Against the backdrop of a steady stream of cyber-attacks and data breaches, Securities and Exchange Commissioner Luis A. Aguilar recently spoke about his hope to expand upcoming SEC cyber security guidance, known as Regulation Systems Compliance and Integrity (“Reg SCI”), beyond the stock markets and other major market entities. In a speech he gave last month in New York, he offered the opinion that the Reg SCI cyber security rules should be extended to cover smaller market entities such as broker-dealers and investment advisers.
What is Reg SCI?
In plain text, it runs about 775 pages. At its heart, as described by Comm. Aguilar:
Reg SCI will require certain key market participants, such as stock exchanges, to implement a robust set of cybersecurity protocols to ensure that their systems are secure from cyberattacks, and are also sufficiently resilient to recover should an attack succeed. In addition, Reg SCI will require that these entities monitor their systems for possible cyberattacks, respond promptly to any significant intrusions, and report such intrusions to the SEC within 24 hours, among other things.
When it takes effect this November, it will, among other things, use a risk-based approach that requires covered entities to focus on the security of their most critical information systems, requiring that the organizations operating those critical systems to develop and adopt procedures that are tailored to their unique cyber risks. Additionally, and significantly, Reg SCI will require the organization’s senior management and directors to actively engage in cybersecurity issues and prevention.
Notably, Commissioner Aguilar voiced concerns that Reg SCI is too limited in its current reach because it did not extend to brokers and investment advisors. He referenced a recent study done by the SEC’s Office of Compliance Inspections and Examinations, which examined 57 broker-dealers and 49 investment advisers. The study found that most of those firms had been the target of a cyber-attack, either directly or through a vendor. While most of the firms conducted periodic risk assessments of their own cyber security systems, few firms conducted similar assessments of their vendors’ systems, leaving those firms exposed to attack through such vendors (which is how the massive Target data breach occurred). The study also found that while the majority of the firms had adopted written policies regarding security and cyber-attacks, these policies were unclear on how to handle client losses that resulted from such an attack. And finally, the study found only two-thirds of the broker-dealers and one-third of the investment advisers had appointed a chief information security officer, and less than a quarter of investment advisers and less than half of broker-dealers held cyber security insurance.
Given the amount of customer financial information held by these broker-dealers and investment advisers, Mr. Aguilar indicated a desire to see them covered by the enhanced cyber security guidance. It is not yet clear whether a majority of the SEC Commissioners share his view, but given the trend towards additional guidance and actual regulation in the cyber security field, it would not be surprising to see these smaller entities ultimately covered by the Reg SCI guidance.
So where does this leave broker-dealers and investment advisers?
For now, Reg SCI does not apply to these entities, although they should be aware that some members of the SEC believe expanding Reg SCI to cover them is a top priority. In any event, broker-dealers and investment advisers should recognize that they are prime targets for cyber-attacks, and that these attacks can be either direct, or indirect through vendors. These entities should consider increasing their cyber security protection, focusing on the protection of key data. They should also consider appointing a C-suite level officer to oversee and implement robust and evolving cyber security and data breach response plans, and assure that senior management and directors are regularly informed and engaged on cyber security matters.