The U.S. Securities and Exchange Commission (“SEC”) has focused on cybersecurity under the Biden administration and it is expected to be one of its top priorities for the coming year. The SEC’s enforcement division is poised to focus on how firms handle, report and disclose cyberattacks. It is expected that we will see stricter enforcement and codification of prior guidance from the SEC into a cybersecurity rule.
It is not surprising to see the SEC ramp up its investigatory and enforcement activity over cybersecurity. Cybersecurity dangers are a significant threat to firms regulated by the SEC (investment advisers, broker-dealers and the like) as well as to publicly traded companies, where the threats include exposure of sensitive personal (customer) information and of confidential information that could be used for insider trading purposes.
In the summer of 2021, the SEC announced that it had levied civil penalties against eight broker-dealers and/or investment advisers arising from cybersecurity incidents that led to exposure of personally identifying information of thousands of customers and clients. The SEC also announced settlements with various companies for actions related to disclosure controls and misleading statements made to investors with respect to cyber incidents.
This was followed up by an October 29, 2021, speech to the Los Angeles County Bar in which SEC Commissioner Elad L. Roisman made it clear that the SEC expects firms to be prepared for cybersecurity risks, and act in advance to take “measures to prevent and mitigate damage from these threats.” He further stated that “today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood.”
Going forward, we expect to see greater scrutiny of how firms handle the disclosure of cybersecurity matters and similar enforcement actions.
New SEC Cybersecurity Rule
The SEC’s June 2021 regulatory agenda signaled that it would focus rulemaking on disclosures around cybersecurity risks and related governance. The SEC’s rulemaking agenda doesn’t offer details on what any new cyber-risk reporting rules might look like. However, it is expected that the SEC will propose a new rule based on its prior guidance, specifically from 2011 and 2018. In 2018, the SEC built on its 2011 guidance and addressed several critical points focused on the disclosure practices of public companies with respect to cybersecurity risk, cybersecurity disclosure and board oversight. It discussed: (1) the materiality of a cybersecurity risk or incident, (2) the timing of disclosures relating to a cybersecurity incident, (3) cybersecurity risk factors, (4) disclosures about board oversight, (5) insider trading, (6) cybersecurity policies and procedures, (7) cybersecurity assessments, (8) acquisitions, and (9) regulatory and litigation risk.
In Commissioner Roisman’s October 29, 2021, speech he discussed the challenges SEC registrants face when dealing with cyber threats. Roisman offered suggestions for companies on dealing with cyberattacks. Preventative measures included monitoring procedures, addressing breaches, and knowing what information must be reported to government agencies. Roisman highlighted the SEC’s Regulation Systems Compliance and Integrity (Reg SCI), the agency’s most extensive cybersecurity regulation, and said the regulator’s cybersecurity oversight needs to widen. Roisman said Reg SCI applies to “the institutions that constitute the backbone of the securities markets,” such as the exchanges, alternative trading systems (ATSs), clearing agencies and other regulatory agencies. He further stated, “it is time that the Commission consider rules that provide registrants—particularly investment advisers and public issuers—with more of an idea of what we expect of them in today’s marketplace.”
A new mandatory rule for cybersecurity risk disclosure would clarify the actions that firms need to take, in contrast to guidance, which is not binding and can change from one administration to the next.
Preparation for Increased Scrutiny on Cybersecurity
In view of the SEC’s ongoing concerns about cybersecurity, firms subject to SEC regulation, including public companies, RIAs and other registered entities, should consider allocating more resources to guard against cyber threats.
Among other things, firms’ controls and procedures should:
- Have clear cybersecurity practices and disclosures, including policies and procedures related to cybersecurity protection efforts, security measures, risks, and incidents.
- Conduct training sessions to ensure that all advisory personnel are aware of their responsibilities pertaining to cybersecurity.
- Determine the potential impact of a cybersecurity incident on the firm’s business and customers.
- Provide for careful analysis of whether the cybersecurity incident is material (taking a broader approach to what may be material), giving rise to disclosure obligations.
- Ensure that cybersecurity incidents are reviewed by senior management, the board of directors and any appropriate committees. This may include creating a disclosure committee that is focused on cybersecurity.
- Disclose material cybersecurity incidents promptly and communicate accurately with those affected including clients and investors.
- Review existing disclosures and, if necessary, update them if new facts render them incorrect or misleading.
Every firm can benefit from strengthening its cybersecurity policies and procedures. Firms can pay special attention to cybersecurity during their annual review of the firm’s policies and procedures. The SEC views cybersecurity and the enforcement of SEC policies as important for market integrity and investor protection.