Rise of state cybersecurity rules in financial services
3 states have implemented, and more may be on the way
New York, Colorado, and Vermont have all implemented some form of cybersecurity regulations amid a growing focus on cybersecurity by state regulators.
As we cover in more detail here, the New York Department of Financial Services has implemented a cybersecurity regulation whose first compliance deadline is August 28, 2017. The core of the rule requires firms to have a cybersecurity program with supporting cybersecurity policies and periodic risk assessments informing possible revisions of the cybersecurity program and policies. The rule also has a variety of specific requirements that could trip up companies that don’t pay attention to it.
The Colorado Securities Division has published a new regulation that will require broker-dealers and investment advisers to implement written cybersecurity procedures and conduct a cybersecurity risk assessment, among other requirements. It has fewer detailed requirements than the New York regulation, but it does still have some specifics, such as a requirement to use secure email for confidential personal information. More information is available here.
Vermont “securities professionals,” including broker-dealers and investment advisers, are currently required by regulation to implement written cybersecurity procedures, maintain cybersecurity insurance, conduct a cybersecurity risk assessment, and offer identity restoration services to any victim of a breach. This regulation is similar to the Colorado regulation, but it has enough unique quirks – such as its applicability to individuals and even to solicitors as well as the insurance and identity restoration requirements – to require specific attention. A more detailed summary is available here.
In addition to these implemented regulations, the North American Securities Administrators Association recently hosted a Cybersecurity Roundtable at which state regulators discussed their focus on cybersecurity, the ongoing cybersecurity exams they are conducting, and some of the guidance and publications on which they are working.
Colorado Securities Commissioner Gerald Rome said his office would return to firms whose exams reveal an inadequate focus on cybersecurity: “When we go out on exams, and they've done nothing, we will say ‘you are deficient. Work on it. We will come back in 30 to 60 days. Make sure you have done something in the area.’”

Among insurance regulators, the National Association of Insurance Commissioners recently released the fifth preliminary draft of a model cybersecurity law.
In short, broker-dealers and investment advisers are subject to state-level cybersecurity rules in several states already, and more may be on the way.