Roisman Speech Hits on Future Cyber Regulation

In testimony before Congress, SEC Chair Gary Gensler said agency staff members are developing a proposal on cybersecurity risk governance, which could address issues such as cyber hygiene and incident reporting. While the proposal did not appear in October as expected, cybersecurity apparently remains a high priority at the agency.

In a separate speech, SEC Commissioner Elad Roisman reviewed the current cybersecurity regulatory framework and the factors that could inform regulation around the disclosure and reporting of cyber incidents. According to Roisman, there is “more that the Commission should contemplate in terms of cyber guidance and/or rules to ensure that companies understand our expectations and investors get the benefit of increased disclosure and protections by companies.” Roisman stated that any new regulation should be principles-based and that the regulator should not try to set particular resource requirements for any entity. He also cautioned that any new legal obligations must be clearly defined and should not create inconsistencies with requirements established by other agencies.

Roisman pointed to the SEC’s Enforcement and Examinations divisions to highlight how past initiatives could influence cyber regulation. For example, Roisman said, the Examinations unit for years prioritized cybersecurity in its examinations, allowing it not only to encourage compliance but also to learn about companies’ best practices. Roisman urged firms to remain proactive and to practice proper cyber hygiene, and encouraged companies to work to mitigate harm in case of a cyber-event.