
Statement on Amendments to Regulation S-P, Cybersecurity Risk Management, and Amendments to Regulation SCI

March 15, 2023

Thank you, Chair Gensler, and thank you to my fellow Commissioners. The three proposals we are considering today address the role of information technology in the securities markets.[1] Technology is no longer just fundamental to the operation of the markets – it is the markets, and managing it is vital for investor protection and fair, orderly, and efficient market operations.

While the three proposals we are considering today are related, each has a unique scope and purpose – the Regulation S-P amendments address data privacy and safeguarding customer information, the Cybersecurity Risk Management proposal is focused on protecting market entities from cyber threats, and the amendments to Regulation SCI relate to the strength and resilience of key market infrastructure. In some instances, these different goals may be accomplished by similar means – for example, by requiring entities to establish policies and procedures to address cybersecurity risks. And it may be that market entities can leverage the same actions to comply with more than one rule. The releases each solicit comment on whether the duplication will create any practical implementation challenges, and I encourage commenters to tell us if they believe that is the case. However, each of these proposals addresses a different, and critical, aspect of technology’s role in the markets.

Regulation S-P

The first of the three proposals introduced today is amendments to Regulation S-P, which addresses the handling and safeguarding of personal customer information.

Brokers, investment advisers, and other financial institutions increasingly store personal customer information. In many contexts, the provision of personal information is required to access our markets. That information may be passed along to service providers or other financial institutions without customers even knowing it. And while digital encryption and other practices have made the protection of that personal information more robust, the sophistication and volume of criminal activities seeking to infiltrate financial institutions have also increased.[2]

And when personal information or assets are stolen, the results can be calamitous. It can lead to identity theft, stolen savings, ruined credit, and other effects that are personally disastrous for those implicated, and that can be systemically significant to the economy.

That is why it is our imperative to impose rigorous requirements on SEC registrants and ensure that customer information is adequately secured. Since 2000, Regulation S-P has provided certain requirements for the safeguarding and proper disposal of personal information.[3] Today’s proposal would add to the protections currently afforded by Regulation S-P in meaningful ways. As we have heard today, it would impose safeguarding requirements on transfer agents, which frequently come into possession of sensitive customer information.[4] The proposal would require registrants to adopt an incident response program to address unauthorized access to, or use of, customer information. And, importantly, it would mandate certain customer notification requirements, to ensure that individuals whose sensitive information is, or is likely to have been, breached know about the breach, and can be put in a position to mitigate the damage.[5]

And, importantly, while many states already have certain customer protections in place regarding notification, among other matters, today’s proposal would create a federal baseline. Having a minimum federal standard would ensure that customers in all states are notified of any breach of their sensitive information that could result in substantial harm or inconvenience.

Many thanks to the staffs in the Divisions of Trading and Markets, Investment Management, the Division of Economic and Risk Analysis, and the Office of the General Counsel. This proposal represents a true collaborative effort across divisions, and the quality of the proposal reflects the effectiveness of that collaboration. I am happy to support the proposal and I look forward to the public comments.

Cybersecurity Risk Management

As I’ve noted in the past,[6] the threat of cyberattacks on the U.S. financial system is one of those issues that keeps me up at night. The U.S. securities markets, in particular, are a critical component of our economic infrastructure, with more than a trillion dollars’ worth of transactions flowing through them each day.[7] That makes them an enticing target for cyber criminals looking for money, sensitive data, or a means to disrupt the global economy.

Cybersecurity risk has grown over time. Cyberattacks have increased in frequency and sophistication, while financial market entities have increased their reliance on information technology, including interconnected networks, cloud computing, and mobile apps.[8]

Because I watched the Academy Awards this past weekend, I thought a bit about cyberattacks in Hollywood movies. The hackers are often the good guys in those films, scrappy individuals sneaking into computer systems to right a wrong perpetrated by a faceless institution.[9] However, the reality could not be more different. Cyberattacks are much more likely to be perpetrated by criminal organizations or actors associated with hostile foreign governments, with individuals as the victims.[10] Cyberattacks pose a real risk of harm to investors, including retail investors, from the theft of money or sensitive personal information, as well as the loss of services. Robust cybersecurity risk management practices are critical, both to safeguard investor funds and data, and to guard against potential market-wide instability.

As you’ve heard from my colleagues, the Cybersecurity Risk Management Rule we are considering today would apply to key market entities, including national securities exchanges, broker-dealers, security-based swap entities, transfer agents and others.[11] These entities are of fundamental importance to the fair, orderly, and efficient operation of the U.S. securities markets.

