SEC Seeks to Improve Cybersecurity

Anna Lyudvig

Cyber risks have implications for the financial sector, investors, issuers and the economy at large, according to SEC Chair Gary Gensler.

Speaking at the Jan. 24 Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, he said: “We’re living in a time of rapid technological changes subject to ever present cybersecurity challenges.”

He said that the SEC is not immune to cyberattacks.

“Agency staff continue to work to protect SEC data and information technology, as well as the industry data we need to carry out our mission,” he said.

This work aligns with President Biden’s Executive Order on Improving the Nation’s Cybersecurity and directives from the Office of Management and Budget, he added.

“In addition, we continue to evaluate our data footprint and improve our data collection processes so that we collect only the data we need to fulfill our mission,” he said.

The SEC has many rules that implicate cyber risk, including but not limited to business continuity, books and records, compliance, disclosure, market access, and antifraud.

“Cyber incidents, unfortunately, happen a lot,” Gensler said, adding that history and any study of human nature tells us they’re going to continue to happen. 

“Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector,” he stressed.

Gensler believes there is an opportunity to freshen up Regulation Systems Compliance and Integrity (Reg SCI).

The rule, adopted in 2014, covers a subset of large registrants, including stock exchanges, clearinghouses, alternative trading systems, self-regulatory organizations (SROs) and the like, and helps ensure these entities have sound technology programs, business continuity plans, testing protocols, data backups, and so on.

In 2020, the Commission proposed to bring large Treasury trading platforms under the SCI umbrella. 

“At our next Commission meeting, we will consider whether to re-propose this rule,” Gensler said.

“I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities,” he added.

According to Gensler, the broader group of financial sector registrants, such as investment companies, investment advisers, and broker-dealers, beyond those covered by Reg SCI, has to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations.

Building upon that, he said he has asked staff to make recommendations for the Commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by CISA and others.

“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” he said.

He believes they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.

Gensler said that the next arena involving financial sector registrants is around customer and client data privacy and personal information.

Congress addressed this issue in the Gramm-Leach-Bliley Act of 1999. 

In the wake of that law, the Commission adopted Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information.

“More than two decades since Reg S-P was adopted — an eternity in the cybersecurity world — I think there may be opportunities to modernize and expand this rule,” he said.

Recently, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that “cybersecurity is a team sport.” “Each and every one of us are a member of Team Cyber,” she said.

As President Biden recently put it, “most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone.”

Other government entities, such as the Federal Bureau of Investigation and CISA, captain Team Cyber, but the SEC has a role to play as well, Gensler said.

The SEC participates in the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC). 

The Commission also works with its foreign counterparts in the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO), the G7 Cyber Experts Group, and elsewhere.

“We have a key role as the regulator of the capital markets with regard to SEC registrants — ranging from exchanges and brokers to advisers and public issuers,” Gensler said.

“Cyber relates to each part of our three-part mission, and in particular to our goal of maintaining orderly markets,” he added.