Summary
A significant expansion of rules relating to cybersecurity risks—particularly for the financial sector—is under consideration by the Securities and Exchange Commission (SEC).
In public remarks last week, SEC Chair Gary Gensler previewed a number of areas in which the SEC is looking to “broaden and deepen” its oversight of cybersecurity practices and risks. They range from a broad expansion of system integrity rules to changes involving the timing and delivery of privacy notices. Although new rules governing cybersecurity disclosures have been anticipated for months, Gensler’s remarks indicate that the SEC’s plans go well beyond disclosure rules and are far more ambitious.
Significant Changes Likely for the Financial Sector and Its Service Providers
Extension of Reg SCI to “Large, Significant” Entities. One of the most far-reaching changes being considered involves broad expansion of the Regulation Systems Compliance and Integrity Rule (Reg SCI).
Reg SCI, adopted in November 2014, applies to entities that form the backbone of U.S. financial markets: self-regulatory organizations, including the securities and options exchanges, clearing agencies, FINRA,…
