August 14, 2022

Volume XII, Number 226


SEC Chair Emphasizes Cybersecurity and Gives Clues as to Future Cyber Regulations

Last week, the Chair of the Securities and Exchange Commission (SEC) Gary Gensler discussed the SEC’s cybersecurity policy work and publicized ongoing SEC regulatory efforts that could affect public companies, SEC registrants, and financial sector service providers.  During his keynote address at the 2022 Securities Regulation Institute, Chair Gensler stressed the importance of cybersecurity to the modern economy and the SEC’s cooperation with federal agencies as part of the Biden administration’s broader cybersecurity initiatives.  He then outlined six different areas where SEC staff are considering new or revised cyber regulations:

  1. Public Companies: Cybersecurity Event Disclosure

Chair Gensler reiterated that public companies already have certain obligations to disclose material information to investors, and that material information may include the occurrence of a cybersecurity event, such as a data breach or ransomware attack. He also highlighted the SEC’s recent enforcement actions against public companies for failure to disclose material information relating to a cybersecurity event. On the regulatory front, the Chair announced that SEC staff are considering “whether and how” to change public companies’ disclosures to investors related to cybersecurity events.

  2. Public Companies: Cyber Risk Disclosure

Similarly, Chair Gensler reiterated that public companies “have an obligation to share [risk] information with investors on a regular basis” and that many companies already provide information on cyber risk to investors.  The SEC is now considering rules regarding cyber risk disclosure, as the Chair believes that “companies and investors alike would benefit if this [cyber risk] information were presented in a consistent, comparable, and decision-useful manner.”  A future SEC rule requiring uniform disclosure of cyber risks may require companies to describe “their practices with respect to cybersecurity governance, strategy, and risk management.”

  3. SEC Registrants: Regulation SCI

With respect to SEC registrants, Chair Gensler focused on an opportunity to “freshen up” the SEC’s 2014 rule on Regulation Systems Compliance and Integrity (Regulation SCI).  Currently, Regulation SCI imposes technological and business continuity requirements on so-called “SCI entities” like stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations.  SEC staff are now considering whether to “broaden and deepen” Regulation SCI by i) applying it to Treasury trading platforms, large market-makers, and large broker-dealers and ii) “shor[ing] up” the cybersecurity requirements in Regulation SCI.

  4. SEC Registrants: Funds, Advisers, and Broker-Dealers

SEC registrants that fall outside the scope of Regulation SCI—like investment funds, investment advisers, and broker-dealers—are subject to books-and-records and business continuity regulations which may effectively require certain cybersecurity practices.  Chair Gensler announced that SEC staff are considering additional cybersecurity and incident reporting regulations for these entities.  The Chair believes that such regulations “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risk.”

  5. SEC Registrants: Financial Consumer Data Privacy

Following the Gramm-Leach-Bliley Act of 1999, the SEC adopted Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to adopt policies to protect consumer records and information. Chair Gensler suggested there may be several opportunities to “modernize and expand” Regulation S-P, and he has asked SEC staff for recommendations on how consumers should be notified of cybersecurity events such as data breaches.

  6. Financial Sector Service Providers

Many service providers that are essential to the financial sector—including fund administrators, data analytics providers, and trading management services—are not required to register with the SEC.  The Chair has asked SEC staff to consider the broad question of how to address cybersecurity risks arising from such service providers.  Chair Gensler posited such possibilities as i) requiring registered entities to identify service providers that could pose cybersecurity risks, ii) holding registrants accountable for their service providers’ cybersecurity measures, and iii) imposing regulations similar to what the Bank Service Company Act imposes on service providers in the banking sector.

Chair Gensler’s address continues the trend of the SEC’s prioritizing cybersecurity in its compliance and enforcement efforts.  Last year, the SEC entered into a settlement with a real estate title insurance company related to disclosures made in connection with a cybersecurity vulnerability involving the company’s app for sharing document images related to title and escrow transactions.

The SEC’s interest in cybersecurity is consistent with that of other government agencies. As just one example, data privacy and cybersecurity are also priorities of the Federal Trade Commission (“FTC”). Earlier this month, the FTC issued a warning for companies to remediate the Log4j security vulnerability, cautioning that “[t]he duty to take reasonable steps to mitigate known software vulnerabilities implicates laws . . . [i]t is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

We expect that cybersecurity will remain of keen interest to the securities and shareholders’ plaintiffs’ bar. Public companies experiencing data privacy and other cybersecurity breaches can expect thorough scrutiny of their previous public statements about their cybersecurity practices and compliance, and securities fraud claims alleging misrepresentations or omissions in those statements.

Beyond that, as best practices continue to develop for data privacy and cybersecurity, directors of public (and some private) companies should expect data breaches to lead to claims by shareholders that the directors breached their fiduciary duties by failing to institute and maintain a sufficiently robust cybersecurity compliance program. Much more to come as both the law and best cybersecurity practices continue to develop.

James Brennan also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLP. National Law Review, Volume XII, Number 34

About this Author

Joseph Weinstein, Litigation Attorney, Squire Patton Boggs Law Firm
Partner

Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation. 

216-479-8426
Sean L. McGrane Attorney Litigation Squire Patton Boggs Cleveland
Partner

Sean McGrane is a litigation partner who focuses his practice on defending corporations and their officers and directors against civil securities-fraud claims, shareholder derivative actions, and mergers and acquisition lawsuits. His practice includes representing clients in investigations or proceedings brought by governmental or other regulatory agencies, including the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority. Before joining the firm, Sean practiced securities litigation in the New York offices of Skadden, Arps, Slate...

216-479-8538
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070