Statement

Protecting Investors from Cyberattacks and Enhancing Cybersecurity in U.S. Capital Markets

Washington D.C.

Cyberattacks and associated data breaches impose significant financial and emotional costs on victims. Once victims’ identities are stolen, or their personal identifiable information is inappropriately revealed and/or sold to the highest criminal bidders, the damage can be irreparable and irreversible.

This is why we must do everything in our power to enhance cybersecurity practices by market participants and to protect investors’ sensitive personal information. In that spirit, the Commission is amending existing rules and proposing new ones that will strengthen financial market resiliency and increase investor confidence.

In the face of rapid technological change and increased threats from malign actors both at home and abroad, the cybersecurity reforms being proposed today are necessary and appropriate. They are an important part of our ongoing efforts to modernize and update our rules, as well as fulfill our mission as effectively as possible on behalf of millions who invest in our capital markets and are the primary victims of cyberattacks.

Last year, the Financial Stability Board (FSB), an international body of central banks and financial regulators that promotes global financial stability, noted in a key report that cyber incidents are “rapidly growing in frequency and sophistication,” take place in the context of “growing interconnectedness of the financial system,” and create greater risk of “spillover effects across borders and sectors.”

In 2021, the Federal Bureau of Investigation reported extortion, identity theft and personal data breaches as three of the top five cybercrimes. In addition to financial losses from misappropriated or stolen funds, cybercriminals can threaten to disclose personal information about an individual that would damage their reputation.

Cyberattacks and data breaches can have devastating impacts on companies and their customers and undermine investor and market confidence. In the last decade, cyberattacks of all sizes have resulted in hundreds of millions of records stolen and billions in damages to victims.

Just last week, a data breach at a health insurance marketplace potentially exposed personally identifiable information of hundreds of Members of Congress and Capitol Hill staff.

Through the proposals being considered today, market participants will be required to adopt and implement effective cybersecurity policies and procedures, including:

  • disclosures to the Commission and to the public about significant cybersecurity incidents;
  • notification to customers if their sensitive personal information is compromised; and
  • more robust cybersecurity practices for certain significant market infrastructures and key market participants, including enhanced oversight of cloud service providers.

Market entities that strengthen their cybersecurity practices would be more secure and can mitigate risks to themselves, their customers, and our markets.

Regulation S-P

In the first portion of today’s cybersecurity package, the Commission is proposing updates to Regulation S-P. First adopted in 2000, this “safeguards rule” requires that brokers, dealers, investment companies and registered investment advisers adopt written policies and procedures with administrative, technical, and physical safeguards to protect customer records and sensitive personal information.

Since the safeguards rule’s adoption 22 years ago, advances in technology have revolutionized firms’ management and digital storage of customers’ personal identifiable information. Relative to current marketplace realities, Regulation S-P is woefully outdated, so updates and reforms to strengthen protections for the investing public are warranted and long overdue.

The Commission is proposing to require written policies and procedures relating to an entity’s incident response program, including procedures to notify individuals if their sensitive information is compromised in a data breach.

Consumers in states with stronger protections than those provided for under the proposed Federal minimum standard would not be harmed by this proposal and would continue to benefit from those stronger protections.

The proposal also affirmatively requires notification to individuals whose sensitive information has been compromised. This is an important disclosure that would provide consistent notification to consumers, regardless of state of residency.

The affirmative requirement for notification helps ensure that customers receive timely notice of breaches and are afforded an opportunity to protect themselves.

On balance, this proposal, expertly crafted by the committed public servants in the Commission’s Trading and Markets and Investment Management divisions, strengthens cybersecurity in our capital markets and increases investor protection.

For these reasons, I am pleased to support it.

Cybersecurity Risk Management

Robust cyber risk management policies and procedures are essential to protect investors and our capital markets from cyberattacks, which have increased in recent years. Today’s proposal on cybersecurity risk management establishes a practical and effective framework to achieve these goals.

The proposal would require various market entities registered with the Commission -- including broker-dealers, clearing agencies, security-based swap entities, and exchanges -- to adopt and implement policies and procedures that address cybersecurity risks. This would include recordkeeping requirements to facilitate examination for compliance and the identification of any deficiencies.

The proposal would also require public disclosure and notification to the Commission of significant cybersecurity incidents and risks. These disclosures would allow the public and the Commission to closely monitor emerging trends and cybersecurity risks and provide investors, and other market participants, with relevant information regarding cyberattacks and data breaches.

Market entities, as financial institutions, are often targets of wrongdoers who seek to illicitly profit from or to inflict harm on our markets. The threats market entities face are constantly evolving and increasing in sophistication. Market entities also face internal cybersecurity risks from errors by employees, service providers, or counterparties.

Today’s proposal would require these market entities to take reasonable steps to protect their information systems from cybersecurity risks. In light of the important benefits to investors and to market integrity, I’m pleased to support it.

Regulation SCI

Today’s proposed amendments to Regulation System Compliance and Integrity, or Regulation SCI, ensure that key securities market infrastructure entities have systems that are robust, resilient, and secure. These updates support our mission of maintaining fair, orderly, and efficient markets.

The amendments would extend coverage of Regulation SCI to registered security-based swap data repositories, large broker-dealers, and certain exempt clearing agencies. This extension would ensure that entities that perform functions such as disseminating market data, and central repository functions for security-based swaps, are treated similarly to entities that perform those functions for other asset classes, like equities.

Large broker-dealers are scoped in because of the important role they play in our capital markets. Retail broker-dealers and their customers depend on the availability, integrity, and resiliency of the systems of the largest carrying broker-dealers to execute, clear, and settle transactions. A catastrophic systems failure at a large carrying broker could effectively cut off access to the markets to their customers, with significant and disproportionate harm to retail investors.

The expansion of Regulation SCI’s scope, together with updates that account for heightened cybersecurity risks, wider use of cloud service providers, and the increasing interconnectedness of market systems, will bolster overall resiliency of the U.S. securities markets’ technology infrastructure.

I support this important proposal, and the other cybersecurity-related proposals discussed today, and welcome the public’s input on their potential benefits for retail investors and for our capital markets.

Last Reviewed or Updated: March 15, 2023