Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Regulation of Financial Services Firms

By Brian Neil Hoffman, Romaine Marshall and Matt Sorensen
September 02, 2017

Cybercrime poses an ever-increasing threat to consumers of financial products and services. In 2016, the then-SEC Chair said that cybercrime ranks as “one of the greatest risks facing the financial services industry.” Federal law thus requires financial services firms to implement procedures designed to protect their customers' data. Now, individual states are increasingly getting into the game. Two states recently enacted or proposed rules for financial services firms. This may be just the beginning of a national trend toward increased state regulation of cybersecurity matters. Financial services firms and their management should keep a close eye on developing cybersecurity regulations, so as to be better prepared to proactively address the shifting regulatory landscape as it continues to evolve.

Federal Focus

The U.S. Securities and Exchange Commission (SEC) has long focused on cybersecurity procedures at registered investment advisers (IAs) and broker-dealers (BDs). The SEC's examination program included cybersecurity as a priority for many years. And the SEC has engaged in outreach discussions with the securities industry about the topic as well.

In April 2015, the SEC's Division of Investment Management issued cybersecurity guidance, recognizing that “both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from their partners, including information concerning fund investors and advisory clients.” Among other things, the SEC's guidance encourages firms to:

  • Conduct periodic assessments of their information collection; potential threats and vulnerabilities, security controls and processes; and the effectiveness of an organization's governance structure for the management of cybersecurity risk.
  • Develop strategies to respond to threats and incidents that include controlling access to various systems and data; data encryption; restricting the use of removable storage and deploying protective software; data backup and retrieval; and development of an incident response plan.
  • Implement strategies through written policies, procedures, and training, and engage in ongoing monitoring of compliance.

The guidance further provides:

Funds and advisers will be better prepared if they consider the measures discussed herein … when planning to address cybersecurity and a rapid response capability. The staff also recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack. Appropriate planning … nevertheless … may assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients.

Indeed, multiple regulatory tools stand behind the SEC's recommended practices. To start, the SEC expects IAs and BDs to maintain appropriate compliance policies and procedures in varied aspects of their businesses, including cybersecurity. Regulation S-P specifically requires registered IAs, BDs, and investment companies to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” And Regulation S-ID requires certain regulated IAs and BDs to adopt and maintain policies and procedures designed to detect, prevent, and mitigate identity theft. An identity theft program under this rule should:

Identify relevant red flags — that is, potential patterns, practices, or specific activities indicating the possibility of identity theft;

  • Detect potential red flags, for both new and existing accounts;
  • Prevent and mitigate identity theft through an appropriate response to the perceived risk; and
  • Provide regular updates and improvements to the program.

The SEC has not shied from pursing enforcement actions for alleged failures in these areas. In June 2016, for example, the SEC announced that an SEC registered IA and BD agreed to pay a $1 million civil penalty for its alleged failure to adopt written policies and procedures reasonably designed to protect customer data. The respondent allegedly allowed employees to access customer information through internal web portals without appropriate access restrictions or access audits. These alleged vulnerabilities were allegedly exploited by an individual then-employee, who downloaded customer data to his personal device that was then hacked. Prior SEC enforcement actions provide similar cautionary tales.

In the States

Many states already have in place general cybersecurity requirements that protect personally identifiable information in a broad range of industries. In 2002, for example, California enacted the nation's first state general data breach notification law. Since then, 46 other states, Washington, DC, and three U.S. territories have enacted similar laws.

More recently, two states emerged with their own cybersecurity regulations specifically focused on financial services firms: New York and Colorado. Nor would it be surprising to see other states following suit soon.

NY's Regulations

Effective on March 1, 2017, New York adopted cybersecurity requirements (23 NYCRR 500) that mandate financial institutions implement robust controls to detect, prevent, and report cyber-incidents. Many experts predict that the regulation may soon become the baseline standard for the industry, and may inspire similar cross-industry regulations.

Generally speaking, the New York regulation requires banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (NYDFS) to establish and maintain cybersecurity programs designed to protect consumers' private data and ensure industry safety. The regulation includes certain minimum standards and encourages firms to keep pace with technological advances.

