As cybersecurity policy takes shape, are data vendors next in SEC's sights?

New rules target a range of players in the capital markets, from broker-dealers to trading venues, and the agency could be coming for data and analytics vendors and index providers.

Say what you like about Gary Gensler (and many on the Street have said quite unflattering things); he is an extremely effective regulator.

Gensler chaired the Commodity Futures Trading Commission (CFTC) in the post-crisis era, when US financial regulators were writing and implementing rules to fulfill the Dodd–Frank Act. By the time he stepped down in 2014, Gensler’s CFTC—a much smaller and poorer agency than, say, the Securities and Exchange Commission (SEC)—had written 70% of its allotment of Dodd–Frank rules, far more than any other regulator, and years in advance of the EU’s Markets in Financial Instruments Directive.

In April 2021, Gensler became SEC chair, and he has shown the same drive as the securities markets regulator as he did regulating the derivatives markets. After a few months in office, he released an ambitious agenda that included completing equity market modernization begun in the former administration, freshening up Regulation Alternative Trading Systems (Reg ATS), and proposing disclosure rules relating to climate risk.

It’s not even a year later, and the SEC has delivered on many of these fronts. The market data modernization efforts were rolled out quickly, though they are currently stymied by litigation brought by the New York Stock Exchange (Nyse) and Nasdaq. The almost 700-page Reg ATS amendments were proposed in February, and have a 30-day deadline for comments from the date published in the Federal Register. Most recently, on March 21, the Commission published proposals for climate-risk disclosure rules for publicly-traded companies.

Considering cyber

Gensler has also set out to tackle one of the most urgent topics facing contemporary governments: cybersecurity in the financial markets. In January 2022, he gave a speech to the Northwestern Pritzker School of Law’s Securities Regulation Institute, laying out his thinking about cybersecurity, and saying that stricter regulation was on its way from the SEC. Sure enough, the agency has since then released a batch of proposals that, while quite different in essentials, collectively feed into the agency’s aims of making the financial system safer from cyber crooks, attempting to draw in a wider set of market participants, market infrastructure and corporates under the SEC’s gaze, with stricter disclosures and resiliency requirements.

Government concerns about the exposure of the financial system to cyber threats are of course nothing new but have become more urgent since Russia invaded Ukraine. Operational risk managers at banks say they are preparing for an escalation of Kremlin-sponsored cyber-attacks on western financial infrastructure amid global sanctions of Russian banks.

Gensler said in that January speech that the SEC’s enhanced cybersecurity focus will take shape in three areas: cyber “hygiene,” by which Gensler means institutions’ preparedness to face threats; cyber incident reporting to the SEC; and making disclosures to the public.

The proposals that have come out since that speech have dealt with these issues, and will affect a wide section of companies, including public companies and broker-dealers. Future proposals could target tech vendors.

Reg SCI

The first proposal, the Reg ATS amendments, came out just a couple of days after Gensler’s speech. The proposal does many things, which I outline here, one of which is to float the idea of making more ATSs, like dark pools and electronic communication networks, subject to Regulation Systems Compliance and Integrity (Reg SCI).

Gensler had said in the January speech that Reg SCI needed freshening up. “Might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers. … Similarly, I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities,” he said.

Reg SCI was adopted in 2014 to strengthen the technological infrastructure of the US securities markets. In its scope is a range of entities that support critical securities market functions like trading, order routing, and market data—including large exchanges, ATSs, and clearinghouses. The Consolidated Audit Trail (Cat) system is also subject to Reg SCI, and the SEC’s efforts to boost Cat security have been highly controversial.

Before Reg SCI, the commission had encouraged firms to voluntarily monitor their infrastructure; with the passing of the regulation, most of these rules became mandatory. Companies must maintain the security and resilience of their systems, making detailed annual reports to the SEC, and keeping compliance records. They must also make disclosures immediately to the SEC if any incidents, such as outages or cyber breaches, occur. If the proposed amendments go through, then smaller dark pools or block crossing networks, for instance, could be subject to the same resilience and testing requirements as Nasdaq or Nyse, says a compliance source at a dark pool.

Public disclosures

In February and March, the SEC put out two proposals that deal with disclosures, either to the government or to the public. One, published on its website on February 9, is aimed at investment advisers and funds, requiring them to implement written cybersecurity policies to address risks, and to report significant cybersecurity incidents that affect them to the Commission.

A separate document, published a month later, proposes amendments to rules that would beef up reporting on “material cybersecurity incidents” by publicly traded companies. The SEC’s stance here is that participants in the capital markets need to have reliable information on the companies they invest in, and that includes information on their cybersecurity. Cyber incidents can affect a company’s stock price, the proposal says.

With these amendments, public companies would have to provide periodic reports about previous incidents, describe their policies and risks, and what cyber expertise their boards have, if any. Companies would have to report in XBRL format.

The proposal says that while it’s difficult for SEC staff to tell how many cyber incidents go unreported to the agency, staff have seen cybersecurity breaches reported in the media that were not disclosed to them. Also, companies’ reports differ greatly in their level of detail and specificity. So this proposal is aimed at standardizing that process, and making it stricter.

SEC chief economist Jessica Wachter said during an SEC open meeting in March held to discuss this proposal that failing to disclose cybersecurity incidents and risks lowers market liquidity and inhibits capital formation, as investors lose faith in companies. She conceded that hackers could use these disclosures against the companies that report, knowing their vulnerabilities, and that more reporting brings a compliance cost to these companies, but added that transparency about these incidents would generally raise understanding of what the risks are that all financial firms must contend with.

Service providers

These proposals are all out there now for public comment, wending their way through the rulemaking process. But I suspect we can expect more of them soon, and this time it will be data vendors and tech providers that are in the SEC’s sights.

Almost everything Gensler spoke of in his January speech at Northwestern has come to pass—all except the question of regulating third-party service providers.

Outsourcing risk has been a big concern for EU and UK regulators over the past few years. At the end of this month, UK banks will face a raft of regulations that will require them to map their third parties—including heavyweight cloud infrastructure providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform—list their impact tolerances and identify vulnerabilities that could seriously disrupt their clients. The EU is considering regulating cloud service providers directly, via its proposed Digital Operational Resilience Act, which aims to create a resilience framework across all regulated financial institutions in the EU27.

These regulations reflect governments’ concerns about portability and resiliency in the cloud, as financial markets migrate more and more of their critical functions and data to these platforms.

Third-party risk goes beyond cloud service providers, however, Gensler said in his speech. “They can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others,” he said.

While some of these entities fall into the scope of existing regulations overseen by the federal prudential regulators, like the Bank Service Company Act, most won’t be registered directly with the SEC. Gensler said he had asked staff to consider recommendations about addressing the risk posed by service providers, which could include requiring regulated firms to identify service providers that could pose cybersecurity risks, or holding them accountable for service providers’ cybersecurity measures.

Gensler has clearly stated his agency’s priorities and is rapidly fulfilling each one. It’s almost certain we’ll see the SEC coming out with recommendations, or perhaps even proposals, on mitigating the risk it sees in tech and data vendors.

