SEC plans to strengthen market cyber defenses

WASHINGTON — The Securities and Exchange Commission is exploring ways to improve cybersecurity in capital markets, including extending compliance obligations to companies that currently do not have to meet them, Chairman Gary Gensler said Monday.

“The economic cost of cyberattacks is estimated to be at least in the billions, if not trillions of dollars,” Gensler said in a virtual address to the annual conference of the Institute of Securities Regulation at Northwestern Pritzker School of Law. “We at the SEC are working to improve the overall cybersecurity posture and resilience of the financial sector.”

Gensler said the agency is considering extending a rule known as Regulatory Systems Compliance and Integrity, or Reg SCI, to large financial companies it does not currently cover, such as market makers and brokers.

The rule, which currently applies to exchanges, clearinghouses and similar entities, requires companies to perform testing for cybersecurity issues, back up their data and have business continuity plans in the event of a breach.

At a meeting of SEC commissioners on Wednesday, officials plan to propose expanding Reg SCI to trading platforms that match buyers and sellers of Treasury securities, Gensler said.

Regulators have recently stepped up their scrutiny of how companies respond to hacker attacks.

Gensler reiterated on Monday that publicly traded companies may have an obligation to disclose ransomware incidents that result in payments or data breaches that expose customer information.

Kenneth Bentsen, president of the Securities Industry and Financial Markets Association, said he welcomed Gensler’s remarks, adding that cybersecurity was already a top priority for the financial industry.

“To say whether policy makers should adopt new rules or not, I don’t know, but I think what needs to be looked at first is whatever is happening in the industry right now,” said Mr. Bentsen. “You have to constantly update yourself. And it must be very collaborative between the regulated and the regulators.”

The SEC chairman said he also asked staff to review updating the timing and substance of notifications that broker-dealers, fund managers and investment advisers are required to send to clients when their data has been accessed during a cyber incident.

Additionally, the SEC is examining ways to raise cybersecurity standards for service providers – such as index providers, custodians, investor reporting systems and others – that are not directly covered by current regulation, Gensler said.

Possible measures include requiring SEC-registered companies to identify service providers that may pose risks or holding companies accountable for their service providers’ cybersecurity measures.

“This could help ensure that important investor protections are not lost and key services are not disrupted as financial industry registrants increasingly rely on outsourced services,” Gensler said.


Write to Paul Kiernan at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.

Appeared in the print edition of January 25, 2022 under the title “SEC seeks to strengthen cybersecurity rules”.
