three key areas:
- Cyber “hygiene” and preparedness;
- Cyber incident reporting to the SEC; and
- Public cyber disclosures.
The agency is strategically aiming its cyber policy efforts at the following three categories of market participants and registrants (and the SEC itself):
- Financial sector SEC registrants;
- Public companies; and
- Service providers.
Registrants and others have an opportunity to evaluate their cybersecurity programs in light of recent SEC comments, guidance, and rulemaking and consider whether enhancements are needed, either to comply with an explicit requirement, proactively to aim for presumptive approvals of pending rulemaking, or simply from a best practices standpoint. These steps could include:
- Attention to cyber hygiene;
- Review of Reg. S-P policies and procedures, with a specific focus on the timing and substance of notices and disclosures related to cyber events;
- Evaluation of cyber risk disclosures, including their accuracy, completeness, and timeliness; and
- Identification of third-party service providers that maintain investor or customer information and assessment of their cybersecurity measures.
FINANCIAL SECTOR SEC REGISTRANTS
The SEC is working on at least three initiatives related to strengthening financial sector registrants’ cybersecurity hygiene and incident reporting, specifically for broker-dealers, investment companies, investment advisers, and other market participants. Chairman Gensler explained that his objective in proposing these reforms is to reduce the risk that these registrants “couldn’t maintain critical operational capability during a significant cybersecurity incident.” In an effort to reduce this risk, the Chairman believes that these registrants “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risks.”
Proposed Cybersecurity Rules for Investment Advisers and Investment Companies
On February 9, 2022, the SEC proposed new rules and amendments designed to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies. Our client alert provides an overview of the proposed requirements. Key provisions of the proposed rules include:
- A requirement to maintain cybersecurity policies and procedures;
- A requirement to report significant cybersecurity incidents to the SEC;
- A requirement to disclose significant cybersecurity risks and incidents to clients and prospects; and
- Additional recordkeeping requirements.
The proposed rulemaking comes as no surprise. The SEC signaled in its “Reg Flex” agenda that these rules were coming. If adopted, these rules will incorporate existing SEC staff guidance on cybersecurity policies and procedures, and create new requirements for reporting cybersecurity incidents. The proposal includes a new rule 206(4)-9 under the Advisers Act and a new rule 38a-2 under the Investment Company Act.
Expanding the Scope of Regulation Systems Compliance and Integrity (Reg. SCI)
The SEC adopted Reg. SCI in 2014 as a way to strengthen the technology infrastructure of the U.S. securities markets via rules designed to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and enhance the agency’s oversight and enforcement of securities market technology infrastructure. Reg. SCI requires an “SCI entity” to, among other things, establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its key automated systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability; take appropriate corrective action when systems issues occur; provide certain notifications and reports to the SEC regarding systems problems and systems changes; inform members and participants about systems issues; conduct business continuity and disaster recovery testing; conduct annual reviews of automated systems, including penetration testing; and make and keep certain books and records.
Recognizing that much has changed since 2014, Chairman Gensler asked SEC staff to “broaden and deepen” the rule beyond its current scope, which covers a subset of large registrants (including stock exchanges, clearinghouses, and alternative trading systems (“ATSs”)). A recent SEC proposal would extend Reg. SCI to “Government Securities ATS” that meet specified volume thresholds. Presently, Reg. SCI applies to NMS stocks and supersedes certain system integrity provisions that exist within Reg. ATS for non-NMS Stock ATSs. Reg. SCI compliance will be an additional heavy-up for any Government Securities ATSs that hit the applicable 5% SCI entity threshold.
Chairman Gensler has suggested that the SEC may consider applying Reg. SCI to “other, large significant entities… such as the largest market-makers and broker-dealers.” This potential expansion in scope is significant, and means that these other entities may be required to, among other things, maintain “sound technology programs, business continuity plans, testing protocols, [and] data backups.” Gensler mentioned that there “might be opportunities to deepen Reg. SCI to further shore up the cyber hygiene of important financial entities.” What form that would take and to whom that would apply are not clear.
Modernizing Regulation S-P (Reg. S-P)
Broker-dealers, investment advisers, and investment companies are subject to Rule 30(a) of Regulation S-P, which is the SEC’s version of the Gramm-Leach-Bliley Act “Safeguards Rule.” The Safeguards Rule requires adoption of written policies and procedures implementing technical, administrative, and physical safeguards reasonably designed to protect the security and confidentiality of customer records and information. Chairman Gensler has said that he sees opportunities to modernize and expand Reg. S-P and has “asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed.” The proposed rulemaking mentioned above for investment advisers and investment companies takes this to the next level by imposing a reporting requirement for significant incidents. This also comes as no surprise, given the Federal Trade Commission’s own revamping of the Safeguards Rule announced late last year.
