SEC looks to expand cyber coverage

SEC Chairman Gary Gensler testifies before a Senate committee in September 2021.

SEC Chairman Gary Gensler testifies before a Senate committee in September 2021. Evelyn Hockstein/Getty Images

The Securities and Exchange Commission is taking a new look at how it asks publicly traded companies to disclose cybersecurity risks.

The Securities and Exchange Commission is looking at updates to cybersecurity disclosure and hygiene requirements for companies under its regulatory purview.

In a Jan. 24 speech, SEC Chairman Gary Gensler said he had asked agency staff for recommendations on how publicly traded companies disclose hacks to investors and the general public. He is also looking to update cybersecurity policy on other fronts as well.

The SEC is considering updates to a 2014 regulation that requires stock exchanges and other large trading systems to maintain reliable technology infrastructure. It is also looking at expanding the rules to take in new categories of financial companies including broker-dealers and market makers, Gensler said, noting that "a lot has changed" since the rule was first adopted. 

On Wednesday, the SEC announced a proposed rule designed in part to extend the Regulation Systems Compliance Integrity Rule to cover certain players in the government securities markets. One big goal is to improve agency oversight of "the core technology of key entities in the markets for government securities," according to a SEC press release.

Gensler also said "there may be opportunities to modernize and expand" a 2003 rule that covers the protection of investment firms' customer records and data to include changes to the speed and content of required notifications. 

While efforts to enact national data breach legislation have stalled in Congress, sector-specific regulators are moving ahead. 

Federal Communications Commission Chairwoman Jessica Rosenworcel proposed earlier this month that the FCC would take a stronger role in oversight of data breaches among telecommunications companies by eliminating a waiting period for customer notification and requiring FCC notification. 

Officials at the Department of Energy and the Federal Energy Regulatory Commission told lawmakers recently that legislation that incorporates cybersecurity into overall resiliency requirements for the oil and gas transport sector could be more effective than the current regulatory regime for pipelines overseen by the Transportation Security Administration.

 In his speech, Gensler noted that SEC already has considerable authority over data breaches and hacks.

"Public companies already have certain obligations when it comes to cybersecurity disclosures," he said. "If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions."