Wall Street regulator unveils new rules on hacking, data and market resistance
March 15 (Reuters) – The top U.S. market regulator on Wednesday announced a package of proposed guidelines designed to harden the financial system against hacking, data theft and system failure.
At the start of a public meeting, the Securities and Exchange Commission’s (SEC) five members voted to propose updating rules protecting consumers’ financial data and were set to vote on two other proposals regulating online security and the robustness of market infrastructure, part of a continuing concern for to modernize regulations to match advanced technological threats.
SEC Chairman Gary Gensler also opened the meeting with a nod to the unfolding market turmoil, making a veiled reference to Silicon Valley Bank’s failure and fears for the viability of Credit Suisse by reiterating the agency’s pledge to support market resilience.
The three proposed rules together govern how broker-dealers address hacking incidents and protect consumer data, and how exchanges, transaction clearinghouses and others deemed critical to national financial security protect against system failures and cyber intrusions.
They add to measures introduced since last year to counter what officials say are growing dangers to public companies and investors — and are likely to fuel criticism that the SEC under Gensler has embarked on an overly ambitious regulatory agenda that is testing the limits of its capacity.
Under the proposals, brokers and money managers would be required to maintain programs to detect and respond to unauthorized data access and notify affected clients within 30 days.
Broker-dealers, stock exchanges and others will also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” events. Gensler, in prepared remarks, called the proposal “the first to explicitly address cybersecurity practices for most of these market entities.”
The immediate notice requirement would likely raise eyebrows among industry advocates. A similar proposal last year for securities firms required confidential notification within 48 hours, drawing objections that this could hinder efforts to respond quickly to hacking incidents.
Gensler noted that in September a unit of Morgan Stanley ( MS.N ) had agreed to pay $35 million to settle SEC charges it failed to protect personal information over a five-year period.
In addition, the SEC proposed expanding the number of exchanges, registered clearing agencies and others covered by 2014’s “Systems Compliance and Integrity” regulation that requires operators to build systems robust enough to support market activities.
Reporting by Douglas Gillison; Editing by Leslie Adler and Josie Kao
Disclaimer: The views expressed in this article are those of the author and may not reflect the views of Kitco Metals Inc. The author has made every effort to ensure the accuracy of the information provided; however, neither Kitco Metals Inc. nor the author can guarantee such accuracy. This article is for informational purposes only. It is not an invitation to exchange goods, securities or other financial instruments. Kitco Metals Inc. and the author of this article do not accept responsibility for any loss and/or damage arising from the use of this publication.
