Wall Street regulator unveils new rules on hacking, data and market resilience

March 15 (Reuters) – The top U.S. market regulator on Wednesday announced a package of proposed guidelines designed to help harden the financial system against hacking, data theft and system failures.
At a public meeting, the Securities and Exchange Commission’s five members were to vote on three proposals, part of an ongoing effort to modernize regulations to match advancing technological threats.
The three proposed rules govern how broker-dealers address hacking incidents and protect consumer data, and how exchanges and transaction clearinghouses and others deemed critical to national financial security protect against system failures and cyber intrusions.
They add to measures introduced since last year to counter what officials say are growing dangers to public companies and investors — and are likely to fuel criticism that the SEC under Chairman Gary Gensler has embarked on an overly ambitious regulatory agenda that is testing the limits of its capacity.
Under the proposals, brokers and money managers would be required to maintain programs to detect and respond to unauthorized data access and notify affected clients within 30 days.
Broker-dealers, stock exchanges and others will also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” events. Gensler, in prepared remarks, called the proposal “the first to explicitly address cybersecurity practices for most of these market entities.”
The immediate notice requirement would likely raise eyebrows among industry advocates. A similar proposal last year for securities firms required confidential notification within 48 hours, drawing objections that this could hinder efforts to respond quickly to hacking incidents.
Gensler noted that in September a unit of Morgan Stanley (MS.N) had agreed to pay $35 million to settle SEC charges it failed to protect personal information over a five-year period.
In addition, the SEC proposed expanding the number of exchanges, registered clearing agencies and others covered by 2014’s “Systems Compliance and Integrity” regulation that requires operators to build systems robust enough to support market activities.
The proposed amendment would also require such operators to oversee services from cloud computing service providers to ensure they comply with the rule’s requirements governing system resilience.
Reporting by Douglas Gillison; Editing by Leslie Adler