SEC’s Gensler suggests regulatory oversight of vendors to boost markets’ cyber defense

Excerpts from speech by US Securities and Exchange Commission chair Gary Gensler at Northwestern Pritzker School of Law’s Annual Securities Regulation Institute.

The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating. State actors and non-state hackers alike sometimes try to target various entities and businesses. Why? To steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities. All this puts our financial accounts, savings, and private information at risk.

We have a key role as the regulator of the capital markets with regard to SEC registrants — ranging from exchanges and brokers to advisers and public issuers. Cyber relates to each part of our three-part mission, and in particular to our goal of maintaining orderly markets. We have many rules that implicate cyber risk, including but not limited to business continuity, books and records, compliance, disclosure, market access, and antifraud.

Our cybersecurity policy work relates to four groups of entities:

  • SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and other market intermediaries
  • Public companies
  • Service providers that work with SEC financial sector registrants but are not necessarily registered with the SEC themselves
  • The SEC itself.

Service providers often play critical roles within our financial sector. These service providers go far beyond the cloud. They can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others. Many of these entities may not be registered with the SEC.

I’ve asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers. This could include a variety of measures, such as requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information. This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.

That being said, it’s worth noting that banking agencies regulate and supervise certain banks’ third-party service providers directly through the Bank Service Company Act. It might be worthwhile to consider similar authorities for market regulators.

Read the full speech
