Two men share securities regulation news

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Securities Regulation Daily, March 26, 2014

SEC roundtable panelists discuss cybersecurity landscape, challenges, responses

By Rodney F. Tonkovic, J.D.

The SEC hosted a roundtable today on the subject of cybersecurity to discuss the issues and challenges raised by protecting firms and investors from the threat of cyber-attack. In her opening statement, SEC Chair Mary Jo White noted that cybersecurity threats are global, come from many sources, and pose non-discriminating risks across all our critical infrastructures. "The public and private sectors must be riveted in lockstep in addressing these threats," she said, adding that it is incumbent on every government agency to be informed on the full range of cybersecurity risks and to be actively engaged to combat those risks.

Opening remarks. In her remarks, Chairman White also noted that under current SEC guidance, material information regarding cybersecurity risks and incidents is required to be disclosed. Proposed Regulation SCI, which would require entities covered by the rule to test their automated systems for vulnerabilities, adopt business continuity and recovery plans, and to notify the Commission of incidents within a specified time frame is expected to move ahead this year, she said.

Commissioner Luis Aguilar, on whose urging this roundtable was held, cited the recent Target breach as part of mounting evidence that the cyber threat is real and cannot be ignored. According to Aguilar, cyber attacks at financial institutions and on the infrastructure of the capital markets have become more frequent and more sophisticated, as well. Aguilar pointed to a 2012 survey in which 53 percent of the responding securities exchanges reported experiencing a cyber attack in the previous year.

Aguilar emphasized that it is clear that the SEC must play a role in this area, but it is less clear what that role should be.  The Commission, Aguilar said, has much to learn about the specific risks that regulated entities and the public face, and he expressed hope that over the course of this roundtable, he would learn what the Commission can do and what steps it can take to address potential vulnerabilities. Finally, Aguilar called for the establishment of a cybersecurity task force composed of representatives from each division to meet regularly to discuss issues and advise the Commission.

The current landscape. Mary E. Galligan, the director of Cyber Risk Services at Deloitte & Touche LLP, broke the cyber threat landscape down into three components: threat vectors (e.g., nation-states, organized criminals, and "hacktivists"), threat intelligence, and threats to the ability to be resilient. She said that companies need to create a culture where cybersecurity starts with every employee and is not treated as just a tech issue.

Larry Zelvin, director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security, remarked that the DHS looks across the globe at 16 critical infrastructures, and found that finance followed by energy are the largest targets of cyber attacks. The financial sector, he said, is way ahead of the rest of nation in cybersecurity due to the frequency of attacks. Zelvin called for the financial sector to share its experiences and said that you can't have information security and information technology without information sharing.

When asked by Commissioner Aguilar about ways to take advantage of increased reporting by companies, Zelvin said that the financial sector realizes that they are not competitors in the area of cybersecurity, but they are fearful of disclosing, and will do so only as a last resort. In response to a question by Commissioner Piwowar regarding the identities of cyberattackers in financial services industry, Zelvin said that there is a "full spectrum" of attackers, including  nation-states seeking to attack the "heart of America," hacktivists seeking to attack capitalism, and unhappy insiders.

Public company disclosure. The second panel discussed how the cybersecurity risk fits into the overall disclosure framework. Douglas Meal, a partner at Ropes & Gray LLP, observed that, on the front lines, securities laws aren't the main driver of how a company will respond to a breach. He added there is a tremendous disincentive to disclose a breach that otherwise wouldn't become public due to the attention the disclosure will get from class action litigants and consumer protection regulators. If a company can conclude that it has no obligation to disclose, he said, it's easy to conclude it's not a material situation that would generate a securities law obligation.

Both Chairman White and Commissioner Stein asked for clarification on the issue of materiality.

Commissioner Stein asked whether there should be principles-based guidance, or a floor that varies from industry to industry. Peter J. Beshar, the executive vice president and general counsel for Marsh & McLennan Companies, Inc., said that he feels that additional guidance would be helpful as opposed to relying solely on comment letters. Beshar said that while current data suggests that breaches have more of an effect on a company's reputation than on its stock price, he sees more of a quantitative impact in the future.

Market systems. In her opening remarks to the afternoon panel discussing market systems, Katheryn Rosen, deputy assistant secretary, Office of Financial Institutions Policy, Department of the Treasury, said that financial firms are becoming technology firms and the automation of the marketplace is ever-increasing. As a result, "cyber-hygiene" is important, and information protection, incident management protocols, and recovery plans are critical to the sector and the economy.

During a discussion of the market system's approach to cybersecurity, the panelists, who included representatives of BATS Global Markets, Inc., CBOE, CME Group, and DTCC, agreed on the necessity of regular vulnerability and incident response tests. Mark Graff, the chief information security officer for NASDAQ OMX observed that the main purpose of testing is to determine if system is working according to the way it is designed; system architecture, he said, is a fundamental part of cybersecurity.

Broker-dealers, investment advisers, and transfer agents. The final panel dealt with issues faced by broker-dealers, investment advisers, and transfer agents. In his opening remarks, Daniel Sibears, the executive vice president of Regulatory Operations/Shared Services for FINRA, said that cybersecurity is a key issue, particularly in the area of customer information. FINRA, he said, recently conducted a "sweep" of a cross section of broker dealer community to better understand risks faced by firms. Sibears reported that the sweep's preliminary results indicate three areas of concern: the top concern is operational risk, followed by insider risks by employees, and hackers penetrating systems.

Finally, Marcus Prendergast, the director and corporate information security officer for ITG briefly addressed Commissioner Stein's query on the need for additional guidance or rules, stating that principles-based guidance is preferable because any prescriptive rules would be outdated by the time they are written and put in place. Other panelists agreed, recognizing that firms need to be able to adapt in a rapidly-changing environment.

Attorneys: Douglas Meal (Ropes & Gray LLP)

Companies: BATS Global Markets, Inc.; Chicago Board Options Exchange; CME Group; Depository Trust and Clearing Corporation; Deloitte & Touche LLP; FINRA; ITG; Marsh & McLennan Companies, Inc.; NASDAQ OMX

MainStory: TopStory SECNewsSpeeches

Securities Regulation Daily

Introducing Wolters Kluwer Securities Regulation Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.