Cybersecurity: Bolstering Market Resilience is a Collaboration Between the Regulated and the Regulators

SIFMA welcomes SEC Chair Gensler’s commitment to cybersecurity, as outlined in his recent remarks, as this has been and remains a top priority of the financial services industry and must, by its nature, be a collaborative effort between all connected entities, both the regulated and the regulators. SIFMA and its members are laser-focused on cybersecurity efforts to protect our clients, data, networks and operations from diverse cyber threats including theft, disruption and destruction.

As a critical sector as defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the industry’s investment in cyber resiliency has been ongoing for more than a decade and is part of our daily business continuity practices. The industry routinely engages in a broad array of testing to maintain and enhance defense, resiliency and recovery both at the enterprise and industry-wide levels. These efforts range from technical defense to industry and official sector communication and collaboration.

Reg SCI Covers Most of the Industry

The SEC adopted Regulation SCI in 2014 to strengthen the technology infrastructure of the U.S. securities markets. Specifically, the rules are designed to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and enhance the SEC’s oversight and enforcement of securities market technology infrastructure.

Reg SCI applies to “SCI entities,” a term which includes SROs—including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems that trade NMS and non-NMS stocks exceeding specified volume thresholds, broker-dealer ATSs, disseminators of consolidated market data, or plan processors, and certain exempt clearing agencies. The regulation applies primarily to the systems of SCI entities that directly support any one of six key securities market functions—trading, clearance and settlement, order routing, market data, market regulation, and market surveillance.

Reg SCI does not, however, operate in a vacuum. Because our markets are interconnected, the entities which are not covered under the regulation are nonetheless effectively subject to it through their constant interaction with those entities which are covered.

SIFMA Test

SIFMA facilitates the annual Reg SCI test, which requires that each SCI entity designate members and participants that meet certain criteria, such as market share, to take part in an annual business continuity and disaster recovery test. Reg SCI entities complete their testing requirements in parallel with the SIFMA industry backup test, which we’ve been organizing for well over a dozen years. It is an efficient way to meet testing requirements across firms. Moreover, as the SEC reviews the possibility of expanding Reg SCI, how that regulation works in practice should also be considered.

SIFMA’s other initiatives in the cyber area include the following:

  • Cross-Sector Coordination to Enhance Response & Recovery: Since 2011, SIFMA has conducted a series of bi-annual industry-wide Quantum Dawn exercises covering physical, cyber, terrorism and natural disaster risks to synchronize response and recovery playbooks across financial firms, SIFMA and U.S. Treasury. In November 2019, SIFMA conducted its first global cyber exercise, Quantum Dawn V, with 150 entities across 19 countries, with the goal of implementing a network of contacts for response and recovery, which resulted in SIFMA’s Global Directory of over 250 crisis management contacts across the public and private sectors to respond to a global event.

    In November 2021, SIFMA held its sixth Quantum Dawn exercise, which allowed financial firms, central banks, regulatory authorities, trade associations, law enforcement and information sharing organizations around the world to rehearse response mechanisms, both internally and across the sector, against a broad range of ransomware attacks. The intent was to assess public and private sector-wide communications and information sharing mechanisms, crisis management protocols, and decision-making, engaging the SIFMA Global Directory members brought together during Quantum Dawn V, while identifying potential gaps.

  • Industry-Led Data Protection Collaboration: The SolarWinds and Microsoft incidents highlighted the need for greater collaboration between industry, regulators, and government agencies to ensure transparency and timely disclosure of data breaches in the private and public sector. The goal is to improve the protection of sensitive financial and regulatory data held by industry participants or the government. In light of concerns raised by financial firms, the Financial Services Sector Coordinating Council (FSSCC) Working Group is focused on this issue working across sectors to develop joint solutions.
  • Best Practices for Insider Threats: For the last decade, SIFMA has hosted quarterly Insider Threat Forums to share information among industry participants on the best practices in identifying and protecting against insider threats. As threats evolve, so have the industry’s response capabilities, through advancements in the use of anomaly detection and big data techniques, evolving privacy issues including restrictions on employee surveillance, the use of automated decision-making tools, and legal and practical barriers to performing employee background checks.
  • Partners in Penetration Testing: Since 2017, SIFMA has been leading a global effort to work with financial firms and regulators around the world on a collaborative approach to penetration testing a firm’s cybersecurity defenses and identifying vulnerabilities. In July 2019, SIFMA published, and in 2020 updated, guidance on principles and best practices for financial firms and regulators to follow, which ultimately led to the development of the globally harmonized threat-led penetration testing environment that exists today.

Importance of Coordination Across All Stakeholders

This is just a snapshot of SIFMA’s ongoing work to improve cybersecurity practices and stay one step ahead of current and future cyber threats. But the securities industry cannot do it alone. That is why all our efforts include close coordination across the financial services industry and with government, regulators, third parties and law enforcement agencies, to protect our clients and financial services infrastructure, improve data sharing between public and private entities and safeguard customer information.

This level of partnership is essential. The government, as we all know, is not immune to cyber-attacks, as the SEC itself saw when its EDGAR system was hacked, causing a great deal of data security concern across the industry. Cyber hygiene is a two-way street: our members are required to provide a large amount of data to regulators, so the regulators need to ensure that sensitive data is protected. This is not a command-and-control exercise but, rather, essential collaborative work to protect investors. Our members have policies and protocols in place to protect client data, but once that data is reported to regulators, our members no longer have control over it.

Personal and Transactional Information in CAT Database Remains at Risk

A prime example: the Consolidated Audit Trail (CAT). One immediate action item the SEC could take would be to approve the pending CAT data security rule proposal. SIFMA members have consistently supported the goals of the CAT since its inception and have been diligently working to implement the CAT transaction database, which has become operational. At the same time, we have continually voiced concerns about the type and amount of personally identifiable information (PII) data to be reported to and maintained in the Customer & Account Information System (CAIS) database of the CAT and have repeatedly offered viable alternatives that would serve the same purpose as the CAIS database without the attendant data and privacy risk to member clients. When completed, the CAT will include personal information on every retail brokerage customer in America, as well as identifying information for every pension fund, mutual fund, and other institutional accounts in America.

We also have voiced concerns about the unprecedented amount of transactional information that will be held in CAT, as it will be the largest database of customer and institutional trading data ever created.

The data security rule proposal—which we largely support—was issued by the SEC in August 2020 and has not yet been approved by the SEC. The proposal would, among other things, prohibit the bulk downloading of CAT Data by mandating the use of Secure Analytical Workspaces (SAWs) for self-regulatory organization (SRO) review of CAT Data, subject to a strict exception process in which an SRO has the ability to seek a limited exception to download CAT transaction data provided its security is as robust as the CAT System’s security. The proposal also would strictly and clearly prohibit the use of CAT Data for any commercial purpose, such as a rule filing that has both a commercial and regulatory purpose. Approving the data security proposal would be an immediate step towards holding the CAT data to the highest security standards.

As the SEC and other regulators work to further address cybersecurity risks, we encourage them to continue to collaborate with the industry on best practices to collectively improve our defense, resiliency, and recovery efforts.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also chief executive officer of the Global Financial Markets Association (GFMA).