An Emerging Patchwork Of Cybersecurity Rules
With the recent adoption of cybersecurity regulations governing broker-dealers (BDs) and investment advisers (IAs) registered in Colorado and Vermont, the landscape of cybersecurity regulation continues to evolve in significant ways. For those businesses not yet covered by cyber regulations, these latest moves indicate that the day of reckoning may be coming, with both federal and state regulators actively expanding their reach.
Moreover, these latest regulations may further contribute to an emerging “cybersecurity standard of care,” leaving those who lag behind best practices more vulnerable before the courts. Finally, this emerging regulatory patchwork increasingly threatens to lead to inconsistent standards — although an important thread of consistency (or regulatory convergence) exists.
The Colorado and Vermont Rules
The Colorado[1] and Vermont[2] rules — applicable to BDs and IAs registered in those states (and certain other “securities professionals” in Vermont) — are very similar, which is both fortunate for the financial services industry and the product of an emerging regulatory consensus on the core elements of a sound or “reasonable” cybersecurity strategy.
Under the rules adopted by the Colorado Division of Securities and the Vermont Department of Financial Regulation, BDs and IAs subject to the rules are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The Colorado rules include an additional requirement to specifically protect confidential personal information, which is defined to include a person’s first name or first initial and last name in combination with at least one of the following data elements:
Social Security number;
Driver’s license number or identification card number;
Account number or credit or debit card number, in combination with any required security code, access code, security questions or other authentication information that would permit access to an online account;
Individual’s digitized or other electronic signature; or
User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.
In determining the reasonableness of cybersecurity procedures, the Colorado and Vermont rules do not mandate specific practices as much as the New York rules do, but they do clarify that the following factors will be considered:
The firm’s size;
The firm’s relationships with third parties;
The firm’s policies, procedures and training of employees with regard to cybersecurity practices;
Authentication practices;
The firm’s use of electronic communications;
The automatic locking of electronic devices; and
The firm’s process for reporting lost or stolen devices.
Further, to the extent “reasonably possible,” the rules require cybersecurity procedures to provide for the following:
An annual assessment by the firm or an agent of the firm of potential cybersecurity risks and vulnerabilities;
The use of secure email, including the use of encryption and digital signatures;
Authentication practices for employee access to electronic communications, databases and media;
Procedures for authenticating client instructions received via electronic communication; and
Disclosure to clients of the risks of using electronic communications.
Comparison to New York’s Regulation
As with the Colorado and Vermont rules, the New York Department of Financial Services cyber regulation (NYDFS rule), which has its first compliance deadline later this month, embraces a risk- and principles-based approach to cybersecurity; however, it also mandates certain specific practices.[3] For example, the NYDFS rule requires firms to conduct annual penetration testing and biannual vulnerability assessments, and also insists on multifactor authentication (MFA) and encryption of certain nonpublic information. By contrast, the Colorado and Vermont rules simply require BDs and IAs to implement “reasonable” cybersecurity policies, which could include the use of MFA and encryption.
It is possible that compliance with the NYDFS rule may satisfy the Colorado and Vermont requirements, but the reverse may not be true.
Another key difference between the NYDFS rule and the Colorado and Vermont rules concerns the entities subject to each rule. Whereas the Colorado rules apply generally to Colorado-registered BDs and IAs, and the Vermont rules apply only to Vermont-registered “securities professionals,” the NYDFS rule applies to a different assortment of businesses, covering insurance companies, insurance agencies and producers, banks and certain other “covered entities” regulated by NYDFS,[4] and also mandates that those covered entities implement written policies and procedures to ensure the security of information systems and nonpublic information that are “accessible to, or held by, Third Party Service Providers.”
Comparison with Federal Regulations
For those companies which the U.S. Securities and Exchange Commission regulates, Colorado’s and Vermont’s rules, unlike New York’s specific mandates, likely do not represent a major change in cybersecurity programs.
As a practical matter, SEC regulation S-P, for example, requires SEC-regulated broker-dealers, investment companies and investment advisers to adopt reasonably designed written policies and procedures to safeguard customer records and information. SEC staff guidance issued in April 2015 recommends that investment advisers conduct “periodic” cybersecurity risk assessments and develop and maintain written policies to prevent, detect and respond to cybersecurity threats.[5] In addition, an SEC risk alert issued in August 2017 also reiterates that “cybersecurity remains one of the top compliance risks for financial firms,” and that the SEC will continue to focus on the prevention of cyberattacks.[6] The most recent risk alert also highlights certain firm best practices, including:
Maintenance of an inventory of data, information and vendors;
Detailed cybersecurity-related instructions;
Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
Established and enforced controls to access data and systems;
Mandatory employee training; and
An engaged senior management.
Additionally, the Colorado and Vermont rules align with Federal Trade Commission guidance regarding what constitutes “reasonable security” designed to protect personal information.
That said, BD and IA firms doing business in Colorado and Vermont could nonetheless be faced with investigations and enforcement actions involving the adequacy of their cybersecurity procedures. This increased risk may put a premium on documenting and explaining risk-based, proactive cybersecurity decisions in a way that will prove compelling to federal and state regulators.
Impact on Litigation
With Colorado and Vermont joining the chorus of regulators calling for “reasonable” cybersecurity programs, it is also increasingly likely that courts will look to regulatory standards to help determine the applicable standard of care in data breach cases. Falling behind in those standards — even if cybersecurity regulations do not directly apply to a particular company yet — may increase litigation risk.
On the other hand, keeping in good standing with the regulators may help fend off civil litigation. This benefit also could extend to senior management in their individual capacity, as scrutiny over the actions of officers and directors appears poised to increase.
Key Takeaways
With the adoption of cybersecurity regulations in Colorado and Vermont, the trend towards increasing cybersecurity regulation continues to pick up momentum. Even those firms not yet covered by cyber regulations may soon find themselves bound to certain minimum standards as a result of being a third-party provider for covered entities, or in order to keep pace with what may very well be an emerging standard of care. There are consistent elements across the varying cyber regulations, which largely accord with best practices for protecting against and mitigating the impacts of cyberattacks. However, compliance with one set of rules does not necessarily mean compliance with all sets of rules.