SEC Continues to Strengthen Focus on Cybersecurity
To improve cyber resiliency in the financial sector, the Securities and Exchange Commission (SEC) recently proposed amendments to existing regulation of the technology infrastructure in U.S. securities markets. SEC Chairman Gary Gensler has also reiterated in recent speeches that the SEC will continue its focus on improving the cyber-related disclosures by SEC registrants as well as the agency’s need to provide clearer and more consistent requirements to registrants around what should be disclosed and when. In addition, other potential areas for improvement identified by the SEC include adding requirements for public companies to improve cybersecurity.
Expansion of Regulation SCI to Include Alternative Trading Systems
According to a recent SEC news release, the proposed amendments include bringing Treasury trading platforms with significant volume under Regulation Systems Compliance and Integrity (SCI), a rule created to strengthen the technology infrastructure of the U.S. securities markets.
Financial Sector SEC Registrants
In a recent speech to the Securities Regulation Institute, SEC Chair Gensler offered insight into additional cybersecurity measures that the SEC will be exploring to improve the “cybersecurity hygiene and incident reporting” of financial sector registrants – i.e., funds, advisers and broker-dealers.
“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”
Data Privacy
For financial sector registrants, Gensler stated that the SEC would also be looking at “how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information (PII). This also could include proposing to alter the timing and substance of notifications currently required under Regulation S-P.” So, financial sector registrants may soon receive updates to privacy and notification requirements for the first time since the Gramm-Leach-Bliley Act (GLBA) went into effect over 20 years ago.
Public Company Cybersecurity Practices and Cyber Risk Disclosures Requirements
Updates to public company disclosures may occur in two areas, Gensler said. “This may include their practices with respect to cybersecurity governance, strategy, and risk management. A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”
“In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.”
Given the comments from the SEC Chair, it is fair to assume that staff recommendations will be followed by specific guidelines aimed at bringing more consistency to cyber-related disclosures by public companies. New disclosure guidelines may or may not lead to additional cyber-focused procedures to be performed by auditors. It’s anyone’s guess.
Third-Party Service Providers
Gensler noted that service providers play a critical role in the financial sector and that many of these entities may not be registered with the SEC. They include, but are not limited to, cloud service providers, investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and miscellaneous data services.
The SEC is considering such measures as “requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information. This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.”
While some sectors, such as banking, already have requirements to monitor and evaluate the cybersecurity practices of critical service providers, most others currently do not. Public companies have long had the obligation to monitor the controls at service organizations that are likely to be relevant to their internal controls over financial reporting as part of the Sarbanes-Oxley Act. However, requiring public companies as a whole to monitor the cybersecurity practices of critical service providers would be a major regulatory development that would likely entail significant incremental effort for registrants and their auditors.
For information about cybersecurity for SEC registered companies, contact us. We are here to help.
©2022