The U.S. Securities and Exchange Commission (SEC) recently initiated a groundbreaking series of regulations that set a new precedent for the handling of cybersecurity issues and the role of artificial intelligence in trading practices by publicly traded companies.
A Move towards Greater Cybersecurity Transparency
The new rules now require companies to disclose any substantial cyber incidents within four days, except in instances where this might jeopardise national security. This development aims to provide a more transparent and predictable landscape in an area often deemed opaque but increasingly significant. These rules are expected to instigate improvements in cyber defences, although smaller companies with limited resources may find meeting these standards challenging.
The Dual Mandates: Cybersecurity Incident Reporting and Annual Attestations
A closer look at these newly minted regulations reveals the presence of two key mandates - Items 1.05 and 1.06. Item 1.05, which has received significant press attention, requires reporting of "material cyber incidents" within a strict four-day timeline. However, Chris Denbigh-White, CISO of Next DLP, emphasises the importance of the lesser-highlighted Item 1.06. This mandate introduces a requirement for annual attestation, a practice that mirrors the principles of the globally recognized information security management standard, ISO-27001.
Addressing AI and Conflict of Interest in Trading
On the issue of artificial intelligence in trading, the SEC is proposing that broker-dealers address any potential conflicts of interest. This move is influenced by the 2021 "meme stock" rally, an event where brokers and robo-advisers used AI and gamified features to manipulate user behaviour.
AI Proposal: Prioritising the Interests of Clients
Another significant proposal by the SEC would require broker-dealers to "eliminate or neutralise" conflicts of interest that may arise if a trading platform's predictive data analytics favours the broker's financial interest over their clients'. This rule has faced opposition from some Republicans, who argue it could hinder the development and application of new technologies. Despite the criticism, SEC’s Director of Investment Management, William Birdthistle, defended the proposal. He maintained that the rule was necessary because these technologies are often scalable, complex, and opaque.
More Online-Based Investment Advisors Required to Register
In a unanimous decision, the SEC proposed that more internet-based investment advisors register with the federal agency. This proposal aims to narrow an exemption that officials believe some advisors have misused to dodge this requirement. If adopted, these investment advisors would have to provide investment advice through an interactive, functioning website, among other stipulations.
In conclusion, these new SEC rules mark a significant step towards improved cybersecurity and trading practices in the world of publicly traded companies.