The proposal would require these entities to design and implement cybersecurity policies and procedures in order to be better prepared for future cyber threats. And such policies and procedures would be subject to recordkeeping requirements so that deficiencies can be identified and addressed. They would also be required, in some cases,[12] to make disclosures about the cybersecurity risks they anticipate, how they would handle those threats, and the nature and scope of any significant cybersecurity incidents that occurred in the past two years.[13]

Further, the proposal would require the immediate reporting of any significant cybersecurity incidents to the Commission, and prompt public disclosure. This would give the Commission data to assess trends, identify emerging risks, and help coordinate responses to cyber incidents that have the potential to cause broader disruptions, as well as providing the public with information they may need to respond to the incident. Taken together, these requirements are intended to enhance cybersecurity risk management for the protection of investors and the markets.

Thank you to the staff for all of your hard work on this proposal, in particular the staff in the Division of Trading and Markets, the Division of Economic and Risk Analysis, and the Office of the General Counsel. I’m pleased to support it, and I look forward to reviewing the comments.

Regulation SCI

The story of the U.S. securities markets over the last several decades has been one of automation, as trading practices have transitioned from primarily manual to almost entirely electronic.[14] In recognition of this fundamental transformation, and the importance of the electronic systems to the fair and orderly functioning of the markets, in 2014 the Commission adopted Regulation Systems Compliance and Integrity (“Reg SCI”).[15] Reg SCI established the first comprehensive framework for SEC oversight of the technology systems that comprise today’s markets, with the goal of strengthening them and improving their resilience.[16]

By many measures, it is working. While it’s always challenging to prove a negative by identifying crashes or disruptions that did not take place, the markets have demonstrated resilience in recent years, including during the unprecedented trading volumes and market volatility of early 2020.[17] Many observers credited this at least in part to Reg SCI.[18] And while some bugs and glitches are inevitable, we have not seen repeats of events like the Flash Crash of 2010, the Facebook IPO Glitch of 2012, or the multi-day exchange closures following Superstorm Sandy. It is reasonable to conclude that Reg SCI has been a mostly-unsung hero of market disruptions that did not occur.

However, the markets have continued to evolve and increase in their complexity and interconnectedness, and the exclusion of certain key market entities from Reg SCI has become increasingly untenable. Ever-increasing volumes of securities transactions now trade at lightning speed in a broad range of asset classes across competing trading platforms, including those offered by broker-dealers.[19] In 2020, the SEC proposed to extend Reg SCI to certain Alternative Trading Systems, or ATSs, trading government securities.[20] In 2021, as part of the adoption of the Market Data Infrastructure rule, the Commission amended Regulation SCI to extend it to certain “competing consolidators.”[21] Today, we are proposing to build upon those prior actions by extending Reg SCI to apply to additional key market participants, as well as updating certain of its provisions.

Specifically, the amendments we are considering today would extend the requirements of Reg SCI to security-based swap data repositories, certain registered broker-dealers, and additional clearing agencies. The amendments would also strengthen certain requirements regarding SCI entities’ policies and procedures, the oversight of third-party service providers, annual reviews, and penetration testing. These improvements to the framework should help ensure that the technology systems relied on by key market entities remain robust, resilient, and secure.[22]

As originally proposed in 2013, Reg SCI would have included ATSs trading corporate debt or municipal securities, if they exceeded certain volume thresholds.[23] These entities were not included at adoption, on the basis that these fixed income ATSs relied less on automation and electronic trading than equity markets.[24] Today’s proposal would solicit comment on the possible extension of Reg SCI to those entities. While manual trading is still more prevalent in fixed income markets as compared to the almost entirely electronic equity markets, the technology for trading corporate debt and municipal securities has evolved at a rapid pace.[25] There is ample data indicating that the distinctions drawn by the Commission in the original adopting release may not hold up today.[26] I look forward to hearing from commenters on this question.

Thank you again to the staff in the Division of Trading and Markets, the Division of Economic and Risk Analysis, and the Office of the General Counsel for your hard work on this release, and thank you to all the staff throughout the building who worked on this package of rules and rule amendments. I am pleased to support these proposals, and I look forward to reviewing the comments.

[1] See Regulation S‑P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Release Nos. 34-97141; IA-6262; IC-34854 (Mar. 15, 2023) (“Regulation S-P Proposal”); Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 33-11167 (Mar. 15, 2023) (“Cybersecurity Proposal”); Regulation Systems Compliance and Integrity, Release No. 34-97143 (Mar. 15, 2023) (“Regulation SCI Proposal”).

[2] See, e.g., Federal Bureau of Investigation, 2021 Internet Crime Report (Mar. 22, 2022), at 7-8 (stating that the FBI’s Internet Crime Complaint Center received 847,376 complaints in 2021 (an increase of approximately 181% from 2017)); see also Commission Order, In the Matter of Morgan Stanley Smith Barney LLC, Release No. 34-78021 (June 8, 2016) (settled order); Commission Order, In the Matter of Cambridge Investment Research, Inc., et al., Release No. 34-92806 (Aug. 30, 2021) (settled order); Commission Order, In the Matter of Cetera Advisor Networks LLC, et al., Release No. 34-92800 (Aug. 30, 2021) (settled order); Commission Order, In the Matter of KMS Financial Services, Inc., Release No. 34-92807 (Aug. 30, 2021) (settled order).

