Two self-regulating financial organizations are seeking to put in place new rules that would require certain companies under their purview to modernize their IT and security networks in line with new, yet-to-be-developed standards.
In a pair of notices published in Tuesday’s Federal Register, the Securities and Exchange Commission outlined newly proposed rules on behalf of the National Securities Clearing Corporation and the Depository Trust Company — two entities responsible for regulating the U.S. securities market — that would force member companies to take a range of actions to modernize their business networks and protect against hacking threats.
Both NSCC and DTC note that there are currently no minimum IT or cybersecurity standards or requirements that companies must meet in order to gain membership at their organizations. Specifically, the entities say obsolete legacy systems are rampant throughout their memberships and are putting systems at risk. They also note the lack of standards around “any level or version for network technology, such as a web browser … email encryption, secure messaging, or file transfers, that are being used to connect or to communicate.”
That status quo, the organizations argue, must change if their member companies intend to beat back an ever-growing digital threat landscape.
“In the current environment, [DTC and NSCC] maintains multiple network and communications methods and protocols, some either obsolete or many years older than the current standard in order to support Participants using these older technologies, which leaves communications…vulnerable to interception or the introduction of unknown entries, and requires DTC to expend additional resources, both in personnel and equipment, to maintain older communications channels.”
Hackers successfully gain access through older technology
The new standards, as well as timelines for implementation, have yet to be formally set down in writing but the two organizations offered a number of details on the kinds of changes and technology modernization they are seeking.
As an example, they say many member companies still rely on older versions of the Transport Layer Security protocol that are out of step with more recent guidance developed for federal agencies by the National Institute of Standards and Technology. According to the non-profit Internet Engineering Task Force, upgrading from TLS version 1.1 to versions 1.2 and 1.3 and removing support for older versions “reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.”
Adopting those newer versions could also help address another problem: organizations that still use the File Transfer Protocol to share documents and data. Hackers have successfully leveraged weaknesses in older versions of TLS that leave authentication data unencrypted on the network to obtain plain-text usernames and passwords or even inject malware.
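The two concrete controls in this passage, refusing TLS versions below 1.2 and retiring plaintext transfer protocols such as FTP, can be expressed as a small policy check. The following is an added example, not code from the article or from NSCC, DTC or the SEC, and the policy constants, the `ServiceRecord` inventory format and the sample inventory are assumptions constructed for illustration. It builds a server-side `ssl.SSLContext` whose floor is TLS 1.2, then audits an inventory of services against the same policy and reports each endpoint that would fail it.

```python
import ssl
from dataclasses import dataclass

# Policy floor: TLS 1.2, in line with the IETF/NIST guidance the article cites.
# This constant and the protocol list below are assumptions for the example.
POLICY_MIN_TLS = ssl.TLSVersion.TLSv1_2

# Protocols that carry credentials in the clear on the wire (assumed list).
PLAINTEXT_PROTOCOLS = {"ftp", "telnet", "http", "pop3", "imap"}

# Version labels as they might appear in an inventory export, mapped to the
# ssl.TLSVersion enum so they can be compared numerically against the floor.
_TLS_LABELS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses any handshake below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = POLICY_MIN_TLS
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS-level compression has no place on a modern endpoint.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def context_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest TLS version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    protocol: str            # application protocol, e.g. "https", "ftp", "sftp"
    tls_versions: tuple      # TLS versions the endpoint still accepts (labels)


@dataclass(frozen=True)
class Finding:
    service: str
    issue: str


def audit(records) -> list:
    """Return one Finding per policy violation found in the inventory."""
    findings = []
    for rec in records:
        if rec.protocol.lower() in PLAINTEXT_PROTOCOLS:
            findings.append(Finding(
                rec.name,
                f"plaintext protocol {rec.protocol}: credentials cross the network unencrypted",
            ))
        for label in rec.tls_versions:
            version = _TLS_LABELS.get(label)
            if version is None:
                findings.append(Finding(rec.name, f"unrecognized TLS label {label!r}"))
            elif version < POLICY_MIN_TLS:
                findings.append(Finding(
                    rec.name, f"accepts {label}, below policy minimum TLS 1.2"
                ))
    return findings


# Constructed sample inventory; the service names are invented for this example.
SAMPLE_INVENTORY = [
    ServiceRecord("settlement-api", "https", ("TLSv1.2", "TLSv1.3")),
    ServiceRecord("legacy-file-drop", "ftp", ()),
    ServiceRecord("member-portal", "https", ("TLSv1.0", "TLSv1.1", "TLSv1.2")),
    ServiceRecord("secure-transfer", "sftp", ()),
]


if __name__ == "__main__":
    print("hardened context floor:", context_floor(hardened_server_context()))
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.service}: {f.issue}")
```

Running the block prints the context floor (`TLSv1_2`) and three findings: the FTP file drop, and the member portal twice for still accepting TLS 1.0 and 1.1. The inventory-driven check is the part that maps onto the documentation requirement described next: the same records can be exported as evidence that every externally reachable service meets the floor.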
Under the newly proposed rules, member companies must provide the NSCC and DTC with documentation proving that their network technologies, communication technologies and protocols are up to date. Further changes will be dictated by the two organizations following “an evaluation of the external threat landscape, threats to [our] technology infrastructure and information assets, industry cybersecurity priorities, a review of the root causes of incidents, and an evaluation of the current state of the network infrastructure as expressed using third party assessments.”
The moves represent another regulatory push to improve cybersecurity protections in the financial sector, following a raft of regulatory reforms proposed by the SEC earlier this year that would require publicly traded companies and investment firms to report past or ongoing hacks to the government, outline information security risk management policies and procedures, and detail the cybersecurity backgrounds of executives and boards of directors.