July 4, 2022

Volume XII, Number 185

July 01, 2022

SEC Chair Reiterates New Potential Cyber Regulations at Financial Sector Meeting

Earlier this month, U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler again described new cybersecurity regulations SEC staff are considering, this time in a speech before government organizations tasked with improving the security of financial sector infrastructure. In his remarks before a joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), Chair Gensler emphasized his belief that the SEC plays an important role in the Biden administration’s efforts to improve the nation’s cybersecurity. He then described the current cybersecurity policy work of the SEC, including rules the SEC has already proposed and new kinds of rules the SEC will likely propose affecting alternative trading systems, broker-dealers, investment companies, investment advisers, and service providers to financial sector entities. 

Current Proposal: Public Company Cyber Disclosure Requirements

Chair Gensler began by addressing some of the SEC’s outstanding proposed rules on cybersecurity. Most recently, the SEC proposed rules requiring public companies to disclose, among other things, their data breaches and their cybersecurity policies and procedures. Chair Gensler reiterated his belief that the rules would benefit both companies and investors but did not address any public comments on the rules.

Future Proposal: New Reg SCI Requirements for Alternative Trading Systems

Chair Gensler also summarized the SEC’s recent efforts to broaden the scope of its 2014 rule on Regulation Systems Compliance and Integrity (Reg SCI), which currently imposes certain technological and business continuity requirements on covered entities like stock exchanges, clearinghouses, and alternative trading systems. This January, the SEC proposed rules that would expand the types of entities that would fall within the scope of Reg SCI. In his remarks, Chair Gensler also hinted that he thinks there “might be opportunities to deepen Reg SCI” in the future. 

Future Proposal: Broker-Dealer Cyber Disclosure Requirements

In February, the SEC proposed rules that would affect registered investment advisers, investment companies, and business development companies. In short, the SEC’s proposed rules would require those entities to adopt cybersecurity policies, report cybersecurity incidents to the SEC and the public, and keep certain books and records. Significantly, Chair Gensler stated that he has asked SEC staff for recommendations on “similar appropriate measures for broker-dealers.”

Future Proposal: Reg S-P & Broker-Dealers, Investment Companies, and Investment Advisers

Following the Gramm-Leach-Bliley Act of 1999, the SEC adopted Regulation S-P (Reg S-P), which requires registered broker-dealers, investment companies, and investment advisers to adopt policies to protect consumer records and information. 

Chair Gensler said that he has asked SEC staff to consider how Reg S-P may be “modernize[d] and expand[ed],” with particular emphasis on possible requirements for consumer breach notifications in the event of unauthorized access.

Future Proposal: Service Providers

Finally, Chair Gensler repeated his belief that service providers to financial sector registrants, whether or not based in the cloud, are critical to the financial sector. In his remarks this month, he stated simply that he has asked SEC staff to consider recommendations about how to “further address cybersecurity risk that comes from service providers.” Earlier this year, he mentioned specific measures that may be part of a proposed rule, including:

i) requiring registered entities to identify service providers that could pose cybersecurity risks,

ii) holding registrants accountable for their service providers’ cybersecurity measures, and 

iii) imposing regulations similar to what the Bank Service Company Act imposes on service providers in the banking sector.

***

Chair Gensler’s outline of the SEC’s current and future cybersecurity policy work is in line with his address earlier this year on the same topic. Since the earlier address, the SEC has followed through and proposed multiple cyber rules presaged by Chair Gensler. If the pattern holds, the future proposals discussed above will turn into actual proposed rules sometime soon. 

© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 115

About this Author

Joseph Weinstein, Litigation Attorney, Squire Patton Boggs Law Firm
Partner

Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation. 

216-479-8426

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070

James M. Brennan Litigation Lawyer Squire Patton Boggs
Associate

James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.

216-479-8041