U.S. Securities and Exchange Commission Chairman Gary Gensler is exploring an expansion of the SEC’s core cybersecurity rules to cover a broader swath of entities and require public companies to improve disclosure of breaches and risks.
Gensler said in a speech on Monday that he instructed staff to look into an update of the commission’s “Regulation Systems Compliance and Integrity,” or Reg SCI, which the SEC adopted in 2014. Staff will examine whether the regulation — under which trading organizations and others must take security steps like backing up data — should extend to include the largest market-makers and broker-dealers.
Gensler also said he asked staff to consider recommendations on bolstering the financial sector’s cybersecurity hygiene and incident reporting, how customers and clients receive notifications of financial sector breaches and how public companies disclose cybersecurity practices and risks. And he wants staff to examine how to better address cyber risk that comes from service providers.
“Cyber incidents, unfortunately, happen a lot. History and any study of human nature tells us they’re going to continue to happen,” Gensler said in prepared remarks delivered at Northwestern Pritzker School of Law’s annual Securities Regulation Institute conference. “Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector.”
Gensler has been contemplating asking staff to put together such recommendations since at least his March nomination hearing, citing investor demand. On Monday, he cited the economic cost of cyberattacks, estimated by some in the trillions, as well as their impact on broker-dealers.
The SEC’s foray into possibly enhancing breach disclosures dovetails with a trend afoot in multiple federal agencies as well as on Capitol Hill. The Transportation Security Administration has instituted advanced incident reporting requirements on pipelines, rail and air carriers, while a pair of agencies have done the same for banks.
The Federal Communications Commission is likewise contemplating updates to breach disclosure requirements, while a broader initiative stalled in Congress last year. Sponsors have vowed to push the legislation in 2022.