
SEC eyes more expansive cybersecurity requirements
New rules for publicly traded companies could add protections for consumer information, strengthen incident reporting, and require assessment of third-party risk.
Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”
Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.
This article appeared in CSO Online. To read the rest of the article please visit here.