Cybersecurity Remains Focus for Financial Institutions and Service Firms’ Regulators
Posted on 02.23.17
By Scott Hoffmann, Business Assurance & Advisory Services Manager | Financial Services Industry team
On February 16, 2017, the New York Department of Financial Services updated its final proposed cybersecurity regulations—described as the “first-in-the-nation” for state regulations for financial institutions. As cybersecurity continues to be a growing concern in the financial services industry, many states are looking to the New York rules as a basis to develop their own regulations.
Under the New York Rules (the “Rules”), certain regulated entities (the “Covered Entities”) will be required to establish and maintain cybersecurity programs designed to perform several functions, including:
The identification of internal and external cybersecurity risks; the use of defensive infrastructure; the implementation of policies and procedures designed to prevent unauthorized access to, and the malicious use of, the Covered Entity’s information systems and the nonpublic information stored on such systems; and the ability to detect, respond to, and mitigate cybersecurity events while still fulfilling all regulatory and reporting obligations.
The Rules also mandate that the Covered Entity perform periodic penetration testing and vulnerability assessments, establish an incident response plan, conform to audit trail requirements, conduct employee training, encrypt of all nonpublic information, and develop third-party service provider security policy. Additionally, the rules stipulate that organizations must identify a Chief Information Security Officer (CISO) to oversee, implement, and provide board reporting regarding the cybersecurity program, data retention, and network monitoring procedures. Furthermore, a strict 72-hour notification standard requires that Covered Entities report cybersecurity events, such as attempts to access the Covered Entities’ network systems, and establishment of an incident response plan.
The Rules also include an annual reporting requirement in which the Board of Directors or senior official attests to the cybersecurity program in a memo to the state superintendent and a requirement that the Covered Entity maintain evidence of their program for 5 years.
“In this respect, it is kind of like Sarbanes-Oxley (SOX) for cybersecurity. The organization has to report on their cybersecurity controls, rather than internal controls over financial reporting, annually. As with SOX, I would expect compliance costs to be the greatest in the beginning and decrease over time. But most firms, especially those just barely meeting the eligibility requirements for becoming a covered entity, are likely to incur non-trivial costs to comply for several years.”
Although these rules, which seemingly aim to codify various security industry best practices, are not applicable for non-New York based financial services firms, other states and the Securities and Exchange Commission (SEC) may adopt similar rules in the future. Practically speaking, the Rules represent an effort to combat or recover from cybersecurity threats that enable data theft, corporate espionage, and fraudulent money transfers, to name a few.
Given the evolution, increasing frequency, and sophistication of cyber-attacks and their implicit potential for harm to investors, firms, and the markets, the SEC is keenly focused on the security postures of the organizations it oversees. To the point, in January, the SEC announced its 2017 examination priorities, including cybersecurity, noting with regard to cybersecurity that “The Office of Compliance Inspections and Examinations (OCIE) will continue its ongoing initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at broker-dealers and investment advisers.”
Small Firm Considerations
Smaller financial services firms may not necessarily have the resources or the requirement to comply with New York Rules but may want to enhance their cybersecurity framework based on increased external threats and the potential for the SEC and other states to pursue similar policies in the future.
The Financial Industry Regulatory Authority (FINRA) has developed a Small Firm Cyber Security Checklist to help smaller firms develop a robust cyber security framework. Although this checklist cannot be used as a safe harbor regarding compliance with SEC rules regarding cyber security, including Regulation S-P (17 CFR §248.30), Regulation S-ID (17 CFR §248.201-202) and the Securities and Exchange Act of 1934 (17 CFR §240.17a-4(f)) this checklist can be used to uncover deficiencies in firms’ current cybersecurity practices.