SEC cyber rule could trigger more attacks, experts warn
Mandatory disclosure of cyber risks and attacks could help hackers
A proposed rule that would require US asset managers to disclose more information about cyber attacks could be a boon for hackers, critics of the proposal warn.
Investment firms must report any “significant cyber-security incidents” to the US Securities and Exchange Commission (SEC) within 48 hours and “promptly” inform clients of any breaches under a rule proposed by the regulator on February 9.
Cyber-security experts say these disclosures may expose compromised firms to further attacks when they are most vulnerable. “It can give cyber criminals an indication of how vulnerable an organisation is at a given time, and this is not what we would like to achieve,” says Attila Kiss, senior vice-president of non-financial risk at Nordea Asset Management.
The SEC defines a “significant cyber-security incident” as any breach that disrupts a firm’s critical operations or exposes information that could be used to harm the company, its clients or investors.
The SEC noted in its proposal that incident reports submitted to the regulator are confidential, and would “bolster the efficiency and effectiveness of our efforts to protect investors, other market participants, and the financial markets in connection with cyber-security incidents”.
However, some in the industry question whether the SEC can prevent this highly sensitive information from falling into the wrong hands. In 2016, the regulator’s Edgar filing system was infiltrated by hackers, who stole corporate earnings reports and traded ahead of their release, generating over $4 million in illicit profits.
In a comment letter dated April 11, the Securities Industry and Financial Markets Association (Sifma) called on the regulator to adopt “more robust language about how it will protect confidential data from being leaked to threat actors or members of the press”.
The SEC did not respond to requests for comment in time for publication.
The proposed rule also requires investment firms to publicly disclose cyber risks and incidents in their brochures and promptly update them following an attack. Cyber experts worry these disclosures could send the wrong signal to investors, who might misinterpret the information, and could embolden would-be hackers.
The current industry practice is to provide clients directly affected by a cyber attack with as much information as possible about the breach.
“Institutions should share information with individual clients, but some of these signals are difficult to evaluate,” says Kiss. “It is difficult for non-specialists to understand what it means.”
Many financial firms are already subject to cyber incident reporting requirements from other regulators. Cyber-security legislation passed by the US Senate on March 1 will require critical infrastructure providers, including financial entities such as clearing houses, to report material cyber-security incidents to the US Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware payments within 24 hours.
Cyber experts say they prefer to share information about cyber attacks through specialist agencies, such as Cisa and the Financial Services Information Sharing and Analysis Center, which alert other institutions to threats without making them public. The SEC proposal could force firms to publicly disclose an attack before they can fix the vulnerability, potentially inviting more attacks.
“If an attack is successful, it means there was a vulnerability that was unknown or not fully understood, and, by publicising it, you risk multiple attacks,” says a risk manager at a US regional bank.
“There are already means by which banks can share information in a private manner to help them prepare to defend themselves.”
Those familiar with the approach taken by other regulators say that they don’t usually ask firms to disclose vulnerabilities, and how these might be exploited, unless a breach has already taken place. The SEC proposal appears to go further in requiring investment firms to disclose information about their cyber risks and defences in public documents.
Ultimately, these public disclosures may not amount to much. The head of cyber security at a large international bank says firms generally disclose the minimum amount of information necessary to satisfy regulatory requirements, even if those disclosures are non-public. For instance, a bank may inform regulators that it sees identity and access management as areas for improvement, without detailing any specific weaknesses. “It’s the institution’s responsibility to not overdisclose,” this person says. “Hence the risk is on the part of the reporting entity.”
Copyright Infopro Digital Limited. All rights reserved.