June 26, 2015 - An SEC commissioner has called on the regulator to massively expand the scope of recently introduced rules designed to strengthen the US market's technology infrastructure and protect it from cyber attacks.
Regulation Systems Compliance and Integrity (Reg SCI) was approved in a unanimous vote last November, requiring exchanges, ATSs, plan processors, and certain clearing agencies to put in place comprehensive policies and procedures for their technological systems.
The rules are designed to guard against a growing cyber threat as well as more prosaic IT glitches, but are undermined by not covering huge parts of the market, including over-the-counter market-makers, stockbrokers, or transfer agents.
Commissioner Luis Aguilar says that it is already time to revisit Reg SCI as a "top priority" and expand its scope to cover these market participants.
In a wide-ranging speech on tackling cyber-crime at the Sinet Innovation Summit, Aguilar called cyber-security "one of the defining issues of our time," referencing hacks on the likes of JPMorgan Chase and Home Depot that have affected tens of millions of people over the last year.
The commissioner says that the SEC is constantly facing new types of threats, citing one scam by a gang called FIN 4 that involves spear-phishing campaigns against listed firms to gain access to email accounts and information that can be used to gain an edge in trading.
FIN 4 made the news this week when Reuters reported that the SEC has begun investigating the issue, asking at least eight listed firms for details on breaches. The regulator is refusing to confirm whether it is looking into FIN 4, but Aguilar told his audience that the group's "exploits serve as a reminder of the ingenuity of cybercriminals, and of the importance of continuously monitoring the cybersecurity landscape".
More generally, the commissioner says that the SEC needs to make sure that public companies provide better and more timely information on cyber attacks, and to improve the guidance it gives on how to deal with such incidents.
"No single organization has the resources or the expertise to combat the advanced and persistent cyberattacks that are being launched today. A vibrant partnership between the public and private sectors is therefore essential to an effective defense," says Aguilar.