The SEC Incorporated Cybersecurity Considerations in Oversight of Market Infrastructure
Posted by Laura Anthony, Esq. on December 06, 2017
The SEC Incorporated Cybersecurity Considerations in Oversight of Market Infrastructure- The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission’s review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. I will summarize the SEC guidance on public company disclosures related to cybersecurity later in this LawCast series. That guidance is also expected to be updated in the near future.
Related to the SEC’s oversight of market infrastructure, including regulation of exchanges and clearing agencies, the SEC adopted Regulation Systems Compliance and Integrity in 2014. Regulation SCI was proposed and adopted to require key market participants to have comprehensive written policies and procedures to ensure the security and resilience of their technological systems, to ensure systems operate in compliance with federal securities laws, to provide for review and testing of such systems and to provide for notices and reports to the SEC. Key market participants generally include national securities exchanges and associations, significant alternative trading systems (such as OTC Markets, which has confirmed it is in compliance with the Regulation), clearing agencies, and plan processors. I will also provide more information on this Regulation later in this Lawcast series.
Certain SEC rules and regulations governing broker-dealers, investment advisors and investment companies directly implicate information security practices. For example, Regulation S-P requires registered broker-dealers, investment companies and investment advisors to adopt written policies and procedures governing safeguards for the protection of customer information and records. Regulation S-ID requires these firms, to the extent they maintain certain types of covered accounts, to establish programs addressing how to identify, detect and respond to potential identity theft red flags.
Also, effective cybersecurity programs require cooperation among government agencies. The SEC shares oversight responsibility on some matters with other agencies, including the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation. Furthermore, the SEC often coordinates with other agencies, such as the Federal Trade Commission and the Consumer Financial Protection Bureau. The SEC coordinates cybersecurity efforts with each of these agencies, and more.
The SEC is committed to enforcing compliance with the cybersecurity disclosure obligations of reporting companies, and in enforcement proceedings against those that purse cyber threats. Part of these efforts include using advanced technology to monitor suspicious trading activity across companies, traders and geographic regions.
In 2016 enforcement actions were brought against three traders for allegedly participating in a scheme to hack into two prominent New York-based law firms to steal information pertaining to clients that were considering mergers or acquisitions, which the hackers then used to trade. In another case, defendants allegedly hacked into newswire services to obtain non-public information about corporate earnings announcements. These are just two examples among dozens of cases.