SEC Chair Seeks to 'Modernize' Cybersecurity RegulationsPolicy Reform Could Curtail Security Incidents for Banks, Chair Gensler Says
With an emphasis on the "interconnectedness" of networks, rising concerns over the tensions between Russia and Ukraine, and third-party risk management, U.S. Security and Exchange Commission Chair Gary Gensler this week spoke of expanding cybersecurity regulations for financial institutions, specifically for vendors. Gensler highlighted three key areas of concentration: preparedness, incident reporting and the proper disclosure of major cyber incidents.
Speaking at Northwestern Pritzker School of Law's Annual Securities Regulation Institute, Gensler advocated for a team approach, referring to comments made by Cybersecurity and Infrastructure Security Agency Director Jen Easterly on interagency collaboration, and pointed to specific policy updates that could deepen security measures.
Also, at an SEC meeting on Wednesday, the agency proposed an amendment under Regulation Systems Compliance Integrity, known as Reg SCI, designed to enhance security related to Alternative Trading Systems. These systems are not currently subject to provisions in Reg SCI related to security measures, such as incident reporting, business continuity plans and other cyber resiliency safeguards.
Billions of dollars, and "possibly in the trillions," have been lost to cyberattacks, Gensler said on Monday. He outlined specific roles that the SEC envisions for financial firms, security providers and other parties involved with defending networks against malicious hacking, by disclosing actions the SEC is taking in collaboration with other federal agencies and specifying updates to long-standing regulations.
Another central point of the address, which placed an emphasis on the economic impact malware-as-a-service has had on the U.S., was threats to national security.
"Cybersecurity is central to national security," said Gensler. "The events of the past couple of weeks in Russia and Ukraine have once again highlighted the importance of cybersecurity to our national interest."
Gensler referenced the SEC's three-part mission, which includes "protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation." In tandem, Gensler mentioned three cybersecurity focuses for policy updates: preparation and cyber hygiene, incident reporting to the federal government and, following a significant incident, disclosure to the public.
In his remarks, Gensler said collaboration with CISA, FSOC and the private sector was essential if, in the event of a major cyberattack, it was necessary to alert the public or client base. He also recommended that four groups - firms, agencies, vendors and other third parties, and the SEC itself - would need to unify incident reporting standards in the finance sector.
Gensler explained specific roles for each affiliated party in safeguarding against cyberattacks and other emergency security incidents, including:
- SEC registrants - defined as broker-dealers, investment companies and other market intermediaries;
- Public firms;
- Service providers - or those that work closely with the financial sector but may not be registered to SEC;
- The SEC itself - which Gensler said "was not immune" to cyberattacks or other incidents.
For public companies, Gensler said it was a legal obligation to disclose major incidents and explained that staff members were compiling recommendations on how to update breach disclosures. This further involved the duties of registrants to make updates to key policies, as well as a responsibility to organizations to identify risky vendors.
Gensler pointed to updating Reg SCI, which he referred to as "the backbone of the capital markets" and said feedback from staff was part of discussions to update cyber resiliency strategies, such as data backups and other basic cyber hygiene.
Reg SCI, which was adopted in 2014 to strengthen cyber resiliency, has continuously been subject to updates in the ever-changing digital landscape, as noted by Gensler. This rule covers a wide range of registrants, including stock exchanges, alternative trading systems, or ATSs, and other self-regulatory organizations in regards to technology programs, data backups, and other critical topics in security protection and preparedness.
Another significant update noted by Gensler relates to the Gramm-Leach-Bliley Act of 1999 and Regulation S-P, known as the original privacy laws responsible for data protection and privacy. Gensler said he believed there was room to "modernize" the rule and sought recommendations from staff on how "to alter the timings and substance" of how clients would be notified of major cyber incidents.
Reg SCI: Proposals on the Horizon
During his remarks at Northwestern Pritzker School of Law, Gensler did not mention a timeline when proposals would be brought to the commission for review.
But, the SEC, in a meeting on Wednesday, did propose rule amendments to strengthen security protections for ATSs. According to Gensler, who said the proposal builds upon public feedback from another proposal submitted in 2020, the amendment would "enhance transparency and oversight over ATSs that trade government securities."
ATSs - which have more fluid regulation standards, according to the SEC - are currently not subject to "the systems integrity provisions" outlined in Reg SCI. According to the proposed rule, this amendment seeks to hold ATSs accountable for security compliance, such as incident reporting, business continuity planning and other security measures outlined in Reg SCI.
Public comments can be submitted 30 days after the proposal has been published on the Federal Register, the proposed rule says.
A spokesperson for the SEC declined to comment on timelines or other updates.
A highlight of Gensler's address, which has also been a focus in the financial sector, was a discussion of implementing regulations for "the broader group of financial sector registrant," or investment advisers or brokers, and also the role service providers play in incident detection and response.
"Such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident," he said.
A portion of the regulations might include added responsibility for firms to identify service providers that could pose a security risk, according to Gensler.
Chris Wysopal, co-founder and CTO of Veracode and a member of the Forbes Technology Council, tweeted his views that a hallmark of Gensler's remarks was the focus on third-party management.
2022 will be the year of vendor management.— Chris Wysopal (@WeldPond) January 24, 2022
"Gensler suggested the SEC could promulgate rules making public companies accountable for their vendors’ cybersecurity measures or to require public companies to identify which third-party providers pose risks." https://t.co/W9odH3U1nI
Some finance sector security experts and associations are zeroing in on third-party management, as well as incident reporting, specifically around major cyberattacks leading to long-term disruption. The Financial Services Information Sharing and Analysis Center, for instance, has already launched a new campaign to increase communication between third parties and firms.
Other regulations on the horizon will affect service providers as well. For instance, the Computer-Security Incident Notification Rule, which will go into effect on April 1 with full compliance expected by May 1, includes recommendations around service provider management. Bank service providers will be required "to notify at least one bank-designated point of contact" as soon as possible if a significant security incident has manifested and "disrupts or degrades" customer services for four or more hours, according to the final rule.
Threats from Russia
Gensler's remarks also reflected the increasing uneasiness around Russia's abilities to launch a cyberattack on critical infrastructure, including financial institutions and associated parties, in the U.S.
"State actors and nonstate hackers alike sometimes try to target various entities and businesses," Gensler said, adding that attackers such as APTs are seeking to loot data and money, "lower confidence in our financial system," or "just demonstrate their capabilities."
These statements by Gensler come at a time when several federal agencies have been focused on protecting against disruption and remain hyper-vigilant against nation-state threats.
CISA, earlier this month, released a joint advisory indicating Russia-backed threat actors had been leveraging more than a dozen CVEs in an effort to disrupt critical infrastructure. The alert, in some experts' eyes, was a direct response to the threat of a potential invasion of Ukraine.
This week, the Department of Homeland Security warned Russia could retaliate with a cyberattack if the U.S. or NATO takes action to prevent an invasion of Ukraine. Security experts, according to previous reporting by ISMG, believed the warning acknowledged a steeling of the U.S. cyber resiliency (see: Report: DHS Fears Russian Cyberattack If US Acts on Ukraine).