The U.S. Securities and Exchange Commission (SEC) is examiningthe exposure of stock exchanges, brokerages, and other Wall Streetfirms to cyber attacks that have been called a threat to financialstability.

The SEC is holding a roundtable discussion of those risks inWashington today as it weighs a new rule proposal asking whetherstock exchanges should be required to tell members about breachesof critical systems. More than half of exchanges surveyed globallyin 2012 said they experienced a cyber attack, while 67 percent ofU.S. exchanges said a hacker tried to penetrate their systems.

The agency also will probe how companies are disclosing cyber threats to investors in publicfilings. Businesses including Target Corp., from which hackersstole payment-card data for millions of shoppers in December, arerequired to disclose such threats when the information would affectan investor's willingness to own the company's shares.

“Cyber threats are of extraordinary and long-term seriousness,”SEC Chair Mary Jo White said today. “The public and private sectorsmust be riveted in lockstep in addressing these threats.”

Today's event was spurred by SEC Commissioner Luis A. Aguilar,who today called for the agency to establish a cybersecurity taskforce.

“Given the extent to which the capital markets have becomeincreasingly dependent upon sophisticated and interconnectedtechnological systems, there is a substantial risk that a cyberattack could cause significant and wide-ranging market disruptionsand investor harm,” Aguilar said in opening remarks.

Mandatory Disclosures

Companies aren't required by the SEC to disclose all risks from cyber attacks, though the regulator routinelyreviews how such threats and incidents are described in annualreports. Some lawmakers, including Senator Jay Rockefeller, a WestVirginia Democrat, have asked the agency to consider making thedisclosures mandatory.

“This is information every investor has a right to know,”Rockefeller said in a statement yesterday. “Routinely providingthis information should be a regular part of practicing business inthe era of 'big data.'”

The Financial Stability Oversight Council, a group of regulatorsled by the Treasury secretary, said in its 2013 annual report thatsuccessful cyber attacks could pose a threat to the stability offinancial markets. Among exchanges, 89 percent said cybercrimeshould be considered a systemic risk, according to a 2012International Organization of Securities Commissions report.

The SEC and the Financial Industry Regulatory Authority, whichoversees broker-dealers, identified cybersecurity as a priority forcompliance examinations. Finra said in January it would ask about20 of its member firms how they manage and defend against thethreat of cyber attacks.

Criminal hacking cost financial services companies, on average,about $18.8 million in 2013, according to a study by the PonemonInstitute, a research and consulting firm. The report estimated anaverage cost for brokerages of $19 million and $21.9 million forinvestment advisers.

Hackers targeting broker-dealers may seek intellectual propertysuch as trading algorithms or the source code of trading systems,said Richard Bejtlich, chief security strategist at FireEye Inc., aMilipitas, California-based information-security consultant.Manipulation of critical data systems probably poses the greatestrisk to Wall Street companies whose buy-and-sell decisions andorder routing are increasingly automated.

Under a rule proposed last year, exchanges would be required topromptly disclose to their broker-dealer members any breaches ofcritical systems. Exchanges could withhold the information if theybelieved release of the data would do further harm or undermine aninvestigation of the intrusion. The SEC expects to advance the rulethis year, White said today.

“If you can start changing the data that you have access to,that can potentially undermine the integrity of the system and thatis where people get pretty nervous,” Bejtlich said in a phoneinterview.

Panelists scheduled to speak at today's roundtable includerepresentatives of Bank of America Corp., BATS Global Markets Inc.,the Chicago Board Options Exchange, Nasdaq OMX Group Inc., andWells Fargo Advisers LLC. The Treasury Department's CyrusAmir-Mokri, assistant secretary for financial institutions, andWhite House cybersecurity adviser Ari Schwartz also will speak,according to an SEC announcement.

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.