Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Cybercrime poses an ever-increasing threat to consumers of financial products and services. In 2016, the then-SEC Chair said that cybercrime ranks as “one of the greatest risks facing the financial services industry.” Federal law thus requires financial services firms to implement procedures designed to protect their customers' data. Now, individual states are increasingly getting into the game. Two states recently enacted or proposed rules for financial services firms. This may be just the beginning of a national trend toward increased state regulation of cybersecurity matters. Financial services firms and their management should keep a close eye on developing cybersecurity regulations, so as to be better prepared to proactively address the shifting regulatory landscape as it continues to evolve.
Federal Focus
The U.S. Securities and Exchange Commission (SEC) has long focused on cybersecurity procedures at registered investment advisers (IAs) and broker-dealers (BDs). The SEC's examination program included cybersecurity as a priority for many years. And the SEC has engaged in outreach discussions with the securities industry about the topic as well.
In April 2015, the SEC's Division of Investment Management issued cybersecurity guidance, recognizing that “both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from their partners, including information concerning fund investors and advisory clients.” Among other things, the SEC's guidance encourages firms to:
The guidance further provides:
Funds and advisers will be better prepared if they consider the measures discussed herein … when planning to address cybersecurity and a rapid response capability. The staff also recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack. Appropriate planning … nevertheless … may assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients.
Indeed, multiple regulatory tools stand behind the SEC's recommended practices. To start, the SEC expects IAs and BDs to maintain appropriate compliance policies and procedures in varied aspects of their businesses, including cybersecurity. Regulation S-P specifically requires registered IAs, BDs, and investment companies to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” And Regulation S-ID requires certain regulated IAs and BDs to adopt and maintain policies and procedures designed to detect, prevent, and mitigate identity theft. An identity theft program under this rule should:
Identify relevant red flags — that is, potential patterns, practices, or specific activities indicating the possibility of identity theft;
The SEC has not shied from pursing enforcement actions for alleged failures in these areas. In June 2016, for example, the SEC announced that an SEC registered IA and BD agreed to pay a $1 million civil penalty for its alleged failure to adopt written policies and procedures reasonably designed to protect customer data. The respondent allegedly allowed employees to access customer information through internal web portals without appropriate access restrictions or access audits. These alleged vulnerabilities were allegedly exploited by an individual then-employee, who downloaded customer data to his personal device that was then hacked. Prior SEC enforcement actions provide similar cautionary tales.
In the States
Many states already have in place general cybersecurity requirements that protect personally identifiable information in a broad range of industries. In 2002, for example, California enacted the nation's first state general data breach notification law. Since then, 46 other states, Washington, DC, and three U.S. territories have enacted similar laws.
More recently, two states emerged with their own cybersecurity regulations specifically focused on financial services firms: New York and Colorado. Nor would it be surprising to see other states following suit soon.
NY's Regulations
Effective on March 1, 2017, New York adopted cybersecurity requirements (23 NYCRR 500) that mandate financial institutions implement robust controls to detect, prevent, and report cyber-incidents. Many experts predict that the regulation may soon become the baseline standard for the industry, and may inspire similar cross-industry regulations.
Generally speaking, the New York regulation requires banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (NYDFS) to establish and maintain cybersecurity programs designed to protect consumers' private data and ensure industry safety. The regulation includes certain minimum standards and encourages firms to keep pace with technological advances.
More specifically, the regulation requires covered entities to:
The regulation includes transition periods ranging from one to two years for most requirements. Even with the staggered compliance dates, however, full compliance with such an expansive regulation may pose challenges.
Some of the regulation's requirements will apply even to entities that seek exemption. These include conducting a risk assessment, implementing written policies and procedures to secure nonpublic information that is accessible to, or held by, third-party service providers, and establishing policies and procedures for the secure disposal of nonpublic information.
Some persons or entities will be exempt from the remainder of the regulation's requirements: small covered entities of “fewer than 10 employees” or “less than $56 million in revenue in each of the last three fiscal years,” designees covered by another covered entity, entities that do not possess or handle nonpublic information, and captive banks or insurance companies that only handle the nonpublic information of the corporate parent company.
Exempted covered entities must still file a certificate of exemption within 30 days.
Notably, the New York regulation does not expressly apply to IAs and BDs, unless those entities are otherwise licensed by the NYDFS in another capacity, for example as an insurance broker or agent.
CO Focuses on IAs and BDs
Colorado's Division of Securities recently announced proposed additions to the Colorado Securities Act (Rule 51-4.8 and 51-4.14) that would require Colorado IAs and BDs to establish and maintain written procedures “reasonably designed to ensure cybersecurity” and to include cybersecurity as part of their risk assessments.
These proposed additions are designed “to clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” Specifically, the additions would require firms' procedures to, the extent reasonably possible, provide for:
Colorado does not appear to expect a “one-size-fits-all” solution among firms. Rather, the proposed additions enumerate a list of factors that the Commissioner may consider when determining whether a firm's procedures are reasonably designed. These include:
If approved, the rules would likely take effect later in 2017. The additions may not have a significant impact on larger organizations, many of which already have in place fairly substantial cybersecurity guidelines and procedures. Yet the additions could expose small- and medium-sized IAs and BDs to new, and fairly complex, regulatory risks.
Other States May Follow Suit
New York and Colorado are likely just the first in the series of states to consider and adopt their own cybersecurity regulation regimes. Indeed, other states already appear to be paying close attention. Idaho, for example, recently issued an advisory reminding investors about the importance of understanding how their personal information is being protected by financial firms. Such advisories may sometimes end up being the first step toward new regulation. Texas is likewise attuned to the need for additional information on cybersecurity, having posted a list of cybersecurity resources to assist state-registered IAs and other professionals.
Takeaways
Due to continued federal and state regulatory focus, cybersecurity compliance has rapidly become an additional cost of doing business in the financial services industry. Firms are thus well advised to proactively review their policies and procedures, and assess potential improvements as appropriate.
*****
Brian Neil Hoffman is of counsel with Holland & Hart LLP. He is a former SEC enforcement attorney. Romaine Marshall is a partner in the firm. Matt Sorenson is an associate.
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.