Not so long ago, a consumer data breach at a big-box retailer would turn into headline news for days. Hackers are now setting their sights on bigger targets like government networks and oil pipelines, which raises the stakes for national security.
As the list of cyber threats grows, Securities and Exchange Commission Chair Gary Gensler is volunteering more of his agency’s aid in the fight. Speaking at an event at the Northwestern Pritzker School of Law last month, Gensler offered a preview of possible changes to cybersecurity rules for publicly held companies.
As of now, the SEC plays a nebulous role in policing the cyber frontlines, essentially working around the margins. On the one hand, the agency has oversight of cybersecurity for the financial sector, including brokers and securities exchanges. On the other, the U.S. regulatory system lacks formal cybersecurity rules for securities issuers. The same goes for reporting to the public in the wake of hacks: Even though public companies must disclose when they fall victim to ransomware attacks and data breaches, they have no standard process for doing so.
So what does Gensler have in mind for the SEC? His recent remarks centered on the theme of “freshening up” cybersecurity rules in ways that would ultimately expand the agency’s reach.
As an example, Gensler called for updates to Regulation Systems Compliance and Integrity – better known as Reg SCI. That rule lays out the requirements for technology, business continuity plans and the like for entities that participate in the capital markets, such as stock exchanges and clearinghouses. Gensler suggested the financial ecosystem might benefit from expanding the application of Reg SCI to cover other large actors in the capital markets, such as broker-dealers.
Additionally, Gensler indicated the SEC is looking into ways to improve the financial sector’s cybersecurity “hygiene.” The goal in this case would be to reduce the damage in the event of a cyberattack and keep operations online. The agency last week unveiled new proposed rules for investment funds and registered investment advisers, requiring them to disclose cybersecurity attacks within days of their occurrence. Under the proposed rules, funds and advisers would also be required to craft written policies and procedures for addressing cybersecurity breaches.
In terms of the broader universe of publicly traded companies, Gensler is apparently zeroing in on reporting of prospective cybersecurity risks. Specifically, he suggested that companies’ ad hoc approach to describing their strategies for cyber governance and risk management would benefit from greater consistency. And when cyber events do occur, Gensler warned companies against being less than accurate in their disclosures. Gensler also hinted that companies should prepare for more disclosures and scrutiny around the cybersecurity of service providers, including vendors involved in middle-office services.
All in all, Gensler’s suggestions sound like an ambitious plan to increase the SEC’s influence over corporate cybersecurity. We’ll see if legislators and his peers at other federal agencies agree that’s an appropriate role for the Wall Street regulator.