SEC plans to update cybersecurity regulations
By Robert Davis
22:03, 24 January 2022
The US Securities and Exchange Commission (SEC) is exploring ways to improve cybersecurity in the capital markets, according to a speech chairman Gary Gensler gave at Northwestern University’s Pritzker School of Law on Monday.
Some of the new security measures could include extending compliance obligations to companies that currently don’t have to meet them, such as investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, along with price setting and other data services.
Gensler told the audience the American government will rely on its partners in the private sector to implement some of the changes, since they operate some of the country’s critical infrastructure.
“We have a key role as the regulator of the capital markets with regard to SEC registrants – ranging from exchanges and brokers to advisers and public issuers,” Gensler said in his speech. “Cyber relates to each part of our three-part mission, and in particular to our goal of maintaining orderly markets.”
Cyberattacks in 2021
According to the Center for Strategic and International Studies (CSIS), there were 121 major cyberattacks in 2021. This total includes only attacks that targeted government agencies, defence and high-tech companies, and those that resulted in losses of $1m (£740,000) or more.
There were seven attacks in December alone, including a breach of four US defence and technology companies by hackers from China that sought to gain access to their internal networks and secure communications.
Hackers also targeted prominent energy and infrastructure companies in other countries such as Australia, India and Belgium.
“Cyber incidents, unfortunately, happen a lot,” Gensler said. “History and any study of human nature tells us they’re going to continue to happen. Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector.”
The SEC is considering several proposals to help prevent attacks like these in the future.
For example, the agency is considering increasing disclosure requirements for publicly traded companies to present data privacy information in a “consistent, comparable, and decision-useful manner.”
For internet service providers, the SEC is considering making a list of entities that pose cyber risks and holding accountable those entities whose security systems are breached.
“We’re living in a time of rapid technological changes subject to ever present cybersecurity challenges,” Gensler said. “These cyber risks have implications for the financial sector, investors, issuers and the economy at large. The SEC has a role to play, along with the rest of Team Cyber.”