November 26, 2022

Volume XII, Number 330

November 23, 2022

SEC Cyber Regulation Efforts: A Mid-Year Review

2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for the SEC’s efforts to shape cybersecurity policy.  This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.

January: Chair Gensler Sets out Cyber Regulation Roadmap

The SEC’s year of emphasis on cybersecurity policy began on January 24, when SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute.  Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations.  These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

February: Proposal for Advisers and Funds

On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, and (3) keep related cybersecurity books and records.  Additionally, advisers would be required to file a confidential report to the SEC within 48 hours of significant cybersecurity incidents.

March: Proposal Requiring Public Company Cyber Incident and Risk Disclosures

The SEC followed that proposal with another: on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures.  Most notably, when a company suffers a “material cybersecurity incident,” the proposal would require it to file a public disclosure form within four business days after the company has determined the incident is material.  The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”

April: Chair Gensler Reiterates Roadmap

On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council.  His April remarks mentioned the same areas for potential regulation that he mentioned in his February address.  By April, however, the SEC had followed through and announced two proposals covering topics mentioned by Chair Gensler.

The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

May: Increased Enforcement Capabilities

Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit—formerly just the Cyber Unit—would be nearly doubled in size, from 30 dedicated enforcement positions to 50.  Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.”  With the cybersecurity regulations which have been proposed, and ones likely to be imposed in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.

© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 159

About this Author

Joseph Weinstein, Litigation Attorney, Squire Patton Boggs Law Firm
Partner

Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation. 

216-479-8426
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
James M. Brennan Litigation Lawyer Squire Patton Boggs
Associate

James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.

216-479-8041