Cybersecurity: Protecting Investors
Remarks before the Digital Directors Network 2023 Conference
May 16, 2023
Good morning. Thank you, Bob [Zukis]. It is a pleasure to be here today, and I thank the Digital Directors Network for hosting this discussion about cybersecurity. This topic is so essential for the safety and resiliency of our capital markets. 
My special thanks to former Commissioner Luis Aguilar for initially inviting me to speak to you today. Commissioner Aguilar had a distinguished career in public service. As the eighth longest-serving Commissioner in SEC history, he was one of only three Commissioners to have been nominated by two U.S. Presidents from different parties. A remarkable accomplishment.
It is exciting to speak to an audience of cybersecurity professionals and directors like yourselves, who share a deep commitment to robust policies and practices in cyber governance. Since 2017, the Digital Directors Network has served as a resource to the wide variety of members it represents – that is, those responsible for designing, implementing, and testing cyber governance policies and procedures. Over the next two days, you will hear a range of views on how best to address the complex and rapidly evolving cyber challenges that all market participants are confronting in our capital markets today.
At the SEC, we are at the forefront of addressing these challenges. In the face of rapid technological change and increased cyber threats at home and abroad, the Commission is taking action to require that market participants strengthen their cybersecurity practices.
Consistent with our congressional mandates, one of our key aims is to protect the investing public against potentially significant financial and reputational costs from cyberattacks and data breaches. Because once victims’ identities are stolen or their personal information is compromised, the damage can be irreparable and irreversible.
The Commission’s actions go hand-in-hand with our ongoing efforts to modernize and update some of our outdated rules. As part of our mission to protect investors, facilitate capital formation, and promote fair and efficient markets, we have a responsibility to update our regulatory framework to keep pace with emerging risks, whether driven by technological change or any other factor.
The Commission has proposed several rules that are designed to protect investors in our capital markets from cyber risks. These rules will require covered market entities to implement practices that will make their operations more secure and will mitigate risks to themselves, their customers, and our markets.
Why does robust cybersecurity matter? Cyberattacks and data breaches can have devastating impacts on companies and their customers and undermine investor and market confidence. In the last decade, cyberattacks of all sizes have resulted in hundreds of millions of records stolen and billions in damages to victims.
The interagency U.S. Financial Stability Oversight Counsel, or FSOC, noted in its 2021 annual report, that a major cyber incident could threaten the stability of U.S. markets in at least three ways: by (1) disrupting a single point of failure in our financial markets, such as a key financial service provider or utility; (2) compromising the integrity of a critical dataset; or (3) causing a significant loss of confidence in our capital markets, resulting in market participants withdrawing from the markets.
Our capital markets are nearly $100 trillion in size – representing 40 percent of the world’s total – and process over a trillion dollars of transactions per day. By facilitating capital raising by businesses large and small, they play an instrumental role in our economy. And they serve working families who invest their savings as an optimistic way of channeling their hopes and dreams for the future – to build long-term wealth. In light of this, it is critical that we do everything in our power to strengthen cyber practices, so that our financial markets can be more resilient and so that investors can be protected – in the most effective way possible.
The use of, and reliance on, technology in our capital markets has increased exponentially in recent years. A variety of factors have contributed to this trend. Digital innovations have led to greater interconnectedness, increased computing power and lower overall costs. Expanded opportunities for the public to access financial services through smartphones is another factor. The COVID-19 pandemic also contributed to this digital transformation by accelerating the shift to online services to replace in-person interactions.
While these developments and innovations have the potential to increase competition, efficiency, and participation in the capital markets, they may also increase cyber risks. Last year, the Financial Stability Board (FSB), noted in a key report that cyber incidents are “rapidly growing in frequency and sophistication,” take place in the context of “growing interconnectedness of the financial system,” and create greater risk of “spillover effects across borders and sectors.”
In 2021, the Federal Bureau of Investigation reported extortion, identity theft, and personal data breaches as three of the top five cybercrimes. In addition to financial losses from misappropriated or stolen funds, cybercriminals can threaten to disclose personal information about an individual that could damage their reputation.
Against this backdrop of increased cyber risks, the Commission has issued five rule proposals. These proposals would require issuers, funds, intermediaries, self-regulatory organizations (SROs), and other registrants to adopt and implement effective cybersecurity policies and procedures, including:
- disclosures to the Commission and to the public about significant cybersecurity incidents and risks;
- notification to customers if their personal information is compromised; and
- more robust cybersecurity practices for certain significant market infrastructures and key market participants, including enhanced oversight of cloud service providers.
These would include recordkeeping requirements to facilitate examination for compliance and identification of any deficiencies – whether by the Commission or an SRO.
The common goals in these proposals are strengthening cybersecurity in our capital markets, increasing market resiliency, and protecting investors.
As part of this package of proposals, the Commission is updating Regulation S-P, originally adopted in 2000 – 23 years ago! – and referred to as the “safeguards rule.” The Commission’s proposed update would require financial firms covered by the rule to notify individuals if their sensitive information is compromised in a data breach. The notification requirement in the updated rule is designed to ensure that customers receive timely notice of breaches and are afforded an opportunity to protect themselves.
