The US Securities and Exchange Commission is to update the guidelines it issued six years ago to encourage financial firms to report failures of cyber-security to their customers.

The Wall Street Journal has commented: "Although these guidelines don’t carry the full force of regulations, companies can’t ignore them because of the SEC’s authority to lead enforcement actions against those firms that mislead investors about the nature of cybersecurity risks or hacks."

The SEC itself is no stranger to hacking. Edgar, its Electronic Data Gathering, Analysis and Retrieval unit, was hacked last year. Like Equifax, the SEC sat on the revelation for an inordinate amount of time before disclosing it to the regulated community

The Equifax hack, in which intruders filched the details of more than 145 million Americans, has also brought the issue to the fore in recent months. The credit-rating giant was aware of the hack in July but told nobody until September, laying itself open to much criticism.

At the end of September the regulator embarked on two new initiatives to deal with cyber-based threats and protect retail investors: the setting-up of a cyber unit and the establishment of a retail strategy task force. The former will tackle cyber-related misconduct such as:

• market-manipulation through the spread of false information on electronic and social media;
• hacking to obtain vital information;
• misconduct involving distributed ledger technology and initial coin offerings;
• misuse of the dark web;
• intrusions into retail brokerage accounts; and
• any threats to trading platforms.

The latter will try to snuff out misconduct that affects retail investors. Data analytics and IT will be its main weapons and it will concentrate on large-scale misconduct.