(Bloomberg) — The U.S. Securities and Exchange Commission will examine the exposure of stock exchanges, brokerages and other Wall Street firms to cyber-attacks that have been called a threat to financial stability.
More than half of exchanges surveyed globally in 2012 said they experienced a cyber-attack, while 67 percent of U.S. exchanges said a hacker tried to penetrate their systems. The SEC's roundtable discussion of those risks today occurs as the agency weighs a new rule proposal asking whether stock exchanges should be required to tell their members about breaches of critical systems.
The agency also will probe how public companies are disclosing cyberthreats in filings provided to investors. Businesses including Target Corp., from which hackers stole payment-card data for millions of shoppers in December, are required to disclose cyberthreats when the information would affect an investor's willingness to own the company's shares.
"There certainly has been a spate of very recent, high-profile data breaches, and I'm sure that grabbed the attention of the SEC," said John Reed Stark, a managing director at data security firm Stroz Friedberg LLC.
Today's event was spurred by SEC Commissioner Luis A. Aguilar, who said in a speech last month that there is a substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.
Mandatory Disclosures
Public companies aren't required by the SEC to disclose all risks from cyber-attacks, though the regulator routinely reviews how such threats and incidents are described in annual reports. Some lawmakers, including Senator Jay Rockefeller, a West Virginia Democrat, have asked the SEC to consider making the disclosures mandatory.
"This is information every investor has a right to know," Rockefeller said in a statement yesterday. "Routinely providing this information should be a regular part of practicing business in the era of big data."
The Financial Stability Oversight Council, a group of regulators led by the Treasury Secretary, said in its 2013 annual report that successful cyber-attacks could pose a threat to the stability of financial markets. Among exchanges, 89 percent said cybercrime should be considered a systemic risk, according to a 2012 International Organization of Securities Commissions report.
Finra Priority
The SEC and the Financial Industry Regulatory Authority, which oversees broker-dealers, identified cybersecurity as a priority for compliance examinations. Finra said in January it would ask about 20 of its member firms how they manage and defend against the threat of cyber-attacks.
Criminal hacking cost financial services companies, on average, about $18.8 million in 2013, according to a study by the Ponemon Institute, a research and consulting firm. The report estimated an average cost for brokerages of $19 million and $21.9 million for investment advisers.
Hackers targeting broker-dealers may seek intellectual property such as trading algorithms or the source code of trading systems, said Richard Bejtlich, chief security strategist at Milpitas, California-based information-security consultant FireEye Inc. Manipulation of critical data systems probably poses the greatest risk to Wall Street companies whose buy-and-sell decisions and order routing are increasingly automated.
Breach Reports
Under a rule proposed last year, exchanges would be required to promptly disclose to their broker-dealer members any breaches of critical systems. Exchanges could withhold the information if they believed release of the data would do further harm or undermine an investigation of the intrusion.
"If you can start changing the data that you have access to, that can potentially undermine the integrity of the system and that is where people get pretty nervous," Bejtlich said in a phone interview.
Panelists scheduled to speak at today's roundtable include representatives of Bank of America Corp., BATS Global Markets Inc., the Chicago Board Options Exchange, Nasdaq OMX Group Inc., and Wells Fargo Advisers LLC. The Treasury Department's Cyrus Amir-Mokri, assistant secretary for financial institutions, and White House cybersecurity adviser Ari Schwartz also will speak, according to an SEC announcement.