This is an important disclosure obligation that would provide consistent notification to consumers, regardless of state of residency. The updated rule is crafted in a way that ensures that consumers in states with stronger protections than those provided for under the proposed Federal minimum standard would not be harmed by the proposal. These consumers would continue to benefit from the stronger protections provided by their state law.
The Commission has also proposed amending Regulation System Compliance and Integrity, or Regulation SCI. As proposed, this updated rule would cover additional entities, such as registered security-based swap data repositories, large broker-dealers, and certain exempt clearing agencies. The goal is to ensure that these entities, which perform functions such as disseminating market data and central repository functions for security-based swaps, are treated similarly to entities that perform those functions for other asset classes, like equities.
Large broker-dealers are scoped in because of the important role they play in our capital markets. Retail broker-dealers and their customers depend on the availability, integrity, and resiliency of the systems of the largest carrying broker-dealers to execute, clear, and settle transactions. A catastrophic systems failure at a large carrying broker could effectively cut off access to the markets to their customers, with significant and disproportionate harm to retail investors.
The expansion of Regulation SCI’s scope, together with updates that account for heightened cybersecurity risks, wider use of cloud service providers, and the increasing interconnectedness of market systems, will bolster overall resiliency of the U.S. securities markets’ technology infrastructure.
The Commission has also proposed rules to address the often inconsistent and unreliable disclosures on cybersecurity incidents by public companies. In addition to public disclosure of material cybersecurity incidents on Form 8-K, updated disclosures on Forms 10-Q and 10-K, and disclosure regarding policies and procedures, the proposal would require disclosure of management’s role in governing those risks.
Importantly, the proposed rule would also require disclosure if any member of the public company’s board of directors has expertise in cybersecurity, including the name of any such directors and any detail necessary to fully describe the nature of the expertise.
As all of you here can appreciate first-hand, board-level management and oversight are critical parts of a company’s overall cyber risk management. Improved disclosures will provide investors with critical information that will enable them to better assess whether and how companies are managing their cybersecurity risks. This will strengthen market integrity and investor confidence.
As you note in your comment letter, last year marked the 20th anniversary of the enactment of the Sarbanes-Oxley Act, a law that has strengthened corporate governance and accountability in public auditing. I served on the House Financial Services Committee staff in 2002 and witnessed up close the crafting of this law as well as the events that led up to it.
In the shadow of the dot.com crash and the dramatic corporate and accounting scandals that crash exposed, Congress designed Sarbanes-Oxley to bolster investor confidence in financial reporting and in corporate disclosures. The dot.com crash revealed significant regulatory gaps that culminated in fraud and financial misconduct by now-defunct companies like Enron, WorldCom, Arthur Andersen, and others.
One key Sarbanes-Oxley provision required the SEC to adopt rules for disclosure of director financial expertise. This requirement addressed Congress’ goal of improving the performance of gatekeepers, who play an important role in ensuring transparent and accurate financial reporting. Disclosure of financial expertise helps investors evaluate the experience in the audit committees of the companies they invest in. Providing investors with decision useful information is one of the most important parts of the SEC’s mission.
The Sarbanes-Oxley Act has succeeded in increasing the presence of financial experts on public company boards. In a similar manner, the Commission’s proposed disclosure requirement has the potential to bolster cybersecurity expertise on public boards.
Overall, the proposed rule for public companies would require more consistent, easy to use, and comparable cybersecurity disclosures that would be far more useful to investors. As is often the case, we at the Commission often aim for the highest possible level of comparability in disclosures, because it’s one of the most effective ways to protect investors. Providing investors with decision-useful information about cyber risks that could be used to compare registrants when making an investment decision meets that goal.
It warrants mentioning briefly that artificial intelligence as an emerging technology raises important questions about its possible risks to our financial markets. As Chair Gensler noted in his testimony to Congress last month, AI is already being used by financial firms in call centers, account openings, compliance programs, trading algorithms, sentiment analysis, and other ways. When used to benefit investors, I agree with Chair Gensler that this technology has the potential to increase access, efficiency, and returns.
However, AI could also be used by market insiders in ways that place their own interests ahead of those of their clients’. It is also possible that AI could be abused by criminals in schemes to manipulate stock prices or to defraud investors.
Although the full implications of AI for our financial markets, and for the retail space in particular, are unclear, it is essential for the Commission and for market participants to stay ahead of these developments and, where appropriate, to take the necessary actions, including through updating our rules, so that investors can be fully protected from any risks.
SEC registrants, including large intermediaries, financial market infrastructures, and public companies, are often targets of wrongdoers who seek to illicitly profit from or to inflict harm on our markets. The cybersecurity threats market participants face are constantly evolving and increasing in sophistication. Market entities also face internal cybersecurity risks from errors by employees, service providers, or counterparties.
That said, I’m optimistic that the Commission’s updated cybersecurity rules will result in market participants taking the necessary and reasonable steps to protect their information systems from cybersecurity risks. In light of the important benefits to investors and to market confidence and integrity, pursuing a robust cybersecurity regime that covers all SEC registrants would best fulfill our mission to promote fair, efficient, and orderly markets and protect investors.
Thank you for the invitation to speak today, and I look forward to continuing our work to strengthen cybersecurity in our capital markets.
 ] I must note at the outset that the views expressed here today are my own and do not necessarily reflect the views of the Commission or its staff, or those of my fellow Commissioners.