SEC targets cloud, key securities firms in latest regulatory broadside

SC Magazine – Derek B. Johnson
The Securities and Exchange Commission is seeking to broaden the range of companies in the securities market that would be subject to stricter regulations for compliance and integrity of their information systems, while proposing a host of new requirements for those businesses around cybersecurity and their use of third-party cloud providers.

The 465-page proposed rule, which was first announced on Mar. 15, includes updates to more than two dozen existing laws and regulations. Among the changes would be an expansion of how the SEC defines a covered systems intrusion, a requirement for annual penetration testing of covered systems, new requirements around notifying the commission and any affected parties about a breach, and the designation of key third-party providers, such as cloud service providers, for participation in annual business continuity and disaster recovery testing.

The new rules could give the SEC greater visibility over cyberattacks on the financial ecosystem. They would also expand regulatory SCI coverage to Security-Based Data Swap Repositories (SBDSRs), as well as a subset of the 3,500 registered broker dealers who exceed certain size thresholds and clearing agencies that were previously exempt from the heightened rules. The agency said the new rules are directed at “key market participants,” who “play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue.” The proposed enhancements would cover any systems or technologies at those firms that support the trading of securities, clearance and settlement, order routing, market data, market regulation or market surveillance, as well as any systems that represent “a single point of failure” in the U.S. securities market. It would include not just systems owned and operated by those entities, but also ones managed by third parties — like cloud providers — on the firm’s behalf.

The commission also highlighted the need for including SBDSRs in particular because of the role these entities play in providing “important infrastructure that assists relevant authorities in performing their market oversight,” such as the collection of market data used by regulators to conduct oversight and enforcement.
Link: https://www.scmagazine.com/analysis/business-continuity/sec-targets-cloud-key-securities-firms-regulatory-broadside

