US SEC Amps Up Regulatory Proposals for Market CybersecurityBiden Administration Officials Show Impatience With Hacking Risk
The Securities and Exchange Commission proposed a slew of new cybersecurity rules for the companies underpinning the U.S. stock market, the latest sign of increasing unhappiness among Biden administration officials about the private sector's management of digital risk.
The commission approved a proposal that would place market entities under a mandate to report significant cybersecurity incidents to the agency after having concluded with "reasonable basis" that the incident occurred, or even is still in progress. This proposal and the others the commission approved Wednesday must undergo public comment before facing another round of commissioner voting.
The proposed rule would also require market entities to document policies and procedures meant to address cybersecurity threats and subject those controls to an annual review. The vast majority of market entities, except for small dealer-brokers the SEC classifies as not playing a significant market role, would have to publicly disclose cybersecurity incidents. The SEC would also require all but the small dealer-brokers to specifically address cybersecurity program elements such as overall risk, user access controls and a plan for responding to a cybersecurity incident while maintaining continuity of operations.
The financial sector spends considerably on cybersecurity, the agency acknowledged, but suggested that risk continues to outpace security budgets. "The budget levels themselves are not the most important facet of a cybersecurity program," the agency wrote in its proposed rule.
"Market entities across our capital markets increasingly rely on complex and ever-evolving information systems. Those who seek to harm these systems have become more sophisticated," SEC Chair Gary Gensler, a Democrat, said during a Wednesday commission meeting.
Not all commissioners agreed: "This rule is easier to understand as a tool to enhance our year-end enforcement statistics than a serious proposal to make the securities markets more secure," said Republican Commissioner Hester M. Peirce. The rule would open market entities to legal risk, she asserted, charging the agency with preparing "a cudgel to wield if the firm fails to comply with a complicated reporting regime."
The Biden administration has moved to shake up the consensus governing cybersecurity regulation for more than a decade, one that limits Washington's role in private sector cybersecurity. Administration officials, including Gensler, have advertised for more than a year their intention to ramp up regulatory requirements, a change sparked by a ransomware wave that revealed vulnerabilities in key critical infrastructure operators. The White House earlier this month published a national cybersecurity strategy laying out a program of increased regulatory authority (see: White House Unveils Biden's National Cybersecurity Strategy).
Other cybersecurity measures approved by the SEC today include a proposal that would require broker-dealers, investment companies and advisers to notify customers within 30 days in the event of a data breach involving sensitive information. The threshold for notification would be when information was accessed or was "reasonably likely to have been" accessed without authorization. The proposed rule would also expand the types of data covered by the "safeguards rule." The expansion would require cybersecurity protections for nonpublic personal information.
Another proposal would expand and update the Regulation Systems Compliance and Integrity rules. The proposal would require entities already covered by the SCI rule, such as securities exchanges and clearing agencies, to stand up programs to manage third-party risk, including from cloud service providers. Regulated entities, which would include broker-dealers that average daily transaction volume that is at least 10% of the average total daily dollar volume, would need to specifically address the problem of unauthorized access.
The commission also reopened public comment on proposed cybersecurity regulations for registered investment advisers and companies.