On June 25, 2015, Luis Aguilar, a Commissioner at the U.S. Securities and Exchange Commission (“SEC”), provided remarks at the SINET Innovation Summit. In his remarks, Commissioner Aguilar emphasized the need for the public and private sectors to work together to combat the growing economic threat that cyber-attacks pose. Commissioner Aguilar highlighted the SEC’s recent responses to such cyber-threats, emphasizing the ways in which the SEC has used its rulemaking, inspection and examination, and enforcement powers to require financial firms to focus on cybersecurity. Further, Commissioner Aguilar called for development of an infrastructure for automated information sharing between market participants and regulators, and for new legislation that reduces the legal risks associated with such information sharing.
In his remarks, Commissioner Aguilar emphasized that only persistent, robust attention to cybersecurity will even begin to keep pace with the evolving threats posed by cyber-criminals. He commented that “no single organization has the resources or the expertise to combat the advanced and persistent cyber-attacks being launched today” and that more extensive information sharing between the private and public sectors “is essential to an effective defense” to these threats. He called on Congress to pass legislation that would allow financial firms and government actors to share information about cyber-attacks and threats, while also protecting the privacy and civil liberties of those firms’ customers.
Commissioner Aguilar characterized the SEC’s response to the growing cybersecurity threats as multi-faceted, highlighting recent examples of the SEC’s activity in the area of cybersecurity. Concerning rulemaking, Commissioner Aguilar noted the 2014 passage of Regulation Systems Compliance and Integrity (“Reg SCI”). Set to go into effect later this year, Reg SCI will require certain key market participants, such as stock exchanges, to implement robust cybersecurity protocols to ensure their systems are secure from cyber-attacks. Reg SCI will also require that notification be provided to the SEC within 24 hours of such an attack. Commissioner Aguilar also cited the recent cybersecurity examinations of over 100 regulated broker-dealers and investment advisers by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). These examinations, conducted over the last year, have assessed the cybersecurity methods of those firms and identified areas for needed improvement.
Commissioner Aguilar also highlighted the SEC’s recent cybersecurity enforcement actions, noting current investigations into recent breaches, as well as past actions brought against stock brokers and investment advisers who failed to protect their customers’ confidential information. Finally, Commissioner Aguilar described the SEC’s efforts to educate market participants about cybersecurity issues. He noted the recent example of the guidance published two months ago by the SEC’s Division of Investment Management, which highlighted the responsibilities of investment advisers and investment companies to protect sensitive client information, and recommended numerous cyber-strategies and assessments such entities should consider.
Commissioner Aguilar’s expansive remarks relating to cybersecurity come as no surprise, as he has been at the forefront of the SEC’s regulation of cybersecurity matters. Last year, at his urging, the SEC convened a roundtable to discuss the risks that cyber-attacks pose to broker-dealers and investment advisers, public companies and the integrity of financial markets. In addition, he publicly called upon the boards of directors of public companies to play a far greater role in their companies’ cybersecurity efforts. He has also urged the SEC to form an internal working group focusing on cybersecurity issues.