Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.
Banks around the world have been rattled by an $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.
The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.
"What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks," she said.
"As we go out there now, we are pointing that out."
White said SEC examiners were very proactive about doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyber attack.
"We can't do enough in this sector," she said.
Cyber security experts said her remarks represented the SEC’s strongest warning to date of the threat posed by hackers.
A former member of the World Bank’s security team, Tom Kellermann, who is now chief executive of the investment firm Strategic Cyber Ventures LLC, called it "a historic recognition of the systemic risk facing Wall Street."
Under White, a former federal prosecutor, the SEC introduced an initiative called "broken windows" designed to crack down on small violations of SEC rules to deter traders and others from larger transgressions.
But critics have questioned whether the initiative, similar to one used by former New York City Mayor Rudy Giuliani in his crackdown on crime in the city, is an effective use of the agency’s limited resources.
The policy has been applied to instances of “rampant non-compliance” involving serious, significant rules, White said, noting that she considers the initiative a huge success.
For example, since 2013 the SEC has brought three groups of cases in a key area, the prohibition against short selling ahead of an IPO by individuals who then participated in the IPO, she said. Each year, there have been fewer cases, with the most recent number at around 12, White said.
GAAP vs. NON-GAAP
Also on Tuesday, the SEC released guidance, which White called "consequential," about how certain accounting practices could potentially mislead investors.
Companies are increasingly using non-Generally Accepted Accounting Principles, or non-GAAP, to report earnings, permitting them to back out certain expenses from earnings figures, such as non-cash costs. But critics say the practice can also mislead investors by creating a rosier picture of a company’s profits.
The SEC’s current rules allow companies to report with figures that do not comply with GAAP, as long as certain conditions are met, and White said the guidance spells out those conditions, such as a requirement that “the GAAP measure has to be of equal or greater prominence than non-GAAP.”
Non-GAAP "is not supposed to supplant GAAP and obviously not obscure GAAP," she said.
She declined to say if the SEC is considering enforcement actions against companies that might be misleading investors with non-GAAP, but noted the SEC would not hesitate to bring one if it uncovered an “actionable violation.”
For months now, the SEC has only had three commissioners, down from its full complement of five, and the U.S. Congress has stalled on confirming two nominees.
"We're really functioning on all cylinders," White said, ticking off a list of projects the commission has recently completed.
She added that, to comply with rules on meetings and disclosures, commissioners typically meet one-on-one.
"If there are only three of you, it's shorter-circuited to some degree," she said. "There are some advantages, too."
(Additional reporting by Sarah N. Lynch)