How can the SEC police cybersecurity in the financial markets when it’s struggling to keep its own house safe from data thieves?
That was the question looming uncomfortably over the agency this month as it released a report on the cybersecurity preparedness of the nation’s financial advisors. After examining the practices of 75 broker-dealers, investment advisors and funds, the SEC found that it had failed to adhere to its cybersecurity polices (among other issues). The timing of the report, however, was less than ideal for the SEC, which is experiencing a “physician, heal thyself” moment on cybersecurity.
While it was busy cataloguing the cyber-failings of financial advisors, the SEC’s own data security practices fell under the microscope of the Government Accountability Office. A 27-page report from the GAO issued in late July said that the SEC “did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion[-]detection system and made missteps in how it configured its firewalls.”
The findings create an awkward tension with the narrative that the SEC’s newly confirmed chairman, Jay Clayton, could help the agency take a leadership position on cybersecurity. While no single federal agency carries the torch on cybersecurity, The New York Law Journal echoed a popular impression when it called Clayton “cyber-savvy” and lauded his views on the subject. Many took note of the exchange at Clayton’s confirmation hearing when, in response to questioning by Sen. Mark Warner (D-Va.), he suggested that it may be appropriate to require public companies to make more disclosures on cybersecurity.
In contrast to that positive story, the GAO report supports a counter-narrative that, instead, the SEC is being left behind on cybersecurity. It’s a narrative that isn’t terribly difficult to support. Earlier this year, the state of New York implemented cybersecurity regulations for financial institutions that are the first of its kind, and if successful will serve as proof of concept that cyber issues can be regulated at the state level. Meanwhile, in the notoriously slow-moving Senate, Sen. Warner introduced legislation to guard against potential security threats posed by the so-called Internet of Things.
The dangers here for the SEC are at least twofold. First, there’s the turf issue. Any impression that the SEC can’t handle its own cybersecurity will hurt its chances to emerge as the alpha agency on cybersecurity. And if the SEC is forced to retreat on cybersecurity, that presents a separate problem. Until now, data breaches at public companies have had relatively muted effects on those companies’ stock prices. At some point, however, a cybersecurity incident at a public company will devalue its stock. When that happens, investors will look for someone to blame. Are investors going to turn their ire on the SEC for failing to do enough on data security? SEC staff who lived through the Madoff scandal know well that the agency can take heat for the wrongdoing of others.
It’s certainly a possibility. It’s just as certain, meanwhile, that the SEC can only address cybersecurity in the markets if it first addresses cybersecurity at home.