SEC Commissioner Elad L. Roisman described potential SEC rulemakings on cybersecurity, and offered additional measures to prevent cyberattacks that issuers might consider, even in the absence of regulatory action.
In a speech before the Los Angeles County Bar Association, Mr. Roisman underscored the importance of issuers taking cybersecurity measures in light of the frequency of cyberattacks and the potential injury to an issuer's clients and shareholders. He recommended that issuer preparation include (i) implementing procedures to monitor for cyber threats, (ii) planning how to address a potential breach and (iii) knowing what breach information must be reported, and to which government agencies. He noted that cybersecurity regulation in the United States falls under the jurisdiction of a number of federal agencies, so that an SEC registrant may owe cybersecurity obligations, including reporting requirements, to several agencies at once. Mr. Roisman also observed that issuers can bolster their cybersecurity efforts by (i) designating in advance the "providers and experts" to be contacted in the event of a cyber incident and (ii) conducting table-top exercises to determine, before an incident occurs, the best courses of action for mitigating harm.
As to the SEC's regulatory approach, Mr. Roisman pointed to Regulation Systems Compliance and Integrity ("Regulation SCI") as the agency's "most extensive policymaking in cybersecurity." Mr. Roisman explained that the issuance of Regulation SCI improved the cybersecurity preparedness and resilience of the markets and enhanced the SEC's awareness of "SCI events," which include cybersecurity breaches and system issues.
Separately, Mr. Roisman stated that he supports a cyber incident reporting framework for advisers. He cited FINRA's broker-dealer cybersecurity incident reporting requirements as an example.
Should new public issuer cybersecurity rules be proposed, Mr. Roisman argued that they should (i) clearly define any legal requirements, (ii) ensure that such requirements are consistent with existing requirements of "sister government agencies," (iii) account for resource disparities among registrants, and (iv) be principles-based. In addition, Mr. Roisman cautioned against mandatory disclosures that could provide bad actors with "a roadmap for how to infiltrate a registrant's systems."