Thomson Reuters Tax & Accounting News

Featuring content from Checkpoint

Back to Thomson Reuters Tax & Accounting News

Subscribe below to the Checkpoint Daily Newsstand Email Newsletter

Budget Squeeze Blamed for Weakening Investor Protections

February 7, 2014

SEC Chairman Mary Jo White told a Senate panel that the agency isn’t getting enough funds to protect investors from identity theft and other types of computer fraud.The agency is asking Congress to grant it the budget authority to strengthen and expand its computer systems and hire experts on computer security.

Absent the appropriate level of resources, the SEC will continue to operate at a deficit despite the need to defend consumer data security, Chairman Mary Jo White testified before a Senate panel on February 6, 2014.

During a hearing of the Senate Banking Committee on the oversight of financial stability and data security, White said the agency has implemented several Dodd-Frank programs to secure consumers’ data, but it can’t do all that it would like to do without additional financial support.

“We have significant budget challenges, which impacts our technology initiatives,” White said. “Nothing is a higher priority for us than data security, but the sophistication of the bad actors constantly evolves.”

Mark Wetjen, acting chairman of the Commodity Futures Trading Commission (CFTC), agreed.

“I would echo what Chair White said,” he began. “The main tool that we have is to examine the practices of our registered entities.Because we are resource constrained, it’s likely we are not going to be able to review and examine the systems the registered entities have in place.We can’t be certain the data will be as secure as we would like.”

The SEC chief added that while the agency directs resources within its enforcement and examinations divisions to buttressing data security, it still is not enough.

White pointed to the joint adoption, along with the CFTC, of Regulation S-ID last April.The rule requires broker-dealers to implement policies and procedures designed to identify relevant types of identity theft red flags, detect their occurrence and respond accordingly, and periodically update identity theft protections.White also told the committee how the rule builds on Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that implement administrative, technical, and physical safeguards of customer records and information.

“The guidelines accompanying Regulation S-ID state that the policies and procedures should contain responses to red flags commensurate with the degree of risk posed,” White said. “In determining an appropriate response, entities covered by Regulation S-ID should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to account records.”

Senator Tim Johnson of South Dakota, the chairman of the Banking Committee, asked each of the regulators testifying, Daniel Tarullo of the Federal Reserve’s Board of Governors, Martin Gruenberg, chairman of the Federal Deposit Insurance Corp., and Thomas Curry, Comptroller of the Currency, in addition to White and Wetjen, to submit to the committee their agencies’ procedures in light of recent data breaches at Target Corp. and Neiman Marcus Group Ltd.

“I have asked each agency to detail its coordination with other regulators and law enforcement on data breaches, as well as each agency’s role in the retail payment system,” Johnson said.

Still, according to White, the issue remains largely a question of resources.

“Additional resources will be vital,” she said. “We need additional staff experts to focus on enforcement, examinations, and regulatory oversight.The SEC also is aiming to continue investing in its technology capabilities to implement the law and police the markets.If the SEC does not receive sufficient additional resources, the agency will be unable to fully build out its technology and hire the industry experts and other staff needed to oversee and police our areas of responsibility, especially in light of the expanding size and complexity of our overall regulatory space.”