Securities and Exchange Commission Chairman Gary Gensler said Monday the agency is considering rules that would require financial advisers and funds to strengthen cyber protections and disclosures regarding cybersecurity threats.
The SEC has addressed cyber safeguards in risk alerts. It also brought an enforcement case last year against several financial firms for violating existing customer protection rules when hacking incidents exposed client records and information.
Gensler said SEC rules on record keeping, compliance and business continuity can implicate the cybersecurity practices of registered investment advisers and brokers. Now the agency is looking to step up its cyber oversight.
“Building upon that, I’ve asked staff to make recommendations for the commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by [the Cybersecurity and Infrastructure Security Agency] and others,” Gensler said in remarks at an online conference sponsored by the Northwestern University Pritzker School of Law.
The pending proposal would be designed to enhance cybersecurity preparedness and incident reporting by funds and advisers, Gensler said. It’s due to be released by April, according to the SEC’s latest regulatory agenda.
“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the commission with more insight into intermediaries’ cyber risks.”
As part of its effort to strengthen cybersecurity regulation, the agency also is looking to update its systems compliance and integrity rule for exchanges and self-regulatory organizations, and “modernize and expand” Regulation S-P, which requires brokers, investment advisers and investment companies to protect customer records and information.
Another initiative is a pending rule proposal to require public company disclosures related to cybersecurity risk and governance.
“Cyber collectively is an important resiliency project,” Gensler said. “There’s still going to be cyber events, but it’s how we can sort of update our rules in this modern time.”
The April deadline for new cyber rules doesn’t mean that’s when they’ll be released. The agency often misses its self-imposed goals on its regulatory agenda.
In a discussion about a pending climate-risk disclosure rule, Gensler declined to predict a timeline. He said that when the agency gets around to a rule does not always correspond to the urgency it places on that rule.
“We want to put it out … when the document’s ready based upon the economics, based upon the law, and based upon what we’re hearing from both investors and issuers,” Gensler said. “I wouldn’t confuse sequencing with priority.”