Securities and Exchange Commission Chairman Gary Gensler said Monday the agency is considering rules that would require financial advisers and funds to strengthen cyber protections and disclosures regarding cybersecurity threats.
The SEC has addressed cyber safeguards in risk alerts. It also brought an enforcement case last year against several financial firms for violating existing customer protection rules when hacking incidents exposed client records and information.
Gensler said SEC rules on record keeping, compliance and business continuity can implicate cybersecurity practices of registered investment advisers and brokers. Now the agency is looking to step up its cyber oversight.
“Building upon that, I’ve asked staff to make recommendations for the commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by [the Cybersecurity and Infrastructure Security Agency] and others,” Gensler said in remarks at an online conference sponsored by the Northwestern University Pritzker School of Law.
The pending proposal would be designed to enhance cybersecurity preparedness and incident reporting by funds and advisers, Gensler said. It’s due to be released by April, according to the SEC’s latest regulatory agenda.
“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the commission with more insight into intermediaries’ cyber risks.”
As part of its effort to strengthen cybersecurity regulation, the agency also is looking to update its systems compliance and integrity rule for exchanges and self-regulatory organizations, and “modernize and expand” Regulation S-P, which requires brokers, investment advisers and investment companies to protect customer records and information.
Another initiative is a pending rule proposal to require public company disclosures related to cybersecurity risk and governance.
“Cyber collectively is an important resiliency project,” Gensler said. “There’s still going to be cyber events, but it’s how we can sort of update our rules in this modern time.”
The April deadline for new cyber rules doesn’t mean that’s when they’ll be released. The agency often misses its self-imposed goals on its regulatory agenda.
In a discussion about a pending climate-risk disclosure rule, Gensler declined to predict a timeline. He said that when the agency gets around to a rule is sometimes not directly related to the urgency it places on that rule.
“We want to put it out … when the document’s ready based upon the economics, based upon the law, and based upon what we’re hearing from both investors and issuers,” Gensler said. “I wouldn’t confuse sequencing with priority.”
The post Pending SEC proposal targets advisers’ cyber ‘hygiene’ appeared first on InvestmentNews.