FROM: U.S. SECURITIES AND EXCHANGE COMMISSION
PUBLIC STATEMENT
Opening Statement at SEC Roundtable on Cybersecurity
SEC Chair Mary Jo White
March 26, 2014
Good morning. Welcome to today’s roundtable on cybersecurity.
Cybersecurity threats come from many sources: criminal and hired hackers, terrorists, state-sponsored intruders, and even misguided computer experts to see what they are able to penetrate.
Cyber threats also pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer.
This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected “to eclipse” resources devoted to terrorism.[1]
What emerges from this arresting view of the cybersecurity landscape is that the public and private sectors must be riveted, in lockstep, in addressing these threats.
The President’s 2013 Cybersecurity Executive Order and the Cybersecurity Framework issued in 2014 by the National Institute of Standards and Technology are reflective of the compelling need for stronger partnerships between the government and the private sector.
The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information. But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.
This roundtable is one aspect of the SEC’s efforts to better inform ourselves, the marketplace, our fellow agencies, and the private sector as to what the risks are and how best to combat them.
As you know, we at the SEC have been focused on cybersecurity-related issues for some time. In connection with public company disclosures, in October 2011, our Division of Corporation Finance issued guidance on existing disclosure obligations related to cybersecurity risks and incidents to assist public companies in framing disclosures of cybersecurity issues. That guidance makes clear that material information regarding cybersecurity risks and cyber incidents is required to be disclosed.
Since we issued that guidance, our staff has continued to study the important and challenging issues that cybersecurity presents to public companies, market participants, and investors, including the intersection of our investor-focused disclosure requirements and the types of information those with national security responsibility need in order to better protect our critical infrastructure. I am looking forward to hearing the views on this.
Cybersecurity for SROs and large alternative trading systems also is a very important area of focus for our staff. Part of this focus involves the Commission’s proposed rule on Regulation Systems, Compliance and Integrity, which would require an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames. I expect the Commission to move ahead with Regulation SCI this year.
We also have focused on cybersecurity risk issues for registered investment advisers, broker-dealers, and funds, including, for example, data protection and identity theft vulnerabilities.
In this area, the Commission last year adopted Regulation S-ID, which requires certain regulated financial institutions and creditors to adopt and implement identity theft programs.[2] Regulation S-ID builds upon the SEC’s existing rules for protecting customer data, in particular Regulation S-P.[3]
I want to thank all of our panelists for participating today and sharing their views on these critical issues. There is no better way to proceed than by assembling the right people in the same room to discuss and share information, points of view, and best practices.
Each panel consists of a very impressive group of professionals who bring a great deal of expertise and a range of relevant perspectives.
In addition to our panelists, we are joined today by many others who are here in person or watching online. And, of course, we welcome your views as well. We have set up a comment file on our website for the public to submit views on cybersecurity issues or respond to the questions addressed and the views expressed by our panelists. And I especially look forward to hearing the public’s ideas and input. Your views are important to us. We and the others here today will benefit immensely from hearing them as we study these issues.
Thank you and enjoy the roundtable.
[1] Homeland Threats and Agency Responses, The Honorable James B. Comey, Jr., Statement of the Federal Bureau of Investigation Before the Committee on Homeland Security and Governmental Affairs, United States Senate (November 14, 2013).
[2] See Identity Theft Red Flags Rules, Release No. 34-69359 (April 10, 2013), available at http://www.sec.gov/rules/final/2013/34-69359.pdf.
[3] See Final Rule: Privacy of Consumer Financial Information (Regulation S-P) (November 13, 2000), available at http://www.sec.gov/rules/final/34-42974.htm