SEC Commissioner Aguilar Proposes Public-Private Partnership to Combat Cybersecurity Threats

SEC Commissioner Luis A. Aguilar discussed ways in which the SEC approaches cybersecurity and areas where there is room for improvement. He delivered his remarks at the SINET Innovation Summit.

Commissioner Aguilar stressed that cyber attacks are becoming more pervasive, dynamic, and clandestine year after year. He urged the SEC to "sharpen its own focus on the cybersecurity threat, by forming an internal working group" that aims to combine the SEC's resources to address cybersecurity issues. He also suggested that the private and public sectors form a "vibrant partnership" to build an effective defense against cyber attacks.

Commissioner Aguilar outlined certain trends that he found troubling, which include:

  • cyber attackers are exploiting vulnerabilities more quickly, while defenses have been increasingly sluggish;
  • cyber criminals are now collaborating to a far greater degree, resulting in increases in the quality, quantity, and complexity of attacks;
  • cyber attackers are now leapfrogging defenses in unanticipated ways; and
  • the advent of the "dark-web" has allowed amateur cyber criminals to anonymously purchase do-it-yourself malware kits.

Commissioner Aguilar explained that the SEC addresses cybersecurity through its Regulation Systems Compliance and Integrity Rule ("Reg SCI"). Reg SCI, which becomes effective in November 2015, will require certain key market participants, such as stock exchanges, to implement a "robust" set of cybersecurity protocols to ensure that their systems are secure from and resilient to cyber attacks. Commissioner Aguilar noted that Reg SCI has several noteworthy aspects, including: (i) it employs a risk-based approach, ensuring that organizations focus limited resources; and (ii) it is not overly prescriptive – therefore, firms must develop policies and procedures that are tailored to their specific risks. Commissioner Aguilar suggested the scope of Reg SCI should be expanded to reach additional market participants.

Commissioner Aguilar also discussed the role of the SEC's inspections and examinations in cybersecurity oversight. Based on recent SEC examinations, Commissioner Aguilar outlined areas that needed improvement for firms, including assessing vendors' systems, designating a chief information security officer, and carrying cyber insurance. He hinted that the SEC's enforcement authority might need to be broadened to address emerging cybersecurity threats.

Looking ahead, Commissioner Aguilar noted that challenges remain, and emphasized that private and public market participants must be proactive and cooperative in addressing cyber-related issues. He expressed dismay regarding the lack of prompt sharing of cyber threat information among market participants, emphasizing that "cybersecurity is far too critical an issue to be relegated to a game of telephone." He also advocated for Congress to craft legislation that would allow firms to share information with each other and the government without fear or liability.

See: Commissioner Aguilar's Remarks.

See also: GAO Report Finds Need for Strong Cybersecurity Controls across Federal Agencies (with Lofchie Comment) (June 24, 2015); House Subcommittee Holds Hearing to Examine Cyber Threats to U.S. Financial Sector (with Delta Strategy Group Summary) (June 16, 2015); Financial Industry Executives Respond to New York Times Editorial Involving Cybersecurity Legislation (May 26, 2015).
