Good morning. This is an open meeting of the U.S. Securities and Exchange Commission on March 15th, 2023. I want to welcome members of the public who are listening in.
Before we get to today’s agenda, I want to address the events of the last week in the context of (1) enforcement and (2) market stability.
As to enforcement, as I said over the weekend: Our staff is particularly focused on identifying and prosecuting any form of misconduct that might threaten investors, capital formation, or the markets more broadly. Without speaking to any individual entity or person, we will investigate and bring enforcement actions if we find violations of the federal securities laws.
As to market stability, history is replete with times when tremors starting at one financial institution or corner of the financial system spill out to the broader economy.
When this happens, the American public – bystanders to the highways of finance – inevitably gets hurt.
Lest we forget, eight million Americans lost their jobs, millions of families lost their homes, and small businesses across the country folded as a result of the financial crisis of 2008.
To that end, I think the SEC has a responsibility to help protect for financial stability. That’s why I am so proud of our dedicated staff and this Commission’s focus on resiliency projects.
In today’s meeting, we’ll consider a number of such projects: related to cyber resiliency and updating our rules for systems compliance and integrity of some of the financial system’s key entities.
We earlier made proposals for enhanced resiliency relating to the U.S. Treasury markets, money market funds, open-end funds, private funds, and clearinghouses.
The events of the last week are a reminder of the importance of these resiliency projects for everyday Americans.
Unfortunately, history tells us that events like those of this past week will occur from time to time. Thus, we should do our best to make them less frequent, strengthen the guardrails of finance for when they do occur, and protect the American public.
********
Today, the Commission is considering a proposal on cybersecurity practices for broker-dealers, clearinghouses, and other market entities. I am pleased to support this proposal because, if adopted, it would set standards for these market entities’ cybersecurity practices.
The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Market entities across our capital markets increasingly rely on complex and ever-evolving information systems. Those who seek to harm these systems have become more sophisticated as well: in their tactics, techniques, and procedures.
Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal, if adopted, would help promote every part of our mission, particularly regarding investor protection and orderly markets.
While building on various requirements relating to books and records, today’s proposal is the first explicitly to address cybersecurity practices for the majority of these market entities. This proposal would address financial sector market entities’ cybersecurity in three key ways.
First, this proposal would require market entities to adopt written policies and procedures that are reasonably designed to address the market entity’s cybersecurity risks. Further, market entities other than smaller broker-dealers would be required to include in these policies and procedures that relate to (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents.
Second, the proposal would require that market entities notify the Commission of significant cyber incidents. In addition, market entities, other than small broker-dealers, would be required to file subsequent reports with the Commission providing more information about the significant cybersecurity incident. This would increase the Commission’s insight into risks affecting these market entities. It also would provide insight into risks that might cut across multiple entities or the financial sector.
Third, the proposal would require market entities, other than smaller broker-dealers, to disclose to the public a summary description of cybersecurity risks that could materially affect the entity, as well as significant cybersecurity incidents in the current or previous calendar year. I believe such disclosure would help investors make informed decisions when deciding to which firms they might entrust their finances, data, and personal information.
Critically, the proposal concerns a broad array of a firm’s information systems, which are any of the systems owned or used by the entity. As described in the release, these systems relate to the information resources owned or used by the covered entity.
The Commission also separately voted to reopen for public comment proposed amendments regarding similar cybersecurity enhancements for investment companies and investment managers.[1]
Taken together, these amendments, if adopted, would benefit investors, issuers, and markets in the face of growing cybersecurity risks.
I’d like to thank the members of the SEC staff who worked on this proposal, including:
- Randall Roy, Nina Kostyukovsky, Haoxiang Zhu, David Saltiel, Andrea Orr, Michael Macchiaroli, Thomas McGowan, Ray Lombardo, Matthew Lee, Stephanie Park, Kevin Schopp, Moshe Rothman, Carol McGee, John Guidroz, Russell Mancuso, Michael E. Coe, Leah Mesfin, Tyler Raimo, Cate Whiting, Elizabeth De boyrie, Heidi Pilpel, David Liu, Erika Berg, Katriana Roh, David Hsu, Rob Hegarty, Roman Ivanchenko, Joshua Nimmo, Devin Ryan, James Wintering, Susan Pokembla, Ed Schellhorn, Roni Bergoffen, Laura Compton, Jennifer Colihan, and William Miller in the Division of Trading and Markets;
- Greg Price, Jessica Wachter, Oliver Richard, Juan Echeverri, Wei Liu, Daniel Bresler, Michael Willis, Julie Marlowe, Greg Scopino, Parhaum Hamidi, Lauren Moore, Robert Girouard, Carolina Schulte, Michael Davis, and Jill Henderson in the Division of Economic and Risk Analysis;
- Ronesha Butler, Maureen Johansen, David Mendel, Megan Barbero, Meridith Mitchell, Malou Huth, and Robert Teply in the Office of the General Counsel;
- David Hirsch and Diana Tani in the Division of Enforcement;
- Keith Cassidy, Dan Dewaal, Alexis Hall, Joseph Murphy, and Carrie O’Brien in the Division of Examinations;
- Sarah ten Siethoff, Melissa Roverts Harke, David Joire, Chris Staley, and Rachel Kuo in the Division of Investment Management;
- Jane Patterson and Todd Canali in the EDGAR Business Office;
- Jon Balcom, Steve Benham, and Kevin Baumann in the Office of International Affairs;
- James Scobey in the Office of Information Technology;
- Dave Sanchez, Adam Wendell, and Adam Allogramento in the Office of Municipal Securities; and
- Valerie Szczepanik in the Office of the Strategic Hub for Innovation and Financial Technology.
ENDNOTE
[1] See Gary Gensler, “Statement on Cybersecurity Reforms in the Investment Management Industry” (Feb. 9, 2022), available at https://www.sec.gov/news/statement/gensler-statement-cybersecurity-reforms-020922.
These statements were issued on March 15, 2023, by Gary Gensler, chair of the U.S. Securities and Exchange Commission.