Cybersecurity and Securities Laws
Northwestern Pritzker School of Law’s Annual Securities Regulation Institute
Jan. 24, 2022
Thank you. It’s good to be with the Annual Securities Regulation Institute. As is customary, I’d like to note that my remarks are my own, and I’m not speaking on behalf of the Commission or SEC staff.
As some of you may know, I often like to talk about the founding of our nation’s securities laws in the 1930s.
So again, today, I’d like to discuss the ‘30s — but this time, I actually mean the 1830s.
In 1834, exactly a century before the SEC was established, the Blanc brothers in Bordeaux, France, committed the world’s first hack. The two bankers bribed telegraph operators to tip them off as to the direction the market was headed. Therefore, they gained an information advantage over investors who waited for the information to arrive by mail coach from Paris.
The brothers weren’t convicted for their actions, as France didn’t have a law against the misuse of data networks. The Blancs thus pocketed their francs, point-blank.
You may be wondering what all this has to do with the SEC. Well, I think it’s telling that the world’s first cybersecurity attack involved securities.
Nearly two hundred years after the Blancs stole information about the securities markets, the financial sector remains a very real target of cyberattacks. What’s more, it’s become increasingly embedded within society’s critical infrastructure.
As the famous bank robber Willie Sutton purportedly once said, regarding why he robbed banks: “Because that’s where the money is.”
The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating. State actors and non-state hackers alike sometimes try to target various entities and businesses. Why? To steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities. All this puts our financial accounts, savings, and private information at risk.
The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars. Hackers have attacked broker-dealers, government agencies, meat processors, and pipelines. These attacks can take many forms from denials-of-service to malware to ransomware.
It’s not just the economic cost, of course. Cybersecurity is central to national security. The events of the past couple of weeks in Russia and Ukraine have once again highlighted the importance of cybersecurity to our national interest.
Recently, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that “cybersecurity is a team sport.” “Each and every one of us are a member of Team Cyber,” she said.
Folks from the private sector are on the front lines. As President Biden recently put it, “most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone.”
Other government entities, such as the Federal Bureau of Investigation and CISA, captain Team Cyber, but the SEC has a role to play as well.
Today, we participate in the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC). We work with our foreign counterparts in the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO), the G7 Cyber Experts Group, and elsewhere.
We have a key role as the regulator of the capital markets with regard to SEC registrants — ranging from exchanges and brokers to advisers and public issuers. Cyber relates to each part of our three-part mission, and in particular to our goal of maintaining orderly markets.
We have many rules that implicate cyber risk, including but not limited to business continuity, books and records, compliance, disclosure, market access, and antifraud. Our Division of Examinations (EXAMS) has put out various Risk Alerts and statements regarding cybersecurity topics, and issued a report in 2020 on Cybersecurity and Resiliency Observations. This work helps SEC registrants and the public prepare for and manage some of these cyber risks.
Cyber incidents, unfortunately, happen a lot. History and any study of human nature tells us they’re going to continue to happen. Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector.
Though plenty of this work takes place in the private sector and elsewhere in the government, when contemplating cybersecurity policy at the SEC, I think about it in three ways:
- cyber hygiene and preparedness
- cyber incident reporting to the government
- in certain circumstances, disclosure to the public.
Our cybersecurity policy work relates to four groups of entities:
- SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and other market intermediaries
- Public companies
- Service providers that work with SEC financial sector registrants but are not necessarily registered with the SEC themselves
- The SEC itself.
We look forward to collaborating on this work with CISA, FSOC, the private sector, and the rest of Team Cyber.
Financial Sector SEC Registrants
Let me first turn to our three projects related to financial sector registrants.
Regulation Systems Compliance and Integrity
First, I believe we have an opportunity to freshen up Regulation Systems Compliance and Integrity (Reg SCI).
What is SCI? It’s a rule, adopted in 2014, that covers a subset of large registrants, including stock exchanges, clearinghouses, alternative trading systems, self-regulatory organizations (SROs) and the like — financial infrastructure that is part of the backbone of the capital markets. The Consolidated Audit Trail (CAT), as a facility of each of the participant SROs, also is subject to Reg SCI.
The rule helps ensure these large, important entities have sound technology programs, business continuity plans, testing protocols, data backups, and so on. The core goal of Reg SCI was to reduce the occurrence of systems issues and improve resiliency when they do occur.
A lot has changed, though, in the eight years since the SEC adopted Reg SCI. Thus, I’ve asked staff how we might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers?
To that end, in 2020, the Commission proposed to bring large Treasury trading platforms under the SCI umbrella. At our next Commission meeting, we will consider whether to re-propose this rule.
Similarly, I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities.
Funds, Advisers, and Broker-Dealers
Next, I’d like to discuss the broader group of financial sector registrants, like investment companies, investment advisers, and broker-dealers, beyond those covered by Reg SCI.
