Cybersecurity – A Key Areas for the Commission and Every Firm

Cybersecurity is a critical area for every firm today. Threats from hacks that can cause severe damage to any business are ever present and growing by the moment. Every business should be looking at its preparedness in this key area.

As firms undertake to examine their preparedness it may be helpful to consider the recent comments of SEC Chair Gary Gensler. In remarks delivered at the Northwestern Pritzer School of Law’s Annual Securities Regulation Institute (January 24, 2022)(here). Mr. Gensler identified four areas keyed to cybersecurity where he is directing staff to assess what updates are necessary to supplement the applicable Commission rules.

First, cybersecurity begins with the financial sector and Reg SCI – Regulation Systems Compliance and Integrity. That rule, written in 2014, covers a group of registrants that include stock exchanges, clearinghouses, alternative trading systems, self-regulatory organizations and others. Stated differently, it covers the financial infrastructure of the capital markets.

The Regulation has helped ensure that key capital market entities are prepared in the area of cybersecurity. Yet in the intervening years since its passage there have been many changes and developments. Staff has been directed to examine how Reg SCI can be broadened and expanded into new areas. One may be Treasury trading platforms. This topic will be addressed shortly. No doubt virtually every business would benefit from examining its cybersecurity systems and policies in a similar manner – not just how to update but also broaden and enhance them.

Second, Chair Gensler addressed funds, advisers, and broker-dealers. These are entities for which cybersecurity can impact many of their key books, records and policies. The array of records these entities keep lead Mr. Gensler to conclude that reforms in the cybersecurity area could benefit the registrants and strengthen their policies and procedures.

Third, data privacy. Regulation S-P was adopted to focus on customer and data privacy at regulated entities such as brokers, investment companies and investment advisers. Adoption was completed two decades ago. Accordingly, Mr. Gensler requested that staff develop recommendations about how customers and clients of these firms are notified about cyber events that impact their data, always a key question.

Fourth, service providers. Firms such as investor reporting systems and providers, middle-office service providers, fund administrators and other, similar firms are key in this area. Chair Gensler has directed staff to assess how the Commission can address the risks that come from these providers.

Finally, the SEC is assessing how it can be better prepared in this critical area – the agency is clearly not immune. Indeed, there is no business entity that is immune from the risk of cybersecurity. While Chair Gensler’s ideas may not apply to every private sector firm, the approach does – it is critical for all to carefully evaluate the question of preparedness in the area of cybersecurity. If you don’t, the Commission, with updated policies and procedures, may assist.