SEC Commissioner Kara Stein in a recent speech doubled down on the need for expanded cybersecurity regulation and said she has asked SEC Chairman Jay Clayton to prioritize an expanded version of regulations issued in 2014. She noted that while the SEC has offered non-binding “guidance” and advice to market participants, we “need to think more comprehensively about the cyber wars going on.” She also focused on the role of public company boards, urging board members to “proactively take action on the oversight of cybersecurity as a critical component of a company’s risk management.” She explained that while boards are not required to manage the day-to-day risks of cyber threats, they must take charge of oversight of cyber risks. She encouraged boards to retain independent experts to provide advice; engage with management and information security executives; and to assess whether disclosures to shareholders adequately and faithfully represent the significant cyber risks that may impact investment decisions.
Stein also remarked on the financial system’s growing dependence on data, noting that the tools that analyze data are significantly changing the financial markets. The “race for data superiority may be creating two classes—those who can pay for data and those who can’t,” Stein remarked. Financial regulations need to change in this area as well, she noted, and offered questions that could inform policymaking, including: Should a company value its data? Should it disclose the value of its data? Who is responsible for the appropriate collection and use of data? Who is responsible for protecting the privacy of personally identifiable information that is collected and used?