SEC Gears Up for New Cybersecurity Regulations

By Miriam Robin

Earlier this month, we touched on the highlights of the latest SEC regulatory agenda. SEC Chair Gary Gensler touted the document as a reflection of the agency’s drive to “modernize… in light of ever-changing technologies and business models in the securities markets.”

No area of securities regulation fits that imperative better than cybersecurity risk. To that end, the commission is putting its finishing touches on a new round of cybersecurity rules and preparing to go through yet another round of related rulemaking.

Let’s talk first about the rules that are going final in April. One set covers registered investment advisers and funds. Under the proposal put forward by the SEC last year, both groups will be required to take practical steps to shore up their cyber defenses and communicate with the public about best practices. For instance, the new rules call for advisers and funds to disclose cybersecurity policies and document the results of their risk assessments. When they do experience cybersecurity breaches, they will have 36 hours to report the incidents.

Another batch of cybersecurity rules about to be finalized consists of guidelines for publicly traded companies. They include disclosures regarding companies’ cybersecurity programs and the role of companies’ boards of directors and executives in overseeing their cybersecurity risks. In terms of reporting actual cybersecurity incidents, the new rules grant companies four business days. [A survey of past SEC comment letters on the Intelligize platform (subscription required) indicates that companies in a variety of industries have been grappling with cybersecurity disclosure issues for nearly two decades.]

The latest Form 10-K filing from aerospace manufacturer Boeing Co. offers an example of what standard cybersecurity risk disclosures may look like going forward. In addition to Boeing’s own information technology, the company pointed out it faces risks through its supply-chain relationships: “A cyberattack or security breach, whether experienced directly or through our supply chain, could, among other serious consequences, result in loss of intellectual property; unauthorized access to various categories of sensitive, proprietary or customer data; disruption or degradation of business operations, or compromise of products or services.” Boeing also detailed a security breach that occurred in November at one of its subsidiaries, along with how the company responded to the incident.

The SEC appears poised to take on data privacy in the next phase of its cybersecurity rulemaking. The important guidelines to know here are Regulation S-P and Regulation SCI. Regulation S-P lays out expectations for financial institutions to protect customer information. Regulation SCI refers to requirements for the technology that supports the daily functioning of the securities market.

If you’re wondering about potential landmines for regulators going forward when it comes to cybersecurity, pay attention to the concerns of surveillance watchdogs. Privacy advocates and politicians have a heightened sensitivity to programs that pose the possibility of abusing private information, such as the recent discovery of a federal database of money transfers. While the reforms coming out of the SEC are couched as consumer protections, civil rights groups may view them differently.
