WASHINGTON—The Securities and Exchange Commission is exploring ways to improve cybersecurity in capital markets, including by extending compliance obligations to companies that currently don’t have to meet them, Chairman Gary Gensler said Monday.

“The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars,” Mr. Gensler said in a virtual speech to the Northwestern Pritzker School of Law’s annual Securities Regulation Institute conference. “We at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector.”

Mr. Gensler said the agency is considering extending a rule known as Regulation Systems Compliance and Integrity, or Reg SCI, to large financial firms it doesn’t currently cover, such as market makers and broker-dealers. The rule, which currently applies to stock exchanges, clearinghouses and similar entities, requires firms to conduct testing for cybersecurity issues, back up their data and have business-continuity plans in the event of a breach.

At a meeting of SEC commissioners Wednesday, officials plan to propose extending Reg SCI to trading platforms that match buyers and sellers of Treasury securities, Mr. Gensler said.

Regulators have recently stepped up their scrutiny of how firms respond to attacks by hackers. Mr. Gensler reiterated Monday that publicly traded companies might have an obligation to disclose ransomware incidents that result in payments, or data breaches that expose customer information.

The SEC chairman said he also has directed staff to look into updating the timing and substance of the notifications that brokers, fund managers and investment advisers are required to send clients when their data has been accessed in a cyber incident.

In addition, the SEC is examining ways to raise cybersecurity standards for a range of service providers—such as index providers, custodians, investor-reporting systems and others—that aren’t directly covered by current regulations, Mr. Gensler said. Possible measures include requiring SEC-registered firms to identify service providers that could pose risks, or holding firms accountable for their service providers’ cybersecurity measures.

“This could help ensure important investor protections are not lost and key services are not disrupted as financial-sector registrants increasingly rely on outsourced services,” Mr. Gensler said.


Write to Paul Kiernan at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
