On January 4th, the Office of Information and Regulatory Affairs released the Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions (yes, the “Fall 2022” agenda was published in January 2023), including short and long-term Securities and Exchange Commission (“SEC”) priorities for regulatory actions for the coming year. The agenda’s intent is to provide public notice regarding upcoming actions within the Executive Branch, including the SEC. We continue to monitor developments at the SEC regarding privacy and cybersecurity.
Of the fifty-two SEC agenda items, several address planned privacy- and security-related regulatory actions, including future:
- Notice and comment on proposed rules regarding the oversight of third-party service providers
- Notice and comment on proposed rules to address registrant cybersecurity risk and related disclosures, including amending Regulation S-P and Reg SCI (which govern the security of consumer data maintained by financial institutions subject to the SEC’s jurisdiction)
- Final action on two prior notices of proposed rulemaking related to cybersecurity enhancements regarding:
- Public company disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting
- Requirements for investment advisors, registered investment companies, and business development companies to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks.
Practically, financial institutions, public companies, and other entities subject to the SEC’s jurisdiction should continue to maintain and update their written information security programs (especially with regards to incident response) while preparing for enhanced public cybersecurity risk disclosures, shortened security incident notification timelines, and increased supply-chain management oversight. The permitted timeframes to simultaneously mitigate and investigate cybersecurity incidents, internally or at vendors, is ever-diminishing as reporting windows shorten. Firms should consult with counsel to add SEC compliance checklists to the incident response plan and ensure their information security programs will withstand SEC scrutiny.