SEC Chair Gary Gensler Highlights Opportunities to Strengthen Cybersecurity Practices of Investment Companies and Advisers in Speech

In a recent speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler focused on cybersecurity policy at the SEC, including certain potential reforms to rules governing the cybersecurity practices of registered investment companies and advisers.

For investment companies, investment advisers, and broker-dealers, Gensler announced that he has asked the SEC staff (Staff) to make recommendations for strengthening cybersecurity hygiene and incident reporting. According to Gensler, the purpose of these reforms would be to reduce the risk that these registrants would not be able to maintain critical operational capability during a significant cybersecurity incident. Gensler believes that these reforms could also give clients and investors better information on which to make decisions, create incentives to improve cyber practices and provide the SEC with more insight into intermediaries’ cyber risks.

Gensler also discussed financial sector registrants’ customer and client data privacy and protection of personal information. He noted that Congress last addressed this issue in the Gramm-Leach-Bliley Act of 1999, and that the SEC adopted Regulation S-P in response to that law, requiring registered investment companies and advisers to protect customer records and information. Gensler said it has been “an eternity in the cybersecurity world” since Regulation S-P was adopted and that there may be opportunities to modernize and expand the rule. In particular, Gensler has asked Staff for recommendations regarding how customers and clients receive notifications about cyber events when their data, such as their personally identifiable information, has been accessed. These recommendations, according to Gensler, could include proposing alterations to the timing and substance of notifications currently required under Regulation S-P.

Gensler closed the speech by emphasizing the cybersecurity challenges the financial sector, investors, issuers and the economy at large face during a time of rapid technological change, and how the SEC has a key role to play in meeting these challenges.

Chair Gensler’s speech can be found here.