As I mentioned earlier, this group has to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations. Building upon that, I’ve asked staff to make recommendations for the Commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by CISA and others.
I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident. I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.
The next arena involving financial sector registrants is around customer and client data privacy and personal information.
Congress addressed this issue in the Gramm-Leach-Bliley Act of 1999. The Commission adopted Regulation S-P in the wake of that law. It requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. It’s the reason that, to this day, a lot of us receive notices informing us about companies’ privacy policies.
More than two decades since Reg S-P was adopted — an eternity in the cybersecurity world — I think there may be opportunities to modernize and expand this rule. In particular, I’ve asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information. This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P.
Next, let me turn to public companies’ disclosure with respect to cyber risk and cyber events.
The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.
Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.
Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.
A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.
In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.
Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.
Next, let me turn to service providers.
Service providers often play critical roles within our financial sector. These service providers go far beyond the cloud. They can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others. Many of these entities may not be registered with the SEC.
I’ve asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers. This could include a variety of measures, such as requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information. This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.
That being said, it’s worth noting that banking agencies regulate and supervise certain banks’ third-party service providers directly through the Bank Service Company Act. It might be worthwhile to consider similar authorities for market regulators.
Finally, to state the obvious, the SEC is not immune to cyberattacks either.
Agency staff continue to work to protect SEC data and information technology, as well as the industry data we need to carry out our mission. This work aligns with President Biden’s Executive Order on Improving the Nation’s Cybersecurity and directives from the Office of Management and Budget.
In addition, we continue to evaluate our data footprint and improve our data collection processes so that we collect only the data we need to fulfill our mission.
In conclusion, we’re living in a time of rapid technological changes subject to ever present cybersecurity challenges. These cyber risks have implications for the financial sector, investors, issuers and the economy at large. The SEC has a role to play, along with the rest of Team Cyber.
Nearly two centuries after that first cyber hack, I think we can think about how to protect ourselves against the cybersecurity pitfalls of the ‘30s — not the 1830s or the 1930s, but the 2030s.
 See Tom Standage, “The crooked timber of humanity” (Oct. 5, 2017), available at https://www.1843magazine.com/technology/rewind/the-crooked-timber-of-humanity.
 See Federal Bureau of Investigation, “Willie Sutton,” available at https://www.fbi.gov/history/famous-cases/willie-sutton.
 See Jacquelyn Schneider, “A World Without Trust: The Insidious Cyberthreat” (Jan./Feb.), available at https://www.foreignaffairs.com/articles/world/2021-12-14/world-without-trust.
 See “Robinhood Announces Data Security Incident (Update)” (Nov. 16, 2021), available at https://blog.robinhood.com/news/2021/11/8/data-security-incident.
 See U.S. Government Accountability Office, “SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response” (April 22, 2021), available at https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic.
 See Financial Stability Oversight Council, “2021 Annual Report,” available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf.
 See Jen Easterly, “Cybersummit 2021 Keynote Address” (Oct. 6, 2021), available at https://www.cisa.gov/cybersummit-2021-session-day-1-welcome-and-opening-remarks (see 3:32).
 See President Joe Biden, “Remarks by President Biden on Collectively Improving the Nation’s Cybersecurity” (Aug. 25, 2021), available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/08/25/remarks-by-president-biden-on-collectively-improving-the-nations-cybersecurity/.
 See, e.g., “Cybersecurity: Ransomware Alert,” available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf.
 See “SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices” (Jan. 27, 2020), available at https://www.sec.gov/news/press-release/2020-20.
 See U.S. SEC, “Spotlight on Regulation SCI,” available at https://www.sec.gov/spotlight/regulation-sci.shtml.
 In fact, several commenters back in 2014 suggested that we might consider adding Reg SCI requirements to other entities, including security-based swap data repositories, security-based swaps execution facilities, and non-ATS broker-dealers. https://www.govinfo.gov/content/pkg/FR-2014-12-05/pdf/2014-27767.pdf, p. 72363-54.
 Broker-dealers that are Financial Industry Regulatory Authority (FINRA) members have business continuity plan obligations under FINRA. See “4370. Business Continuity Plans and Emergency Contact Information,” available at https://www.finra.org/rules-guidance/rulebooks/finra-rules/4370.
 See “SEC Charges Issuer With Cybersecurity Disclosure Controls Failures” (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102, and “SEC Charges Pearson plc for Misleading Investors About Cyber Breach,” available at https://www.sec.gov/news/press-release/2021-154.
 While focused on the most critical systems, eight years ago, the SEC addressed third-party relationships in adopting Reg SCI. SCI entities are “responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party for certain financial sector entities.” See Regulation Systems Compliance and Integrity, https://www.govinfo.gov/content/pkg/FR-2014-12-05/pdf/2014-27767.pdf p. 72276.
 See “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.