SEC Chair Gary Gensler gave a speech at this year’s virtual Securities Regulation Institute, hosted annually by the Northwestern Pritzker School of Law, in which he set out his agenda for updating, amending, and in some cases adding to SEC regulations on cybersecurity and consumer privacy. Chair Gensler emphasized how important cybersecurity is to the SEC, and the cybersecurity agenda described in his speech is wide-ranging. It aims to impose new requirements, or amend existing ones, for firms that are currently registered with the SEC, for some that are not registered but might become subject to registration, and for companies that make public filings under SEC requirements.
Measures under consideration by the SEC include:
- Updating Regulation SCI, which requires exchanges, clearing agencies, certain alternative trading systems (ATSs), and other covered entities to meet specified standards for the capacity, integrity, resiliency, availability, and security of their technology systems, and potentially seeking to apply Reg SCI to “the largest market makers and broker-dealers”;
- Strengthening “cybersecurity hygiene and incident reporting” requirements for SEC-registered broker-dealers, investment advisers, and investment companies;
- Updating Regulation S-P, the SEC’s privacy rule governing the protection of customer information, potentially including changing the “timing and substance” of notifications required to be sent to customers and clients regarding cyber events;
- Requiring registered entities to identify third-party service providers that pose cybersecurity risk and potentially holding the registered entity accountable for these third-party service providers’ cybersecurity measures; and
- Updating SEC requirements regarding disclosure to investors by public companies that experience cyber events.
Chair Gensler also suggested that the SEC is exploring the option of seeking authority to regulate and supervise specified third-party service providers in the financial industry that are not currently SEC-registered, such as custodians, as well as providers of:
- Investor reporting systems,
- Middle office services,
- Fund administration services,
- Data analytics, trading, and order management, and
- Pricing and other data services.
Chair Gensler’s agenda is broad. It could potentially affect many actors operating within the SEC’s jurisdiction, both registered and unregistered. Much of the agenda consists of SEC efforts and initiatives that are at a very early stage, and we do not expect significant changes to cybersecurity requirements in the short run as a result of those projects. Additionally, most of Chair Gensler’s agenda relates to areas regulated only by the SEC, but with respect to Regulation S-P’s privacy requirements, coordination with other agencies that have authority to regulate or enforce privacy requirements, including the CFPB, the FTC, and the federal banking regulators, would produce a clearer and more consistent approach to privacy requirements than if the SEC “goes it alone.” The SEC might choose not to coordinate with these agencies, but if it does, such coordination could lengthen the time before any changes become effective.