National Post

The gaping holes in cybersecurity

SECURITIES RECENT BREACHES RAISE SERIOUS QUESTIONS ABOUT COMPLIANCE RULES IN U.S.

- Gretchen Morgenson

At first glance, the hacking disclosed by the Securities and Exchange Commission on Wednesday didn’t seem too much of a concern to investors.

The intrusion, after all, appeared to be limited to the SEC’s database of corporate filings, like annual and quarterly financial reports and proxy statements.

While the SEC said it believed that the attack “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk,” the agency did acknowledge that the hackers could have profited by trading on the corporate data they gleaned.

Still, said Jay Clayton, the SEC chairman, the episode “highlighted the importance of cybersecurity to the agency and market participants.” I’ll say. The lapse at the SEC and the breach before it at Equifax, the credit monitoring agency, should both be wakeup calls for investors who regularly trade stocks. In fact, these breakdowns raise questions about significant gaps in the SEC’s computer security rules for stock exchanges and certain other significant trading platforms.

As a result of these holes, investors’ trades on certain venues may be more vulnerable to hacking than on others.

And because of the interconnectedness of the technologies supporting the nation’s stock trading systems, hackers gaining access to one venue could easily disrupt entire swaths of the market.

The concerns centre on an SEC rule written in 2014 that was intended to strengthen the technological underpinnings of the U.S. securities markets, making them safer for investors.

The rule, known as Regulation Systems Compliance and Integrity, or Reg SCI, came after a series of troubling market system failures. One was the US$440 million glitch in 2012 at Knight Capital, a big stock trading firm. Other technical breakdowns occurred the next year on Nasdaq; on one occasion, all trading in that market was halted for three hours.

The SEC rule required exchanges and certain other trading venues to have comprehensive procedures ensuring “the robustness and resiliency of their technological systems.”

Bolstering cybersecurity measures was a component of the rule. Stock exchanges like IEX, Nasdaq and the New York Stock Exchange had to comply with the new requirements and make their operations available for audits by the SEC. These exchanges also had to tell the commission when problems arose, including system intrusions, a crucial mechanism for investor protection.

But many large trading venues did not have to comply with the rule. Among them were firms that buy stock orders from retail brokerage firms, known as wholesalers or internalizers. Certain alternative trading systems were also let off the hook, including some that are operated by large brokerage companies like Morgan Stanley and UBS.

Among the entities that don’t have to adhere to the cybersecurity rule are firms that handle vast volumes of trades in the nation’s equity markets. Citadel Securities, the broker-dealer unit of the powerhouse founded by Kenneth Griffin, is an example.

A division of the company — Citadel Execution Services — is what’s known as a wholesale firm. It buys investors’ orders from retail brokerage firms that don’t have their own trading operations and executes the transactions against stocks it holds in inventory. Some 200 brokerage firms, including Charles Schwab, Scottrade and E-Trade, sell their customers’ orders to Citadel.

These firms send Citadel almost three million equity orders a day totalling almost 1.7 billion shares, according to figures cited in an SEC enforcement action filed against the firm in January. These orders accounted for about 35 per cent of the average daily volume of retail stock trades in the United States, the SEC said.

It seems odd, given the volume of trades handled by Citadel, that the SEC would not require the firm to follow its heightened cybersecurity rules. So I asked the SEC about this decision. A spokeswoman declined to comment.

I also asked Citadel about its internal protections against cyberattacks. A spokesman declined to comment.

Spokesmen for both Morgan Stanley and UBS declined to comment about precautions they had taken against digital attacks on their alternative trading systems. But since both of those companies qualify as systemically important financial institutions in regulators’ eyes, at least their operations are watched more closely.

Also disquieting about the rule: Nowhere does the agency publish the list of entities that comply with the systems integrity rule. If this regulation was supposed to protect investors, as the SEC contended when it put it into effect, why aren’t investors allowed to know which trading venues have strong cybersystems in place and which may not?

This question may come up Thursday when Clayton, the SEC chairman, is scheduled to testify before the Senate banking committee. One of the committee’s members, Mark R. Warner, D-Va., who is a co-founder of the bipartisan Senate Cybersecurity Caucus, recently expressed his concern over the lack of transparency in the rule.

“Investors are unable to determine whether their orders are being routed to market centres which are being held to the requirement of having a strong, audited cybersecurity program,” Warner wrote in a letter to Clayton on Aug. 1. “If compromised, these market centres could destabilize markets by not having the protections in place that the SEC has outlined in Reg SCI to strengthen the integrity of our markets.”

The SEC was right to require market trading venues to tighten their security systems. Investors rely heavily on these entities. But exempting major firms may mean it did only half the job. And surely investors have the right to know which firms are meeting the heightened standards.

Warner thinks so. “Efforts to strengthen our nation’s financial infrastructure, such as Reg SCI, are critical to financial stability and the security of our country,” he said in a statement. “Providing investors with information about which market centres are subject to Reg SCI and whether they are in compliance would encourage market centre adoption of strong cybersecurity standards and help investors protect themselves from cyber risks.”

AL DRAGO / THE NEW YORK TIMES FILES: U.S. Sen. Mark Warner has expressed concerns about the SEC’s policy on cybersecurity. In light of recent breaches at the SEC and Equifax, excluding big trading firms from having to strengthen security systems looks risky.
