Concerns emerge over proposed SEC cyber incident disclosure changes


Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies during a Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark-Pool/Getty Images)

Facing a rising number of breaches, both of its own systems and among the firms it regulates, the Securities and Exchange Commission (SEC) is considering how to better handle cyber threats.

In March, the SEC proposed new amendments governing how investment firms and public companies under its purview must manage IT security risk and report cybersecurity incidents.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler in a March release.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” Gensler said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

SEC gets tough on identity programs and incident reporting

In July, the SEC charged JP Morgan Chase & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, each having violated the Identity Theft Red Flags Rule, or Regulation S-ID, between January 2017 and October 2019. Regulation S-ID seeks to protect investors from the risk of identity theft. All three financial institutions agreed to cease and desist from future violations, to be censured, and to pay penalties of $1.2 million, $925,000, and $425,000, respectively.

Among other requirements, the SEC’s proposed amendments would mandate that financial institutions provide current reporting about “material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.”

In its March release, the SEC stated that the “proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information…
