How Long Until SEC, CFTC Regulate Cybersecurity?

Cybersecurity seems to be a priority of the securities and commodities regulators this year. Given the frequency of comments in this area, it is probably only a matter of time until we get additional rules regarding the requirements for cyber defense by market participants or disclosures by public companies.

SEC Chair Mary Jo White made comments Friday on the importance of disclosures by public companies to the U.S. Government even if they aren’t making public disclosures. And the CFTC in March held a roundtable on cybersecurity testing in order to ensure market participants, registered entities and other organizations are following best practices. Both White and CFTC Chairman Timothy Massad have recognized the potential impact of illegal hacking on market integrity.

It seems like only a matter of time before Congress, the SEC, or the CFTC takes action. Congress is already considering several bills. One of them, already passed by the House, would provide protection from liability for companies sharing information about cyberthreats with each other and the government.

The CFTC is also considering a rule to require the exchanges and clearing organizations to test their cybersecurity defenses. In a speech in November at the Futures Industry Association Expo, Massad said the commodities regulator is overseeing preparations against cyber attacks and looking to ensure robust disaster recovery capabilities.

In early February, the SEC issued a Risk Alert warning investors and the financial industry about concerns with cybersecurity. The SEC, which last issued voluntary guidelines for disclosures by public companies in 2011, may also be considering further regulations in this area. However, at the moment, it seems content to let companies advance measures on their own without government interference.
