Bates Research | 04-28-22
SEC Spotlight: New Cybersecurity Rules Heading Your Way
In a January 2022 speech before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler broadcast his intention to tackle an array of cybersecurity concerns. He listed four targets for revised regulatory policy: (i) SEC registrants; (ii) public companies; (iii) service providers that work with SEC registrants; and (iv) the SEC itself. To date, he has moved the ball forward on the first two of these targets, and his most recent announcements suggest more to come. Here is a quick summary of these proposed rules before we dive into the details:
- On February 9, 2022, the SEC proposed rules on cybersecurity risk management for investment companies, registered investment advisers, and business development companies.
- On March 9, 2022, the SEC proposed additional rules to enhance disclosures on cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.
- In an April 14, 2022 address before the Financial and Banking Information Infrastructure Committee (FBIIC), a chartered committee of the President’s Working Group on Financial Markets, and the Financial Services Sector Coordinating Council (FSSCC)—a group comprised of financial service providers and financial industry associations—the SEC Chair expounded on the agenda he laid out in January, reaffirming his comprehensive approach on cyber security and indicating next steps.
Here are the latest developments.
Regulatory Developments for SEC Registrants
The rules proposed on February 9, 2022, require registered investment advisers, registered investment funds, and business development companies to strengthen their cybersecurity practices by (i) adopting written plans on cybersecurity risks; (ii) disclosing cybersecurity incidents to the public; (iii) reporting incidents to the Commission; and (iv) adding recordkeeping obligations. (Note the SEC Fact Sheet accompanying the rule proposal.) The SEC rationale is that the rule, if adopted, will ensure that registrants “maintain critical operational capability during a significant cybersecurity incident;” will provide investors with more information; and will “create incentives to improve cyber hygiene.” Mr. Gensler also stated that the required disclosures would offer more insight into intermediaries’ cyber risks.
Industry to SEC: Reconsider Proposals
Industry comments on the proposal (submitted by the April 11, 2022, deadline) were supportive of the goal but critical of the means. SIFMA asked the Commission to reconsider the proposal, characterizing it as an “overreach” and challenging the proposed rule’s reliance on the antifraud authority under the Advisers Act. SIFMA argued that the Commission “should assist institutions to enhance cybersecurity programs instead of drafting new rules that punish advisers if there is a perceived deficiency in security measures.” SIFMA made several recommendations on the rule proposal, among them dispensing with public disclosure of details relating to a cybersecurity incident or cyber risks and adopting a principles-based approach to cyber risk management, rather than a "one-size-fits-all" system. Notably, on March 31, 2022, SIFMA released its own cybersecurity recommendations on strengthening defenses against cyberattacks. The recommendations were based on a broad biennial cybersecurity exercise among financial institutions. Other industry associations contended that the proposed regulations were not proportionate to the actual threats to funds and advisers, were too burdensome, or suffered from a lack of reporting uniformity.
Just Around the Corner for Registrants
In his April 2022 speech, Chair Gensler broadcast other cybersecurity areas ripe for SEC review. First, he suggested that it was time to “freshen-up” Reg SCI (Regulation Systems Compliance and Integrity)—the rule currently covering exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations, among others—to ensure that they have “sound technology programs, business continuity plans, testing protocols, data backups, and so on.” The Chair said he asked his staff to consider how to “broaden and deepen the rule,” possibly by expanding its coverage to include large market-makers and broker-dealers. Second, Mr. Gensler reported that he asked staff to offer recommendations to update Reg S-P—the rule that requires broker-dealers, investment companies, and investment advisers to safeguard customer records and information—perhaps by requiring breach notifications when a customer’s information is accessed without authorization. Finally, the SEC Chair asked staff for additional cybersecurity proposals specifically for broker-dealers along the lines of the February proposed rules for advisers.
Regulatory Developments for Public Companies
On March 9, 2022, the SEC proposed rules to enhance disclosures on cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies. The proposed rules would require (i) reporting about material cybersecurity incidents; (ii) periodic disclosures about a company’s policies and procedures on cybersecurity risks, on management implementation (including who’s responsible), on cybersecurity expertise and oversight at the board level; (iii) periodic updates about previously reported incidents; and (iv) disclosures in a specific format so that investors can better understand the risk management, strategy, and governance practices of the company. (Stay tuned for industry reaction due by May 9, 2022.)
Regulatory Developments for Service Providers Who Offer Operational Support
In his April 2022 address, Chair Gensler alluded to new cybersecurity regulations on financial service providers who offer operational support to registrants. These include providers of investor reporting systems, middle-office services, fund administration services, custody services, data analytics, trading and order management, and pricing and other data services. Mr. Gensler stated that he directed staff to make recommendations on the risks posed by these service providers, suggesting that new proposals might include notification requirements on (i) service providers that may cause or become aware of a cyber breach and (ii) registrants who may suffer customer data breaches as a result. An SEC proposed rule might parallel a new banking rule that went into effect on April 1, 2022, that requires bank service providers to notify as soon as possible their bank customers after determining that a "computer-security incident" occurred.
Regulatory Developments Turned Inward
In less-specific commentary on plans for regulatory reform of the SEC’s own cyber vulnerabilities, Chair Gensler reported that agency staff “continue to work to protect SEC data and information technology, as well as the industry data we need to carry out our mission,” noting only that staff will evaluate “our data footprint” and “improve our data collection processes.”
In general, the SEC’s heightened focus on cybersecurity is consistent with repeated warnings of increased risk and examples of significant intrusions. The issue remains at the forefront of the regulators’ agenda. (See, e.g., our post on the SEC’s 2022 Examination Priorities, highlighting extra scrutiny on operational resiliency and cybersecurity.) FINRA, too, has been issuing regular alerts on a host of cybersecurity concerns. (See, e.g., a February 15, 2022 Alert and March 21, 2022 Alert regarding anticipated increases in risk resulting from Russia’s invasion of Ukraine; and an April 4, 2022 FINRA statement on mitigating recently found internet vulnerabilities that may affect its own software.)
“Adopting a heightened posture,” as Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) said last year, has consistently been supported by market participants. (Again, note SIFMA’s recent cybersecurity recommendations based on extensive outreach and engagement.) However, the promulgation of multiple and substantial SEC cyber rules on registrants and public companies in February and March 2022, and now the anticipated rules on brokers, financial service providers and others that Mr. Gensler spoke to in his April 2022 address, raises concern for some. Bates will continue to keep you apprised.
How Bates Helps:
Bates Compliance provides tailored solutions for financial institutions and investment advisers. Our compliance team includes senior compliance staff and former regulators, with expertise in the development of policies, procedures, supervisory and compliance processes, including in state and federal registration, supervision and oversight, recordkeeping and disclosure. Contact us today:
Hank Sanchez, Managing Director, firstname.lastname@example.org or 504-450-9632
Rory O'Connor, Director, email@example.com or 860-671-7270