Wall Street regulator proposes new hacking, data and market resiliency rules
By Douglas Gillison
(Reuters) – The top U.S. markets regulator on Wednesday proposed a suite of new policies designed to harden the financial system against hacking, data theft and systems failure.
With some dissents from Republican members, the Securities and Exchange Commission’s (SEC) five members voted at a public meeting to propose rules on protecting consumer financial data, preventing hacking at stock exchanges and broker-dealers and buttressing the resiliency of market infrastructure, part of a continuing concern with modernizing regulations to match advancing technological threats.
SEC Chairman Gary Gensler also opened the meeting with a nod to unfolding market turmoil, making veiled reference to the failure of U.S. lender Silicon Valley Bank and fears for the viability of Credit Suisse by restating his agency’s pledge to support market resiliency.
The three rule proposals together govern how broker-dealers address hacking incidents and protect consumer data, and how stock exchanges, transaction clearing houses and others deemed critical to national economic security gird themselves against system failure and cyber-intrusion.
The proposed regulations, which are now subject to a public comment period prior to any vote on their adoption, add to measures introduced since last year to counter what officials say are mounting dangers to public companies and investors. They are likely to fuel criticism that under Gensler the SEC has embarked on an excessively ambitious rulemaking agenda that is testing the limits of its capacity.
Under the proposals, broker-dealers and money managers would be required to maintain programs to detect and respond to unauthorized data access and to notify affected customers within 30 days.
Broker-dealers, securities exchanges and others would also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” incidents. Gensler, in prepared remarks, called the proposal “the first explicitly to address cybersecurity practices for the majority of these market entities.”
The requirement for immediate notice is likely to raise eyebrows among industry advocates. A similar proposal last year for investment firms called for confidential notice within 48 hours, drawing objections that this could hinder efforts to respond to hacking incidents quickly.
Gensler noted that in September a unit of Morgan Stanley had agreed to pay $35 million to resolve SEC charges it failed to protect personal information over a period of five years.
In addition, the SEC proposed expanding the number of stock exchanges, registered clearing agencies and others covered by the 2014 “Systems Compliance and Integrity” regulation requiring operators to build systems robust enough to support market activities – including by assuring themselves that third-party cloud computing services were sufficient to meet the rule’s requirements.