As a result of these holes, investors’ trades on certain venues may be more vulnerable to hacking than on others. And because of the interconnectedness of the technologies supporting the nation’s stock trading systems, hackers gaining access to one venue could easily disrupt entire swaths of the market.
The concerns center on an S.E.C. rule written in 2014 that was intended to strengthen the technological underpinnings of the United States securities markets, making them safer for investors.
The rule, known as Regulation Systems Compliance and Integrity, or Reg SCI, came after a series of troubling market system failures. One was the $440 million glitch in 2012 at Knight Capital, a big stock trading firm. Other technical breakdowns occurred the next year on Nasdaq; on one occasion, all trading in that market was halted for three hours.
The S.E.C. rule required exchanges and certain other trading venues to have comprehensive procedures ensuring “the robustness and resiliency of their technological systems.”
Bolstering cybersecurity measures was a component of the rule. Stock exchanges like IEX, Nasdaq and the New York Stock Exchange had to comply with the new requirements and make their operations available for audits by the S.E.C. These exchanges also had to tell the commission when problems arose, including system intrusions, a crucial mechanism for investor protection.
But many large trading venues did not have to comply with the rule. Among them were firms that buy stock orders from retail brokerage firms, known as wholesalers or internalizers. Certain alternative trading systems were also let off the hook, including some that are operated by large brokerage companies like Morgan Stanley.
Among the entities that don’t have to adhere to the cybersecurity rule are firms that handle vast volumes of trades in the nation’s equity markets. Citadel Securities, the broker-dealer unit of the powerhouse founded by Kenneth Griffin, is an example.
A division of the company — Citadel Execution Services — is what’s known as a wholesale firm. It buys investors’ orders from retail brokerage firms that don’t have their own trading operations and executes the transactions against stocks it holds in inventory. Some 200 brokerage firms, including Charles Schwab, Scottrade and E-Trade, sell their customers’ orders to Citadel.
These firms send Citadel almost three million equity orders a day totaling almost 1.7 billion shares, according to figures cited in an S.E.C. enforcement action filed against the firm in January. These orders accounted for about 35 percent of the average daily volume of retail stock trades in the United States, the S.E.C. said.
It seems odd, given the volume of trades handled by Citadel, that the S.E.C. would not require the firm to follow its heightened cybersecurity rules. So I asked the S.E.C. about this decision. A spokeswoman declined to comment.
I also asked Citadel about its internal protections against cyberattacks. A spokesman declined to comment.
A spokesman for Morgan Stanley declined to comment about precautions the bank had taken against digital attacks on its alternative trading systems. But since the company qualifies as a systemically important financial institution in regulators’ eyes, at least its operations are watched more closely.
Also disquieting about the rule: Nowhere does the agency publish the list of entities that comply with the systems integrity rule. If this regulation was supposed to protect investors, as the S.E.C. contended when it put it into effect, why aren’t investors allowed to know which trading venues have strong cybersystems in place and which may not?
This question may come up on Thursday, when Mr. Clayton, the S.E.C. chairman, is scheduled to testify before the Senate banking committee. One of the committee’s members, Mark R. Warner, a Virginia Democrat who is a co-founder of the bipartisan Senate Cybersecurity Caucus, recently expressed his concern over the lack of transparency in the rule.
“Investors are unable to determine whether their orders are being routed to market centers which are being held to the requirement of having a strong, audited cybersecurity program,” Mr. Warner wrote in a letter to Mr. Clayton on Aug. 1. “If compromised, these market centers could destabilize markets by not having the protections in place that the S.E.C. has outlined in Reg SCI to strengthen the integrity of our markets.”
The S.E.C. was right to require market trading venues to tighten their security systems. Investors rely heavily on these entities.
But exempting major firms may mean it did only half the job. And surely investors have the right to know which firms are meeting the heightened standards.
Mr. Warner thinks so. “Efforts to strengthen our nation’s financial infrastructure, such as Reg SCI, are critical to financial stability and the security of our country,” he said in a statement on Thursday. “Providing investors with information about which market centers are subject to Reg SCI and whether they are in compliance would encourage market center adoption of strong cybersecurity standards and help investors protect themselves from cyberrisks.”
An earlier version of this column misstated which large stock trading venues are exempt from the Securities and Exchange Commission’s cybersecurity rule. The alternative trading system operated by UBS must comply with the rule; it is not among those that do not have to comply.