In a new proposal directed towards all Market Entities based in the US, the Securities and Exchange Commission (SEC) called for a collective cybersecurity risk assessment.
Collectively known as ‘Market Entities’, these include broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.
These entities perform their functions by accessing certain information systems which, given their importance, are under constant threat of disruption by bad actors.
Addressing the proposal, SEC Chair Gary Gensler said: “I am pleased to support this proposal because, if adopted, it would set standards for Market Entities’ cybersecurity practices. The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades.
“Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”
The SEC also recognises human error as a potential cybersecurity flaw. Employees, service providers and business partners can all make mistakes, which the SEC warns could have significant consequences for all US Market Entities given their interconnectedness.
Part of the proposal requires all Market Entities to implement additional relevant policies against cybersecurity risks and to ensure their effectiveness with annual reviews and assessments.
First published in the Federal Register, the proposing release will be open to public comments for up to two months after the date of publication.