In 2021, the U.S. Securities and Exchange Commission (SEC) continued to stake its claim as a lead regulator for cybersecurity. Going into 2022, we expect the SEC will continue to aggressively scrutinize and pursue enforcement actions related to cybersecurity disclosures by public companies and cybersecurity practices of SEC-regulated entities like broker-dealers and investment advisers. Moreover, Chair Gensler has announced that the SEC is currently working on a proposal for clearer cybersecurity governance rules, including topics such as “cyber hygiene and incident reporting.”
In many cases, the alleged faults that the SEC has found in the cybersecurity disclosures and practices of these entities go beyond the requirements of any other state or federal cybersecurity regulations. By making itself a leader in its expectations of regulated businesses, the SEC may become the agency that sets industry-standard guidance for cybersecurity risk through the mandates formed during its investigations and enforcement actions.