A global investor group on Friday called for an independent investigation into a cyber breach at the U.S. Securities and Exchange Commission (SEC) and urged the regulator to delay new data-gathering rules until it could assure investors that its computer systems were secure.
Wall Street’s top regulator came under fire on Thursday after admitting hackers had breached its database of corporate announcements in 2016 and might have used it for insider trading.
The Investment Company Institute (ICI), which represents over 95 million U.S. shareholders, wants the SEC to clear up concerns about its cyber defenses before requiring funds to submit monthly performance data to the regulator, Paul Schott Stevens, the group’s chief executive, told Reuters in a phone interview.
“What the SEC breach now makes very clear is precisely what we were concerned about – that market-sensitive information of that nature can be exploited to the disadvantage of millions and millions of investors,” Stevens said.
ICI, whose shareholders have $20 trillion plus in assets, has raised concerns about how the SEC safeguarded industry data it gathers since 2015.
“I’m certain there will be a full inquiry by the Government of Accountability Office – and there should be, so we understand exactly what happened here,” Stevens said.
In a July report, the Government Accountability Office, a congressional watchdog, criticized the SEC for failing to fully protect its computer networks from cyber attacks and recommended a slew of improvements.
Former SEC Chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.
Get Data Sheet, Fortune’s technology newsletter.
Her successor, Jay Clayton, uncovered the full extent of the hack after launching a review of the SEC’s cybersecurity standards earlier this year.
The SEC declined to comment.
New reporting rules which start to come into force in December would require funds for the first time to confidentially file complete monthly portfolio holdings with the SEC, data which the ICI has said could easily be used for insider trading if obtained by hackers.
“Until that information security environment has been established, funds should continue to collect data quarterly, not monthly information, as quarterly data is not nearly as sensitive,” said Stevens.
