Securities Law Daily provides daily coverage of developments in the regulation of federal, state, and international securities and futures trading, with objective coverage of the...
June 25—The Securities and Exchange Commission should amend an agency cybersecurity rule so that more market participants are subject to the regulation, Commissioner Luis Aguilar said June 25.
Regulation Systems Compliance and Integrity, which requires stock exchanges to implement a robust set of cybersecurity protocols, “didn't go far enough” because it doesn't apply to a more comprehensive list of market participants such as over-the-counter market makers and transfer agents, Aguilar said at a Security Innovation Network conference in New York.
Aguilar voted to approve the rule late last year, but expressed his preference for a more robust regulation. In his June 25 address, he urged his audience to contact SEC Chairman Mary Jo White to request that the rule be strengthened.
“Unfortunately, Regulation SCI does not apply to many of the important segments of the capital markets,” Aguilar said. “Obviously, more work is needed to ensure the commission's cybersecurity rules address all areas of the market we regulate and that our economy relies on,” he said.
• monitor their computer systems continuously;
• conduct capacity stress testing;
• respond promptly to any system breaches,
• report any intrusions to the SEC within 24 hours,
• report quarterly to the SEC about any system changes; and
• have objective personnel conduct an annual compliance review.
Recent SEC exams showed that many broker-dealers and investment advisers have adopted written policies regarding cybersecurity, Aguilar said. However, he added, the exams also revealed that those firms failed to specify responsibility for client losses stemming from cyberattacks, Aguilar said.
The exams also showed that while many SEC regulated entities conducted cybersecurity self-assessments, relatively few firms conducted assessments of their third party vendors, he said.
The exams further revealed that only two-thirds of examined broker-dealers and about one-third of examined investment advisers designated a chief information security officer, Aguilar said. Further, cybersecurity insurance was carried by a little more than 50 percent of broker-dealers and less than 25 percent of investment advisers, he said.
It is “mind-blowing and disappointing that so many firms fall short” by not designating a CISO and obtaining cyber insurance, especially because those two tools have been shown to decrease the costs associated with data breaches, Aguilar said.
SEC enforcement staffers are currently investigating “multiple” data breaches and reviewing how to bring more cases using existing authority “and how that authority might need to be broadened in order for us to meet emerging cybersecurity trends,” he said. Cyberattacks designed to steal nonpublic information—especially corporate merger activity—for insider trading purposes is a worrisome trend that is on the increase, Aguilar said.
For their part, companies should disclose better and more timely information about particular cyberattacks risks they face, Aguilar continued. If companies don't do this voluntarily, the SEC may have to adopt regulations to require greater disclosure about registrants' cybersecurity risks, the commissioner said.
• risk-based approach,
• avoidance of an overly prescriptive approach; and
• requirement that a company's senior management and board of directors be actively engaged in cybersecurity issues.
He also said businesses can do a better job of protecting themselves from cyberattacks. Sharing information about cyberattacks with other industry participants can help companies reduce cyber-risks and enhance recovery responses, Aguilar said. He called on Congress to enact legislation to provide companies with liability relief when sharing information about cyberattacks in good faith.
More generally, Aguilar said the public and private sectors should work closer together to improve cyber defenses and called for a more coordinated response to attacks.
To contact the reporter on this story: Stephen Joyce in New York at firstname.lastname@example.org
To contact the editor responsible for this story:Phyllis Diamond at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)