Gensler Discusses “Team Cyber” and Recent Rule Proposals

In a speech to the joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), SEC Chair Gary Gensler remarked that when it comes to cybersecurity and resilience “[a]dopting a heightened posture is a task that requires all of us.” He stated the Commission’s cybersecurity policy work is encompassing of four groups of entities: (1) SEC registrants in the financial sector; (2) Public companies; (3) Service providers that work with SEC financial services registrants, but who may not be registered entities; and (4) the SEC itself. The Commission’s focus has been getting these groups prepared and raising their cybersecurity “hygiene,” incident reporting to the government, and when necessary, disclosure to the public. Gensler commented that for financial services registrants, the Commission is focused on initiatives in three areas: Regulation Systems Compliance and Integrity (Reg SCI), data privacy and alerting investors to cyber events, and the recent proposal on cybersecurity risk management plan that focuses on cyber resilience at registered investment advisers, registered investment companies, and business development companies. Additionally, Gensler stated he has “asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers.” Noting that the SEC itself is not immune from cyber threats, he remarked “we continue to evaluate our data footprint and improve our data collection processes so that we collect only the data we need to fulfill our mission.” On Monday, April 11 the Forum submitted comments to the Commission on proposed rules concerning “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.”