Securities and Exchange Commission Chairman Gary Gensler said Monday that he wants advisors and broker-dealers to improve their "cyber hygiene" as well as their data privacy disclosures.
Investment companies, investment advisors and broker-dealers, which are not covered by the SEC's Regulation Systems Compliance and Integrity, or Reg SCI, must "comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations," Gensler said during a speech at the Northwestern Pritzker School of Law's 2022 Securities Regulation Institute.
Gensler stated that he's asked SEC staff to make recommendations for the commission's consideration "around how to strengthen financial sector registrants' cybersecurity hygiene and incident reporting," taking into consideration guidance issued by the Cybersecurity and Infrastructure Security Agency and others.
"I think such reforms could reduce the risk that these registrants couldn't maintain critical operational capability during a significant cybersecurity incident," Gensler said.
"I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the commission with more insight into intermediaries' cyber risks."
Cybersecurity expert John Reed Stark, president of John Reed Stark Consulting and former chief of the SEC's Office of Internet Enforcement, told ThinkAdvisor Monday in an email that Gensler "has signaled in his early speeches and congressional testimony that cybersecurity would become a top priority during his tenure – and he has clearly begun making good on his promise."
Added Stark: "No firm enjoys perfect cybersecurity, no matter how sophisticated and careful. Mistakes will happen and when they do, the SEC will pounce, wielding its broad and sweeping Safeguards Rule in an SEC administrative courtroom located in the basement of its headquarters."
On whether the SEC will ever mandate specific technologies and cyber-related policies, practices and procedures, Stark opined: "Probably not. Innovative, steadfast and always unpredictable, threat actors can transform their modus operandi overnight. Thus, any SEC-mandated cyber-edicts would quickly become obsolete or ineffective, or ironically, create an unintended safe harbor for those who opted to follow those cyber-edicts."
Data Privacy
As to data privacy, Gensler said that he sees "opportunities to modernize and expand" Regulation S-P, adopted in the wake of the Gramm-Leach-Bliley Act of 1999.
Reg S-P "requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information," Gensler said. "It's the reason that, to this day, a lot of us receive notices informing us about companies' privacy policies."