[BreachExchange] SEC eyes more expansive cybersecurity requirements

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Jan 25 10:43:16 EST 2022


https://www.csoonline.com/article/3648063/sec-eyes-more-expansive-cybersecurity-requirements.html#tk.rss_news

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has
laid out an ambitious cybersecurity plan for his agency that could give it
a far more expansive regulatory footprint than it currently has. Speaking
to Northwestern Pritzker School of Law’s Annual Securities Regulation
Institute, Gensler said that “the financial sector remains a very real
target of cyberattacks” and is becoming “increasingly embedded within
society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the
Financial Stability Oversight Council (FSOC) and the Financial and Banking
Information Infrastructure Committee (FBIIC), among others, that deal
directly with cybersecurity requirements, the agency has no hard and fast
cybersecurity rules or cybersecurity incident reporting requirements for
publicly traded companies. It does, however, have data protection and other
security requirements for the financial segments it directly regulates,
including exchanges, brokers, financial advisers, and others.

Staff guidance governs publicly traded companies

In 2011, the SEC issued staff guidance stating, “Although no existing
disclosure requirement explicitly refers to cybersecurity risks and cyber
incidents, companies nonetheless may be obligated to disclose such risks
and incidents.” Nevertheless, in this earlier guidance, the SEC advised
companies that “Material information regarding cybersecurity risks and
cyber incidents is required to be disclosed when necessary in order to make
other required disclosures, in light of the circumstances under which they
are made, not misleading.” Consequently, most publicly traded companies
began reporting significant cybersecurity risks and incidents, frequently
using a standard SEC reporting form called 8-K.

In 2018, the SEC issued interpretive guidance that expanded upon the 2011
guidance, stressing the importance of maintaining comprehensive policies and
procedures related to cybersecurity risks and incidents. The updated
guidance also reminded companies of the applicable insider trading
prohibitions under the general antifraud provisions of the federal
securities laws. It further stressed companies’ obligations to “refrain
from making selective disclosures of material nonpublic information about
cybersecurity risks or incidents.”

Like the 2011 staff guidance, the 2018 update underscores that “no existing
disclosure requirement explicitly refers to cybersecurity risks and cyber
incidents.” The 2018 update does point to statutory financial filing
requirements known as Regulation S-K and Regulation S-X that might require
cybersecurity disclosures in registration statements and financial reports
submitted to the SEC.

Even without mandatory disclosure rules, the SEC has brought legal action
against companies for poor cybersecurity reporting practices. In 2018, the
Commission forced Yahoo to pay a $35 million penalty to settle charges that
it misled investors by failing to disclose one of the world’s most
significant data breaches.

New proposals would expand SEC’s reach

In his speech, Gensler proposed a series of changes involving new,
“refreshed,” or expanded SEC cybersecurity authorities. These proposals
include:

“Freshen up” Regulation Systems Compliance and Integrity (Reg SCI): Gensler
said that he plans to ask the SEC at its next meeting to consider a
“freshened up” version of Reg SCI to further shore up the cyber hygiene of
important financial entities. Reg SCI is a 2014 rule covering a subset of
large registrants, including stock exchanges, clearinghouses, alternative
trading systems, and self-regulatory organizations (SROs). The rule aims to
improve the resiliency of these entities by requiring sound technology
programs, business continuity plans, testing protocols, data backups, and
other requirements.

Strengthen financial sector registrants’ cybersecurity hygiene and incident
reporting: Gensler said he had asked his staff how to strengthen financial
sector registrants’ cybersecurity hygiene and incident reporting to a
broader group, including investment companies, investment advisers, and
broker-dealers, not covered by SCI, considering guidance issued by CISA and
others.

Strengthen customer information protection for financial sector
registrants: Gensler said he had asked staff for recommendations to change
how customers and clients of financial sector registrants receive
notifications about cyber events when their data, such as personally
identifiable information, has been accessed.

Improve cyber risk and event reporting for public company registrants:
Gensler has asked his staff to make recommendations about publicly traded
companies’ cybersecurity practices and cyber risk disclosures, including
possibly their practices concerning cybersecurity governance, strategy, and
risk management. Gensler added that both companies and investors would
benefit if this information were presented in a “consistent, comparable,
and decision-useful manner” rather than the free-form descriptions
currently appearing in the 8-K submissions. He has also asked staff to
recommend whether and how to update companies’ disclosures to investors
when cyber events have occurred.

Address cybersecurity risk from service providers: Perhaps the most
controversial of the steps outlined by Gensler is the idea of requiring
certain public company registrants to identify service providers that could
pose cybersecurity risks. Following a spate of damaging supply chain attacks,
most notably the compromise of business software provider SolarWinds,
Gensler said he asked staff to consider recommendations on addressing
cybersecurity risk from service providers. Among the measures cited by
Gensler to address suppliers’ security are requiring certain registrants to
identify service providers that could pose risks and holding registrants
accountable for service providers’ cybersecurity measures for protecting
investor information.

“Seismic speech” should send waves

Scott Ferber, partner at McDermott Will & Emery, tells CSO that while
expansive, Gensler’s proposals align with how the SEC has traditionally
viewed its role in cybersecurity. “The SEC has made it clear for years that
cybersecurity is in their enforcement sights.”

Ferber adds, “The seismic speech from the chair reinforces that priority
and highlights various initiatives. It should send waves to several
constituencies, including the financial sector, SEC registrants, public
companies, and, notably, service providers, even those not regulated by the
SEC today.”

The timing of proposals is unclear

What’s unclear, however, is just how quickly the SEC might act on some of
these ideas, if at all. Last year, the SEC put on its public agenda a
rulemaking on amendments to enhance issuer disclosures regarding
cybersecurity risk governance. That rulemaking, slated for October 2021,
has yet to materialize.

Last September, Gensler told the Senate Banking Committee the agency is
developing a proposal on cybersecurity risk governance, which “could
address issues such as cyber hygiene and incident reporting.” The SEC did
not respond to requests for information on either the seemingly stalled
rulemaking or the timing of Gensler’s new proposals.

Ferber thinks the SEC is primed for fast action. “I don't think [Gensler’s
new expansive agenda] is something that is years down the road,” he tells
CSO. “It seems that they're looking to move quickly on this.”