SEC's Reg SCI Should Encompass More Market Participants, Aguilar Says

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

By Stephen Joyce

June 25—The Securities and Exchange Commission should amend an agency cybersecurity rule so that more market participants are subject to the regulation, Commissioner Luis Aguilar said June 25.

Regulation Systems Compliance and Integrity, which requires stock exchanges to implement a robust set of cybersecurity protocols, “didn't go far enough” because it doesn't apply to a more comprehensive list of market participants such as over-the-counter market makers and transfer agents, Aguilar said at a Security Innovation Network conference in New York.

Aguilar voted to approve the rule late last year, but expressed his preference for a more robust regulation. In his June 25 address, he urged his audience to contact SEC Chairman Mary Jo White to request that the rule be strengthened.

“Unfortunately, Regulation SCI does not apply to many of the important segments of the capital markets,” Aguilar said. “Obviously, more work is needed to ensure the commission's cybersecurity rules address all areas of the market we regulate and that our economy relies on,” he said.

Reg SCI, which companies must comply with beginning in November, requires regulated entities to:

• monitor their computer systems continuously;

• conduct capacity stress testing;

• respond promptly to any system breaches,

• report any intrusions to the SEC within 24 hours,

• report quarterly to the SEC about any system changes; and

• have objective personnel conduct an annual compliance review.


Stealing Data to Aid Insider Trading

Recent SEC exams showed that many broker-dealers and investment advisers have adopted written policies regarding cybersecurity, Aguilar said. However, he added, the exams also revealed that those firms failed to specify responsibility for client losses stemming from cyberattacks, Aguilar said.

The exams also showed that while many SEC regulated entities conducted cybersecurity self-assessments, relatively few firms conducted assessments of their third party vendors, he said.

The exams further revealed that only two-thirds of examined broker-dealers and about one-third of examined investment advisers designated a chief information security officer, Aguilar said. Further, cybersecurity insurance was carried by a little more than 50 percent of broker-dealers and less than 25 percent of investment advisers, he said.

It is “mind-blowing and disappointing that so many firms fall short” by not designating a CISO and obtaining cyber insurance, especially because those two tools have been shown to decrease the costs associated with data breaches, Aguilar said.

SEC enforcement staffers are currently investigating “multiple” data breaches and reviewing how to bring more cases using existing authority “and how that authority might need to be broadened in order for us to meet emerging cybersecurity trends,” he said. Cyberattacks designed to steal nonpublic information—especially corporate merger activity—for insider trading purposes is a worrisome trend that is on the increase, Aguilar said.

For their part, companies should disclose better and more timely information about particular cyberattacks risks they face, Aguilar continued. If companies don't do this voluntarily, the SEC may have to adopt regulations to require greater disclosure about registrants' cybersecurity risks, the commissioner said.

Rule's Positive Elements

While he criticized the thoroughness of Reg SCI, he also touted what he said were some of its strengths, including the rule's:

• risk-based approach,

• avoidance of an overly prescriptive approach; and

• requirement that a company's senior management and board of directors be actively engaged in cybersecurity issues.


He also said businesses can do a better job of protecting themselves from cyberattacks. Sharing information about cyberattacks with other industry participants can help companies reduce cyber-risks and enhance recovery responses, Aguilar said. He called on Congress to enact legislation to provide companies with liability relief when sharing information about cyberattacks in good faith.

More generally, Aguilar said the public and private sectors should work closer together to improve cyber defenses and called for a more coordinated response to attacks.

To contact the reporter on this story: Stephen Joyce in New York at

To contact the editor responsible for this story:Phyllis Diamond at

Request Securities & Capital Markets on Bloomberg Law