The SEC’s Future Role in Cybersecurity Enforcement

The SEC's New Role in Cybersecurity Enforcement

In a recent speech given to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gary Gensler, chair of the Securities and Exchange Commission (SEC), laid out an ambitious plan for the SEC regarding its role in cybersecurity enforcement. 

These proposals include: 

“Freshen up” Regulation Systems Compliance and Integrity (Reg SCI) – This change would require important financial entities (stock exchanges, alternative trading systems, etc.) to shore up their cyber hygiene and require upgrades including business continuity plans, testing protocols, and data backups. 


Strengthen financial sector registrants’ cybersecurity hygiene reporting – This would require entities not covered by Regulation SCI, such as investment companies, investment advisers, and brokers, to strengthen their cyber hygiene and incident reporting. 

Strengthen customer information protection for financial sector registrants – This would require those same entities to protect their customer data and PII and notify their customers when their data is accessed. 

Improve cyber risk and event reporting for public companies – This would provide a uniform method for reporting a company’s cybersecurity practices including their governance, risk, and compliance programs. 

Address cybersecurity risk from service providers – In light of the SolarWinds hack, Gensler is looking to require certain public companies to publicly identify any of their service providers that may pose a cybersecurity risk and hold them accountable for their provider’s measures to protect investor information. 

It is unknown when the SEC is looking to make these rule changes, but industry experts think that it will be sooner rather than later. 

What are your thoughts on this?

Do you have any more updated information on this topic that you'd like to share?

What are your thoughts on what the SEC taking on an enforcement role in cybersecurity might look like?

Do you think this is the right or wrong direction for the SEC on this?

If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note that to keep our environment clean and free of advertisements of any kind, comments may not include external links, citing company names to promote them, or the like.
