By Douglas Gillison
(Reuters) – The top US markets regulator announced on Wednesday a package of policies designed to harden the financial system against hacking, data theft and system failures.
In a public meeting, the five members of the Securities and Exchange Commission (SEC) voted to propose new rules on the protection of consumer financial data and on hacking at stock exchanges and brokers, and were due to vote on another proposal on the resilience of market infrastructure, part of an ongoing concern with modernizing regulations to deal with advancing technological threats.
SEC Chairman Gary Gensler also opened the meeting with a nod to the developing market turmoil, making a veiled reference to the failure of US lender Silicon Valley Bank and fears for Credit Suisse’s viability by reaffirming his agency's commitment to supporting the resilience of the market.
The three proposed rules together govern how broker-dealers address hacking incidents and protect consumer data, and how stock exchanges, transaction clearinghouses, and others deemed critical to national economic security protect against system crashes and cyber intrusion.
They build on measures introduced since last year to counter what officials say are growing dangers to public companies and investors, and are likely to fuel criticism that, under Gensler, the SEC has embarked on an agenda of overly ambitious regulation that is testing the limits of its capacity.
Under the proposals, broker-dealers and money managers should maintain programs to detect and respond to unauthorized data access and notify affected clients within 30 days.
Stockbrokers, exchanges and others would also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” incidents. Gensler, in prepared remarks, called the proposal “the first to explicitly address cybersecurity practices for most of these market entities.”
The immediate notification requirement is likely to surprise industry advocates. A similar proposal last year for investment firms required confidential notice within 48 hours, drawing objections that this could hamper efforts to respond quickly to hacking incidents.
Gensler noted that in September a unit of Morgan Stanley had agreed to pay $35 million to settle SEC charges for failing to protect personal information over a five-year period.
In addition, the SEC has proposed expanding the number of exchanges, registered clearing houses, and others covered by the 2014 “Systems Integrity and Compliance” regulation that requires traders to build systems robust enough to support market activities, including making sure that third-party cloud computing services were sufficient to meet the requirements of the rule.