The next evolution in SEC cybersecurity policy could come Wednesday when commissioners consider whether to propose new rules for registered investment advisers and investment companies.
Commissioners will consider staff recommendations for addressing cybersecurity risk management for investment advisers and investment companies as one of the agenda items for their Feb. 9 meeting. The commission will also consider related amendments to certain rules regarding adviser and fund disclosures under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 under the same agenda item, according to the SEC’s meeting agenda.
SEC Chair Gary Gensler has asked staff to recommend ways to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting as part of a broader effort to tighten cybersecurity. “We’re living in a time of rapid technological changes subject to ever-present cybersecurity challenges. These cyber risks have implications for the financial sector, investors, issuers, and the economy at large. The SEC has a role to play,” Gensler said in a recent speech on cybersecurity and the securities laws.
Gensler talks SEC cybersecurity policy
Gensler said that he thinks about cybersecurity policy at the SEC in three ways:
- Cyber hygiene and preparedness
- Cyber incident reporting to the government
- Disclosure to the public, in some circumstances
He also noted that the SEC’s cybersecurity policy work affects four types of entities; one of them is financial sector registrants, such as broker-dealers, investment companies, registered investment advisers, and other market intermediaries. He cited three cybersecurity projects involving financial sector registrants.
Adopted in 2014, Regulation Systems Compliance and Integrity (Reg SCI) was meant to strengthen the technology infrastructure of the U.S. securities markets. It applies to “SCI entities” that directly support key securities market functions, including self-regulatory organizations (SROs), alternative trading systems (ATSs), and certain exempt clearing agencies.
“The core goal of Reg SCI was to reduce the occurrence of systems issues and improve resiliency when they do occur,” Gensler said. “A lot has changed, though, in the eight years since the SEC adopted Reg SCI. Thus, I’ve asked staff how we might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers?”
The SEC may also extend Reg SCI to large Treasury trading platforms. “Similarly, I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities,” Gensler said.
Cybersecurity for investment advisers, broker-dealers, and funds
Gensler also wants to improve the cyber hygiene of financial sector registrants not covered by Reg SCI, such as investment companies, investment advisers, and broker-dealers. He seeks to do so by building upon existing rules that already touch cybersecurity practices, such as the books-and-records, compliance, and business continuity regulations.
“I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident,” Gensler said. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”
In asking SEC staff to make recommendations to the commission, Gensler suggested they consider guidance issued by entities such as the Cybersecurity and Infrastructure Security Agency (CISA).
Gensler has also asked SEC staff for recommendations on how customers and clients are notified of cyber events in which their data, such as personally identifiable information, has been accessed. “This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P,” he said.
Regulation S-P requires registered investment advisers, broker-dealers, and investment companies to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Many of the notices that consumers commonly receive about companies’ privacy policies come from Regulation S-P, Gensler noted.
“More than two decades since Reg S-P was adopted — an eternity in the cybersecurity world — I think there may be opportunities to modernize and expand this rule,” Gensler said of customer and client data privacy and personal information.
RegTech helps firms comply
“Cybersecurity is a high priority for the SEC,” said Margie Webber, director of regulatory compliance for RegEd. “It expects financial sector registrants to similarly prioritize cybersecurity risks and to fulfill their obligations concerning the protection of investor information.”
As the market-leading provider of RegTech enterprise solutions, RegEd provides securities firms with highly efficient and cost-effective strategies for managing compliance with cybersecurity rules and other regulations.
- Incident Management – CODE Incident Management provides end-to-end control and oversight of cyber incident management processes. The solution installs a best-practice methodology for capturing, tracking, and resolving incidents, which drives efficiency and mitigates risks associated with incidents and compliance issues.
- Policies & Procedures Management – CODE Policies & Procedures helps firms demonstrate to regulators that policies are in place and readily available and attested to by reps. The enterprise compliance solution enables comprehensive, end-to-end administration and oversight of all elements of a firm’s policies and procedures.
- Branch Audit Management – RegEd’s Branch Audit Management solution can help firms conduct cybersecurity reviews of their branches. Firms can use the solution to efficiently plan, schedule, conduct, resolve and report on branch inspections in accordance with FINRA Rule 3110 and other regulatory guidelines.
- Education & Training – RegEd’s Education & Training Solution Suite includes cybersecurity courses for reps, investment advisers, and supervisors.
For more information about enterprise compliance solutions from RegEd, schedule a consultation.
RegEd is the market-leading provider of RegTech enterprise solutions with relationships with more than 200 enterprise clients, including 80% of the top 25 financial services firms.
Established in 2000 by former regulators, the company is recognized for continuous regulatory technology innovation with solutions hallmarked by workflow-directed processes, data integration, regulatory intelligence, automated validations, business process automation and compliance dashboards. The aggregate drives the highest levels of operational efficiency and enables our clients to cost-effectively comply with regulations and continuously mitigate risk.
Trusted by the nation’s top financial services firms, RegEd’s proven, holistic approach to RegTech meets firms where they are on the compliance and risk management continuum, scaling as their needs evolve and amplifying the value proposition delivered to clients. For more information, please visit www.reged.com.