

SEC Chair Gary Gensler gave a speech during this year’s virtual Securities Regulation Institute, hosted annually by the Northwestern Pritzker School of Law, in which he set forth his agenda for updating, amending, and in some cases adding to SEC regulations on cybersecurity and consumer privacy. Chair Gensler emphasized how important cybersecurity is to the SEC, and the cybersecurity agenda set out in his speech is wide-ranging. It aims to impose new requirements or amend existing requirements that would impact firms that are currently registered with the SEC, some that are not registered but might become subject to registration, and also companies that make public filings pursuant to SEC requirements.

Measures under consideration by the SEC include:

  • Updating Regulation SCI, which requires exchanges, clearing agencies, ATSs, and other SROs to meet specified standards for systems compliance, and potentially seeking to apply Reg SCI to “the largest market makers and broker-dealers”;
  • Strengthening “cybersecurity hygiene and incident reporting” requirements for SEC-registered broker-dealers, investment advisers, and investment companies;
  • Updating Regulation S-P, potentially including changing the “timing and substance” of notifications required to be sent to customers and clients regarding cyber events;
  • Requiring registered entities to identify third-party service providers that pose cybersecurity risk and potentially holding the registered entity accountable for these third-party service providers’ cybersecurity measures; and
  • Updating SEC requirements regarding disclosure to investors by public companies that experience cyber events.

Chair Gensler also suggested that the SEC is exploring the option of seeking authority to regulate and supervise specified third-party service providers in the financial industry that are not currently SEC-registered, such as custodians, as well as providers of:

  • Investor reporting systems,
  • Middle office services,
  • Fund administration services,
  • Indexes,
  • Data analytics, trading, and order management, and
  • Pricing and other data services.


Chair Gensler’s agenda is broad. It could potentially affect many actors operating within the SEC’s jurisdiction, both registered and unregistered. Much of the agenda includes SEC efforts and initiatives that are in very early stages, and we do not expect significant changes to cybersecurity requirements in the short run as a result of those projects. Additionally, most of Chair Gensler’s agenda relates to areas regulated only by the SEC, but with respect to Regulation S-P’s privacy requirements, coordination with other agencies with the authority to regulate or enforce privacy requirements, including the CFPB, FTC, and the federal banking regulators, would result in a clearer and more consistent approach to privacy requirements than if the SEC “goes it alone.” The SEC might choose not to coordinate among these agencies, but if it does, such coordination could draw out the time until any changes become effective.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.



Casey Jennings | Associate

A member of Seward & Kissel’s Financial Services Regulatory Group and Blockchain and Cryptocurrency Group, Casey advises financial services companies – including banks, broker-dealers, investment funds, service providers, and financial technology companies – on federal and state banking and securities law issues and the structuring of new financial products, including anti-money laundering, deposit issues, token offerings, custody of traditional and crypto assets, transfer and liquidity issues, Volcker Rule issues, and investments in crypto assets by funds and other investors. Before joining the firm, Casey served as counsel to the Consumer Financial Protection Bureau, where he developed and implemented financial regulatory policy, including the first CFPB rulemaking to rely on unfair, deceptive, and abusive acts and practices (UDAAPs) authority. Since then, he has:

  • Represented e-retailer APMEX Inc. and alternative asset manager Sprott Inc. in connection with the launch of the online marketplace, OneGold.com.

“The whole notion of crypto is that there are no gatekeepers and the BSA requires that there be gatekeepers. Those two notions are very much at odds with one another. But the BSA is the best system that we’ve got right now.”

Casey’s perspective on crypto AML regulations as published in Cointelegraph article “How U.S. authorities are using old AML tools to crack down on crypto”


Nathan Brownback | Associate

Nathan is a member of Seward & Kissel’s Financial Services Regulatory Group, where he focuses on the regulation of domestic and foreign banks, with particular emphasis on regulation under the Dodd-Frank Act, including the Volcker Rule. He also advises on matters related to fintech, commercial lending, bank holding company regulation, bank affiliate transactions, and merchant banking rules. Prior to receiving his law degree, Nathan was an economic research analyst, first in the private sector and subsequently for a regional Federal Reserve Bank.