
InfoBytes Blog

Financial Services Law Insights and Observations

SEC chair considers updating cybersecurity rules

Securities Privacy/Cyber Risk & Data Security SEC Data Breach Agency Rule-Making & Guidance


On January 24, SEC Chair Gary Gensler discussed the agency’s cybersecurity policy work before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler commented that the SEC is working to improve the overall cybersecurity resiliency of the financial sector with a focus on four groups of entities: broker-dealers and investment companies; public companies; service providers that are not necessarily registered with the agency but that work with SEC financial sector registrants; and the SEC itself. Areas that may benefit from being “freshen[ed] up” include SEC regulations related to systems compliance and integrity (which focus on reducing the occurrence of system issues and improving resiliency), as well as cyber “hygiene” and incident reporting requirements.

With respect to data privacy, Gensler commented that there may be opportunities to modernize and expand Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. Noting that Regulation S-P was adopted more than two decades ago, Gensler has also asked SEC staff to provide “recommendations about how customers and clients receive notifications about cyber events when their data has been accessed,” including breaches of personally identifiable information. He stated that recommendations could also include changes to the timing and substance of notifications currently required under Regulation S-P.

Gensler also asked for recommendations on whether and how to update public companies’ cybersecurity practices and cyber risk disclosures. He further noted that the SEC needs to explore and address cybersecurity risks arising from service providers, adding that measures “could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information.”