SEC Chair Suggests Potential New Cybersecurity Requirements
By David R Coogan
In a speech yesterday at Northwestern’s Securities Regulation Institute, Gary Gensler, the Chair of the U.S. Securities and Exchange Commission, announced that the SEC is considering a series of cybersecurity policy changes and reminders in light of the huge risk posed by hacking. These include:
- Reminding publicly traded companies that they might have an obligation to disclose ransomware incidents that result in payments or expose client information.
- Expanding the SEC’s cybersecurity rule, Regulation Systems Compliance and Integrity (“Reg SCI”) (17 CFR §§ 242.1000–242.1007). Adopted in November 2014, Reg SCI currently applies to stock and options exchanges and clearinghouses. Gensler suggested that Reg SCI may be expanded to apply to the largest market-makers and broker-dealers.
- In addition to Reg SCI’s requirements that covered entities test for cybersecurity issues, implement business continuity plans, and report systems disruptions and intrusions to the SEC within 24 hours, Gensler suggested that the SEC is considering changes to Reg SCI to “shore up” the cyber hygiene of important financial entities.
The Chair also signaled forthcoming changes to Regulation S-P, an increased focus on public companies’ cybersecurity disclosures, and regulations on third parties that provide services to registered entities.
The Commission meets tomorrow, January 26, 2022, and may address these proposals.