Hacking Our Securities Disclosure System: The Need For Federal Broker-Dealer Disclosure Requirements Vis-À-Vis Cyber Incidents

Jason Auman

Abstract

Broker-dealers provide investors with the platform to access security markets. To facilitate this access, clients entrust them with sensitive information, including their names, addresses, and social security numbers. Cyberattacks on the financial sector have advanced in sophistication and grown more frequent due to technological advances, adjustments in firm business models, and changes in customer behavior, causing new vulnerabilities in firm information systems. However, even with this increase in cyberattacks against broker-dealers, the lack of public disclosure requirements means little is known about the extent of broker-dealer cyber safety.


Under current SEC regulations, broker-dealers must take preventative action, such as establishing safeguards against cyber breaches and maintaining security programs that can identify red flags. However, after a cyberattack occurs, firms are only required to file a Suspicious Activity Report to FinCEN, a bureau within the Treasury Department. Unlike public companies and banks, broker-dealers do not have any federal disclosure requirement to the general public for cybersecurity incidents. Addressing this gap requires a comprehensive examination of the tradeoffs involved in implementing broad new federal disclosure requirements for broker-dealers following cybersecurity incidents.

Author Biography

Jason Auman

Jason Auman is a J.D. Candidate 2019, Columbia Law School; B.S. 2015, Yeshiva University

Article Details

Section
Notes
How to Cite
Auman, J. (2019). Hacking Our Securities Disclosure System: The Need For Federal Broker-Dealer Disclosure Requirements Vis-À-Vis Cyber Incidents. Columbia Business Law Review, 2018(3), 953–993. https://doi.org/10.7916/cblr.v2018i3.1709