Public companies are already subject to obligations with respect to cybersecurity disclosures and providing investors with disclosures about cyber risk. Exchange Act Rule 13a-15(a) requires most issuers of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in reports the issuer files or submits under the Exchange Act is recorded, processed, summarized, and reported timely (e.g., 8-K filings within four business days of the occurrence of a reportable event). In early 2018, the SEC issued a statement and guidance on public company cybersecurity disclosures. That guidance notes the following (which the SEC has similarly highlighted in recent enforcement actions):
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents. In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
The SEC has also focused on public companies’ internal controls over financial reporting. In 2018, shortly after the SEC issued the guidance reference above, it issued a Section 21(a) report regarding cyber-related frauds perpetrated against nine public companies, citing the importance of devising and maintaining a system of internal accounting controls for cyber-related issues.
Nevertheless, and as a result of evolving disclosure regimes and the “basic bargain” between public companies and investors, Chairman Gensler believes that issuers and investors could benefit from disclosures being “presented in a consistent, comparable, and decision-useful manner.” He has asked SEC staff to make recommendations for the SEC’s consideration regarding (a) companies’ cybersecurity practices (e.g., cybersecurity governance, strategy, and risk management) and cyber risk disclosures and (b) whether and how to update companies’ disclosures to investors following cyber events. Gensler accompanied his remarks regarding the need for new regulations on public companies’ disclosure obligations with a reminder that the SEC will continue to bring enforcement actions under existing law where companies fail “ to make accurate disclosures of cybersecurity incidents and risks.”
Many of the service providers that support securities markets participants and other SEC registrants are not themselves registered with the SEC or subject to the agency’s jurisdiction. Examples include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, certain custodians, data analytics firms, trading and order management system providers, and pricing and other data services provides. In order to ensure investor protection and that key services are not disrupted for financial sector registrants, Chairman Gensler has asked the agency’s staff to consider recommendations around how to address cybersecurity risk presented by service providers. He has suggested that remedial measures could include: (a) “requiring certain registrants to identify service providers that could pose such risks” and (b) “holding registrants accountable for service providers’ cybersecurity measures [related to] protecting against inappropriate access and investor information.” Gensler also indicated that it might be worthwhile to provide market regulators with similar authorities as those granted to banking agencies, which regulate and supervise certain banks’ third-party service providers through the Bank Service Company Act. It is worth noting that some of these service providers may already be captured by the updated Federal Trade Commission Safeguards Rule.
Lastly, mindful that the SEC and its systems and data are not immune from cyber risk, Chairman Gensler has the agency’s staff looking inward to continue to (a) work to protect SEC data and technology and industry data, and (b) evaluate the SEC’s data footprint and data collection processes in an effort to only collect data needed to fulfill its mission. This is an encouraging acknowledgement and a good reminder that regulators themselves are subject to cyber perils, as the 2016 hacking of the SEC’s EDGAR system demonstrates.
Despite the self-reflection by the agency and “only if we need it” messaging on gathering, many would argue that the SEC has gone too far with various recent policy choices with respect to data gathering and warehousing requirements and regimes it has layered on the industry (or proposes to do so). The SEC-mandated Consolidated Audit Trail is one example (which would require a treatise to truly distill and explain). Another example is new Rule 10c-1 that the SEC recently proposed, which would create a new reporting and disclosure framework for the securities lending market. The SEC’s mandate under the Dodd-Frank Act is to “promulgate rules that are designed to increase the transparency of information available to brokers, dealers, and investors with respect to loan[ing] or borrowing securities.” While certain aspects of the proposal appear aimed to achieve this goal, such as public dissemination of transaction data like volume and price and aggregate market data, the proposal appears to go beyond the mandate in requiring Lenders to provide certain confidential non-public information. Specifically, it is difficult to see how transparency is furthered by the proposed requirements that securities lenders report to FINRA the identities of the parties, whether the loan will be used to close a fail to deliver, and in the case of broker-dealers, whether such securities are loaned from the broker-dealer’s inventory. While this information would give FINRA and the SEC a more detailed view into the actions of market participants, its value to transparency is low if it is not publicly disseminated.
Chairman Gensler believes that the SEC has a key role to play in improving the overall cybersecurity posture and resiliency of the financial sector and is committed to addressing ever-evolving cybersecurity challenges with an action-oriented and cyber-focused rulemaking agenda. We will continue to closely monitor developments in these areas.