The U.S. Securities and Exchange Commission is examining the exposure of stock exchanges, brokerages and other Wall Street firms to cyber-attacks that have been called a threat to financial stability.
The SEC held a roundtable discussion of those risks in Washington today as it weighs a proposal to require stock exchanges to protect their critical technology and tell members about breaches of important systems. More than half of exchanges surveyed globally in 2012 said they experienced a cyber-attack, while 67 percent of U.S. exchanges said a hacker tried to penetrate their systems.
The agency is also probing how companies are disclosing cyberthreats to investors in public filings. Businesses including Target Corp., from which hackers stole payment-card data for millions of shoppers in December, are required to disclose such threats when the information would affect an investor’s willingness to own the company’s shares.
“Cyberthreats are of extraordinary and long-term seriousness,” SEC Chair Mary Jo White said today. “The public and private sectors must be riveted in lockstep in addressing these threats.”
Today’s event was spurred by SEC Commissioner Luis A. Aguilar, who today called for the agency to establish a cybersecurity task force.
“Given the extent to which the capital markets have become increasingly dependent upon sophisticated and interconnected technological systems, there is a substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm,” Aguilar said in opening remarks.
Companies aren’t required by the SEC to disclose all cyber-attacks they suffer, though the regulator routinely reviews how incidents are described in annual reports. Some lawmakers, including Senator Jay Rockefeller, a West Virginia Democrat, have asked the agency to consider making the disclosures mandatory.
“This is information every investor has a right to know,” Rockefeller said in a statement yesterday. “Routinely providing this information should be a regular part of practicing business in the era of ‘big data.’”
Many public companies that have disclosed data breaches don’t experience a big decline in their share price, said Peter J. Beshar, general counsel of Marsh & McLennan Companies, Inc. The impact may be more “reputational,” which is less interesting to investors, Beshar said.
“I suspect that dynamic is going to change over the next year or two, where as the nature of the threat intensifies, the impact on the operations will be more significant,” he said.
While the SEC’s guidance instructs companies to disclose material breaches or risks, companies have a “tremendous disincentive” to reveal intrusions because of the litigation they may face as a result, said Douglas H. Meal, a partner at Ropes & Gray LLP.
“You know that if the breach were to become public you’re now going to be a target of a lot of class-action plaintiffs” and face other repercussions, said Meal, who has represented companies sued over data-security breaches.
Companies’ public reports so far about cyber-attacks have mostly provided investors with “boilerplate” language, said Jonas Kron, director of shareholder advocacy at investment adviser Trillium Asset Management LLC, which has pushed Apple Inc. and EBay Inc. to disclose more about risks related to privacy and data security.
“That is really unfortunate,” Kron said today. “What the disclosure system is supposed to do is create differentiation.”
The Financial Stability Oversight Council, a group of regulators led by the Treasury secretary, said in its 2013 annual report that successful cyber-attacks could pose a threat to the stability of financial markets. Among exchanges, 89 percent said cybercrime should be considered a systemic risk, according to a 2012 International Organization of Securities Commissions report.
The SEC and the Financial Industry Regulatory Authority, which oversees broker-dealers, identified cybersecurity as a priority for compliance examinations. Finra said in January it would ask about 20 of its member firms how they manage and defend against the threat of cyber-attacks.
Criminal hacking cost financial services companies, on average, about $18.8 million in 2013, according to a study by the Ponemon Institute, a research and consulting firm. The report estimated an average cost for brokerages of $19 million and $21.9 million for investment advisers.
Hackers targeting broker-dealers may seek intellectual property such as trading algorithms or the source code of trading systems, said Richard Bejtlich, chief security strategist at FireEye Inc., a Milpitas, California-based information-security consultant. Manipulation of critical data systems probably poses the greatest risk to Wall Street companies whose buy-and-sell decisions and order routing are increasingly automated.
Under a rule proposed last year, exchanges would be required to promptly disclose to their broker-dealer members any breaches of critical systems. Exchanges could withhold the information if they believed release of the data would do further harm or undermine an investigation of the intrusion. The SEC expects to advance the rule this year, White said today.
“If you can start changing the data that you have access to, that can potentially undermine the integrity of the system and that is where people get pretty nervous,” Bejtlich said in a phone interview.
Exchange operators in December said they formed a committee to enable collaboration on improving their defenses against hackers. The World Federation of Exchanges said founding members include CME Group Inc., IntercontinentalExchange Group Inc., BM&FBovespa SA and Nasdaq OMX.