On September 8, Pennsylvania Department of Banking and Securities’ Secretary Robin Wiessmann issued a letter to Pennsylvania state-chartered, licensed, and registered financial services institutions and companies regarding the Department’s cybersecurity efforts to “prevent and defend against cyberattacks, reduce vulnerability, minimize damage and recover times, and promote awareness and education.” The letter encourages such entities to (i) develop cybersecurity attack prevention and mitigation plans; (ii) identify their cybersecurity vulnerabilities; (iii) evaluate the means necessary to protect their networks and data; (iv) conduct regular vulnerability assessments and penetration tests of their networks; (v) encrypt customer and investor data; (vi) ensure their operating systems are up-to-date; (vii) frequently update and utilize anti-virus software; and (viii) train and evaluate their staff and vendors, as well as educate their customers, regarding cybersecurity risks. In addition to reminding the Department’s regulated financial institutions and companies of the FFIEC’s June 30 release of a self-assessment tool designed to help evaluate cybersecurity risk, the letter also urges such entities to review the SEC’s April 2015 cybersecurity guidance, which identifies cybersecurity “best practices” for registered investment companies and registered investment advisers.

In a separate September 8 press release, the Department announced the formation of a Cybersecurity Task Force. Comprised of regulatory, legal, and information technology staff, the task force is one of the first created by a state financial regulator to provide financial service companies with resources to address cybersecurity issues.