SIFMA president and CEO, Kenneth E. Bentsen, Jr., has testified on cybersecurity before the House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit during a hearing titled “Data Security: Vulnerabilities and Opportunities for Improvement.”
SIFMA’s testimony notes that there is likely no greater threat to financial stability than a large-scale cyber event, so SIFMA and its member firms are deeply committed to improving our sector’s cybersecurity resiliency and working with government partners to protect the broader economy.
While data breaches of customer information dominate headlines, and are rightfully a priority for policymakers and the industry, a major cyberattack on critical financial market infrastructure, or one that destroys records and financial data, is also a risk with a potentially far larger impact on the economy.
SIFMA’s testimony outlines key priorities and industry efforts for enhancing cybersecurity and protecting investors:
While regulation and supervision of cyber preparedness has an important role in the collective cyber defense effort, the emergence of many regulations from multiple regulators may lead to a suboptimal balance of industry resources devoted to compliance versus security. In simple terms: financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities. Enhanced harmonization of regulatory standards and supervision would improve the efficient use of critical cyber resources.
No single actor – not the federal government, nor any individual firm – has the resources to protect markets from these threats on their own. It is critical that we continue to establish a robust partnership between industry and government to mitigate cyber threats and their impact. The industry’s resiliency will not be fully effective without the government’s help, and vice versa.
Data Security and CAT
In recent years there has been an increasing number of highly visible data breaches, affecting billions of customer records. The experiences of our members show the importance of developing a culture and practice dedicated to the protection of sensitive data including an investor’s personally identifiable information, or “PII.”
Financial firms and regulatory agencies share a common goal in securing and protecting the data entrusted to them by clients and financial institutions. As the Securities and Exchange Commission (SEC) and self-regulatory organizations (SROs) move forward with the development of the new Consolidated Audit Trail (CAT), SIFMA member firms want to ensure the CAT does not introduce new data protection risks. Importantly, just as the industry should and does consider whether sensitive information needs to be collected and retained for a particular purpose, so too must the case be made that PII needs to be collected and stored inside the CAT for effective surveillance.
The current CAT development plan, developed by the exchanges and FINRA and approved by the SEC, raises serious concerns around data protection and the ability to confidently secure the critical information it will contain.
Once complete, the CAT will be the world’s largest data repository for securities transactions, and one of the world’s largest databases of any type. Every day the system would ingest 58 billion records – orders, executions and quotes for the equities and options markets – and would maintain data on over 100 million customer accounts and their unique customer information. This data would grow to an estimated 21 petabytes within 5 years – the equivalent of over ten times the content of all U.S. academic research libraries, in a single database.
Despite these serious data protection concerns, the CAT technical specifications that have been released to date include alarmingly few details on data security and protection.
The securities industry is constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government, including our regulators. Best practices have been developed around penetration testing, insider threats, third-party risks, and secure data storage and recovery.
SIFMA’s full written testimony expands on these and other cybersecurity priorities, and is available here: https://www.sifma.org/