BreachExchange mailing list archives

SEC Probes Hacker Risk to Wall Street as Threats Mount


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Mar 2014 18:57:32 -0600

http://www.moneynews.com/Economy/SEC-Hacker-Risk-Wall-Street-Threats/2014/03/26/id/561861/

The U.S. Securities and Exchange Commission is examining the exposure of
stock exchanges, brokerages and other Wall Street firms to cyberattacks
that have been called a threat to financial stability.

The SEC is holding a roundtable discussion of those risks in Washington as
it weighs a new rule proposal asking whether stock exchanges should be
required to tell members about breaches of critical systems. More than half
of exchanges surveyed globally in 2012 said they experienced a
cyberattack, while 67 percent of U.S. exchanges said a hacker tried to
penetrate their systems.

The agency also will probe how companies are disclosing cyberthreats to
investors in public filings. Businesses including Target Corp., from which
hackers stole payment-card data for millions of shoppers in December, are
required to disclose such threats when the information would affect an
investor's willingness to own the company's shares.

"Cyberthreats are of extraordinary and long-term seriousness," SEC Chair
Mary Jo White said. "The public and private sectors must be riveted in
lockstep in addressing these threats."

The event was spurred by SEC Commissioner Luis A. Aguilar, who called for
the agency to establish a cybersecurity task force.

"Given the extent to which the capital markets have become increasingly
dependent upon sophisticated and interconnected technological systems,
there is a substantial risk that a cyberattack could cause significant and
wide-ranging market disruptions and investor harm," Aguilar said in opening
remarks.

Mandatory Disclosures

Companies aren't required by the SEC to disclose all risks from
cyberattacks, though the regulator routinely reviews how such threats and
incidents are described in annual reports. Some lawmakers, including
Senator Jay Rockefeller, a West Virginia Democrat, have asked the agency to
consider making the disclosures mandatory.

"This is information every investor has a right to know," Rockefeller said
in a statement. "Routinely providing this information should be a regular
part of practicing business in the era of 'big data.'"

The Financial Stability Oversight Council, a group of regulators led by the
Treasury secretary, said in its 2013 annual report that successful
cyberattacks could pose a threat to the stability of financial markets.
Among exchanges, 89 percent said cybercrime should be considered a systemic
risk, according to a 2012 International Organization of Securities
Commissions report.

Finra Priority

The SEC and the Financial Industry Regulatory Authority, which oversees
broker-dealers, identified cybersecurity as a priority for compliance
examinations. Finra said in January it would ask about 20 of its member
firms how they manage and defend against the threat of cyberattacks.

Criminal hacking cost financial services companies, on average, about $18.8
million in 2013, according to a study by the Ponemon Institute, a research
and consulting firm. The report estimated an average cost for brokerages of
$19 million and $21.9 million for investment advisers.

Hackers targeting broker-dealers may seek intellectual property such as
trading algorithms or the source code of trading systems, said Richard
Bejtlich, chief security strategist at FireEye Inc., a Milpitas,
California-based information-security consultant. Manipulation of critical
data systems probably poses the greatest risk to Wall Street companies
whose buy-and-sell decisions and order routing are increasingly automated.

Breach Reports

Under a rule proposed last year, exchanges would be required to promptly
disclose to their broker-dealer members any breaches of critical systems.
Exchanges could withhold the information if they believed release of the
data would do further harm or undermine an investigation of the intrusion.
The SEC expects to advance the rule this year, White said.

"If you can start changing the data that you have access to, that can
potentially undermine the integrity of the system and that is where people
get pretty nervous," Bejtlich said in a phone interview.

Panelists scheduled to speak at the roundtable include representatives of
Bank of America Corp., BATS Global Markets Inc., the Chicago Board Options
Exchange, Nasdaq OMX Group Inc. and Wells Fargo Advisors LLC. The Treasury
Department's Cyrus Amir-Mokri, assistant secretary for financial
institutions, and White House cybersecurity adviser Ari Schwartz also will
speak, according to an SEC announcement.