SEC Gears Up for New Cybersecurity Regulations

Earlier this month, we touched on the highlights of the latest SEC regulatory agenda. SEC Chair Gary Gensler touted the document as a reflection of the agency’s drive to “modernize… in light of ever-changing technologies and business models in the securities markets.”

No area of securities regulation fits that imperative better than cybersecurity risk. To that end, the commission is putting its finishing touches on a new round of cybersecurity rules and preparing to go through yet another round of related rulemaking.

Let’s talk first about the rules that are going final in April. One set covers registered investment advisers and funds. Under the proposal put forward by the SEC last year, both groups will be required to take practical steps to shore up their cyber defenses and communicate with the public about best practices. For instance, the new rules call for advisors and funds to disclose cybersecurity policies and document the results of their risk assessments. When they do experience cybersecurity breaches, they will have 36 hours to report the incidents.

Another batch of cybersecurity rules about to be finalized consists of guidelines for publicly traded companies. [Using the Intelligize platform (subscription required), a survey of past comment letters from the SEC indicates companies in a variety of industries have been grappling with cybersecurity disclosure issues for nearly two decades.] They include disclosures regarding companies’ cybersecurity programs and the role of companies’ boards of directors and executives in overseeing their cybersecurity risks. In terms of reporting actual cybersecurity incidents, the new rules grant companies four business days.

The latest Form 10-K filing from aerospace manufacturer Boeing Co. offers an example of what standard cybersecurity risk disclosures may look like going forward. In addition to Boeing’s own information technology, the company pointed out it faces risks through its supply-chain relationships: “A cyberattack or security breach, whether experienced directly or through our supply chain, could, among other serious consequences, result in loss of intellectual property; unauthorized access to various categories of sensitive, proprietary or customer data; disruption or degradation of business operations, or compromise of products or services.” Boeing also detailed a security breach that occurred in November at one of its subsidiaries, along with how the company responded to the incident.

The SEC appears poised to take on data privacy in the next phase of its cybersecurity rulemaking. The important guidelines to know here are Regulation S-P and Regulation SCI. Regulation S-P lays out expectations for financial institutions to protect customer information. Regulation SCI refers to requirements for the technology that supports the daily functioning of the securities market.

If you’re wondering about potential landmines for regulators going forward when it comes to cybersecurity, pay attention to the concerns of surveillance watchdogs. Privacy advocates and politicians have a heightened sensitivity to programs that pose the possibility of abusing private information, such as the recent discovery of a federal database of money transfers. While the reforms coming out of the SEC are couched as consumer protections, civil rights groups may view them differently.

Latest Articles

Companies’ Accounting Issues Lead to Missed Filing Deadlines

A few weeks ago, we wrote about the upheaval at Super Micro Computer, a California-based public company that builds computer servers. Amid allegations of accounting irregularities,...

Read More

Five Big Questions About Trump’s Plan for Tariffs on China

President-elect Donald Trump made the geopolitical rivalry between China and the United States a key theme of his campaign during the 2024 election cycle. Trump and his advisers ha...

Read More

SEC Dings SolarWinds Victims for Cybersecurity Disclosures

Last month, the Securities and Exchange Commission settled four enforcement actions against current and former publicly traded companies for making what it deemed “materially misle...

Read More