The top US markets regulator on Wednesday announced a package of proposed policies designed to help harden the financial system against hacking, data theft and systems failure.
At a public meeting, the Securities and Exchange Commission’s five members were due to vote on three proposals, part of a continuing concern with modernizing regulations to match advancing technological threats.
The three rule proposals govern how broker-dealers address hacking incidents and protect consumer data, and how stock exchanges and transaction clearing houses and others deemed critical to national economic security gird themselves from system failure and cyber-intrusion.
They add to measures introduced since last year to counter what officials say are mounting dangers to public companies and investors – and are likely fuel criticism that under Chair Gary Gensler the SEC has embarked on an excessively ambitious rulemaking agenda testing the limits of its capacity.
Under the proposals, broker-dealers and money managers would be required to maintain programs to detect and respond to unauthorized data access and to notify affected customers within 30 days.
Broker-dealers, securities exchanges and others would also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” incidents. Gensler, in prepared remarks, called the proposal “the first explicitly to address cybersecurity practices for the majority of these market entities.”
The requirement for immediate notice was likely to raise eyebrows among industry advocates.
A similar proposal last year for investment firms called for confidential notice within 48 hours, drawing objections that this could hinder efforts to respond to hacking incidents quickly.
Gensler noted that in September a unit of Morgan Stanley had agreed to pay $35 million to resolve SEC charges it failed to protect personal information over a period of five years.
In addition, the SEC proposed expanding the number of stock exchanges, registered clearing agencies and others covered by 2014’s “Systems Compliance and Integrity” regulation requiring operators to build systems robust enough to support market activities.
The proposed amendment would also require such operators to oversee services from cloud computing providers to be certain they match the rule’s requirements governing systems resiliency.