The New York State Department of Financial Services issued a memorandum addressed to 18 federal and state regulatory organizations previewing new regulations to increase “cyber security defenses” by financial services firms and encouraged the organizations to collaborate on instituting “strong cyber security standards for financial institutions.” The NYSDFS indicated that its regulations would require financial institutions to adopt cybersecurity policies and procedures that must address certain enumerated topics. These would include, among other topics, information security; data governance and classification; access controls; business continuity and disaster recovery; capacity and performance planning; physical security; customer data privacy and incident response; third-party service providers; and the security of all applications used by a company. Financial services firms would also be required to appoint a chief information security officer; have adequate personnel to manage a firm’s cybersecurity risks; provide mandatory training to cybersecurity personnel; conduct annual penetration tests and quarterly vulnerability assessments; and immediately notify the NYSDFS of any cybersecurity incidents. The NYSDFS previously included cybersecurity requirements in its regulations that established minimum standards for all financial intermediaries who engage in a virtual currency business activity from New York or with a NY resident. (Click here for details in the article, “NYSDFS Issues BitLicense Framework for Regulating Virtual Currency Firms” in the June 7, 2015 edition of Bridging the Week.)
Compliance Weeds: Even before the New York State Department of Financial Services adopts any measures, the expectations of regulators of registrants in both the securities and futures industries have been increasing during the past year regarding what cybersecurity protections should be in place to protect customer records and information. At the beginning of 2015, the SEC said it would focus on cybersecurity compliance and controls among its 2015 examination priorities for broker-dealers and investment advisers. In September 2015, the SEC provided specific guidance on what it would look at in connection with these reviews. The SEC said it would focus on registrants’ governance and risk assessment related to cybersecurity; access rights and controls; data loss prevention; vendor management; training; and incident response. Also at the beginning of 2015, the Financial Industry Regulatory Authority published a report identifying findings from its 2014 targeted examination of firms related to their cybersecurity practices and recommended practices broker-dealers should implement to minimize the impact of cybersecurity threats. Moreover, the National Futures Association recently adopted an Interpretive Notice requiring members to implement and maintain formal, written information systems security programs by March 1, 2016. Practically, any cyber breach that compromises customer personal information could leave an SEC or CFTC registrant vulnerable to an enforcement action if it had not previously adopted a written policy and procedure reasonably designed to minimize the threat of a cyber-attack and followed such procedure – whether or not an express requirement currently exists. Registrants should therefore ensure they have implemented such a policy and are adhering to it.
(For additional information on how financial service firms might help protect themselves against cyber-threats, click here to access an Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP, dated June 24, 2015.)
Totally Irrelevant (But Is It?): For years I told my Derivatives Regulation students that if they only learned one thing for the semester, remember it is the Commodity Futures Trading Commission, not the Commodities Futures Trading Commission. Alas, the NYSDFS should have taken my course. They misspelled the name of the CFTC in their memorandum referencing Commodities not Commodity! How embarrassing.