US Securities and Exchange Commissioner highlights data security issue as a key problem

December 17, 2014

Under the Privacy Act there is an obligation to provide adequate data security, at Australian Privacy Principle 11.  The Privacy Commissioner’s guidelines attempt to set out what is expected of entities.  Those guidelines are drafted in the broad and suffer from being very generalised.  Absent determinations or enforceable undertakings, it is difficult to determine what the benchmarks are.  Clearly industry standards are relevant.  As posted previously (found here), the New York Department of Financial Services has issued a detailed letter regarding what is expected in the event of an IT/cybersecurity examination. It is an area where the United States regulators are, albeit in a piecemeal and sectoral manner, taking more detailed and proactive steps than the Privacy Commissioner in Australia.

The importance of maintaining proper data security is highlighted in a World Today story, broadcast earlier this afternoon, titled US Securities and Exchange Commissioner increasingly concerned about cyber security risks.

It provides (with highlights):

NICK GRIMM: The global financial crisis prompted regulators around the world to toughen laws overseeing the finance industry and share markets but putting those laws in place is proving to be something of a challenge.

The US is only half way through implementing what’s known as the Dodd-Frank financial reforms which strengthen the hand of regulators.

Mike Piwowar is a commissioner at the US securities regulator, the Securities and Exchange Commission, and he says that issue and cyber security are the things that keep him awake at night.

He was the Republican chief economist for the US Senate Committee on Banking and was a senior economic adviser at the White House during the global financial crisis.

He spoke to Sue Lannin at a financial conference in Sydney.

MIKE PIWOWAR: In the United States the biggest challenge is implementing Dodd-Frank.

So in the wake of the crisis, Congress passed a 2,300 page law, which tasked the regulators with promulgating about 400 new rules.

Four and a half years later, after Dodd-Frank was passed in July of 2010, we’re still only about half way done with implementing Dodd-Frank.

SUE LANNIN: The global financial crisis, the cause is said to be not enough regulation so has the pendulum swung back the other way now?

MIKE PIWOWAR: That’s one question. One is have they got it right in terms of has the legislation focused on the right things, right?

I personally am sceptical in terms of whether Dodd-Frank was effective at addressing all the problems within the crisis in addition to that; there are many provisions in Dodd-Frank that have absolutely nothing to do with the crisis.

SUE LANNIN: What keeps you awake at night?

MIKE PIWOWAR: Cyber security risks.

I used to think that the next potential problem that we would see would be something like a rogue trader in a large financial institution potentially having spill-over effects at other institutions and causing disruptions in certain markets.

I have increasingly become concerned about cyber security risks and just the sheer number of attacks that happen on a daily basis across all the financial institutions that we have.

On the good side of the ledger, it seems that financial institutions, because they are at the forefront of the cyber attacks, and why, because that’s where the money is, they seem to be pretty good relative to other companies.

SUE LANNIN: We have seen credit card breaches from a number of financial institutions, so are they doing enough to protect their data?

MIKE PIWOWAR: We’ve tended at the commission to sort of think of cyber security as a part of different things that we do.

So for example we just passed a new regulation called SCI which stands for Systems Compliance and Integrity, and it was a general framework for certain entities within the market like exchanges to think about their system’s integrity, and cyber security was kind of an ancillary piece to that, but I have serious questions about whether or not we’re doing enough directly to look at this and gathering information is the first step in that process.

SUE LANNIN: Why didn’t anyone go to jail because of the GFC?

MIKE PIWOWAR: Well that’s a good question.

Well, first of all the Commission, the SEC does not have criminal authority, we only have civil authority. We can ban people from the industry, we can get what are called collateral bars we can ban them. That’s a good question for the criminal authorities.

There is sort of this palpable sense in the US that a number of people are just increasingly frustrated that nobody went to jail, there’s no face on the crisis.

From where I sat during the crisis, in the aftermath and looking back at it, what I see is an incredibly complex set of events that helped – so either caused the crisis or facilitated the crisis or sowed the seeds of the crisis – and so it’s hard for me to imagine that any single person or two or three people would be to blame for, you know, an entire system.

SUE LANNIN: Isn’t jail a deterrent?

MIKE PIWOWAR: In many cases it could be, but we also have to worry about whether we’re getting the right people, right? We don’t just want to throw somebody in jail who’s an innocent victim in these cases.

SUE LANNIN: Should the ratings agencies be more accountable?

MIKE PIWOWAR: My preference would be to decrease the reliance on the rating agencies.

From my perspective it wasn’t just that the ratings were wrong, it’s that so many investors – institutional investors, individual investors – were simply not doing their due diligence and simply outsourcing their due diligence to the rating agencies.

And part of that reason is because a number of regulations – the SEC’s regulations and then the banking regulators – basically blessed the ratings.

And so we had a number of things that were based upon credit ratings. For example, whether or not banks could hold certain assets or how they were treated under certain capital requirements.

So people said, well if the SEC or the banking regulators are blessing these ratings, then they must be good, and so there is a provision that forces us and the other agencies to strip out from our regulations any reference to credit ratings.

And so now we have to use general terms like credit worthiness and think about alternative measures to credit ratings, whether they’re market-based models or whether there’s other types of analytical tools that people can use that are other than credit ratings.
