WASHINGTON—The Securities and Exchange Commission is exploring ways to improve cybersecurity in capital markets, including by extending compliance obligations to companies that currently don’t have to meet them, Chairman Gary Gensler said Monday.
“The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars,” Mr. Gensler said in a virtual speech to the Northwestern Pritzker School of Law’s annual Securities Regulation Institute conference. “We at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector.”
Mr. Gensler said the agency is considering extending a rule known as Regulation Systems Compliance and Integrity, or Reg SCI, to large financial firms it doesn’t currently cover, such as market makers and broker-dealers.
The rule, which currently applies to stock exchanges, clearinghouses and similar entities, requires firms to conduct testing for cybersecurity issues, back up their data and have business-continuity plans in the event of a breach.
At a meeting of SEC commissioners Wednesday, officials plan to propose extending Reg SCI to trading platforms that match buyers and sellers of Treasury securities, Mr. Gensler said.
Regulators have recently stepped up scrutiny of how companies respond to attacks by hackers.
Mr. Gensler reiterated Monday that publicly traded companies might have an obligation to disclose ransomware incidents that result in payments or data breaches that expose client information.
Kenneth Bentsen, president of the Securities Industry and Financial Markets Association, said he welcomed Mr. Gensler’s remarks, adding that cybersecurity is already a top priority for the financial industry.
“To say whether policy makers need to adopt new rules or not, I don’t know, but I think what you have to look at first is everything that’s going on right now across the industry,” Mr. Bentsen said. “You have to constantly be updating. And it’s got to be very much collaborative between the regulated and the regulators.”
The SEC chairman said he also has directed staff to look into updating the timing and substance of the notifications that brokers, fund managers and investment advisers are required to send clients when their data have been accessed in a cyber incident.
In addition, the SEC is examining ways to raise cybersecurity standards for service providers—such as index providers, custodians, investor-reporting systems and others—that aren’t directly covered by current regulations, Mr. Gensler said.
Possible measures include requiring SEC-registered firms to identify service providers that could pose risks or holding firms accountable for their service providers’ cybersecurity measures.
“This could help ensure important investor protections are not lost and key services are not disrupted as financial-sector registrants increasingly rely on outsourced services,” Mr. Gensler said.
Write to Paul Kiernan at paul.kiernan@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
Appeared in the January 25, 2022, print edition as ‘SEC Looks to Boost Cybersecurity Rules.’