In remarks delivered in 2022 before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (See this PubCo post.) He might have said the same thing about cyber resilience—the topic of a Financial Times summit held last month and the subject of remarks delivered to that audience by Gurbir Grewal, the current SEC Director of Enforcement. What is cyber resilience? As defined by Grewal, it’s a concept that assumes that “breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it’s not a matter of if, but when.”
Citing a recent poll from Deloitte, Grewal observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” To maintain that integrity, the SEC has proposed…
