What future SEC cyber regulations could mean for US-listed companies

The US Securities and Exchange Commission (“SEC”) has put a proposal on the table for regulating cybersecurity risks of applicable entities governed by the Commission.

The proposal’s rationale states that “a significant cybersecurity incident at one Market Entity has the potential to spread to other Market Entities in a cascading process that could cause widespread disruptions threatening the fair, orderly, and efficient operation of the U.S. securities markets”.

This projects that a single incident could reduce liquidity in the markets or a sector due to one broking entity’s inability to continue dealing and trading activities.

In addition, the US securities markets are one of sixteen critical infrastructure sectors considered vital to the US that the incapacitation or destruction of such would likely lead to a debilitating effect on security, national economic security, national public health or safety.  

Rule 10 as proposed

Rule 10, as proposed, would require applicable market entities to have written policies and procedures in place to address cybersecurity risks. These policies and procedures would require regular risk reviews of the entity’s information systems with corresponding documentation as well as controls and measures in place to minimise and detect threats and vulnerabilities along with a response and recovery procedure should this occur.

The proposal also includes written notice of the event to be reported to the SEC along with the efforts in responding and recovering from the incident (See proposed Form SCIR, Part I).

Furthermore, public disclosure would be required by these entities of significant cybersecurity incidents as well as risks within a form (See proposed Form SCIR, Part II). Similarly, the London Stock Exchange requires incident notifications.

The Proposal also includes alternatives and an explanation as to the rationale behind the proposed rule.

Commentary

As the SEC has allowed for public comments, such comments widely range in feedback:

• “You need to spoon feed the horse to the watering hole - what framework, what specifically - too many people lead them stray” (Security Excellence)

• “…it will be imperative for the Commission to coordinate with CISA and other federal agencies to assure harmonization and deconfliction across cybersecurity-related regulations, rather than require the subjects of the proposed regulations to undertake that process themselves.” (Securities Industry and Financial Markets Association)

At present, the United States has several states with cybersecurity and data protection related regulations. Each state has different regulations which makes complying with all of them burdensome on companies. The hope is a unifying federal law that would cover the vast majority of these. It is debatable as to whether the federal laws should supersede or supplement state laws.

CISA to the Rescue

The Cybersecurity and Infrastructure Security Agency (“CISA”) is less than five years old but sits within the US Department of Homeland Security in which it offers best practices and current information for businesses to implement.

Relevant to risk management is CISA’s National Critical Functions set which identifies specific functions of the government and private sector so vital to the United States. This can include businesses that provide core networks, transport, energy and chemicals, investment activities, banking, insurance, food products, and R&D.

If your business falls within this category, it is essential that the correct frameworks and components of cybersecurity are implemented. Furthermore, the SEC seeks to ensure that it becomes enforceable for businesses to adhere to. The question is which frameworks are reasonable and appropriate for your business?

As one of the commenters of the Proposal stated, the Commission should consider coordinating with CISA so businesses know exactly what is needed to comply rather than playing guesswork to ensure they are within the reasonable security practices.

Without having stronger guidance, businesses risk regulatory investigations and class action lawsuits by not only those whose personal data or information is infringed but also by shareholders who felt that they were misled by the business claiming to be compliant.

However, what the actual enforceable regulation will state should be telling.