TSCPA News

SEC Considering Significant Changes to Cybersecurity Rules

January 24, 2022

The Securities and Exchange Commission (SEC) recently revealed that it is considering extending cyber risk management rules to third-party service providers and changing how public companies make disclosures related to cybersecurity.

In a recent address to securities industry professionals, SEC Chair Gary Gensler outlined the changes the agency is considering. The possible changes include adjustments to how stock exchanges and clearinghouses mitigate and report on cyber risk under Regulation Systems Compliance and Integrity (SCI). New rules may include requiring certain registrants to identify service providers that could pose cybersecurity risks, holding registrants accountable for service providers’ cybersecurity measures and protecting against inappropriate access.

The new rules could extend to registered firms’ third-party service providers such as fund administrators, index providers, custodians and others not currently registered with the SEC.

The SEC is also considering making changes to rules regarding the way companies disclose their cybersecurity practices and cyber risk, including how they must notify investors when a cybersecurity breach or other event occurs.