Cybersecurity Remains Focus for Financial Institutions and Service Firms’ Regulators

Posted on 02.23.17

By Scott Hoffmann, Business Assurance & Advisory Services Manager | Financial Services Industry team

On February 16, 2017, the New York Department of Financial Services updated its final proposed cybersecurity regulations, described as the “first-in-the-nation” state regulations for financial institutions. As cybersecurity continues to be a growing concern in the financial services industry, many states are looking to the New York rules as a basis for developing their own regulations.

Under the New York Rules (the “Rules”), certain regulated entities (the “Covered Entities”) will be required to establish and maintain cybersecurity programs designed to perform several functions, including:

The identification of internal and external cybersecurity risks; the use of defensive infrastructure; the implementation of policies and procedures designed to prevent unauthorized access to, and the malicious use of, the Covered Entity’s information systems and the nonpublic information stored on such systems; and the ability to detect, respond to, and mitigate cybersecurity events while still fulfilling all regulatory and reporting obligations.

The Rules also mandate that the Covered Entity perform periodic penetration testing and vulnerability assessments, establish an incident response plan, conform to audit trail requirements, conduct employee training, encrypt all nonpublic information, and develop a third-party service provider security policy. Additionally, the Rules stipulate that organizations must identify a Chief Information Security Officer (CISO) to oversee, implement, and provide board reporting on the cybersecurity program, data retention, and network monitoring procedures. Furthermore, a strict 72-hour notification standard requires Covered Entities to report cybersecurity events, such as attempts to access the Covered Entities’ network systems, and to establish an incident response plan.

The Rules also include an annual reporting requirement, in which the Board of Directors or a senior official attests to the cybersecurity program in a memo to the state superintendent, and a requirement that the Covered Entity maintain evidence of its program for 5 years.


Chris Moschella, Keiter Risk Advisory Services Manager and leader of our Firm's Cybersecurity Practice, noted regarding these requirements:

“In this respect, it is kind of like Sarbanes-Oxley (SOX) for cybersecurity. The organization has to report on their cybersecurity controls, rather than internal controls over financial reporting, annually. As with SOX, I would expect compliance costs to be the greatest in the beginning and decrease over time. But most firms, especially those just barely meeting the eligibility requirements for becoming a covered entity, are likely to incur non-trivial costs to comply for several years.”


Although these Rules, which seemingly aim to codify various security industry best practices, do not apply to financial services firms based outside New York, other states and the Securities and Exchange Commission (SEC) may adopt similar rules in the future. Practically speaking, the Rules represent an effort to combat or recover from cybersecurity threats that enable data theft, corporate espionage, and fraudulent money transfers, to name a few.

Given the evolution, increasing frequency, and sophistication of cyber-attacks and their potential for harm to investors, firms, and the markets, the SEC is keenly focused on the security postures of the organizations it oversees. To that point, in January the SEC announced its 2017 examination priorities, including cybersecurity, noting that “The Office of Compliance Inspections and Examinations (OCIE) will continue its ongoing initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at broker-dealers and investment advisers.”

Small Firm Considerations

Smaller financial services firms may not have the resources, or the obligation, to comply with the New York Rules, but they may still want to strengthen their cybersecurity framework given the increase in external threats and the potential for the SEC and other states to pursue similar policies in the future.

The Financial Industry Regulatory Authority (FINRA) has developed a Small Firm Cybersecurity Checklist to help smaller firms develop a robust cybersecurity framework. Although this checklist cannot be used as a safe harbor for compliance with SEC rules regarding cybersecurity, including Regulation S-P (17 CFR §248.30), Regulation S-ID (17 CFR §248.201-202) and the Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), it can be used to uncover deficiencies in a firm’s current cybersecurity practices.

Please contact your Keiter representative for further information about cybersecurity best practices or 804.747.0000 | Email.
Posted by: Scott Hoffmann, CPA

Scott is a Manager in Keiter’s Business Assurance & Advisory Services group. He provides insights and opportunities to clients in the financial services industry. His clients include broker-dealers, alternative investment funds, hedge funds, real-estate investment funds, and other financial institutions. Scott is a member of Keiter’s Financial Services Industry team. Read more of Scott’s articles on our blog.