Timothy M. Simons, CFA, CFP, CIPM, CSCP
Senior Managing Member
Focus 1 Associates LLC
November 30, 2016
The SEC has definitely broadcast, multiple times, to the industry that cybersecurity is a concern: in March 2014, at a Cybersecurity Roundtable, highlighting the importance of cybersecurity to the integrity of the market system and the protection of client data; in April 2014, publishing a Risk Alert announcing examinations to identify risks and assess cybersecurity preparedness; in February 2015, publishing observations from those examinations and discussing some of the legal, regulatory and compliance issues; in April 2015, outlining measures that advisers and funds may wish to consider in addressing cybersecurity risk; and in September 2015, announcing another round of cybersecurity examinations. These examinations, to be conducted in FY2016, would focus on the following areas:
- Governance and risk assessment,
- Access rights and controls,
- Data loss prevention,
- Vendor management,
- Training, and
- Incident response.
New York State Department of Financial Services Proposed Cybersecurity Requirements for Financial Services Companies
On September 13, 2016, the New York State Department of Financial Services (“DFS”) released proposed cybersecurity regulations for financial institutions. When the regulations become effective, they will make New York the first state to impose mandatory cybersecurity requirements on financial institutions. The regulations were open for comment through November 12, and are set to take effect on January 1, 2017. Covered Entities will have a 180-day transitional period from the effective date of the regulation to comply with the requirements.
From the regulation:
The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cyber threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.
Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.
The regulation defines Covered Entities as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law. There is no indication that the regulation will apply to SEC registered investment advisers who are neither registered nor notice-filed in the state of New York, but it may apply to those who are registered or notice-filed in New York. We hope for clarification with the adoption of a final regulation.
Each Covered Entity will be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s information systems. The program must be designed to perform the following core cybersecurity functions:
(1) Identify internal and external cyber risks by identifying the Nonpublic Information stored, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) Implement policies and procedures to protect the Covered Entity’s Information Systems, and the stored Nonpublic Information, from unauthorized access, use or other malicious acts;
(3) Detect Cybersecurity Events;
(4) Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
(5) Recover from Cybersecurity Events and restore normal operations and services; and
(6) Fulfill all regulatory reporting obligations.
The written cybersecurity policies and procedures must include, at a minimum, the following areas:
(1) Information security;
(2) Data governance and classification;
(3) Access controls and identity management;
(4) Business continuity and disaster recovery planning and resources;
(5) Capacity and performance planning;
(6) Systems operations and availability concerns;
(7) Systems and network security;
(8) Systems and network monitoring;
(9) Systems and application development and quality assurance;
(10) Physical security and environmental controls;
(11) Customer data privacy;
(12) Vendor and third-party service provider management;
(13) Risk assessment; and
(14) Incident response.
The cybersecurity policies and procedures must be reviewed by the Covered Entity’s board of directors or equivalent governing body (if such exists), and approved by a Senior Officer of the Covered Entity. This review and approval will occur as frequently as necessary to address the cybersecurity risks applicable to the Covered Entity, but no less frequently than annually.
Each Covered Entity must designate a qualified individual to serve as the Covered Entity’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. To the extent this requirement is met using third party service providers, the Covered Entity shall:
(1) retain responsibility for compliance;
(2) designate a senior member of the Covered Entity’s personnel responsible for oversight of the third party service provider; and
(3) require the third party service provider to maintain a cybersecurity program that meets the requirements of the regulation.
The regulation also requires penetration testing and vulnerability assessments, audit trail programs, access privileges, risk assessments, requirements for cybersecurity personnel, third party information security, multi-factor authentication, limitations on data retention, training and monitoring, encryption of Nonpublic Information, and an incident response plan.
Each Covered Entity shall promptly (no later than 72 hours after becoming aware) notify the superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.
Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations commencing January 15, 2018.
The regulation does allow an exemption from some of the requirements for smaller firms with:
(1) fewer than 1,000 customers in each of the last three (3) calendar years, and
(2) less than $5,000,000 in gross annual revenue in each of the last three (3) fiscal years, and
(3) less than $10,000,000 in year-end total assets.
Laura Jehl, a partner in Sheppard Mullin Richter & Hampton LLP’s Business Trial Group and Co-Leader of its Privacy and Cybersecurity Practice, highlighted ways in which these regulations would impact the financial industry:
“The proposed regulations go significantly beyond federal requirements currently in effect for financial institutions, and impose a number of onerous new obligations, particularly in requiring annual cybersecurity assessments, notification of state authorities within 72 hours of a breach, and the designation of a Chief Information Security Officer. If adopted in their present form, the proposed regulations will impose significant new burdens on New York financial institutions.”
Rather than wait years for a cybersecurity rule, we now have a model, even if it is not adopted as proposed, or if it is determined that it doesn’t apply to SEC registered Investment Advisers. I know we all remember the Massachusetts privacy rule and how it crept across the country, and I would expect this regulation to do the same. Perhaps the SEC will determine this to be “best practice” and not slap us with a federal rule.
I agree with Ms. Jehl that the proposed regulation will impose significant new burdens and costs, but the costs may seem reasonable compared to the cost of a system breach, especially one that reaches Nonpublic Information, not just in dollars, but in the cost to the reputation of the firm.