Compliance Management, Critical Infrastructure Security

Concerns emerge over proposed SEC cyber incident disclosure changes

SEC Chair Gary Gensler
SEC Chair Gary Gensler
Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies during ta Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark-Pool/Getty Images)

Facing increased breaches on its systems and among its members, the Securities and Exchange Commission (SEC) is considering how it will better handle cyber threats.

The SEC proposed new amendments in March to govern how investment firms and public companies under its purview should improve upon their IT security management and incident reporting.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler in a March release.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” Gensler said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

SEC gets tough on identity programs and incident reporting

In July, the SEC slammed JP Morgan Chase & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, each having violated the Identity Theft Red Flags Rule, or Regulation S-ID between January 2017 and October 2019. Regulation S-ID seeks to protect investors from the risk of identity theft. All three financial institutions agreed to cease and desist from future violations, to be censured, and to pay fines of $1.2 million, $925,000, and $425,000, respectively.

Among other commitments, the SEC's proposed amendments would require that financial institutions offer current reporting about “material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.

In March, the SEC issued that a “proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Within the new rule it viewed “information systems” very broadly, especially when the financial firm made use of a cloud- or host-based system.

“The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks. The registrant’s board of directors' oversight of cybersecurity risk,” said in the amendment, “and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.”

“The SEC proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any,” it said. “The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.”

In Deloitte's 2021 Future of Cyber Survey of financial industry cybersecurity, more than 72% of respondents indicated that their organizations had experienced between one and 10 cyber incidents or breaches in 2020 alone. And nearly three-quarters (74%) of so-called botnet attacks have hit the financial industry.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.