And should a company report a data breach when it's not required to under other regulations, she asked.
"That is an area that I think the SEC will become even more interested in," she said. "If it's reasonably likely that a breach will lead to reduced revenues or have a material impact on the business, there would be some reporting obligations."
In the last couple of years, however, the SEC has turned its focus on Wall Street institutions.
For example, the SEC recently indicated that they were going to look at how brokerages are managing third-party risk, such as that from purchased software or cloud-based services.
"We're seeing that this is a new trend, and an important one," said Wysopal. "We're seeing more and more stuff moving to the cloud and being managed by third parties."
Last February, the SEC conducted a cybersecurity sweep examination that determined that 88 percent of broker-dealers and 74 percent of registered investment advisers had suffered cyberattacks either directly or through their vendors.
In the fall, the SEC announced that it will do a second round of examinations of financial services firms focusing on a number of cybersecurity topics including vendor management.
According to the SEC's Office of Compliance Inspections and Examinations, other areas of focus include governance and risk assessment, access controls, data loss prevention, training, and incident response.
"We expect continued scrutiny of the areas covered in past years, with new emerging risk areas being evaluated," said Glenn Siriano, financial services leader for KPMG Cyber at KPMG.
Those new areas include emerging technologies, new external threat vectors, deeper assessments of third-party vendors, usage of social media, and managing insider threats, he said.
And the SEC has been moving beyond conducting inspections and issuing guidance, said Dave Mahon, CSO at CenturyLink.
"They're beginning to get a better understanding that this is a bigger problem," he said. "They're trying to get their hands around it, and you're starting to see more audits."
For example, he said, there was the recent enforcement action against RT Jones, a regional investment company that had a breach that exposed client brokerage records.
In that case, the brokerage was fined $75,000 because for nearly four years the firm failed to adopt any written policies or procedures to ensure the security of personally identifiable information and to protect it from unauthorized access.
The SEC is adding teeth to its enforcement, confirmed Ernest Badway, co-chair of the securities industry practice at law firm Fox Rothschild LLP
"There have been several enforcement actions against a variety of broker dealers, investment advisers, and funds," he said.
The SEC's core objective is to protect retail investors, said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyberrisk Services at Deloitte & Touche LLP
Sign up for CIO Asia eNewsletters.