[3] See Privacy of Consumer Financial Information (Regulation S-P), Exch. Act Rel. No. 42974 (June 22, 2000); 17 C.F.R. § 248, et seq.

[4] The proposed rule would apply to transfer agents registered with the Commission or other appropriate regulatory agency as defined in Section 3(a)(34)(B) of the Exchange Act.

[5] Customers who know their data has been breached can take steps to protect their assets or personal information, such as change account passwords, put in place fraud alerts, monitor their credit, notify others with joint access to accounts, notify other financial institutions where they may have accounts (to prevent new accounts from being opened on their behalf), among other steps to protect against the misuse of their information and dissipation of their assets.

[6] See Commissioner Caroline Crenshaw, Statement in Support of a Multi-Pronged Approach to Cybersecurity (Mar. 9, 2022).

[7] See Cybersecurity Proposal at 11.

[8] Id. at 14.

[9] See, e.g., Robert McMillan, Are Hollywood hackers bogus or bright? (Feb. 24, 2010) (noting that hackers are “generally presented as good guys, not bad guys” in Hollywood film).

[10] See, e.g., Brian O’Connell, Ask Experian: Who is Behind Most Data Breaches? (April 24, 2018) (noting that, of the 73% of data breaches triggered by “outsiders,” organized crime groups perpetrated 50% of attacks, while 12% were launched by nation states or affiliated groups).

[11] The proposed rule would apply to Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents. See Cybersecurity Proposal.

[12] Certain smaller broker-dealers would not be subject to the additional policies and procedures, reporting, and disclosure requirements. Id. at Section II.C.

[13] Entities are required to provide a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable. Id. at 169.

[14] See Regulation SCI Proposal at 6.

[15] See Regulation Systems Compliance and Integrity, Release No. 34-73639 (Nov. 19, 2014).

[16] Id.

[17] See Regulation SCI Proposal at 7.

[18] See, e.g., FINRA Unscripted, Market Structure & COVID-19: Handling Increased Volatility and Volumes (April 28, 2020) (“I think the SEC gets a lot of credit. There was a regulation that they put in place a couple of years ago called Reg SCI, Regulation Systems Compliance and Integrity, and it requires entities like the exchanges and FINRA, for our critical systems, to make sure that they have capacity to withstand the volume surges or persistent volume surges, backup facilities, fail tests--all those things that you need to do to have sound technology. I think we're seeing the benefits of that.”); Shane Remolina, Is Remote Trading Leading to a Paradigm Shift on the Trading Desk? Traders Magazine (May 20, 2020) (“[F]inancial firms were more prepared during COVID-19 thanks to Regulation SCI for Systems, Compliance and Integrity.”).

[19] See, e.g., SIFMA, SIFMA Insights: Electronic Trading Market Structure Primer (Oct. 2019) (summarizing electronic trading history and trends in different markets). See also SEC Staff Report on Algorithmic Trading in U.S. Capital Markets at 16-19, 37 (Aug. 5, 2020) (discussing broker-dealer ATSs and internalizers, and other in-house sources of liquidity, such as single-dealer platforms and central risk books operated by broker-dealers).

[21] See Market Data Infrastructure, Release No. 34-90610 (Dec. 9, 2020).

[22] See Regulation SCI Proposal at 9.

[23] See Regulation Systems Compliance and Integrity, Release No. 34-69007 (Mar. 8, 2013) at 36.

[24] See Regulation Systems Compliance and Integrity, Release No. 34-73639 (Nov. 19, 2014) at 70-71.

[25] See Regulation SCI Proposal at 106-107.

[26] See, e.g., SIFMA Insights: US Fixed Income Market Structure Primer (July 2018) (discussing several different types of fixed-income markets, noting that the historically quote-driven voice broker market structure has moved to accommodate limit order book protocols in the intradealer markets and request-for-quote (“RFQ”) protocols in the dealer-to-client markets; and assessing that “Current growth [in the dealer-to-client markets] is enabling the total growth in overall electronification percentages: UST 70%, Agency 50%, Repos 50%, IG Corporates 40% and HY Corporates 25%”); see also Annabel Smith, Pandemic sees electronic fixed income trading skyrocket in 2021, The Trade (Mar. 3, 2021); Municipal Securities Rulemaking Board, Characteristics of Municipal Securities Trading on Alternative Trading Systems and Broker’s Broker Platforms (Aug. 2021) (discussing volume on ATSs and broker’s broker platforms from 2016-2021).
