Public Statements & Remarks

Concurring Statement of Commissioner Sharon Y. Bowen Regarding Notice of Proposed Rulemaking on System Safeguards Testing Requirements

December 16, 2015

Today, we are considering two rule proposals that address an issue which is right at the heart of systemic risk in our markets – cybersecurity. The question that we face is: with a problem as immense as cybercrime, and the many measures already being employed to combat it, what would today’s proposed rules accomplish? In answer to that question, I want to say a few words about our cybercrime challenge, what is currently being done to address it, and what I hope these proposed regulations would add to these efforts.

The problem is clear – our firms are facing an unrelenting onslaught of attacks from hackers with a number of motives ranging from petty fraud to international cyberwarfare. We have all heard of notable and sizable companies that have been the victim of cybercrime, including: Sony, eBay, JPMorgan, Target, and Staples -- even the US government has fallen victim.

In recent testimony before the House Committee on Financial Services, Subcommittee on Oversight and Investigations about cybercrime, the Director of the Center for Cyber and Homeland Security noted that the “U.S. financial services sector in particular is in the crosshairs as a primary target.”i He cited one US bank which stated that it faced 30,000 cyber- attacks in one week – averaging an attack every 34 seconds.ii

Given the magnitude of the problem, it is not at all surprising that a lot is already being done to address it. The Department of Homeland Security and others have been working with private firms to shore up defenses. Regulators have certainly been active. The Securities and Exchange Commission (SEC), the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), the Federal Housing Finance Agency (FHFA), and our self-regulatory organization, the National Futures Association (NFA), have issued cybersecurity guidance. In Europe, the Bank of England (BOE) introduced the CBEST program to conduct penetration testing on firms, based on the latest data on cybercrime. We heard a presentation from the BOE about CBEST at a meeting of the Market Risk Advisory Committee this year.

I wanted to hear what market participants were doing to address the challenge of our cybersecurity landscape so I met with several of our large registrant dealers and asked them about their cybersecurity efforts. After these discussions, I was both alarmed by the immensity of the problem and heartened by efforts of these larger participants to meet that problem head on. They were employing best practices such as reviewing the practices of their third party providers, using third parties to audit systems, sharing information with other market participants, integrating cybersecurity risk management into their governance structure, and staying in communication with their regulators.

We have also been vigilant in our efforts to address cybersecurity. Under our current rule structure, many of our registrants have system safeguards requirements. They require, among other things, that the registrants have policies and resources for risk analysis and oversight with respect to their operations and automated systems, as well as reporting, recordkeeping, testing, and coordination with service providers. These requirements clearly include appropriate cybersecurity measures. We also regularly examine registrants for their adherence to the system safeguards requirements, including effective governance, use of resources, appropriate policies, and vigilant response to attacks.

So if all of this is happening, what would more regulation accomplish? In other words, what is the “value add” of the rules being proposed today? The answer is: a great deal. While some firms are clearly engaging in best practices, we have no guarantee that all of them are. And as I have said before, in a system as electronically interconnected as our financial markets, “we’re collectively only as strong as our weakest link, and so we need a high baseline level of protection for everyone…”iii We need to incentivize all firms under our purview to engage in these effective practices.

We have to do this carefully though because once a regulator inserts itself into the cybersecurity landscape at a firm – the firm now has two concerns: not just fighting the attackers, but managing its reputation with its regulator. So, if not done carefully, a regulator’s attempt to bolster cybersecurity at a firm can instead undermine it by incentivizing the firm to cover up any weaknesses in its cybersecurity infrastructure, instead of addressing them. Further, we must be careful not to mandate a one-size-fits-all standard because firms are different. Thus, we must be thoughtful about how to engage on this issue. We need to encourage best practices, while not hampering firms’ ability to customize their risk management plan to address their cybersecurity threats.

I think these rulemakings are a great first step in accomplishing that balance. There are many aspects of these proposals that I like. First, they set up a comprehensive testing regime by: (a) defining the types of cybersecurity testing essential to fulfilling system safeguards testing obligations, including vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment; (b) requiring internal reporting and review of testing results; and (c) mandating remediation of vulnerabilities and deficiencies. Further, for certain significant entities, based on trading volume, it requires heightened measures such as minimum frequency requirements for conducting certain testing, and specific requirements for the use of independent contractors.

Second, there is a focus on governance – requiring, for instance, that firms’ Board of Directors receive and review all reports setting forth the results of all testing. And third, these rulemakings are largely based on well-regarded, accepted best practices for cybersecurity, including The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”).iv

In all, I think the staff has put together two thoughtful proposals. Clearly, however, this is only a first step since all our registrants, not just exchanges, SEFs, SDRs and DCOs, need to have clear cybersecurity measures in place. I am also very eager to hear what the general public has to say about these proposals. Do they go far enough to incentivize appropriate cybersecurity measures? Are they too burdensome for firms that do not pose significant risk to the system? And given that this is a dynamic field with a constantly evolving set of threats, what next steps should we take to address cybercrime? Please send in all your thoughts for our consideration. Thank you and I look forward to the staff’s presentation.

Last Updated: December 20, 2017