SEC Chairman Gary Gensler spoke last week at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. After a brief history lesson on the first “hack” in 1834, Chairman Gensler acknowledged that, while the private sector is on the front lines of the ongoing struggle to maintain sufficient cybersecurity to thwart cyber-attacks, the government – and the SEC in particular – has its role to play. Specifically, Chairman Gensler identified a number of projects (read: SEC staff reviewing what new rules and disclosure requirements could be implemented) with implications for financial sector registrants, including investment advisers, broker-dealers, investment companies, and other market intermediaries.
Financial Infrastructure
Reg SCI (2014) affects large registrants that serve as financial infrastructure – such as stock exchanges and alternative trading systems, clearinghouses, and self-regulatory organizations – with the goal of ensuring that key players have sound resiliency programs in place. While the stated goal of an update would be to identify ways to broaden its applicability, it should remain limited to larger broker-dealers and market makers.
Cybersecurity Hygiene
Focusing on investment companies, investment advisers, and broker-dealers, the emphasis of the initiative is on improving registrants’ overall cybersecurity to ensure they can remain operational in the face of a cybersecurity incident. Chairman Gensler noted in his speech that, even in the absence of a cybersecurity rule, cybersecurity risks are implicated in other regulations, “including but not limited to business continuity, books and records, compliance, disclosure, market access, and antifraud.”
Although he has thus far only requested staff recommendations, this could take the form of new rulemaking that imposes specific considerations for cybersecurity, and almost certainly will include an incident reporting regime.
Data Privacy
Regulation S-P, which targets the privacy of customer personal data, was adopted in 2003 and was also identified as due for an update. The emphasis here was likewise on customer notifications about cyber events and data breaches, including updating Reg S-P’s current notification requirements. One possibility is unifying the notification requirements already in place in some states, which would simplify response obligations if it led to a standardization of those requirements.
Service Provider Risks
The Chairman also identified cybersecurity risk from service providers as a key area of concern. Very often these companies claim financial services firms as a broad portion of their client base, but are not subject to registration themselves. These companies can include cloud storage providers, reporting platforms, middle-office services, fund administrators, index providers, custodians, data analytics, order management, pricing, and other services.
As the service providers are not themselves subject to regulation, the focus will be on the registrants – funds, broker-dealers, and advisers. We can expect to see a requirement for registrants to document their service providers, the cyber and data risks those providers pose, and the steps taken to mitigate those risks. While we routinely recommend these risk inventories as a matter of good business practice, additional proposed measures could seek to hold firms accountable for their service providers’ cybersecurity measures as they pertain to the firms’ clients. The form this would take is still undefined, but it is not difficult to foresee a pass-through notification requirement – if your firm’s provider reports an event that affects your clients, then you must separately notify your clients of the service provider breach. In any event, such a proposal is likely to make formalized vendor oversight policies and procedures necessary where they have not been adopted already.
The risk of cyber-attacks is real, and the consequences can be devastating. We agree with Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), that “cybersecurity is a team sport.”[1] We urge everyone to be vigilant against cyber threats in all aspects of their lives. As for new rules, while potential initiatives mentioned in speeches by senior SEC staff often take years to materialize, given the systemic risk that a well-timed cyber-attack could pose, we expect this one might be front-burnered. We hope any proposed rules will make sense and better protect our financial markets and investors.
[1] Chairman Gensler quoted Jen Easterly – see “Cybersummit 2021 Keynote Address” (Oct. 6, 2021), available at https://www.cisa.gov/cybersummit-2021-session-day-1-welcome-and-opening-remarks (see 3:32)