SEC Commissioner Kara M. Stein urged the agency to expand its cybersecurity regulations in various ways, including (i) establishing requirements as to a corporate board of directors having meetings with the company's Chief Information Officer and (ii) subjecting broker-dealers and investment advisers to some expanded version of Regulation SCI (the regulation that establishes certain requirements as to the implementation of technology by marketplaces).

At the 62nd Henry J. Miller Distinguished Lecture Series, Ms. Stein called upon SEC Chair Jay Clayton to prioritize revising cybersecurity regulation and to expand Regulation SCI (Systems Compliance and Integrity). Ms. Stein argued for expanding these regulations, both as to the scope of their requirements and as to the persons to whom they would apply, so as to include broker-dealers, investment advisers and others who have access to "extremely valuable" data as the result of the "prolific availability of data and information" that has "disrupted and transformed the capital markets." She also suggested the SEC should adopt rules that would require market participants to make disclosures to their customers in the event of a data breach.

Beyond market participants, she also noted, corporate boards have a fiduciary duty to shareholders to oversee and evaluate corporate risk-taking. Board members need to take action proactively on the oversight of cybersecurity as a critical component of a company's risk management. In this regard, she asserted, "independent directors should meet with the company's Chief Information Security Officer at least twice annually in executive session, without members of management present so that they can have open, frank, and meaningful discussions about culture, tone, and the resources dedicated to both prevention and resiliency."

More generally, Ms. Stein urged the agency to consider regulatory measures to address data mining. Ms. Stein advised policymakers to consider who owns various types of data and who should have access to it, asking:

  • should a company value its data;
  • should it disclose the value of its data;
  • who is responsible for the appropriate collection and use of data;
  • who is responsible for protecting the privacy of personally identifiable information that is collected and used;
  • who is responsible for determining how data can be shared;
  • who is responsible for establishing and implementing standards for data collection and use; and
  • who is responsible for addressing conflicts of interest?

Commentary / Steven Lofchie

There is a lot here, quite literally; it's long as speeches go, and it covers a lot of ground. Bottom line, the Commissioner believes that data is important, technology is important, and privacy is important. The Commissioner believes that the SEC should adopt more rules on these issues. But the question is what rules and to what end? For example, the suggestion that a financial market intermediary should inform its customers of a data breach seems reasonable; such notice may allow customers a better opportunity to protect themselves against cyber crime. But is it really good government to have a rule that independent directors of every company meet twice a year with the company's "Chief Information Security Officer," without management present? Is it really the case that the SEC should be dictating what meetings directors have?

Commissioner Stein asks many important questions. Unfortunately, her answer to each one seems to be "let's make a rule." More consideration about whether and where rulemaking (and which rules) would actually make a positive difference in behavior (and not just creating another cause of action when something goes wrong, which is inevitable in the cyber world) is warranted.
