BCLPSecCorpGov.com
Gensler Signals Major Cybersecurity Regulatory Changes
Feb 10, 2022
Our colleague, Lori Van Auken, recently wrote a post describing SEC Chair Gary Gensler’s preview, given in public remarks at the end of January, of a significant expansion of rules relating to cybersecurity risks.
While Gensler focused particularly on rules for entities that form the backbone of the financial sector, such as self-regulatory organizations, including the securities and options exchanges, clearing agencies, FINRA, and other similar entities and organizations, he also confirmed that the SEC is looking at new rules involving cybersecurity risk disclosures and practices that would be applicable to all public companies:
Cybersecurity Risk Disclosures. According to Gensler, the SEC is considering ways in which cybersecurity risk information can be presented by issuers in a “consistent, comparable, and decision-useful manner.” The SEC also is examining “whether and how to update disclosures” when cybersecurity events have occurred. Although no specifics were provided, proposed mandatory disclosures for cybersecurity risks, along with guidance for assessing the materiality of cyber events, may be expected.
Cybersecurity Practices. The SEC is also apparently preparing recommendations around company practices with respect to “cybersecurity governance, strategy, and risk management.” These issues have been the subject of SEC guidance, risk alerts and enforcement actions for the past several years. Look for proposed rules addressing internal controls for reporting cybersecurity risks and incidents and additional safeguards to protect customer information.”
You can read Lori’s entire post by clicking here.