
SEC Unveils Rules for Hacking, Data and Market Resilience



(Reuters) — The top U.S. market regulator on Wednesday announced a package of proposed policies designed to help harden the financial system against hacking, data theft and system failures.

At a public meeting, the Securities and Exchange Commission’s five members were to vote on three proposals, part of a continuing effort to modernize regulations to match advancing technological threats.

The three proposed rules govern how broker-dealers handle hacking incidents and protect consumer data, and how exchanges and transaction clearinghouses and others deemed critical to national financial security protect themselves from system failures and cyber breaches.

They add to measures put in place since last year to counter what officials say are increasing dangers to public companies and investors — and are likely to fuel criticism that under Chairman Gary Gensler the SEC has embarked on an overly ambitious rulemaking agenda that is testing the limits of its capacity.

Under the proposals, broker-dealers and money managers would be required to maintain programs to detect and respond to unauthorized data access and to notify affected clients within 30 days.

Broker-dealers, stock exchanges and others would also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “material” incidents. Gensler, in prepared remarks, called the proposal “the first to explicitly address the cybersecurity practices of the majority of these market entities.”

The requirement for immediate notice could raise eyebrows among industry advocates. A similar proposal last year for investment firms required a confidential notification within 48 hours, drawing objections that this could hamper efforts to quickly respond to hacking incidents.

Mr. Gensler noted that in September, a unit of Morgan Stanley had agreed to pay $35 million to settle SEC charges that it failed to protect personal information over a five-year period.

In addition, the SEC proposed expanding the number of exchanges, registered clearing agencies and others covered by the 2014 “System Compliance and Integrity” regulation that requires operators to build systems robust enough to support market activities.

The proposed amendment would also require such operators to monitor the services of cloud computing providers to ensure they match the rule’s requirements governing systems resiliency.

