SEC Commissioner Kara Stein has asked Chairman Jay Clayton to expand the scope of an agency rule that aims to stymie cyberattacks.
In a speech last week at Georgia State University College of Law, Ms. Stein, one of two Democrats on the five-member commission, said the Securities and Exchange Commission's rule — Regulation Systems Compliance and Integrity, or Reg SCI — doesn't go far enough. Passed in 2014, Reg SCI requires large-volume equity exchanges, alternative trading systems and dark pools to submit to the agency backup operational plans in case those venues' technological systems break down.
It also requires scheduled operational testing to ensure those backup plans work, and venue operators to inform their participants of systems issues.
Ms. Stein, whose term expires at the end of the year, said she would like to see the rule expanded to cover other market players that possess investor information, such as broker-dealers, investment advisers and transfer agents.
"We need to think more comprehensively about the cyberwars going on," Ms. Stein said in her speech. "All need to up their game to protect our critical systems, personal data and economy from cyberthreats. Tepid responses from government and businesses are invitations that cybercriminals simply cannot ignore."
Since company boards have a fiduciary duty to shareholders, they must take charge of the oversight of cyber risks, Ms. Stein said. She would like boards to retain an independent member with expert knowledge of technology and cybersecurity to provide it with advice.
Additionally, independent directors should meet with the company's chief information security officer at least twice annually in executive session, "without members of management present so that they can have open, frank, and meaningful discussions about culture, tone, and the resources dedicated to both prevention and resiliency," Ms. Stein said.
The Investment Adviser Association agrees with Ms. Stein that it is important for investment advisers to develop and implement policies and procedures to address cybersecurity risks, President and CEO Karen Barr said in an email.
"However, we do not believe that it is appropriate to extend Reg SCI to investment advisers," Ms. Barr said. "Investment advisers do not present the same systemic risks as the entities covered by Reg SCI and advisers are already required to have relevant policies and procedures in place pursuant to SEC rules and guidance."
Under Mr. Clayton, the SEC has acted on cybersecurity issues, including in February when it voted unanimously to update its 2011 guidance for public companies that aimed to tell those companies how to disclose cybersecurity risks and procedures. The update added two topics: the importance of having cybersecurity policies and procedures in place, and bans on stock trading by board members and executives after a cybersecurity incident. However, the commission's two Democrats, Ms. Stein and Robert Jackson Jr., said the update didn't go far enough.