2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for the SEC’s efforts to shape cybersecurity policy. This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.
To kick off the year of SEC’s emphasis on cybersecurity policy, on January 24, SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute. Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations. These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.
On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, (3) and keep related cybersecurity books and records. Additionally, advisers would be required to file a confidential report to the SEC within 48 hours of significant cybersecurity incidents.
The SEC followed its proposal with another; on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures. Most notably, the proposal would require companies to file a public disclosure form when the company suffers a “material cybersecurity incident” within four business days after the company has determined the incident is material. The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”
On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council. His April remarks mentioned the same areas for potential regulation that he mentioned in his February address. By April, however, the SEC had since followed through and announced two proposals covering topics mentioned by Chair Gensler.
The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.
Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit—formerly just the Cyber Unit—would be nearly doubled in size, from 30 dedicated enforcement positions to 50. Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.” With the cybersecurity regulations which have been proposed, and ones likely to be imposed in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.
About this Author
Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation.
Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.
She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.
As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this…
James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.
You are responsible for reading, understanding and agreeing to the National Law Review’s (NLR’s) and the National Law Forum LLC’s Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.
Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.
Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.
The National Law Review – National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521 Telephone (708) 357-3317 or toll free (877) 357-3317. If you would ike to contact us via email please click here.
