Wall Street regulator proposes new rules on hacking, data and market resilience


By Douglas Gillison
(Reuters) – The top U.S. market regulator announced on Wednesday a package of proposed guidelines designed to harden the financial system against hacking, data theft and system failures.
In a public meeting, the Securities and Exchange Commission’s (SEC) five members voted to propose new rules to protect consumer financial data and to guard against hacking of exchanges and broker-dealers, and were to vote on another proposal on the resilience of market infrastructure, part of a continuing concern with modernizing the regulations to match advanced technological threats.
SEC Chairman Gary Gensler also opened the meeting with a nod to the unfolding market turmoil, making a veiled reference to the failure of U.S. lender Silicon Valley Bank and fears for the viability of Credit Suisse by reiterating the agency’s pledge to support market resilience.
The three proposed rules together govern how broker-dealers address hacking incidents and protect consumer data, and how exchanges, transaction clearinghouses and others deemed critical to national financial security protect against system failures and cyber intrusions.
They add to measures introduced since last year to counter what officials say are growing dangers to public companies and investors — and are likely to fuel criticism that the SEC under Gensler has embarked on an overly ambitious regulatory agenda that is testing the limits of its capacity.
Under the proposals, brokers and money managers would be required to maintain programs to detect and respond to unauthorized data access and notify affected clients within 30 days.
Broker-dealers, stock exchanges and others will also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” events. Gensler, in prepared remarks, called the proposal “the first to explicitly address cybersecurity practices for most of these market entities.”
The immediate notice requirement would likely raise eyebrows among industry advocates. A similar proposal last year for securities firms required confidential notification within 48 hours, drawing objections that this could hinder efforts to respond quickly to hacking incidents.
Gensler noted that in September a unit of Morgan Stanley had agreed to pay $35 million to settle SEC charges that it failed to protect personal information over a five-year period.
In addition, the SEC proposed expanding the number of exchanges, registered clearing agencies and others covered by the 2014 “Systems Compliance and Integrity” regulation that requires operators to build systems robust enough to support market activities – including by making sure that third-party cloud computing services were sufficient to meet the requirements of the rule.