ThinkAdvisor

SEC Chief Wants Advisors, BDs to Improve ‘Cyber Hygiene’

What You Need to Know

  • Gensler has asked for recommendations on how advisors and BDs can strengthen their cybersecurity and incident reporting.
  • Gensler sees opportunities to expand Regulation S-P, a rule about protecting customers' personal data.
  • He also wants to broaden Reg SCI to more types of firms, like big market makers, BDs and Treasury trading platforms.

Securities and Exchange Commission Chairman Gary Gensler said Monday that he wants advisors and broker-dealers to improve their “cyber hygiene” as well as their data privacy disclosures.

Investment companies, investment advisors and broker-dealers, which are not covered by the SEC’s Regulation Systems Compliance and Integrity, or Reg SCI, must “comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations,” Gensler said during a speech at the Northwestern Pritzker School of Law’s 2022 Securities Regulation Institute.

Gensler stated that he’s asked SEC staff to make recommendations for the commission’s consideration “around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting,” taking into consideration guidance issued by the Cybersecurity and Infrastructure Security Agency and others.

“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said.

“I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the commission with more insight into intermediaries’ cyber risks.”

Cybersecurity expert John Reed Stark, president of John Reed Stark Consulting and former chief of the SEC’s Office of Internet Enforcement, told ThinkAdvisor Monday in an email that Gensler “has signaled in his early speeches and congressional testimony that cybersecurity would become a top priority during his tenure – and he has clearly begun making good on his promise.”

Added Stark: “No firm enjoys perfect cybersecurity, no matter how sophisticated and careful. Mistakes will happen and when they do, the SEC will pounce, wielding its broad and sweeping Safeguards Rule in an SEC administrative courtroom located in the basement of its headquarters.”

On whether the SEC will ever mandate specific technologies and cyber-related policies, practices and procedures, Stark opines: “Probably not. Innovative, steadfast and always unpredictable, threat actors can transform their modus operandi overnight. Thus, any SEC-mandated cyber-edicts would quickly become obsolete or ineffective, or ironically, create an unintended safe harbor for those who opted to follow those cyber-edicts.”

Data Privacy

As to data privacy, Gensler said that he sees “opportunities to modernize and expand” Regulation S-P, adopted in the wake of the Gramm-Leach-Bliley Act of 1999.

Reg S-P “requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information,” Gensler said. “It’s the reason that, to this day, a lot of us receive notices informing us about companies’ privacy policies.”

Gensler stated that he’s asked SEC staff for recommendations “about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information. This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P.”

The SEC chairman also wants to “freshen up” Reg SCI, which is intended to reduce the occurrence of technology-related systems issues and improve how they are managed when they do occur. The rule covers a subset of large SEC registrants, including stock exchanges, clearinghouses, alternative trading systems and self-regulatory organizations.

The Consolidated Audit Trail, or CAT, is subject to Reg SCI, Gensler noted.

Reg SCI helps ensure these large, important entities have sound technology programs, business continuity plans, testing protocols and data backups.

“The core goal of Reg SCI was to reduce the occurrence of systems issues and improve resiliency when they do occur,” Gensler explained. “A lot has changed, though, in the eight years since the SEC adopted Reg SCI.”

He’s asked SEC staff how the securities regulator “might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers?”

Last year, the commission “proposed to bring large Treasury trading platforms under the SCI umbrella,” Gensler said. “At our next commission meeting, we will consider whether to re-propose this rule.”

Similarly, he continued, “I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities.”

Pictured: SEC Chairman Gary Gensler. (Photo: Melissa Lyttle/Bloomberg)