By Ronald D. Orol
Last year's "flash crash" and a number of hacking incidents are
driving the Securities and Exchange Commission to beef up rules for
stock exchanges that could, for the first time, lead to
sanctions.
The effort was first mentioned last week by Mary Schapiro,
Securities and Exchange Commission Chairman, and a person familiar
with the matter has provided further details of what the agency is
mulling.
Schapiro told a gathering of the securities industry Wednesday
that the agency will introduce rules that would require stock
exchanges, alternative trading systems, clearance and settlement
operators and even broker-dealers with proprietary trading systems
to hold their internal automated systems to higher standards.
The agency's endeavor comes in the wake of a "flash crash" that
rattled the markets and overwhelmed exchanges May 6. It also is
responding to incidents of hackers accessing exchanges in recent
years. The Nasdaq Stock Market disclosed in February that hackers
intruded into a program the exchange used to facilitate
confidential information exchange for boards of directors.
Specifically, the SEC rule would pressure exchanges to
acquire technology to ensure they can function in a volatile
flash-crash-like market.
It is also expected to require exchanges and other trading
system operators to conduct a raft of capacity planning exercises
and system vulnerability assessments, and even to have a qualified
third-party firm conduct an independent review of the systems.
New disclosure will be needed as well. Exchanges will be under
greater pressure to report intrusions, malfunctions and system
changes to the SEC and the public more quickly.
The rule, which the agency is expected to introduce in the next
few months, will toughen existing weaker guidelines for exchanges
the agency implemented roughly 25 years ago after "Black Monday" in
October 1987, when stock markets around the world crashed.
A rule would be more powerful than the guidelines because the
agency could more readily take enforcement actions against market
participants, such as exchanges, if they didn't comply with it,
according to a person familiar with the SEC's thinking.
Currently, the SEC would be harder pressed to take such
actions against an exchange for failing to disclose an intrusion in
a timely manner, for example, because it wouldn't be a rule
violation.
As part of the effort, exchanges could need to obtain an
external annual review of their systems by an independent
third party, the person said, which would replace the current
system at some exchanges where only internal reviews are
completed.
Tom Kellermann, a vice president at security intelligence
software company Core Security Technologies and a former computer
security official at the World Bank, said he believes that
companies like Nasdaq that are hacked would have to report breaches
faster to the public and regulators if the SEC guidelines became
rules.
"Many publicly traded companies do not report breaches,"
Kellermann said. "This [SEC rule] needs to happen because you need
to force exchanges and publicly traded companies to modernize risk
management in general as it relates to two realities: All
technologies are susceptible to hacking; all controls, if hacked,
are undermined."
David Weild, a capital markets advisor at Grant Thornton LLP and
former vice chairman of the Nasdaq, said it wouldn't surprise him
if many exchanges are hiding information about being intruded upon
by hackers, in part, because of the embarrassment that comes with
such a revelation. He cautioned the SEC against requiring exchanges
to publicly disclose too quickly that there is an internal network
breach.
"The SEC has to know quickly as a regulator, but there is a
public interest in not broadcasting vulnerabilities at exchanges
before they can be fixed," he said. "It's human nature not to want
to publicize your frailties."
In her comments, Schapiro didn't comment on how fast intrusions
should be publicly disclosed. Nevertheless, she insisted that
material problems, which could include intrusions, must be made
publicly available.
"In my view, these rules should reinforce the current
expectation that registrants report systems changes, malfunctions
and intrusions to the SEC and disclose material problems to the
public," she said.
Kellermann said he didn't think exchanges are doing a good
enough job of testing for problems or responding quickly enough to
fix everything that is identified as a critical problem.
Weild acknowledged that the SEC is right to be concerned about
hackers.
"There are greater risks when you create a far-flung market like
we have today, rather than the centralized system we used to have,"
he said.
Weild said the rule will have the greatest effect on alternative
trading systems that have popped up in recent years. He argues
these firms aren't required to be as prepared as major stock
exchanges such as Nasdaq OMX Group Inc. (NDAQ) and the NYSE
Euronext Inc. (NYX) for market stresses. Currently, Weild argues,
some systems can offer lower-cost trades, in part, because they
spend less on making sure their systems can handle stresses.
"There is a bigger question about how these systems are going to
behave when stressed," Weild said. "The standards need to be
consistent across trading venues and throughout the broker-dealer
community, and there has to be less opportunity for regulatory
arbitrage."
David Baum, a partner at Alston & Bird LLP in Washington,
said companies have responded differently to the guidelines, in
part because participants aren't worried about being punished if
they don't meet expectations. He agreed that many smaller trading
systems will have to raise their costs for trades to offset new
compliance expenses.
Joe Saluzzi, co-head of equity trading for brokerage firm Themis
Trading in New Jersey, said he supported Schapiro's effort. He
argued that firms need to make sure their systems are able to
handle the "hyper-fast" markets.
"In the electronic trading world that we live in, it doesn't
take much for things to go haywire pretty quickly," he said. "The
hyper-speed, super-leveraged, short-term traders trade in all asset
classes, and if there is a technical problem in one asset class, it
will immediately spill over to almost every other asset."
The Nasdaq declined to comment for this article. The NYSE
Euronext, in a statement, welcomed the potential for tougher rules
on its smaller rivals.
"As we have learned in recent experiences, not all trading
venues are required or compelled to operate in a single regulatory
environment. Consequently, we are happy to work with the Commission
on their Automation Review Policies just as we have with regard to
other policies the SEC has implemented in the aftermath of May 6," a
spokesman said over email.
-Ronald D. Orol; 415-439-6400; AskNewswires@dowjones.com