Extensive Cybersecurity Rules Are Pending at the SEC

Amid ever-growing cybersecurity threats, regulatory agencies have been ratcheting up their concerns through examination priorities and other policy prescriptions. The U.S. Securities and Exchange Commission now has several rules under consideration – and is being criticized for going too far.

Proposed cybersecurity-practice standards for virtually all securities market entities would benefit “investors, issuers and market participants alike . . . from knowing that these entities have in place protections fit for a digital age,” SEC Chair Gary Gensler said with a proposal release on March 15. “This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

Other proposals – including an expansion of Regulation SCI (Systems Compliance and Integrity) and changes in the information-protection Regulation S-P – were concurrently issued for public comment, while a comment period from 2022 on “cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies and business development companies” was reopened.

Chair Gensler: Proposal promotes “investor protection and orderly markets.”

Formal commission action on the rulemaking is not expected before October.

Too Much Regulation?

The SEC is in line – at least directionally – with other financial watchdog agencies. In addition to ongoing pronouncements from the likes of the Federal Reserve, Office of the Comptroller of the Currency and New York State Department of Financial Services, the Commodity Futures Trading Commission on June 29 announced the formation of a Cybersecurity and Emerging Technologies Task Force in its Division of Enforcement. Together with a second task force on environmental fraud, it “demonstrates the vigorous and forward-looking approach the CFTC will take to address misconduct in these critical areas,” Chairman Rostin Behnam said.

Across so-called critical infrastructures, the Cybersecurity and Infrastructure Security Agency (CISA) encourages systematized incident reporting and sharing of threat-intelligence information, although legislation to formalize such requirements was dropped from the most recent National Defense Authorization Act.

The SEC and Chair Gensler, however, have faced more general criticism from market participants and some lawmakers for their aggressive rulemaking agenda. That was manifest in submitted comments on the cyber-related proposals. The Investment Company Institute, for one, aligned itself with dissenting SEC members Hester Peirce and Mark Uyeda, quoting the latter’s statement that “the commission’s ‘spaghetti on the wall’ approach with these overlapping and potentially inconsistent regulatory regimes can create confusion and conflicts, and could even weaken cybersecurity protections.”

The Bank Policy Institute’s BITS technology policy division underlined the importance of harmonizing regulations and requirements, or else risk exacerbating financial institutions’ already complex cyber regulatory requirements.

“This would divert attention to compliance matters and away from the important day-to-day work protecting the institution, its customers and investors from well-funded and sophisticated cyber attacks,” wrote BITS senior vice president Heather Hogsett. “We therefore encourage the commission to consider these proposals collectively and how together they might create duplicative or conflicting disclosure requirements.”

Familiar Territory

Mark Chaplin, principal at the Information Security Forum (ISF), sees little new ground in the SEC’s proposals. Covering well-understood concepts including risk assessment, user access, information protection, threat vulnerability management and incident response-recovery, “they are the basic hygiene capabilities you would expect to see in an organization when looking at its cybersecurity capability,” he said in an interview.

ISF’s Mark Chaplin: “Basic hygiene capabilities.”

Chaplin noted that sophisticated financial institutions have devoted significant resources toward cyber defenses, embracing along the way benchmarks like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and ISF’s Standard of Good Practice for Information Security.

Instead of the SEC layering on more complexity, he suggested, “there should be a broader governance or oversight element that incorporates policies and procedures but really drives a top-down, business-driven, risk-based approach to managing cyber threats.”

Law Enforcement and Board Engagement

James Turgal, a 22-year FBI veteran who is now a vice president of cyber risk consulting firm Optiv, said that in view of companies’ past resistance or reluctance to making cyber breach details public, “It’s incumbent on the SEC to pursue these rules, in order to force disclosures.” One benefit would be to help law enforcement connect dots and pursue criminals more effectively.

The consultant also endorses requiring financial firms to fill a chief information security officer (CISO) or equivalent position, and, for educating and engaging with corporate boards, to have a cyber-trained director.

Optiv’s James Turgal: “Force disclosures.”

“Companies should ensure the full board, as well as the committee responsible for cybersecurity, is regularly briefed on cybersecurity risks and incidents,” with the CISO “regularly report[ing] to the board or to the committee with cybersecurity oversight,” stated an advisory from law firm Wilson Sonsini Goodrich & Rosati.

Wilson Sonsini’s Demian Ahn and Nomi Conway recommended proactive steps in advance of a final SEC vote: “It can take months to update a comprehensive cybersecurity risk management program, especially if it requires changes to technology systems, updates to reporting structures or addition of new personnel. Companies can and should take steps now to evaluate their cybersecurity policies, practices and disclosures and to enhance their cybersecurity-related disclosures in proxy statements and Form 10-K filings, including enhancing their disclosures to include more details on board oversight of cybersecurity risks, the potential impacts of cybersecurity risks and other information about cybersecurity risk management.”

Turgal conceded that the SEC’s language can be vague, requiring, for instance, firms to reach “reasonable” conclusions about the materiality of an attack. And he expressed concern that the SEC would require public disclosure of information without allowing an exception for when a law enforcement investigation or national security might be compromised. “The FBI has the resources to look into the issue,” Turgal said, “whereas I don’t think the SEC has the expertise or the manpower resources.”

Attack on the SEC

The SEC took some heat for its own cybersecurity. A second ICI comment letter, in June, called attention to a reported breach of databases maintained by the commission’s Office of the Secretary.

The ICI had also mentioned the SEC’s cybersecurity record in its initial letter, in May, since the commission wants to require registrants to make highly sensitive incident disclosures that could be exploited by cyber criminals.

According to Turgal, if the SEC conducts a forensic investigation into the materiality of an attack, then information about a company’s technology ecosystem could leak out into the wrong hands.

“Until audits of the commission’s information security systems document that the commission’s security is effective in all aspects, we urge the commission not to proceed with its proposals to collect any sensitive information regarding registrants’ cybersecurity incidents,” ICI said.