More specifically, the regulation requires covered entities to:

  • Conduct periodic, documented risk assessments, considering changing threats, business needs, and technologies;
  • Maintain a cybersecurity program based on the risk assessment and defensive IT infrastructure;
  • Include data governance, data classification, asset and device inventory, business resiliency, and incident response in written information security policies;
  • Comply with governance and staffing requirement — including appointment of a Chief Information Security Officer with specific, enumerated responsibilities, to have been achieved by August 2017;
  • Conduct annual penetration testing and bi-annual vulnerability scans;
  • Maintain transaction and server logs sufficient to detect and respond to adverse security events;
  • Limit user access privileges;
  • Adopt procedures, guidelines, and standards to ensure secure application development and software product security evaluation;
  • Install a robust third-party service provider risk-management program, policies, and procedures;
  • Ensure adequate training and qualifications of personnel and/or procure third-party expertise to operate and perform core cybersecurity functions;
  • Use multi-factor authentication (MFA) or risk-based authentication and enforce MFA for all external network access;
  • Destroy nonpublic information periodically and securely;
  • Implement controls, including encryption or compensating controls;
  • Establish a written incident-response plan;
  • Provide regular cybersecurity awareness training; and
  • Notify NYDFS of any breaches within 72 hours.

The regulation includes transition periods ranging from one to two years for most requirements. Even with the staggered compliance dates, however, full compliance with such an expansive regulation may pose challenges.

Some of the regulation's requirements will apply even to entities that seek exemption. These include conducting a risk assessment, implementing written policies and procedures to secure nonpublic information that is accessible to, or held by, third-party service providers, and establishing policies and procedures for the secure disposal of nonpublic information.

Some persons or entities will be exempt from the remainder of the regulation's requirements: small covered entities of “fewer than 10 employees” or “less than $56 million in revenue in each of the last three fiscal years,” designees covered by another covered entity, entities that do not possess or handle nonpublic information, and captive banks or insurance companies that only handle the nonpublic information of the corporate parent company.

Exempted covered entities must still file a certificate of exemption within 30 days.

Notably, the New York regulation does not expressly apply to IAs and BDs, unless those entities are otherwise licensed by the NYDFS in another capacity, for example as an insurance broker or agent.

CO Focuses on IAs and BDs

Colorado's Division of Securities recently announced proposed additions to the Colorado Securities Act (Rule 51-4.8 and 51-4.14) that would require Colorado IAs and BDs to establish and maintain written procedures “reasonably designed to ensure cybersecurity” and to include cybersecurity as part of their risk assessments.

These proposed additions are designed “to clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” Specifically, the additions would require firms' procedures to, the extent reasonably possible, provide for:

  • An annual cybersecurity risk assessment;
  • The use of secure email, including use of encryption and digital signatures;
  • Authentication practices for employee access to electronic communications, databases and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

Colorado does not appear to expect a “one-size-fits-all” solution among firms. Rather, the proposed additions enumerate a list of factors that the Commissioner may consider when determining whether a firm's procedures are reasonably designed. These include:

  • The firm's size;
  • The firm's relationships with third parties;
  • The firm's policies, procedures, and training of employees with regard to cybersecurity practices;
  • Authentication practices;
  • The firm's use of electronic communications;
  • The automatic locking of devices used to conduct the firm's electronic security; and
  • The firm's process for reporting lost or stolen devices.

If approved, the rules would likely take effect later in 2017. The additions may not have a significant impact on larger organizations, many of which already have in place fairly substantial cybersecurity guidelines and procedures. Yet the additions could expose small- and medium-sized IAs and BDs to new, and fairly complex, regulatory risks.

Other States May Follow Suit

New York and Colorado are likely just the first in the series of states to consider and adopt their own cybersecurity regulation regimes. Indeed, other states already appear to be paying close attention. Idaho, for example, recently issued an advisory reminding investors about the importance of understanding how their personal information is being protected by financial firms. Such advisories may sometimes end up being the first step toward new regulation. Texas is likewise attuned to the need for additional information on cybersecurity, having posted a list of cybersecurity resources to assist state-registered IAs and other professionals.

Takeaways

Due to continued federal and state regulatory focus, cybersecurity compliance has rapidly become an additional cost of doing business in the financial services industry. Firms are thus well advised to proactively review their policies and procedures, and assess potential improvements as appropriate.

*****
Brian Neil Hoffman is of counsel with Holland & Hart LLP. He is a former SEC enforcement attorney. Romaine Marshall is a partner in the firm. Matt Sorenson is an associate.

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.