SEC Commissioner Elad Roisman, a Republican, wants the agency to write a rule clarifying when investment advisers and broker-dealers must inform investors and the commission about a cybersecurity breach.
In a speech Friday before the Los Angeles Bar Association, Roisman said he appreciates that the agency's regulatory approach to cybersecurity has largely reflected the fact that the SEC does not "regulate this area in a vacuum."
The agency, he said, has "been very targeted in imposing affirmative requirements on our registrants related to cybersecurity, only focusing on certain registrants and certain areas that we have identified as posing the highest risk."
Also, SEC rules — namely, Regulation Systems Compliance and Integrity, or Reg SCI, and Regulation S-P, the Safeguards Rule — "have largely been principles-based, as we have endeavored to provide registrants flexibility to address cybersecurity obligations in the context of their particular business and circumstances."
However, he continued, "it is time that the commission consider rules that provide registrants — particularly investment advisers and public issuers — with more of an idea of what we expect of them in today's marketplace."
Given the increasing and inevitable reliance of advisers on technology, Roisman said, "it is time that the commission bring more clarity to this issue in cases where there may be confusion about whether to notify the commission and investors in the event of a cybersecurity breach."
Any such obligation, Roisman said, "should be principles-based and allow advisers the flexibility to tailor notification measures to their business and the facts and circumstances of the situation."