In an effort to push the securities industry to step up its cyber defences, the U.S. Securities and Exchange Commission (SEC) is proposing tougher new cybersecurity requirements for industry firms.
The SEC issued proposals today that would establish standards and require a wide range of industry firms — including broker-dealers, exchanges, clearing agencies, and security-based swap dealers, data repositories, and major swap traders, among others — to ensure that they are adequately addressing their cybersecurity risks.
The regulator said the proposal reflects the interconnectedness of industry firms, which raises the risk that a significant cybersecurity breach can mushroom into a systemic incident.
Among other things, the proposal would require all firms to implement policies and procedures to address their cybersecurity risks and, at least annually, review and assess the efficacy of those measures.
Additionally, new disclosure and reporting requirements would improve transparency about the cyber risks that threaten U.S. securities markets, while also improving the SEC’s ability to monitor these risks.
“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age,” SEC chair Gary Gensler said in a release.
SEC commissioner Hester Peirce objected to the proposal, saying that the regulator’s priority should be helping victims of cyberattacks, not punishing them.
“This rule is easier to understand as a tool to enhance our year-end enforcement statistics than a serious proposal to make the securities markets more secure,” she said in a statement.
The proposal will go out for a 60-day comment period after it’s published in the Federal Register.