Wall Street Regulator Unveils New Hacking, Data and Market Resiliency Rules

March 15, 2023

The top U.S. markets regulator announced a package of proposed policies on Wednesday designed to harden the financial system against hacking, data theft and systems failure.

At the start of a public meeting, the Securities and Exchange Commission’s (SEC) five members voted to propose updating rules on protecting consumer financial data and were due to vote on two other proposals governing cybsersecurity and the resiliency of market infrastructure, part of a continuing concern with modernizing regulations to match advancing technological threats.

SEC Chairman Gary Gensler also opened the meeting with a nod to unfolding market turmoil, making veiled reference to the failure of Silicon Valley Bank and fears for the viability of Credit Suisse by restating his agency’s pledge to support market resiliency.

The three rule proposals together govern how broker-dealers address hacking incidents and protect consumer data, and how stock exchanges, transaction clearing houses and others deemed critical to national economic security gird themselves against system failure and cyber-intrusion.

They add to measures introduced since last year to counter what officials say are mounting dangers to public companies and investors – and are likely fuel criticism that under Gensler the SEC has embarked on an excessively ambitious rulemaking agenda testing the limits of its capacity.

Under the proposals, broker-dealers and money managers would be required to maintain programs to detect and respond to unauthorized data access and to notify affected customers within 30 days.

Broker-dealers, securities exchanges and others would also be required to maintain cybersecurity risk policies and notify the SEC “immediately” of “significant” incidents. Gensler, in prepared remarks, called the proposal “the first explicitly to address cybersecurity practices for the majority of these market entities.”

The requirement for immediate notice was likely to raise eyebrows among industry advocates. A similar proposal last year for investment firms called for confidential notice within 48 hours, drawing objections that this could hinder efforts to respond to hacking incidents quickly.

Gensler noted that in September a unit of Morgan Stanley had agreed to pay $35 million to resolve SEC charges it failed to protect personal information over a period of five years.

In addition, the SEC proposed expanding the number of stock exchanges, registered clearing agencies and others covered by 2014’s “Systems Compliance and Integrity” regulation requiring operators to build systems robust enough to support market activities.